diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index e41bf9080..ecd556510 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -31,6 +31,8 @@
 // Add the IDs of extensions you want installed when the container is created in the array below.
 "extensions": [
 "4ops.terraform",
- "mutantdino.resourcemonitor"
+ "mutantdino.resourcemonitor",
+ "ms-azure-devops.azure-pipelines",
+ "omartawfik.github-actions-vscode"
 ]
 }
\ No newline at end of file
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index c3e99220a..f43688128 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -6,7 +6,7 @@ version: '3.7'
 services:
 rover:
- image: aztfmod/rover:2004.0211
+ image: aztfmod/rover:2005.1314
 labels:
 - "caf=Azure CAF"
diff --git a/.github/workflows/ci-branches.yml b/.github/workflows/ci-branches.yml
new file mode 100644
index 000000000..b57b94406
--- /dev/null
+++ b/.github/workflows/ci-branches.yml
@@ -0,0 +1,247 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: landingzones + +on: + pull_request: + branches: + - master + +env: + TF_CLI_ARGS: '-no-color' + TF_CLI_ARGS_destroy: '-auto-approve -refresh=false' + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }} + TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }} + TFVARS_PATH: '/tf/caf/environments' + +jobs: + level0: + name: level0 + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + region: ["westus2"] + convention: ["random"] + + container: + image: aztfmod/rover:2005.1314 + options: --user 0 + + steps: + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: Locate launchpad + run: | + id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }} + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }} + fi + + caf_foundations: + name: caf_foundations + runs-on: ubuntu-latest + + needs: level0 + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_caf_foundations"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + container: + image: aztfmod/rover:2005.1314 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + 
echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + workspace='caffoundationsci' + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy caf_foundations + run: | + /tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' + + landingzones: + name: landingzones + runs-on: ubuntu-latest + + needs: [level0, caf_foundations] + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_hub_spoke", "landingzone_secure_vnet_dmz", "landingzone_starter", "landingzone_vdc_demo"] + region: ["westus2"] + convention: ["cafrandom"] + environment: ["integration-tests"] + + container: + image: aztfmod/rover:2005.1314 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + job_id=${{ job.container.id }} + workspace=${job_id:0:63} + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy landing_zone + run: | + /tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} apply \ + 
'-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: destroy landing_zone + if: always() + run: | + /tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} destroy \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: cleanup workspace + if: always() + run: | + stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name) + az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login + + caf_foundations_destroy: + name: caf_foundations_destroy + runs-on: ubuntu-latest + + needs: landingzones + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_caf_foundations"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + container: + image: aztfmod/rover:2005.1314 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + workspace='caffoundationsci' + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: destroy caf_foundations + run: | + /tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} destroy \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ 
matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' \ + '-auto-approve' + + level0_destroy: + name: level0_destroy + runs-on: ubuntu-latest + + needs: caf_foundations_destroy + + strategy: + fail-fast: false + matrix: + region: ["westus2"] + convention: ["random"] + + container: + image: aztfmod/rover:2005.1314 + options: --user 0 + + steps: + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: Remove launchpad + run: | + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource destroy -var location=${{ matrix.region }} -auto-approve + + - name: Complete purge + run: | + for i in `az group list -o tsv --query '[].name'`; do az group delete -n $i -y --no-wait; done + for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i -y; done diff --git a/.github/workflows/ci-landingzone_hub_spoke.yml b/.github/workflows/ci-landingzone_hub_spoke.yml new file mode 100644 index 000000000..512b9f34a --- /dev/null +++ b/.github/workflows/ci-landingzone_hub_spoke.yml 
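Review bot: The `Complete purge` step in level0_destroy deletes every resource group (`az group list -o tsv --query '[].name'`) and every log profile the service principal can see, not only what this run created, so the blast radius is the whole subscription the `ARM_*` secrets point at, on every pull request to master. The apply steps already tag their resources with `testing-job-id=${{ github.run_id }}`; scope the purge to that tag, e.g. `for i in $(az group list -o tsv --query "[?tags.\"testing-job-id\"=='${{ github.run_id }}'].name"); do az group delete -n "$i" -y --no-wait; done`, and guard the loop with a check that `ARM_SUBSCRIPTION_ID` is the dedicated throwaway subscription — note that launchpad.sh is invoked without the tags var, so the launchpad's own groups may need their own tag or an explicit name list. Separately, because this runs on `pull_request` with `secrets.*` in `env`, PRs from forks will fail at `az login` (secrets are withheld from them); that is the safe behaviour, and it should not be "fixed" by switching to `pull_request_target`, since the PR's own terraform code would then run with these credentials.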
@@ -0,0 +1,175 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: landingzone_hub_spoke + +on: + push: + paths: + - 'landingzones/landingzone_hub_spoke/**' + - 'environments/**/landingzone_hub_spoke/**' + - '.github/workflows/ci-landingzone_hub_spoke.yml' + branches-ignore: + - master + +env: + TF_CLI_ARGS: '-no-color' + TF_CLI_ARGS_destroy: '-auto-approve -refresh=false' + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }} + TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }} + TFVARS_PATH: '/tf/caf/environments' + +jobs: + level0: + name: level0 + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + region: ["westus2"] + convention: ["random"] + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: Locate launchpad + run: | + id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }} + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }} + fi + + caf_foundations: + name: caf_foundations + runs-on: ubuntu-latest + + needs: level0 + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_caf_foundations"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + container: + image: 
aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + workspace='caffoundationsci' + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy caf_foundations + run: | + id=$(az storage account list --query "[?tags.launchpad=='launchpad_opensource' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' + fi + + landingzone_hub_spoke: + name: landingzone_hub_spoke + runs-on: ubuntu-latest + + needs: [level0, caf_foundations] + + strategy: + fail-fast: false + #max-parallel: 1 + matrix: + landingzone: ["landingzone_hub_spoke"] + region: ["westus2"] + convention: ["cafrandom"] + environment: ["integration-tests"] + scenario: ["bastion","no_bastion" ] + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + job_id=${{ job.container.id }} + workspace=${job_id:0:63} + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ 
env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy hub_spoke + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_hub_spoke apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.scenario }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: destroy hub_spoke + if: always() + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_hub_spoke destroy \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.scenario }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: cleanup workspace + if: always() + run: | + stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name) + az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login diff --git a/.github/workflows/ci-landingzone_secure_vnet_dmz.yml b/.github/workflows/ci-landingzone_secure_vnet_dmz.yml new file mode 100644 index 000000000..7b1515a32 --- /dev/null +++ b/.github/workflows/ci-landingzone_secure_vnet_dmz.yml 
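Review bot: The `deploy caf_foundations` step in the caf_foundations job only runs `rover.sh ... apply` when the storage-account lookup returns `null` (`if [ "${id}" == "null" ]`), which is the same not-found guard level0 uses to create the launchpad; once level0 has created or found the launchpad this appears to evaluate false, so foundations are never applied, yet the downstream landingzone_hub_spoke job still passes `-var workspace=caffoundationsci` expecting them. The query also uses a different tag from level0's (`tags.launchpad=='launchpad_opensource'` versus `tags.tfstate=='level0'`), so it is not clear from the hunk which tag the launchpad really sets. If the intent is "deploy foundations only when absent", check for the foundations state itself (the `caffoundationsci` container) rather than the launchpad account, or apply unconditionally as ci-branches.yml does; at minimum the condition should be `if [ "${id}" != "null" ]`.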
@@ -0,0 +1,176 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: landingzone_secure_vnet_dmz + +on: + push: + paths: + - 'landingzones/landingzone_secure_vnet_dmz/**' + - 'environments/**/landingzone_secure_vnet_dmz/**' + - '.github/workflows/ci-landingzone_secure_vnet_dmz.yml' + branches-ignore: + - master + +env: + TF_CLI_ARGS: '-no-color' + TF_CLI_ARGS_destroy: '-auto-approve -refresh=false' + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }} + TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }} + TFVARS_PATH: '/tf/caf/environments' + +jobs: + level0: + name: level0 + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + region: ["westus2"] + convention: ["random"] + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: Locate launchpad + run: | + id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }} + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }} + fi + + caf_foundations: + name: caf_foundations + runs-on: ubuntu-latest + + needs: level0 + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_caf_foundations"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + 
container: + image: aztfmod/rover:2004.1606 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + workspace='caffoundationsci' + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy caf_foundations + run: | + id=$(az storage account list --query "[?tags.launchpad=='launchpad_opensource' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' + fi + + landingzone_secure_vnet_dmz: + name: landingzone_secure_vnet_dmz + runs-on: ubuntu-latest + + needs: [level0, caf_foundations] + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_secure_vnet_dmz"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + job_id=${{ job.container.id }} + workspace=${job_id:0:63} + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' 
--tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + + - name: deploy secure_vnet_dmz + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_secure_vnet_dmz apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: destroy secure_vnet_dmz + if: always() + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_secure_vnet_dmz destroy \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: cleanup workspace + if: always() + run: | + stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name) + az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login + + \ No newline at end of file diff --git a/.github/workflows/ci-landingzone_starter.yml b/.github/workflows/ci-landingzone_starter.yml new file mode 100644 index 000000000..f3779ddb5 --- /dev/null +++ b/.github/workflows/ci-landingzone_starter.yml 
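Review bot: The job containers are pulled by mutable tag and inconsistently: caf_foundations uses `aztfmod/rover:2004.1606` while level0 and landingzone_secure_vnet_dmz use `aztfmod/roverdev:2005.110010` (a dev image), and ci-branches.yml uses `aztfmod/rover:2005.1314`. Every job runs as root (`options: --user 0`) with `ARM_CLIENT_SECRET` and the Azure DevOps PAT in its environment, so whoever can push a new image under one of those tags can execute code with those credentials. Use one image per workflow and pin it by digest, e.g. `image: aztfmod/rover:2005.1314@sha256:<digest>`, and keep the `roverdev` tag out of CI unless a dev build is deliberately under test.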
@@ -0,0 +1,171 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: landingzone_starter + +on: + push: + paths: + - 'landingzones/landingzone_starter/**' + - 'environments/**/landingzone_starter/**' + - '.github/workflows/ci-landingzone_starter.yml' + branches-ignore: + - master + +env: + TF_CLI_ARGS: '-no-color' + TF_CLI_ARGS_destroy: '-auto-approve -refresh=false' + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }} + TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }} + TFVARS_PATH: '/tf/caf/environments' + + +jobs: + level0: + name: level0 + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + region: ["westus2"] + convention: ["random"] + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: Locate launchpad + run: | + id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }} + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }} + fi + + caf_foundations: + name: caf_foundations + runs-on: ubuntu-latest + + needs: level0 + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_caf_foundations"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + container: + image: 
aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + workspace='caffoundationsci' + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy caf_foundations + run: | + id=$(az storage account list --query "[?tags.launchpad=='launchpad_opensource' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' + fi + + landingzone_starter: + name: landingzone_starter + runs-on: ubuntu-latest + + needs: [level0, caf_foundations] + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_starter"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + job_id=${{ job.container.id }} + workspace=${job_id:0:63} + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az 
account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy starter + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_starter apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var workspace=caffoundationsci' + + - name: destroy starter + if: always() + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_starter destroy \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var workspace=caffoundationsci' + + - name: cleanup + run: | + stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name) + az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login + \ No newline at end of file diff --git a/.github/workflows/ci-landingzone_vdc_demo.yml b/.github/workflows/ci-landingzone_vdc_demo.yml new file mode 100644 index 000000000..6b8663a93 --- /dev/null +++ b/.github/workflows/ci-landingzone_vdc_demo.yml 
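Review bot: The final `cleanup` step in the landingzone_starter job lacks the `if: always()` that `destroy starter` has and that the `cleanup workspace` steps in the sibling workflows carry, so when apply or destroy fails the per-run state container `${TF_VAR_workspace}` in the level0 storage account is never removed and stale state accumulates. Add `if: always()` to that step. The `stg_name=$(... | jq -r .[0].name)` lookup is also used unchecked; if it yields `null` or empty, `az storage container delete --account-name ${stg_name}` fails with a misleading error, so a guard such as `[ -n "${stg_name}" ] && [ "${stg_name}" != "null" ] || exit 1` before the delete would make the failure explicit.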
@@ -0,0 +1,172 @@ +# +# Copyright (c) Microsoft Corporation +# Licensed under the MIT License. +# + +name: landingzone_vdc_demo + +on: + push: + paths: + - 'landingzones/landingzone_vdc_demo/**' + - 'environments/**/landingzone_vdc_demo/**' + - '.github/workflows/ci-landingzone_vdc_demo.yml' + branches-ignore: + - master + +env: + TF_CLI_ARGS: '-no-color' + TF_CLI_ARGS_destroy: '-auto-approve -refresh=false' + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }} + TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }} + TFVARS_PATH: '/tf/caf/environments' + +jobs: + level0: + name: level0 + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + region: ["westus2"] + convention: ["random"] + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: Locate launchpad + run: | + id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }} + /tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }} + fi + + caf_foundations: + name: caf_foundations + runs-on: ubuntu-latest + + needs: level0 + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_caf_foundations"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + container: + image: 
aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + workspace='caffoundationsci' + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy caf_foundations + run: | + id=$(az storage account list --query "[?tags.launchpad=='launchpad_opensource' && tags.workspace=='level0']" -o json | jq -r .[0].id) + if [ "${id}" == "null" ]; then + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' + fi + + landingzone_vdc_demo: + name: landingzone_vdc_demo + runs-on: ubuntu-latest + + needs: [level0, caf_foundations] + + strategy: + fail-fast: false + matrix: + landingzone: ["landingzone_vdc_demo"] + region: ["westus2"] + convention: ["random"] + environment: ["integration-tests"] + + container: + image: aztfmod/roverdev:2005.110010 + options: --user 0 + + steps: + - uses: actions/checkout@v2 + + - name: setup context + id: context + run: | + ln -s ${GITHUB_WORKSPACE} /tf/caf + echo "ls /tf/caf" && ls -lsa /tf/caf + ls -lsa /tmp + + job_id=${{ job.container.id }} + workspace=${job_id:0:63} + echo ::set-env name=TF_VAR_workspace::${workspace} + + - name: Login azure + run: | + az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}' + az 
account set -s ${{ env.ARM_SUBSCRIPTION_ID }} + + echo "local user: $(whoami)" + + - name: workspace + run: | + /tf/rover/launchpad.sh workspace create ${TF_VAR_workspace} + + - name: deploy vdc_demo + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_vdc_demo apply \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: destroy vdc_demo + if: always() + run: | + /tf/rover/rover.sh /tf/caf/landingzones/landingzone_vdc_demo destroy \ + '-var tags={testing-job-id="${{ github.run_id }}"}' \ + '-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \ + '-var workspace=caffoundationsci' + + - name: cleanup workspace + if: always() + run: | + stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name) + az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login diff --git a/CHANGELOG.md b/CHANGELOG.md index 978032ac1..2536935f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
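Review bot: The `setup context` steps export `TF_VAR_workspace` with `echo ::set-env name=TF_VAR_workspace::${workspace}`; GitHub later disabled this workflow command after a command-injection advisory, because any text a step prints can inject environment variables into subsequent steps, and here `TF_VAR_*` values flow straight into terraform. Write to the environment file instead: `echo "TF_VAR_workspace=${workspace}" >> "$GITHUB_ENV"`. The same replacement applies to ci-branches.yml and the other ci-landingzone_*.yml workflows in this commit. Relatedly, `az login ... -p '${{ env.ARM_CLIENT_SECRET }}'` interpolates the secret into the rendered script; reading it from the environment as `-p "$ARM_CLIENT_SECRET"` keeps it out of the script text while still relying on log masking.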
@@ -1,3 +1,16 @@ +## v5.0.2005 (May 2020) +FEATURES: +* **rover :** upgrade to rover 2005.1314 - improved support for Azure DevOps and GitHub Actions +* **added support for azurerm 2.9 :** On all sample landing zones [azurerm provider](https://github.com/terraform-providers/terraform-provider-azurerm/releases/tag/v2.9.0) +* **documentation :** added guidance and documentation on LZ hierarchy and delivery [#32](https://github.com/Azure/caf-terraform-landingzones/pull/32) +* **devops :** added GitHub actions workflows to implement integration tests on public repository [25](https://github.com/Azure/caf-terraform-landingzones/issues/25) + +BUGFIXES: +* **landingzone_caf_foundations :** Avoid creating unnecessary policy definitions [#33](https://github.com/Azure/caf-terraform-landingzones/pull/33) +* **landingzone_hub_spoke :** Setting "enable_bastion = false" not working [#34](https://github.com/Azure/caf-terraform-landingzones/issues/34) +* **rover :** launchpad opensource light fails to deploy successfully [#18]( +https://github.com/aztfmod/landingzones/issues/18) + ## v3.0.2003 (March 2020) FEATURES: diff --git a/README.md b/README.md index b282153d9..d5a215077 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Microsoft Cloud Adoption Framework for Azure provides you with guidance to adopt Azure. When deploying resources in a new environment, you can leverage landing zones and blueprints to accelerate your deployment. A landing zone is a set of infrastructure components that assembled together will deploy a complete environment ready to host an application. -For full details on Cloud Adoption Framework, refer to http://aka.ms/caf. For any idea, bug, please fill in an issue. You can also reach out to us on tf-landingzones at microsoft dot com. +For full details on Cloud Adoption Framework, refer to For any idea, bug, please fill in an issue. You can also reach out to us on tf-landingzones at microsoft dot com. ## Overview 
@@ -20,15 +20,15 @@ Examples of landing zones: ### Available landing zones -Currently we provide you with the following landing zones: +Currently we provide you with the following sample landing zones: -| Name | Purpose | Depends on | Tested with launchpad -| ------- | ---------------- | -- | -- | -| [landingzone_caf_foundations](./landingzones/landingzone_caf_foundations) | setup all the fundamentals for a subscription (logging, accounting, security.). You can find all details of the caf_foundations landing zone [Here](./landingzones/landingzone_caf_foundations/readme.md) | N/A | launchpad_opensource_light | -| [landingzone_hub_spoke](./landingzones/landingzone_hub_spoke) | example of [hub and spoke environment](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) documentation [here](./landingzones/landingzone_hub_spoke/readme.md) | landingzone_caf_foundations | launchpad_opensource_light | -| [landingzone_vdc_demo](./landingzones/landingzone_vdc_demo) | setup a demo environment of a hub-spoke topology including shared services, as well as various DMZ (ingress, egress, transit). You can find all details of the vdc_demo landing zone [Here](./landingzones/landingzone_vdc_demo/readme.md)| landingzone_caf_foundations | launchpad_opensource_light | -| [landingzone_secure_vnet_dmz](./landingzones/landingzone_secure_vnet_dmz) | (preview) this is an early implementation of the reference architecture [secure_vnet_dmz](https://docs.microsoft.com/en-gb/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). This is a work in progress used to illustrate landing zone creation process as described [here](./documentation/code_architecture/how_to_code_a_landingzone.md) . 
You can find all details of the secure vnet dmz landing zone [Here](./landingzones/landingzone_secure_vnet_dmz/readme.md)| landingzone_caf_foundations | launchpad_opensource_light | -| [landingzone_starter](./landingzones/landingzone_starter) | this is an empty landing zones to use as a template to develop a level 2 landing zone. You can find all details of the starter landing zone [Here](./landingzones/landingzone_starter/readme.md)| landingzone_caf_foundations | launchpad_opensource_light | +| Name | Purpose | Depends on | Tested with launchpad +| -------------------------------------------------------------------------- | ---------------- | -- | -- | +| [landingzone_caf_foundations](./landingzones/landingzone_caf_foundations) | setup all the fundamentals for a subscription (logging, accounting, security.). You can find all details of the caf_foundations landing zone [Here](./landingzones/landingzone_caf_foundations/readme.md) | N/A | launchpad_opensource_light, launchpad_opensource | +| [landingzone_hub_spoke](./landingzones/landingzone_hub_spoke) | example of [hub and spoke environment](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) documentation [here](./landingzones/landingzone_hub_spoke/readme.md) | landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource | +| [landingzone_vdc_demo](./landingzones/landingzone_vdc_demo) | setup a demo environment of a hub-spoke topology including shared services, as well as various DMZ (ingress, egress, transit). 
You can find all details of the vdc_demo landing zone [Here](./landingzones/landingzone_vdc_demo/readme.md)| landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource | +| [landingzone_secure_vnet_dmz](./landingzones/landingzone_secure_vnet_dmz) | (preview) this is an early implementation of the reference architecture [secure_vnet_dmz](https://docs.microsoft.com/en-gb/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). This is a work in progress used to illustrate landing zone creation process as described [here](./documentation/code_architecture/how_to_code_a_landingzone.md) . You can find all details of the secure vnet dmz landing zone [Here](./landingzones/landingzone_secure_vnet_dmz/readme.md)| landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource | +| [landingzone_starter](./landingzones/landingzone_starter) | this is an empty landing zones to use as a template to develop a level 2 landing zone. You can find all details of the starter landing zone [Here](./landingzones/landingzone_starter/readme.md)| landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource | ## Getting started @@ -44,9 +44,9 @@ In order to start deploying your with CAF landing zones, you need the following You can deploy it easily on Windows and MacOS with the following software managers: -MacOS | Windows | -------- | ---------------- -```brew cask install visual-studio-code docker```
```brew install git ``` | Install Chocolatey (https://chocolatey.org/docs/installation)
``` choco install git vscode docker-desktop ``` +| MacOS | Windows | +| ------ | ------- | +|```brew cask install visual-studio-code docker```
```brew install git ``` | Install Chocolatey (https://chocolatey.org/docs/installation)
``` choco install git vscode docker-desktop ``` | Once installed, open **Visual Studio Code** and install "**Remote Development**" extension as follow: ![RemoteDevelopment](./_pictures/caf_setup_remotedev.png) diff --git a/environments/integration-tests/landingzone_caf_foundations/landingzone_caf_foundations_westus2_cafrandom.tfvars b/environments/integration-tests/landingzone_caf_foundations/landingzone_caf_foundations_westus2_cafrandom.tfvars new file mode 100644 index 000000000..41ec103f7 --- /dev/null +++ b/environments/integration-tests/landingzone_caf_foundations/landingzone_caf_foundations_westus2_cafrandom.tfvars 
@@ -0,0 +1,112 @@ +# Sample Cloud Adoption Framework foundations landing zone + +## globalsettings +global_settings = { + #specifies the set of locations you are going to use in this landing zone + location_map = { + region1 = "westus2" + region2 = "eastasia" + } + + #naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough + convention = "cafrandom" + + #Set of tags for core operations + tags_hub = { + environment = "DEV" + owner = "CAF" + deploymentType = "Terraform" + costCenter = "1664" + BusinessUnit = "SHARED" + DR = "NON-DR-ENABLED" + } + + # Set of resource groups to land the blueprint + resource_groups_hub = { + HUB-CORE-SEC = { + name = "hub-core-sec" + location = "westus2" + } + HUB-OPERATIONS = { + name = "hub-operations" + location = "westus2" + } + } +} + +## accounting settings +accounting_settings = { + # Azure Subscription activity logs retention period + azure_activity_logs_name = "actlogs" + azure_activity_logs_event_hub = false + azure_activity_logs_retention = 365 + + # Azure diagnostics logs retention period + azure_diagnostics_logs_name = "diaglogs" + azure_diagnostics_logs_event_hub = false + + #Logging and monitoring + analytics_workspace_name = "caflalogs" + + ##Log analytics solutions to be deployed + solution_plan_map = { + NetworkMonitoring = { + "publisher" = "Microsoft" + "product" = "OMSGallery/NetworkMonitoring" + } + } +} + +## governance +governance_settings = { + #current code supports only two levels of managemenr groups and one root + deploy_mgmt_groups = false + management_groups = { + root = { + name = "caf-rootmgmtgroup" + subscriptions = [] + #list your subscriptions ID in this field as ["GUID1", "GUID2"] + children = { + child1 = { + name = "tree1child1" + subscriptions = [] + } + child2 = { + name = "tree1child2" + subscriptions = [] + } + child3 = { + name = "tree1child3" + subscriptions = [] + } + } + } + } + + policy_matrix = { + #autoenroll_asc 
= true - to be implemented via builtin policies + autoenroll_monitor_vm = false + autoenroll_netwatcher = false + + no_public_ip_spoke = false + cant_create_ip_spoke = false + managed_disks_only = false + restrict_locations = false + list_of_allowed_locs = ["southeastasia", "eastasia"] + restrict_supported_svc = false + list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"] + msi_location = "southeastasia" + } +} + +## security +security_settings = { + #Azure Security Center Configuration + enable_security_center = false + security_center = { + contact_email = "email@email.com" + contact_phone = "9293829328" + } + #Enables Azure Sentinel on the Log Analaytics repo + enable_sentinel = true +} diff --git a/environments/integration-tests/landingzone_caf_foundations/landingzone_caf_foundations_westus2_random.tfvars b/environments/integration-tests/landingzone_caf_foundations/landingzone_caf_foundations_westus2_random.tfvars new file mode 100644 index 000000000..87b0350c0 --- /dev/null +++ b/environments/integration-tests/landingzone_caf_foundations/landingzone_caf_foundations_westus2_random.tfvars 
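Review bot: `list_of_allowed_locs = ["southeastasia", "eastasia"]` and `msi_location = "southeastasia"` in the `policy_matrix` block leave out the `westus2` region that `location_map` and both `resource_groups_hub` entries deploy into, so flipping `restrict_locations = true` on this file would have the allowed-locations policy deny the landing zone's own resource groups. Either add `"westus2"` to the list or carry a comment that the list is deliberately out of sync while `restrict_locations` stays false. The `security_center` contacts `email@email.com` / `9293829328` are placeholders that are only inert because `enable_security_center = false`; a comment such as `# placeholder contacts - replace before enabling Security Center` would stop them being copied into a real environment. The comment `# Azure diagnostics logs retention period` precedes a block that sets no retention key, unlike the activity-logs block above it. The same points apply to landingzone_caf_foundations_westus2_random.tfvars, which differs only in `convention` and `solution_plan_map`.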
@@ -0,0 +1,112 @@ +# Sample Cloud Adoption Framework foundations landing zone + +## globalsettings +global_settings = { + #specifies the set of locations you are going to use in this landing zone + location_map = { + region1 = "westus2" + region2 = "eastasia" + } + + #naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough + convention = "random" + + #Set of tags for core operations + tags_hub = { + environment = "DEV" + owner = "CAF" + deploymentType = "Terraform" + costCenter = "1664" + BusinessUnit = "SHARED" + DR = "NON-DR-ENABLED" + } + + # Set of resource groups to land the blueprint + resource_groups_hub = { + HUB-CORE-SEC = { + name = "hub-core-sec" + location = "westus2" + } + HUB-OPERATIONS = { + name = "hub-operations" + location = "westus2" + } + } +} + +## accounting settings +accounting_settings = { + # Azure Subscription activity logs retention period + azure_activity_logs_name = "actlogs" + azure_activity_logs_event_hub = false + azure_activity_logs_retention = 365 + + # Azure diagnostics logs retention period + azure_diagnostics_logs_name = "diaglogs" + azure_diagnostics_logs_event_hub = false + + #Logging and monitoring + analytics_workspace_name = "caflalogs" + + ##Log analytics solutions to be deployed + solution_plan_map = { + KeyVaultAnalytics = { + "publisher" = "Microsoft" + "product" = "OMSGallery/KeyVaultAnalytics" + } + } +} + +## governance +governance_settings = { + #current code supports only two levels of managemenr groups and one root + deploy_mgmt_groups = false + management_groups = { + root = { + name = "caf-rootmgmtgroup" + subscriptions = [] + #list your subscriptions ID in this field as ["GUID1", "GUID2"] + children = { + child1 = { + name = "tree1child1" + subscriptions = [] + } + child2 = { + name = "tree1child2" + subscriptions = [] + } + child3 = { + name = "tree1child3" + subscriptions = [] + } + } + } + } + + policy_matrix = { + #autoenroll_asc = 
true - to be implemented via builtin policies + autoenroll_monitor_vm = false + autoenroll_netwatcher = false + + no_public_ip_spoke = false + cant_create_ip_spoke = false + managed_disks_only = false + restrict_locations = false + list_of_allowed_locs = ["southeastasia", "eastasia"] + restrict_supported_svc = false + list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"] + msi_location = "southeastasia" + } +} + +## security +security_settings = { + #Azure Security Center Configuration + enable_security_center = false + security_center = { + contact_email = "email@email.com" + contact_phone = "9293829328" + } + #Enables Azure Sentinel on the Log Analaytics repo + enable_sentinel = true +} diff --git a/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke.tfvars b/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke.tfvars new file mode 100644 index 000000000..c5fab03db --- /dev/null +++ b/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke.tfvars 
@@ -0,0 +1,265 @@ +# Configuration sample for a hub and spoke environment +# definition of variables for the virtual network +rg_network = { + CORE-NET = { + name = "network-core" + } + TRANSIT-NET = { + name = "network-transit" + } + EDGE-NET = { + name = "network-edge" + } +} + +# settings for the core network blueprint +core_networking = { + shared_services_vnet = { + vnet = { + name = "Core-Network" + address_space = ["10.0.0.0/8"] + } + specialsubnets = { + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet + cidr = "10.0.4.0/24" + } + GatewaySubnet = { + name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway + cidr = "10.0.255.224/27" + } + } + subnets = { + subnet0 = { + name = "Active_Directory" + cidr = "10.0.1.0/24" + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"], + ["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"], + ["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"], + ["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"], + ["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"], + ["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"], + ["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"], + ["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"], + ["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"], + ["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"], + ["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"], + ] + } + subnet1 = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = "10.0.0.128/25" + nsg_inbound = [ + ["bastion-in-allow", "100", "Inbound", "Allow", 
"tcp", "*", "443", "*", "*"], + ["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"], + ["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"], + ] + nsg_outbound = [ + ["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"], + ["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"], + ["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"], + ] + } + } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +# Settings for the public IP address to be used for Azure Firewall +# Must be standard and static for + firewall_ip_addr_config = { + ip_name = "firewall" + allocation_method = "Static" + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings for the Azure Firewall settings + az_fw_config = { + name = "azfw" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AzureFirewallApplicationRule", true, true, 30], + ["AzureFirewallNetworkRule", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings 
for the UDR object + udr_web_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "0.0.0.0/0" + route_name = "web_to_az_firewall" + subnet_to_udr = "Web_tier" + nexthop_ip = "" + } + udr_transit_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "10.0.1.0/24" + route_name = "transit_to_az_firewall" + subnet_to_udr = "GatewaySubnet" + nexthop_ip = "" + } + +## DDoS standard configuration + enable_ddos_standard = false + ddos_name = "ddos_protection_plan" + +## settings for Azure bastion configuration +## not enabled, uncomment the code in the networking shared services blueprint. + enable_bastion = true + bastion_ip_addr_config = { + ip_name = "bastion" + ip_addr = { + allocation_method = "Static" + #Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure + + #properties below are optional + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + #dns_prefix = "arnaudmytest" + #timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes. 
+ #zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing + #reverse_fqdn = "" + #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" + #refer to the prefix and check sku types are same in IP and prefix + } + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + bastion_config = { + name = "azurebastion" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["BastionAuditLogs", true, true, 30], + ] + metric = [ + # ["AllMetrics", true, true, 30], + ] + } + } + + +# Settings for the Virtual Network gateway to be created + provision_gateway = false + gateway_config = { + gateway_type = "VPN" + # Possible values are "VPN" or "ExpressRoute" + vpn_gateway_name = "vpngateway" + active_active = false + #An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false. + enable_bgp = false + #If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. + vpn_gateway_sku = "Basic" + #Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ + #and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku. + vpn_gateway_type = "RouteBased" + #The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. 
Defaults to RouteBased. + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["GatewayDiagnosticLog", true, true, 30], + ["TunnelDiagnosticLog", true, true, 30], + ["RouteDiagnosticLog", true, true, 30], + ["IKEDiagnosticLog", true, true, 30], + ["P2SDiagnosticLog", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + pip = { + name = "vpn" + allocation_method = "Dynamic" + sku = "Basic" + #For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU + #dns_prefix = "arnaudvpn" + #zones = ["1"] + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + } + +#Settings for the connection to be established +#Settings for the local network connection + connection_name = "onpremconnection" + remote_network_connect = true + + remote_network = { + gateway_name = "caf_local_network" + gateway_ip = "1.2.3.4" + gateway_adress_space = ["1.0.0.0/8"] + + bgp_settings = { + # asn = + # bgp_peering_address = + # peer_weight = + } + } + +##Settings for the Azure Key Vault + akv_config = { + name = "vpn-akv" + akv_features = { + enabled_for_disk_encryption = true + enabled_for_deployment = true + enabled_for_template_deployment = true + } + sku_name = "standard" + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AuditEvent", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } + } + +} \ No newline at end of file 
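Review bot: The `nsg_inbound` rules on the `Active_Directory` subnet (`subnet0`) allow LDAP, Kerberos, DNS, SMB 445 and the RPC dynamic range 49152-65535 with `source_address_prefix` set to `"*"`, i.e. any source, while the Bastion rules a few lines below already show the intended pattern of scoping by service tag (`GatewayManager`, `VirtualNetwork`). Scoping these sources to `"VirtualNetwork"` or the spoke CIDRs keeps the domain-controller ports reachable only from the hub/spoke address space and is a one-token change per rule, e.g. `["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "VirtualNetwork", "*"],`. Separately, the comment `## not enabled, uncomment the code in the networking shared services blueprint.` sits directly above `enable_bastion = true` and contradicts the value it describes, and `# Must be standard and static for` is cut off mid-sentence. `gateway_ip = "1.2.3.4"` together with `remote_network_connect = true` creates a local network gateway pointing at an address that is not the test environment's; it deserves a `# placeholder` comment or `remote_network_connect = false` for integration tests.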
diff --git a/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke_bastion.tfvars b/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke_bastion.tfvars
new file mode 100644
index 000000000..c5fab03db
--- /dev/null
+++ b/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke_bastion.tfvars
@@ -0,0 +1,265 @@ +# Configuration sample for a hub and spoke environment +# definition of variables for the virtual network +rg_network = { + CORE-NET = { + name = "network-core" + } + TRANSIT-NET = { + name = "network-transit" + } + EDGE-NET = { + name = "network-edge" + } +} + +# settings for the core network blueprint +core_networking = { + shared_services_vnet = { + vnet = { + name = "Core-Network" + address_space = ["10.0.0.0/8"] + } + specialsubnets = { + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet + cidr = "10.0.4.0/24" + } + GatewaySubnet = { + name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway + cidr = "10.0.255.224/27" + } + } + subnets = { + subnet0 = { + name = "Active_Directory" + cidr = "10.0.1.0/24" + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"], + ["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"], + ["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"], + ["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"], + ["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"], + ["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"], + ["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"], + ["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"], + ["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"], + ["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"], + ["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"], + ] + } + subnet1 = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = "10.0.0.128/25" + nsg_inbound = [ + ["bastion-in-allow", "100", "Inbound", "Allow", 
"tcp", "*", "443", "*", "*"], + ["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"], + ["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"], + ] + nsg_outbound = [ + ["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"], + ["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"], + ["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"], + ] + } + } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +# Settings for the public IP address to be used for Azure Firewall +# Must be standard and static for + firewall_ip_addr_config = { + ip_name = "firewall" + allocation_method = "Static" + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings for the Azure Firewall settings + az_fw_config = { + name = "azfw" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AzureFirewallApplicationRule", true, true, 30], + ["AzureFirewallNetworkRule", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings 
for the UDR object + udr_web_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "0.0.0.0/0" + route_name = "web_to_az_firewall" + subnet_to_udr = "Web_tier" + nexthop_ip = "" + } + udr_transit_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "10.0.1.0/24" + route_name = "transit_to_az_firewall" + subnet_to_udr = "GatewaySubnet" + nexthop_ip = "" + } + +## DDoS standard configuration + enable_ddos_standard = false + ddos_name = "ddos_protection_plan" + +## settings for Azure bastion configuration +## not enabled, uncomment the code in the networking shared services blueprint. + enable_bastion = true + bastion_ip_addr_config = { + ip_name = "bastion" + ip_addr = { + allocation_method = "Static" + #Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure + + #properties below are optional + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + #dns_prefix = "arnaudmytest" + #timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes. 
+ #zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing + #reverse_fqdn = "" + #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" + #refer to the prefix and check sku types are same in IP and prefix + } + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + bastion_config = { + name = "azurebastion" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["BastionAuditLogs", true, true, 30], + ] + metric = [ + # ["AllMetrics", true, true, 30], + ] + } + } + + +# Settings for the Virtual Network gateway to be created + provision_gateway = false + gateway_config = { + gateway_type = "VPN" + # Possible values are "VPN" or "ExpressRoute" + vpn_gateway_name = "vpngateway" + active_active = false + #An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false. + enable_bgp = false + #If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. + vpn_gateway_sku = "Basic" + #Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ + #and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku. + vpn_gateway_type = "RouteBased" + #The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. 
Defaults to RouteBased. + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["GatewayDiagnosticLog", true, true, 30], + ["TunnelDiagnosticLog", true, true, 30], + ["RouteDiagnosticLog", true, true, 30], + ["IKEDiagnosticLog", true, true, 30], + ["P2SDiagnosticLog", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + pip = { + name = "vpn" + allocation_method = "Dynamic" + sku = "Basic" + #For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU + #dns_prefix = "arnaudvpn" + #zones = ["1"] + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + } + +#Settings for the connection to be established +#Settings for the local network connection + connection_name = "onpremconnection" + remote_network_connect = true + + remote_network = { + gateway_name = "caf_local_network" + gateway_ip = "1.2.3.4" + gateway_adress_space = ["1.0.0.0/8"] + + bgp_settings = { + # asn = + # bgp_peering_address = + # peer_weight = + } + } + +##Settings for the Azure Key Vault + akv_config = { + name = "vpn-akv" + akv_features = { + enabled_for_disk_encryption = true + enabled_for_deployment = true + enabled_for_template_deployment = true + } + sku_name = "standard" + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AuditEvent", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } + } + +} \ No newline at end of file 
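Review bot: This file is byte-identical to landingzone_hub_spoke.tfvars — both headers carry the same new blob id `c5fab03db` — so the `_bastion` suffix adds nothing the workflow cannot get from the base file, and the two copies will drift the moment one is edited. If the intent is a bastion/no-bastion pair alongside landingzone_hub_spoke_no_bastion.tfvars, a one-line header comment naming the variant and the ci matrix entry that selects it would document that; otherwise one copy should go. The NSG source-prefix and stale-comment points raised on landingzone_hub_spoke.tfvars apply here unchanged.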
diff --git a/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke_no_bastion.tfvars b/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke_no_bastion.tfvars
new file mode 100644
index 000000000..6bc7ee95e
--- /dev/null
+++ b/environments/integration-tests/landingzone_hub_spoke/landingzone_hub_spoke_no_bastion.tfvars
@@ -0,0 +1,265 @@ +# Configuration sample for a hub and spoke environment +# definition of variables for the virtual network +rg_network = { + CORE-NET = { + name = "network-core" + } + TRANSIT-NET = { + name = "network-transit" + } + EDGE-NET = { + name = "network-edge" + } +} + +# settings for the core network blueprint +core_networking = { + shared_services_vnet = { + vnet = { + name = "Core-Network" + address_space = ["10.0.0.0/8"] + } + specialsubnets = { + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet + cidr = "10.0.4.0/24" + } + GatewaySubnet = { + name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway + cidr = "10.0.255.224/27" + } + } + subnets = { + subnet0 = { + name = "Active_Directory" + cidr = "10.0.1.0/24" + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"], + ["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"], + ["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"], + ["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"], + ["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"], + ["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"], + ["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"], + ["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"], + ["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"], + ["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"], + ["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"], + ] + } + subnet1 = { + name = "AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = "10.0.0.128/25" + nsg_inbound = [ + ["bastion-in-allow", "100", "Inbound", "Allow", 
"tcp", "*", "443", "*", "*"], + ["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"], + ["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"], + ] + nsg_outbound = [ + ["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"], + ["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"], + ["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"], + ] + } + } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +# Settings for the public IP address to be used for Azure Firewall +# Must be standard and static for + firewall_ip_addr_config = { + ip_name = "firewall" + allocation_method = "Static" + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings for the Azure Firewall settings + az_fw_config = { + name = "azfw" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AzureFirewallApplicationRule", true, true, 30], + ["AzureFirewallNetworkRule", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings 
for the UDR object + udr_web_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "0.0.0.0/0" + route_name = "web_to_az_firewall" + subnet_to_udr = "Web_tier" + nexthop_ip = "" + } + udr_transit_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "10.0.1.0/24" + route_name = "transit_to_az_firewall" + subnet_to_udr = "GatewaySubnet" + nexthop_ip = "" + } + +## DDoS standard configuration + enable_ddos_standard = false + ddos_name = "ddos_protection_plan" + +## settings for Azure bastion configuration +## not enabled, uncomment the code in the networking shared services blueprint. + enable_bastion = false + bastion_ip_addr_config = { + ip_name = "bastion" + ip_addr = { + allocation_method = "Static" + #Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure + + #properties below are optional + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + #dns_prefix = "arnaudmytest" + #timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes. 
+ #zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing + #reverse_fqdn = "" + #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" + #refer to the prefix and check sku types are same in IP and prefix + } + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + bastion_config = { + name = "azurebastion" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["BastionAuditLogs", true, true, 30], + ] + metric = [ + # ["AllMetrics", true, true, 30], + ] + } + } + + +# Settings for the Virtual Network gateway to be created + provision_gateway = false + gateway_config = { + gateway_type = "VPN" + # Possible values are "VPN" or "ExpressRoute" + vpn_gateway_name = "vpngateway" + active_active = false + #An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false. + enable_bgp = false + #If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. + vpn_gateway_sku = "Basic" + #Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ + #and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku. + vpn_gateway_type = "RouteBased" + #The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. 
Defaults to RouteBased. + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["GatewayDiagnosticLog", true, true, 30], + ["TunnelDiagnosticLog", true, true, 30], + ["RouteDiagnosticLog", true, true, 30], + ["IKEDiagnosticLog", true, true, 30], + ["P2SDiagnosticLog", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + pip = { + name = "vpn" + allocation_method = "Dynamic" + sku = "Basic" + #For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU + #dns_prefix = "arnaudvpn" + #zones = ["1"] + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + } + +#Settings for the connection to be established +#Settings for the local network connection + connection_name = "onpremconnection" + remote_network_connect = true + + remote_network = { + gateway_name = "caf_local_network" + gateway_ip = "1.2.3.4" + gateway_adress_space = ["1.0.0.0/8"] + + bgp_settings = { + # asn = + # bgp_peering_address = + # peer_weight = + } + } + +##Settings for the Azure Key Vault + akv_config = { + name = "vpn-akv" + akv_features = { + enabled_for_disk_encryption = true + enabled_for_deployment = true + enabled_for_template_deployment = true + } + sku_name = "standard" + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AuditEvent", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } + } + +} \ No newline at end of file 
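Review bot: The Active_Directory subnet's NSG inbound rules (subnet0 under core_networking.shared_services_vnet.subnets) use `"*"` as source_address_prefix for domain-controller ports (135, 389, 445, 88, 53, 49152-65535), so any source that can reach the subnet — including the Internet if a NIC there ever gets a public IP or a firewall DNAT — is allowed straight through; scope them to the VNet, e.g. `["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "VirtualNetwork", "*"],` and the same source for the other rows. This file is named `_no_bastion` and sets `enable_bastion = false`, yet it still declares AzureBastionSubnet (subnet1) with its NSG and a full `bastion_ip_addr_config`; if the blueprint creates the subnet regardless of the flag, that is an idle /25 with 443 open from `*`, so either drop subnet1 here or add a comment explaining why it stays. The `remote_network` block routes all of `1.0.0.0/8` toward the placeholder peer `1.2.3.4`, which is inert while `provision_gateway = false`, but a comment such as `# placeholder peer and prefix - replace before enabling provision_gateway` would keep it from being copied into a real environment.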
diff --git a/environments/integration-tests/landingzone_secure_vnet_dmz/landingzone_secure_vnet_dmz.tfvars b/environments/integration-tests/landingzone_secure_vnet_dmz/landingzone_secure_vnet_dmz.tfvars
new file mode 100644
index 000000000..34561f840
--- /dev/null
+++ b/environments/integration-tests/landingzone_secure_vnet_dmz/landingzone_secure_vnet_dmz.tfvars
@@ -0,0 +1,337 @@ +# definition of variables for the virtual network +rg_network = { + CORE-NET = { + name = "-network-core" + } + TRANSIT-NET = { + name = "-network-transit" + } + EDGE-NET = { + name = "-network-edge" + } +} + +# settings for the core network blueprint +core_networking = { + shared_services_vnet = { + vnet = { + name = "Core-Network" + address_space = ["10.0.0.0/8"] + } + specialsubnets = { + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet + cidr = "10.0.4.0/24" + } + GatewaySubnet = { + name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway + cidr = "10.0.255.224/27" + } + } + subnets = { + subnet0 = { + name = "Web_tier" + cidr = "10.0.1.0/24" + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["HTTP-In", "100", "Inbound", "Allow", "tcp", "*", "80", "*", "*"], + ["HTTPS-In", "101", "Inbound", "Allow", "tcp", "*", "443", "*", "*"], + ] + } + subnet1 = { + name = "Business_tier" + cidr = "10.0.2.0/24" + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["HTTP-In", "100", "Inbound", "Allow", "tcp", "*", "80", "*", "*"], + ["HTTPS-In", "101", "Inbound", "Allow", "tcp", "*", "443", "*", "*"], + ] + nsg_outbound = [ + ["HTTP-Out", "100", "Outbound", "Allow", "tcp", "*", "80", "*", "*"], + ["HTTPS-Out", "101", "Outbound", "Allow", "tcp", "*", "443", "*", "*"], + ] + } + subnet2 = { + name = "Data_tier" + cidr = "10.0.3.0/24" + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["TDS-In", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"], + ] + } + subnet3 = { + name = 
"AzureBastionSubnet" #Must be called AzureBastionSubnet + cidr = "10.0.0.128/25" + nsg_inbound = [ + ["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"], + ["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"], + ["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"], + ] + nsg_outbound = [ + ["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"], + ["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"], + ["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"], + ] + } + } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +# Settings for the public IP address to be used for Azure Firewall +# Must be standard and static for + ip_addr_config = { + ip_name = "firewall" + allocation_method = "Static" + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings for the Azure Firewall settings + az_fw_config = { + name = "azfw" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AzureFirewallApplicationRule", 
true, true, 30], + ["AzureFirewallNetworkRule", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + +# Settings for the UDR object + udr_web_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "0.0.0.0/0" + route_name = "web_to_az_firewall" + subnet_to_udr = "Web_tier" + nexthop_ip = "" + } + udr_transit_to_az_firewall = { + nexthop_type = "VirtualAppliance" + prefix = "10.0.1.0/24" + route_name = "transit_to_az_firewall" + subnet_to_udr = "GatewaySubnet" + nexthop_ip = "" + } + +## DDoS standard configuration + enable_ddos_standard = false + ddos_name = "ddos_protection_plan" + +## settings for Azure bastion configuration +## not enabled, uncomment the code in the networking shared services blueprint. + enable_bastion = false + bastion_ip_addr_config = { + ip_name = "bastion" + ip_addr = { + allocation_method = "Static" + #Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure + + #properties below are optional + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + #dns_prefix = "arnaudmytest" + #timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes. 
+ #zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing + #reverse_fqdn = "" + #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" + #refer to the prefix and check sku types are same in IP and prefix + } + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + bastion_config = { + name = "azurebastion" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["BastionAuditLogs", true, true, 30], + ] + metric = [ + # ["AllMetrics", true, true, 30], + ] + } + } + +# Settings for the Virtual Network gateway to be created + provision_gateway = false + gateway_config = { + gateway_type = "VPN" + # Possible values are "VPN" or "ExpressRoute" + vpn_gateway_name = "vpngateway" + active_active = false + #An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false. + enable_bgp = false + #If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. + vpn_gateway_sku = "Basic" + #Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ + #and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku. + vpn_gateway_type = "RouteBased" + #The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. 
Defaults to RouteBased. + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["GatewayDiagnosticLog", true, true, 30], + ["TunnelDiagnosticLog", true, true, 30], + ["RouteDiagnosticLog", true, true, 30], + ["IKEDiagnosticLog", true, true, 30], + ["P2SDiagnosticLog", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + pip = { + name = "vpn" + allocation_method = "Dynamic" + sku = "Basic" + #For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU + #dns_prefix = "arnaudvpn" + #zones = ["1"] + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } + } + } + +#Settings for the connection to be established +#Settings for the local network connection + connection_name = "onpremconnection" + remote_network_connect = true + + remote_network = { + gateway_name = "caf_local_network" + gateway_ip = "1.2.3.4" + gateway_adress_space = ["1.0.0.0/8"] + + bgp_settings = { + # asn = + # bgp_peering_address = + # peer_weight = + } + } + +##Settings for the Azure Key Vault + akv_config = { + name = "vpn-akv" + akv_features = { + enabled_for_disk_encryption = true + enabled_for_deployment = true + enabled_for_template_deployment = true + } + sku_name = "standard" + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AuditEvent", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } + } + +} + +# configuration for 
application sets +rg_app = { + web_tier = { + name = "-app-frontend" + } + app_tier = { + name = "-app-application" + } + db_tier = { + name = "-app-database" + } +} + +web_tier = { + as = { + name = "as-web" + tags = { + tier = "web" + } + } + lb = { + name = "ilb-web" + frontend_name = "PrivateIPAddress-ilb-web" + tags = { + tier = "web" + } + } +} + +app_tier = { + as = { + name = "as-app" + tags = { + tier = "app" + } + } + lb = { + name = "ilb-app" + frontend_name = "PrivateIPAddress-ilb-app" + tags = { + tier = "app" + } + } +} + +db_tier = { + as = { + name = "as-db" + tags = { + tier = "db" + } + } + lb = { + name = "ilb-app" + frontend_name = "PrivateIPAddress-ilb-db" + tags = { + tier = "db" + } + } +} + diff --git a/environments/integration-tests/landingzone_starter/landingzone_starter.tfvars b/environments/integration-tests/landingzone_starter/landingzone_starter.tfvars new file mode 100644 index 000000000..c4c88a5ba --- /dev/null +++ b/environments/integration-tests/landingzone_starter/landingzone_starter.tfvars @@ -0,0 +1 @@ +# nothing \ No newline at end of file diff --git a/environments/integration-tests/landingzone_vdc_demo/landingzone_vdc_demo.tfvars b/environments/integration-tests/landingzone_vdc_demo/landingzone_vdc_demo.tfvars new file mode 100644 index 000000000..1486782a7 --- /dev/null +++ b/environments/integration-tests/landingzone_vdc_demo/landingzone_vdc_demo.tfvars 
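Review bot: The tiering in `core_networking.shared_services_vnet.subnets` is not enforced by the NSGs: Business_tier (subnet1) accepts 80/443 and Data_tier (subnet2) accepts 1433 with source_address_prefix `"*"`, so the web tier is not the only path into the app tier and any host, not just the business tier, can reach SQL. Restrict each tier's inbound rules to the adjacent tier's CIDR, e.g. `["TDS-In", "100", "Inbound", "Allow", "tcp", "*", "1433", "10.0.2.0/24", "*"],` for Data_tier and `"10.0.1.0/24"` as the source of the two Business_tier inbound rules. Separately, `db_tier.lb.name` is `"ilb-app"`, identical to `app_tier.lb.name`, while its `frontend_name` is `PrivateIPAddress-ilb-db`; this looks like a copy-paste slip and should read `name = "ilb-db"`. Also, `udr_transit_to_az_firewall` sends `10.0.1.0/24` from GatewaySubnet to `nexthop_ip = ""`, so the firewall address must be filled in by the blueprint — a comment stating that (`# nexthop_ip is populated from the Azure Firewall private IP by the blueprint`) would make the empty value intentional rather than suspicious.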
@@ -0,0 +1,400 @@ +# settings for the shared network blueprint +resource_groups_shared_services = { + HUB-CORE-NET = { + name = "-hub-network-shared" + location = "southeastasia" + } +} + +enable_ddos_standard = false +ddos_name = "ddos_protection_plan" + +shared_services_vnet = { + vnet = { + name = "Shared-Services" + address_space = ["10.101.4.0/22"] + dns = [] + } + specialsubnets = { + } + subnets = { + subnet0 = { + name = "Critical_Applications" + cidr = "10.101.4.0/25" + service_endpoints = [] + nsg_inbound = [] + nsg_outbound = [] + } + subnet1 = { + name = "Active_Directory" + cidr = "10.101.4.128/27" + service_endpoints = [] + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["LDAP", "100", "Inbound", "Allow", "*", "*", "389", "*", "*"], + ["RPC-EPM", "102", "Inbound", "Allow", "tcp", "*", "135", "*", "*"], + ["SMB-In", "103", "Inbound", "Allow", "tcp", "*", "445", "*", "*"], + ] + nsg_outbound = [ + ["o-LDAP-t", "100", "Outbound", "Allow", "*", "*", "389", "*", "*"], + ["o-SMB-In", "103", "Outbound", "Allow", "tcp", "*", "445", "*", "*"], + ] + } + subnet2 = { + name = "SQL_Servers" + cidr = "10.101.4.160/27" + service_endpoints = [] + nsg_inbound = [ + # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" }, + ["TDS-In", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"], + ] + nsg_outbound = [] + } + subnet4 = { + name = "AzureBastionSubnet" + cidr = "10.101.4.192/27" + service_endpoints = [] + nsg_inbound = [ + ["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"], + ["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"], + ["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"], + ] + 
nsg_outbound = [ + ["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"], + ["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"], + ["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"], + ] + } + } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +## settings for Azure bastion configuration +## not enabled, uncomment the code in the networking shared services blueprint. +enable_bastion = true +bastion_config = { + name = "azurebastion" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["BastionAuditLogs", true, true, 30], + ] + metric = [ + # ["AllMetrics", true, true, 30], + ] + } + ip_name = "caf-pip-bastion" + ip_addr = { + allocation_method = "Static" + #Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure + + #properties below are optional + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + #dns_prefix = "arnaudmytest" + #timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes. 
+ #zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing + #reverse_fqdn = "" + #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" + #refer to the prefix and check sku types are same in IP and prefix + } + ip_diags = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } +} + + +# settings for the shared egress blueprint +resource_groups_shared_egress = { + HUB-EGRESS-NET = { + name = "-hub-network-egress" + location = "southeastasia" + } +} + +# Settings for the shared services egress vnet - note that Azure Firewall subnet must be at least /26 +networking_egress = { + vnet = { + name = "Shared-Egress" + address_space = ["10.0.0.0/25"] + dns = ["192.168.0.16", "192.168.0.64"] + } + specialsubnets = { + AzureFirewallSubnet = { + name = "AzureFirewallSubnet" + cidr = "10.0.0.0/26" + service_endpoints = [] + } + } + subnets = { + subnet1 = { + name = "Network_Monitoring" + cidr = "10.0.0.64/26" + service_endpoints = [] + nsg_inbound = [] + nsg_outbound = [] + } + } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +# Settings for the public IP address to be used for egress +# Must be standard and static for Azure Firewall +ip_addr_config = { + ip_name = "caf-pip-egress" + allocation_method = "Static" + #Dynamic Public IP 
Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure + + #properties below are optional + sku = "Standard" #defaults to Basic + ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both + #dns_prefix = "arnaudmytest" + #timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes. + #zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing + #reverse_fqdn = "" + #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" + #refer to the prefix and check sku types are same in IP and prefix + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } +} + +# Settings for the Azure Firewall settings +az_fw_config = { + name = "az-fw-caf" + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AzureFirewallApplicationRule", true, true, 30], + ["AzureFirewallNetworkRule", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } +} + +# Settings for the UDR object +udr_object = { + nexthop_type = "VirtualAppliance" + prefix = "0.0.0.0/0" + route_name = "myWay" + subnets_to_udr = "" + nexthop_ip = "" +} + +# settings for the transit network blueprint + +#resource group creation +resource_groups_shared_transit = { + HUB-NET-TRANSIT = { + name = "-hub-network-transit" + location = "southeastasia" + } +} + +# Settings for the shared services egress vnet 
+networking_transit = { + vnet = { + name = "Shared-Transit" + address_space = ["172.16.0.0/23"] + dns = ["192.168.0.16", "192.168.0.64"] + } + specialsubnets = { + GatewaySubnet = { + name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway + cidr = "172.16.0.0/24" + service_endpoints = [] + } + } + subnets = { + subnet1 = { + name = "NetworkMonitoring" + cidr = "172.16.1.0/24" + service_endpoints = [] + nsg_inbound = [] + nsg_outbound = [] + } + } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["VMProtectionAlerts", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +# Settings for the public IP address to be used for egress +public_ip_addr = { + name = "caf-pip-vpn" + allocation_method = "Dynamic" + sku = "Basic" + #For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU + #dns_prefix = "arnaudvpn" + #zones = ["1"] + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["DDoSProtectionNotifications", true, true, 30], + ["DDoSMitigationFlowLogs", true, true, 30], + ["DDoSMitigationReports", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } +} + +# Settings for the Virtual Network gateway to be created +provision_gateway = false +gateway_config = { + gateway_type = "VPN" + # Possible values are "VPN" or "ExpressRoute" + vpn_gateway_name = "mygateway" + active_active = false + #An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false. 
+ enable_bgp = false + #If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. + vpn_gateway_sku = "Basic" + #Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ + #and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku. + vpn_gateway_type = "RouteBased" + #The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased. + diagnostics = { + log = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["GatewayDiagnosticLog", true, true, 30], + ["TunnelDiagnosticLog", true, true, 30], + ["RouteDiagnosticLog", true, true, 30], + ["IKEDiagnosticLog", true, true, 30], + ["P2SDiagnosticLog", true, true, 30], + ] + metric = [ + ["AllMetrics", true, true, 30], + ] + } +} + + +#Settings for the connection to be established +#Settings for the local network connection +connection_name = "onpremconnection" +remote_network_connect = true + +remote_network = { + gateway_name = "caf_local_network" + gateway_ip = "1.2.3.4" + gateway_adress_space = ["1.0.0.0/8"] +} + +##Settings for the Azure Key Vault + +akv_config = { + name = "techakv" + akv_features = { + enabled_for_disk_encryption = true + enabled_for_deployment = true + enabled_for_template_deployment = true + } + sku_name = "premium" + # network_acls = { + # bypass = "AzureServices" + # default_action = "Deny" + # } + diagnostics = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AuditEvent", true, true, 60], + ] + metric = [ + #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 60], + ] + } +} + +# settings for the operations blueprint + +# 
#Azure Site Recovery Configuration +asr_config = { + asr_vault_name = "asr" + asr_diags = { + log_analytics_destination_type = "Dedicated" + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AzureBackupReport", true, true, 30], + ["CoreAzureBackup", true, true, 30], + ["AddonAzureBackupAlerts", true, true, 30], + ["AddonAzureBackupJobs", true, true, 30], + ["AddonAzureBackupPolicy", true, true, 30], + ["AddonAzureBackupProtectedInstance", true, true, 30], + ["AddonAzureBackupStorage", true, true, 30], + ["AzureSiteRecoveryJobs", true, true, 30], + ["AzureSiteRecoveryEvents", true, true, 30], + ["AzureSiteRecoveryReplicatedItems", true, true, 30], + ["AzureSiteRecoveryReplicationStats", true, true, 30], + ["AzureSiteRecoveryRecoveryPoints", true, true, 30], + ["AzureSiteRecoveryReplicationDataUploadRate", true, true, 30], + ["AzureSiteRecoveryProtectedDiskDataChurn", true, true, 30], + ] + metric = [ + #["AllMetrics", 60, True], + ] +} +} + + +#Azure Automation account name +auto_config = { + auto_account = "azauto" + auto_diags = { + log = [ + # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["JobLogs", true, true, 30], + ["JobStreams", true, true, 30], + ["DscNodeStatus", true, true, 30], + ] + metric = [ + # ["Category name", "Metric Enabled(true/false)", "Retention Enabled(true/false)", Retention_period] + ["AllMetrics", true, true, 30], + ] + } +} \ No newline at end of file diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/main.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/main.tf index b1c79e7d9..6a90a876d 100644 --- a/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/main.tf +++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/main.tf 
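Review bot: `akv_config` for the `techakv` vault leaves `network_acls` commented out, so the vault is reachable from any network while `enabled_for_deployment`, `enabled_for_disk_encryption` and `enabled_for_template_deployment` are all true; if the blueprint accepts the block (the commented keys suggest it does), enable it with `bypass = "AzureServices"` and `default_action = "Deny"` plus `virtual_network_subnet_ids` for the subnets that need access. The comment above `enable_bastion = true` still reads "not enabled, uncomment the code in the networking shared services blueprint", which contradicts the value; replace it with `## Azure Bastion is enabled for this demo (see the networking shared services blueprint)`. The Active_Directory subnet (subnet1) admits LDAP 389, RPC 135 and SMB 445 from source `"*"`, the same over-broad pattern as the hub-spoke samples; use `"VirtualNetwork"` as the source prefix. `networking_egress.vnet.dns` and `networking_transit.vnet.dns` point at `192.168.0.16`/`192.168.0.64`, which lie outside every address space declared in this file, so name resolution in those VNets depends on an on-premises link that `provision_gateway = false` does not build — confirm this is intended for the integration test and note it in a comment.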
@@ -18,5 +18,5 @@ locals {
 blueprint_tag = {
 "blueprint" = basename(abspath(path.module))
 }
- tags = merge(var.tags_hub,local.blueprint_tag)
+ tags = merge(var.tags, var.tags_hub,local.blueprint_tag)
 }
\ No newline at end of file
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/variable.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/variable.tf
index 724a23c9d..5458fb7af 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/variable.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_accounting/variable.tf
@@ -39,6 +39,7 @@ variable "tags_hub" {
 description = "map of the tags to be applied"
 type = map(string)
 }
+variable "tags" {}
 variable "convention" {
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/main.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/main.tf
index 40872623c..624bc8759 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/main.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/main.tf
@@ -21,5 +21,5 @@ locals {
 blueprint_tag = {
 "blueprint" = basename(abspath(path.module))
 }
- tags = merge(var.tags_hub,local.blueprint_tag)
+ tags = merge(var.tags, var.tags_hub,local.blueprint_tag)
 }
\ No newline at end of file
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/builtin/enable_az_monitor.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/builtin/enable_az_monitor.tf
index 4835baec5..2091b2dea 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/builtin/enable_az_monitor.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/builtin/enable_az_monitor.tf
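Review bot: `+variable "tags" {}` in blueprint_foundations_accounting/variable.tf carries no type, description or default, while the `tags_hub` declaration two context lines above it has `type = map(string)` and a description, so a caller passing a non-map value is only rejected inside the `merge()` in main.tf rather than at the module boundary. Declaring it like its neighbour, with `type = map(string)`, `default = {}` and a description, keeps existing callers that omit the argument working and makes the contract explicit. The identical bare declaration is added further down in blueprint_foundations_governance/variable.tf and blueprint_foundations_security/variable.tf.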
@@ -1,13 +1,13 @@
 #Definition ID: providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a
-#Name: [Preview]: Enable Azure Monitor for VMs
+#Name: Enable Azure Monitor for VMs
 resource "azurerm_policy_assignment" "vm_auto_monitor" {
 count = var.policies_matrix.autoenroll_monitor_vm ? 1 : 0
 name = "vm_auto_monitor"
 scope = var.scope
- policy_definition_id = "providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
+ policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
 description = "Policy Assignment with Terraform"
- display_name = "TF Deploy Azure Monitor for VM"
+ display_name = "TF Enable Azure Monitor for VMs"
 location = var.policies_matrix.msi_location
 identity {
 type = "SystemAssigned"
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/create_pip.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/create_pip.tf
index c07ce55b6..500b890e8 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/create_pip.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/create_pip.tf
@@ -1,5 +1,6 @@
 resource "azurerm_policy_definition" "deny_publicip_spoke" {
+ count = var.policies_matrix.cant_create_ip_spoke ? 1 : 0
 name = "pol-deny-publicip-creation"
 policy_type = "Custom"
 mode = "Indexed"
@@ -23,7 +24,7 @@ resource "azurerm_policy_assignment" "deny-publicip-spoke" {
 count = var.policies_matrix.cant_create_ip_spoke ? 1 : 0
 name = "deny-publicip-spoke"
 scope = var.scope
- policy_definition_id = azurerm_policy_definition.deny_publicip_spoke.id
+ policy_definition_id = azurerm_policy_definition.deny_publicip_spoke[0].id
 description = "Policy Assignment for deny public IP creatin in spokes"
 display_name = "TF Deny public IP in spoke"
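Review bot: The first context line of enable_az_monitor.tf still reads `#Definition ID: providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a`, without the leading slash that the new `policy_definition_id` value adds, so the comment now disagrees with the ID the assignment actually uses. Update it to `#Definition ID: /providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a` so the two stay in step. The resource block continues past the end of the hunk.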
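Review bot: In create_pip.tf the new `azurerm_policy_definition.deny_publicip_spoke[0].id` index is only valid because the `count` added to the definition uses the same `var.policies_matrix.cant_create_ip_spoke` expression as the assignment, and nothing records that coupling. A comment above the definition's `count` line, such as `# gated by the same flag as the assignment below, which indexes this resource with [0]`, would stop a later edit from changing one condition without the other. The same pattern is introduced in pip_on_nic.tf with `no_public_ip_spoke`; both resource blocks run past the hunk boundaries.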
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/pip_on_nic.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/pip_on_nic.tf
index 2ad1ee9c1..a0021ed86 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/pip_on_nic.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/policies/custom/pip_on_nic.tf
@@ -1,5 +1,6 @@
 resource "azurerm_policy_definition" "deny_publicips_on_nics" {
+ count = var.policies_matrix.no_public_ip_spoke ? 1 : 0
 name = "pol-deny-publicips-on-nics"
 policy_type = "Custom"
 mode = "Indexed"
@@ -31,7 +32,7 @@ resource "azurerm_policy_assignment" "publicIP-deny-on-nics" {
 count = var.policies_matrix.no_public_ip_spoke ? 1 : 0
 name = "deny-publicip-on-nics"
 scope = var.scope
- policy_definition_id = azurerm_policy_definition.deny_publicips_on_nics.id
+ policy_definition_id = azurerm_policy_definition.deny_publicips_on_nics[0].id
 description = "Policy Assignment for deny public IP on NICs"
 display_name = "TF Deny public IP assignment on NICs"
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/variable.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/variable.tf
index e0b196551..0e9d16370 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/variable.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_governance/variable.tf
@@ -12,3 +12,4 @@ variable "log_analytics" {
 }
 variable "tags_hub" {}
+variable "tags" {}
\ No newline at end of file
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_security/main.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_security/main.tf
index b1c79e7d9..6a90a876d 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_security/main.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_security/main.tf
@@ -18,5 +18,5 @@ locals {
 blueprint_tag = {
 "blueprint" = basename(abspath(path.module))
 }
- tags = merge(var.tags_hub,local.blueprint_tag)
+ tags = merge(var.tags, var.tags_hub,local.blueprint_tag)
 }
\ No newline at end of file
diff --git a/landingzones/landingzone_caf_foundations/blueprint_foundations_security/variable.tf b/landingzones/landingzone_caf_foundations/blueprint_foundations_security/variable.tf
index 7b5addc42..52945101e 100644
--- a/landingzones/landingzone_caf_foundations/blueprint_foundations_security/variable.tf
+++ b/landingzones/landingzone_caf_foundations/blueprint_foundations_security/variable.tf
@@ -9,6 +9,8 @@ variable "tags_hub" {
 }
+variable "tags" {}
+
 variable "log_analytics" {
 }
diff --git a/landingzones/landingzone_caf_foundations/foundations.tf b/landingzones/landingzone_caf_foundations/foundations.tf
index 96161d603..16a2c00d9 100644
--- a/landingzones/landingzone_caf_foundations/foundations.tf
+++ b/landingzones/landingzone_caf_foundations/foundations.tf
@@ -3,7 +3,7 @@ module "blueprint_foundations_accounting" {
 source = "./blueprint_foundations_accounting/"
 prefix = local.prefix
-
+ tags = var.tags
 location = var.global_settings.location_map.region1
 tags_hub = var.global_settings.tags_hub
 resource_groups_hub = var.global_settings.resource_groups_hub
@@ -15,6 +15,7 @@ module "blueprint_foundations_accounting" {
 module "blueprint_foundations_security" {
 source = "./blueprint_foundations_security/"
+ tags = var.tags
 location = var.global_settings.location_map.region1
 tags_hub = var.global_settings.tags_hub
 resource_groups_hub = module.blueprint_foundations_accounting.resource_group_operations
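Review bot: The three new `tags = var.tags` module arguments in foundations.tf pass the raw input variable, so the `landingzone` tag that this same commit composes into `local.tags` in landingzones/landingzone_caf_foundations/main.tf never reaches the blueprint modules and that local is left unused. Each of the three lines should read `tags = local.tags`. The same mismatch appears in landingzones/landingzone_hub_spoke/hub_network.tf, where `module "hub_network"` also receives `tags = var.tags` while its root main.tf builds `local.tags` in the same way. The module blocks continue outside the hunks.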
@@ -26,6 +27,7 @@ module "blueprint_foundations_security" {
 module "blueprint_foundations_governance" {
 source = "./blueprint_foundations_governance/"
+ tags = var.tags
 tags_hub = var.global_settings.tags_hub
 location = var.global_settings.location_map.region1
 log_analytics = module.blueprint_foundations_accounting.log_analytics_workspace
diff --git a/landingzones/landingzone_caf_foundations/main.tf b/landingzones/landingzone_caf_foundations/main.tf
index 2148270af..0b037ca89 100644
--- a/landingzones/landingzone_caf_foundations/main.tf
+++ b/landingzones/landingzone_caf_foundations/main.tf
@@ -1,5 +1,5 @@
 provider "azurerm" {
- version = "~>2.4.0"
+ version = "~>2.9.0"
 features {}
 }
@@ -12,6 +12,13 @@ terraform {
 }
 }
+locals {
+ landingzone_tag = {
+ "landingzone" = basename(abspath(path.module))
+ }
+ tags = merge(var.tags, local.landingzone_tag)
+}
+
 data "terraform_remote_state" "level0_launchpad" {
 backend = "azurerm"
 config = {
diff --git a/landingzones/landingzone_caf_foundations/readme.md b/landingzones/landingzone_caf_foundations/readme.md
index 0e6ffde97..a7486712e 100644
--- a/landingzones/landingzone_caf_foundations/readme.md
+++ b/landingzones/landingzone_caf_foundations/readme.md
@@ -5,6 +5,8 @@ The foundation landing zone sets the basics of operations, accounting and auditi
 ## Foundations architecture diagram
 ![Foundations blueprint overview](../../_pictures/caf_foundations/foundations_overall.png)
+For an explanation on the purposes of the components in this foundational landing zone, please have a look at this specific Cloud Adoption Framework documentation: [Use Terraform to build your landing zones](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/terraform-landing-zone).
+
 ## Getting Started
 To deploy a landingzone, refer to the setup instructions here: https://github.com/aztfmod/landingzones
diff --git a/landingzones/landingzone_caf_foundations/variables.tf b/landingzones/landingzone_caf_foundations/variables.tf
index 3d2e7dff6..f2a6c90b8 100644
--- a/landingzones/landingzone_caf_foundations/variables.tf
+++ b/landingzones/landingzone_caf_foundations/variables.tf
@@ -3,6 +3,10 @@ variable "lowerlevel_storage_account_name" {}
 variable "lowerlevel_container_name" {}
 variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
 variable "lowerlevel_resource_group_name" {}
+variable "tags" {
+ type = map
+ default = {}
+}
 variable "global_settings" {}
 variable "accounting_settings" {}
diff --git a/landingzones/landingzone_hub_spoke/hub_network.sandpit.auto.tfvars b/landingzones/landingzone_hub_spoke/hub_network.sandpit.auto.tfvars
index 7fd1d9318..20a01cf04 100644
--- a/landingzones/landingzone_hub_spoke/hub_network.sandpit.auto.tfvars
+++ b/landingzones/landingzone_hub_spoke/hub_network.sandpit.auto.tfvars
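Review bot: `type = map` on the new `variable "tags"` block is the legacy shorthand for `map(any)`, so it accepts any element type and a value such as a nested object slips through to the `merge()` in main.tf without the tag values being guaranteed to be strings. `type = map(string)` would match the `tags_hub` declarations in the child modules and what the provider accepts for resource tags; a short description line would also help since this is the only documented entry point for caller-supplied tags. The same `type = map` form is added to landingzones/landingzone_hub_spoke/variables.tf later in this diff.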
@@ -48,28 +48,7 @@ core_networking = {
 ["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
 ]
 }
- # subnet1 = {
- # name = "Business_tier"
- # cidr = "10.0.2.0/24"
- # nsg_inbound = [
- # # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
- # ["HTTP-In", "100", "Inbound", "Allow", "tcp", "*", "80", "*", "*"],
- # ["HTTPS-In", "101", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
- # ]
- # nsg_outbound = [
- # ["HTTP-Out", "100", "Outbound", "Allow", "tcp", "*", "80", "*", "*"],
- # ["HTTPS-Out", "101", "Outbound", "Allow", "tcp", "*", "443", "*", "*"],
- # ]
- # }
- # subnet2 = {
- # name = "Data_tier"
- # cidr = "10.0.3.0/24"
- # nsg_inbound = [
- # # {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
- # ["TDS-In", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"],
- # ]
- # }
- subnet3 = {
+ subnet1 = {
 name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
 cidr = "10.0.0.128/25"
 nsg_inbound = [
@@ -114,7 +93,7 @@ core_networking = {
 # Settings for the public IP address to be used for Azure Firewall
 # Must be standard and static for
- ip_addr_config = {
+ firewall_ip_addr_config = {
 ip_name = "firewall"
 allocation_method = "Static"
 sku = "Standard" #defaults to Basic
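Review bot: Renaming the map key `subnet3` to `subnet1` for the AzureBastionSubnet changes the key the networking module presumably iterates over, so on an existing sandpit deployment Terraform would plan to destroy and recreate that subnet instead of keeping it; if that is intended it should be stated in the description, otherwise a `terraform state mv` step should accompany the change. Whether the module keys subnets by this name is not visible in this diff. The `core_networking` object continues outside the hunk.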
@@ -164,23 +143,13 @@ core_networking = {
 }
 ## DDoS standard configuration
- enable_ddos_standard = true
+ enable_ddos_standard = false
 ddos_name = "ddos_protection_plan"
 ## settings for Azure bastion configuration
 ## not enabled, uncomment the code in the networking shared services blueprint.
- enable_bastion = true
- bastion_config = {
- name = "azurebastion"
- diagnostics = {
- log = [
- #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
- ["BastionAuditLogs", true, true, 30],
- ]
- metric = [
- # ["AllMetrics", true, true, 30],
- ]
- }
+ enable_bastion = false
+ bastion_ip_addr_config = {
 ip_name = "bastion"
 ip_addr = {
 allocation_method = "Static"
@@ -196,7 +165,7 @@ core_networking = {
 #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" #refer to the prefix and check sku types are same in IP and prefix
 }
- ip_diags = {
+ diagnostics = {
 log = [
 #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
 ["DDoSProtectionNotifications", true, true, 30],
@@ -208,6 +177,18 @@ core_networking = {
 ]
 }
 }
+ bastion_config = {
+ name = "azurebastion"
+ diagnostics = {
+ log = [
+ #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
+ ["BastionAuditLogs", true, true, 30],
+ ]
+ metric = [
+ # ["AllMetrics", true, true, 30],
+ ]
+ }
+ }
 # Settings for the Virtual Network gateway to be created
diff --git a/landingzones/landingzone_hub_spoke/hub_network.tf b/landingzones/landingzone_hub_spoke/hub_network.tf
index ef47477dd..dc93995b5 100644
--- a/landingzones/landingzone_hub_spoke/hub_network.tf
+++ b/landingzones/landingzone_hub_spoke/hub_network.tf
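Review bot: The context line `## not enabled, uncomment the code in the networking shared services blueprint.` is stale after this commit: hub_network/blueprint.tf now declares `module "bastion"` outright and drives it with `enable_bastion`, so there is no code left to uncomment and a reader following the comment will look for something that does not exist. Suggest replacing it with `## Azure Bastion is deployed by the networking blueprint when enable_bastion = true`. Flipping `enable_ddos_standard` and `enable_bastion` to `false` in the same hunk also deserves a one-line comment stating that these are sandpit cost defaults rather than the recommended posture, because this tfvars file is the example operators copy from.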
@@ -1,6 +1,7 @@
 module "hub_network" {
 source = "./hub_network"
+ tags = var.tags
 global_settings = local.global_settings
 prefix = local.prefix
 location = local.global_settings.location_map["region1"]
diff --git a/landingzones/landingzone_hub_spoke/hub_network/bastion/module.tf b/landingzones/landingzone_hub_spoke/hub_network/bastion/module.tf
deleted file mode 100644
index 50823297f..000000000
--- a/landingzones/landingzone_hub_spoke/hub_network/bastion/module.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-module "bastion_pip" {
- source = "aztfmod/caf-public-ip/azurerm"
- version = "2.0.0"
- # source = "git://github.com/aztfmod/terraform-azurerm-caf-public-ip?ref=2003-refresh"
-
-
- convention = var.global_settings.convention
- name = var.bastion_config.ip_name
- location = var.location
- resource_group_name = var.rg
- ip_addr = var.bastion_config.ip_addr
- tags = var.tags
- diagnostics_map = var.caf_foundations_accounting.diagnostics_map
- log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
- diagnostics_settings = var.bastion_config.ip_diags
-}
-
-resource "azurerm_bastion_host" "azurebastion" {
-
- name = var.bastion_config.name
- location = var.location
- resource_group_name = var.rg
- tags = var.tags
-
- ip_configuration {
- name = "bastionpipconfiguration"
- subnet_id = var.subnet_id
- public_ip_address_id = module.bastion_pip.id
- }
-}
-
-module "diagnostics_bastion" {
- source = "aztfmod/caf-diagnostics/azurerm"
- version = "1.0.0"
-
- name = azurerm_bastion_host.azurebastion.name
- resource_id = azurerm_bastion_host.azurebastion.id
- log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
- diagnostics_map = var.caf_foundations_accounting.diagnostics_map
- diag_object = var.bastion_config.diagnostics
-}
\ No newline at end of file
diff --git a/landingzones/landingzone_hub_spoke/hub_network/bastion/output.tf b/landingzones/landingzone_hub_spoke/hub_network/bastion/output.tf
deleted file mode 100644
index f871cf7a5..000000000
--- a/landingzones/landingzone_hub_spoke/hub_network/bastion/output.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "bastion" {
- depends_on = [azurerm_bastion_host.azurebastion]
- value = azurerm_bastion_host.azurebastion
-}
diff --git a/landingzones/landingzone_hub_spoke/hub_network/bastion/variables.tf b/landingzones/landingzone_hub_spoke/hub_network/bastion/variables.tf
deleted file mode 100644
index 3a4dfb384..000000000
--- a/landingzones/landingzone_hub_spoke/hub_network/bastion/variables.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-variable "location" {
-
-}
-
-variable "rg" {
-
-}
-
-variable "name" {
-
-}
-
-variable "tags" {
-
-}
-
-variable "subnet_id" {
-
-}
-
-
-variable "enable_bastion" {
-
-}
-
-variable "global_settings" {
-
-}
-
-variable "bastion_config" {
-
-}
-
-variable "caf_foundations_accounting" {
- description = "caf_foundations_accounting settings"
-}
\ No newline at end of file
diff --git a/landingzones/landingzone_hub_spoke/hub_network/blueprint.tf b/landingzones/landingzone_hub_spoke/hub_network/blueprint.tf
index 32707f12b..853bb4309 100644
--- a/landingzones/landingzone_hub_spoke/hub_network/blueprint.tf
+++ b/landingzones/landingzone_hub_spoke/hub_network/blueprint.tf
@@ -48,7 +48,7 @@ module "core_network" {
 prefix = var.prefix
 location = var.global_settings.location_map.region1
 networking_object = var.core_networking.shared_services_vnet
- tags = var.global_settings.tags_hub
+ tags = local.tags
 diagnostics_map = var.caf_foundations_accounting.diagnostics_map
 log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
 diagnostics_settings = var.core_networking.shared_services_vnet.diagnostics
@@ -62,14 +62,14 @@ module "az_firewall_ip" {
 version = "2.0.0"
 convention = var.global_settings.convention
- name = var.core_networking.ip_addr_config.ip_name
+ name = var.core_networking.firewall_ip_addr_config.ip_name
 location = var.location
 resource_group_name = azurerm_resource_group.rg_edge.name
- ip_addr = var.core_networking.ip_addr_config
- tags = var.global_settings.tags_hub
+ ip_addr = var.core_networking.firewall_ip_addr_config
+ tags = local.tags
 diagnostics_map = var.caf_foundations_accounting.diagnostics_map
 log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
- diagnostics_settings = var.core_networking.ip_addr_config.diagnostics
+ diagnostics_settings = var.core_networking.firewall_ip_addr_config.diagnostics
 }
 module "az_firewall" {
@@ -82,7 +82,7 @@ module "az_firewall" {
 subnet_id = lookup(module.core_network.vnet_subnets, "AzureFirewallSubnet", null)
 public_ip_id = module.az_firewall_ip.id
 location = var.global_settings.location_map.region1
- tags = var.global_settings.tags_hub
+ tags = local.tags
 diagnostics_map = var.caf_foundations_accounting.diagnostics_map
 la_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
 diagnostics_settings = var.core_networking.az_fw_config.diagnostics
@@ -96,7 +96,7 @@ module "firewall_dashboard" {
 location = var.location
 rg = azurerm_resource_group.rg_network.name
 name = basename(abspath(path.module))
- tags = var.global_settings.tags_hub
+ tags = local.tags
 }
 module "firewall_rules" {
@@ -113,23 +113,44 @@ module "ddos_protection_std" {
 name = var.core_networking.ddos_name
 rg = azurerm_resource_group.rg_edge.name
 location = var.location
- tags = var.global_settings.tags_hub
+ tags = local.tags
 }
 # Azure Bastion Configuration
 # Please check Azure Bastion availability in the target region: https://azure.microsoft.com/en-us/global-infrastructure/services/?products=azure-bastion
-module "bastion_host" {
- source = "./bastion"
+module "bastion_ip" {
+ source = "aztfmod/caf-public-ip/azurerm"
+ version = "2.0.0"
- enable_bastion = var.core_networking.enable_bastion
- name = var.core_networking.bastion_config.name
- rg = azurerm_resource_group.rg_edge.name
- subnet_id = lookup(module.core_network.vnet_subnets, "AzureBastionSubnet", null)
- location = var.location
- tags = local.tags
- caf_foundations_accounting = var.caf_foundations_accounting
- bastion_config = var.core_networking.bastion_config
- global_settings = var.global_settings
+ convention = var.global_settings.convention
+ name = var.core_networking.bastion_ip_addr_config.ip_name
+ location = var.location
+ resource_group_name = azurerm_resource_group.rg_edge.name
+ ip_addr = var.core_networking.bastion_ip_addr_config.ip_addr
+ tags = local.tags
+ diagnostics_map = var.caf_foundations_accounting.diagnostics_map
+ log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
+ diagnostics_settings = var.core_networking.bastion_ip_addr_config.diagnostics
+}
+
+module "bastion" {
+ source = "aztfmod/caf-azure-bastion/azurerm"
+ version = "0.1.0"
+
+ enable_bastion = var.core_networking.enable_bastion
+ bastion_config = var.core_networking.bastion_config
+
+ name = var.core_networking.bastion_config.name
+ resource_group_name = azurerm_resource_group.rg_edge.name
+ subnet_id = lookup(module.core_network.vnet_subnets, "AzureBastionSubnet", null)
+ public_ip_address_id = module.bastion_ip.id
+ location = var.global_settings.location_map.region1
+ tags = local.tags
+
+
convention = var.global_settings.convention
+ diagnostics_map = var.caf_foundations_accounting.diagnostics_map
+ log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
+ diagnostics_settings = var.core_networking.bastion_config.diagnostics
 }
diff --git a/landingzones/landingzone_hub_spoke/hub_network/main.tf b/landingzones/landingzone_hub_spoke/hub_network/main.tf
index 416ee54e8..9dd2cc570 100644
--- a/landingzones/landingzone_hub_spoke/hub_network/main.tf
+++ b/landingzones/landingzone_hub_spoke/hub_network/main.tf
@@ -15,5 +15,5 @@ locals {
 blueprint_tag = {
 "blueprint" = basename(abspath(path.module))
 }
- tags = merge(var.global_settings.tags_hub,local.blueprint_tag)
+ tags = merge(var.tags, var.global_settings.tags_hub,local.blueprint_tag)
 }
\ No newline at end of file
diff --git a/landingzones/landingzone_hub_spoke/hub_network/variables.tf b/landingzones/landingzone_hub_spoke/hub_network/variables.tf
index 1e9b76aff..1c47d0c72 100644
--- a/landingzones/landingzone_hub_spoke/hub_network/variables.tf
+++ b/landingzones/landingzone_hub_spoke/hub_network/variables.tf
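Review bot: `module "bastion_ip"` is declared with no condition while `module "bastion"` receives `enable_bastion`, so with `enable_bastion = false` (the value the sandpit tfvars now sets) the public IP is still allocated and billed for a host that is never created; unless the public-ip module has a switch of its own, the flag should gate both. The two modules also take their region from different sources, `location = var.location` for the IP and `location = var.global_settings.location_map.region1` for the host, and a bastion host must sit in the same region as its public IP, so `module "bastion"` should use `location = var.location` like its IP and the other modules in this file. The same two-module block is introduced in landingzones/landingzone_secure_vnet_dmz/net_core/blueprint.tf, whose hunk runs past the end of this page.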
@@ -10,51 +10,11 @@ variable "prefix" {
 # description = "(Required) Define the region where the resource groups will be created"
 # }
-# variable "tags" {
-# description = "tags for the deployment"
-# }
-
-# variable "shared_services_vnet" {
-# description = "Network configuration"
-# }
-
-# variable "enable_network_watcher" {
-# description = "Enable network watcher for the subnet - this will deploy and configure a Linux VM with network watcher extensions."
-# default = false
-# }
-
-# variable "subnet_to_deploy_network_monitoring" {
-# description = "Name of the subnet (must be a valid subnet name if the shared services virtual network) wher to deploy the network watcher VM"
-# default = ""
-# }
-
-# variable "log_analytics_workspace" {
-
-# }
-
-# variable "diagnostics_map" {
-
-# }
-
-# variable "enable_ddos_standard" {
-# description = "(Optional) boolean to switch on/off ddos standard"
-# }
-
-# variable "ddos_name" {
-
-# }
+variable "tags" {
+ description = "tags for the deployment"
+}
-# variable "resource_groups_shared_services" {
-# description = "(Required) Resource group to use to host all shared services blueprint resources."
-# }
-# variable "bastion_config" {
-# description = "(Required) Configuration object for the Azure Bastion service."
-# }
-
-# variable "enable_bastion" {
-# description = "Switch to enable Azure Bastion // reserved for future use"
-# }
 variable "global_settings" {
 description = "global settings"
diff --git a/landingzones/landingzone_hub_spoke/main.tf b/landingzones/landingzone_hub_spoke/main.tf
index 2e45add15..516759a49 100644
--- a/landingzones/landingzone_hub_spoke/main.tf
+++ b/landingzones/landingzone_hub_spoke/main.tf
@@ -1,5 +1,5 @@
 provider "azurerm" {
- version = "~>2.4.0"
+ version = "~>2.9.0"
 features {}
 }
@@ -8,6 +8,13 @@ terraform {
 }
 }
+locals {
+ landingzone_tag = {
+ "landingzone" = basename(abspath(path.module))
+ }
+ tags = merge(var.tags, local.landingzone_tag)
+}
+
 data "terraform_remote_state" "landingzone_caf_foundations" {
 backend = "azurerm"
 config = {
diff --git a/landingzones/landingzone_hub_spoke/variables.tf b/landingzones/landingzone_hub_spoke/variables.tf
index e6c1baa1c..b09e353e0 100644
--- a/landingzones/landingzone_hub_spoke/variables.tf
+++ b/landingzones/landingzone_hub_spoke/variables.tf
@@ -3,6 +3,10 @@ variable "lowerlevel_storage_account_name" {}
 variable "lowerlevel_container_name" {}
 variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
 variable "lowerlevel_resource_group_name" {}
+variable "tags" {
+ type = map
+ default = {}
+}
 variable "workspace" {}
 variable "logged_user_objectId" {}
\ No newline at end of file
diff --git a/landingzones/landingzone_secure_vnet_dmz/app_tiers.sandpit.auto.tfvars b/landingzones/landingzone_secure_vnet_dmz/app_tiers.sandpit.auto.tfvars
index 74bab10fe..b48066bd5 100644
--- a/landingzones/landingzone_secure_vnet_dmz/app_tiers.sandpit.auto.tfvars
+++ b/landingzones/landingzone_secure_vnet_dmz/app_tiers.sandpit.auto.tfvars
@@ -57,5 +57,4 @@ db_tier = {
 tier = "db"
 }
 }
-}
-
+}
\ No newline at end of file
diff --git a/landingzones/landingzone_secure_vnet_dmz/app_tiers.tf b/landingzones/landingzone_secure_vnet_dmz/app_tiers.tf
index 33098280d..cf58303d3 100644
--- a/landingzones/landingzone_secure_vnet_dmz/app_tiers.tf
+++ b/landingzones/landingzone_secure_vnet_dmz/app_tiers.tf
@@ -1,22 +1,42 @@
+resource "azurecaf_naming_convention" "rg_appweb" {
+ name = var.rg_app.web_tier.name
+ prefix = var.prefix != "" ? var.prefix : null
+ resource_type = "azurerm_resource_group"
+ convention = local.global_settings.convention
+}
+
+resource "azurecaf_naming_convention" "rg_appapp" {
+ name = var.rg_app.app_tier.name
+ prefix = var.prefix != "" ? var.prefix : null
+ resource_type = "azurerm_resource_group"
+ convention = local.global_settings.convention
+}
+
+resource "azurecaf_naming_convention" "rg_appdb" {
+ name = var.rg_app.db_tier.name
+ prefix = var.prefix != "" ? var.prefix : null
+ resource_type = "azurerm_resource_group"
+ convention = local.global_settings.convention
+}
+
 resource "azurerm_resource_group" "rg_appweb" {
- name = "${local.prefix}${var.rg_app.web_tier.name}"
+ name = azurecaf_naming_convention.rg_appweb.result
 location = local.global_settings.location_map.region1
 tags = local.global_settings.tags_hub
 }
 resource "azurerm_resource_group" "rg_appapp" {
- name = "${local.prefix}${var.rg_app.app_tier.name}"
+ name = azurecaf_naming_convention.rg_appapp.result
 location = local.global_settings.location_map.region1
 tags = local.global_settings.tags_hub
 }
 resource "azurerm_resource_group" "rg_appdb" {
- name = "${local.prefix}${var.rg_app.db_tier.name}"
+ name = azurecaf_naming_convention.rg_appdb.result
 location = local.global_settings.location_map.region1
 tags = local.global_settings.tags_hub
 }
-
 resource "azurerm_availability_set" "as_web" {
 name = var.web_tier.as.name
 location = azurerm_resource_group.rg_appweb.location
diff --git a/landingzones/landingzone_secure_vnet_dmz/main.tf b/landingzones/landingzone_secure_vnet_dmz/main.tf
index 2e45add15..516759a49 100644
--- a/landingzones/landingzone_secure_vnet_dmz/main.tf
+++ b/landingzones/landingzone_secure_vnet_dmz/main.tf
@@ -1,5 +1,5 @@
 provider "azurerm" {
- version = "~>2.4.0"
+ version = "~>2.9.0"
 features {}
 }
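Review bot: The new `prefix = var.prefix != "" ? var.prefix : null` lines build the resource group names from `var.prefix`, whereas the removed interpolations used `local.prefix`; if `local.prefix` is derived differently from `var.prefix` in this landing zone (not visible here), all three resource group names change and Terraform will plan to replace the groups together with everything inside them, so the equivalence should be confirmed before merging. The three `tags = local.global_settings.tags_hub` context lines are also left untouched even though this commit introduces `local.tags` carrying the `landingzone` tag in landingzone_secure_vnet_dmz/main.tf, so the resource groups will never receive it; `tags = local.tags` would be consistent with the networking modules, and the resource groups in net_core/blueprint.tf keep `tags = var.global_settings.tags_hub` in the same way. No `azurecaf` provider or `required_providers` entry is visible in this diff, so it is worth confirming one exists. The `as_web` block continues past the hunk.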
@@ -8,6 +8,13 @@ terraform {
 }
 }
+locals {
+ landingzone_tag = {
+ "landingzone" = basename(abspath(path.module))
+ }
+ tags = merge(var.tags, local.landingzone_tag)
+}
+
 data "terraform_remote_state" "landingzone_caf_foundations" {
 backend = "azurerm"
 config = {
diff --git a/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/module.tf b/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/module.tf
deleted file mode 100644
index 4e9ab4eea..000000000
--- a/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/module.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-module "bastion_pip" {
- source = "aztfmod/caf-public-ip/azurerm"
- version = "1.0.0"
-
- convention = var.global_settings.convention
- name = var.bastion_config.ip_name
- location = var.location
- rg = var.rg
- ip_addr = var.bastion_config.ip_addr
- tags = var.tags
- diagnostics_map = var.caf_foundations_accounting.diagnostics_map
- log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
- diagnostics_settings = var.bastion_config.ip_diags
-}
-
-resource "azurerm_bastion_host" "azurebastion" {
-
- name = var.bastion_config.name
- location = var.location
- resource_group_name = var.rg
- tags = var.tags
-
- ip_configuration {
- name = "bastionpipconfiguration"
- subnet_id = var.subnet_id
- public_ip_address_id = module.bastion_pip.id
- }
-}
-
-module "diagnostics_bastion" {
- source = "aztfmod/caf-diagnostics/azurerm"
- version = "1.0.0"
-
- name = azurerm_bastion_host.azurebastion.name
- resource_id = azurerm_bastion_host.azurebastion.id
- log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
- diagnostics_map = var.caf_foundations_accounting.diagnostics_map
- diag_object = var.bastion_config.diagnostics
-}
\ No newline at end of file
diff --git a/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/output.tf b/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/output.tf
deleted file mode 100644
index f871cf7a5..000000000
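Review bot: `tags = merge(var.tags, local.landingzone_tag)` references `var.tags`, but unlike landingzone_caf_foundations and landingzone_hub_spoke this diff shows no `variable "tags"` being added to landingzones/landingzone_secure_vnet_dmz/variables.tf; if it is not declared elsewhere, `terraform validate` fails on the undeclared input. If it is declared, it should match the other two roots, with `type = map(string)` and `default = {}`, so the merge is well-typed and callers that pass no tags still work.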
--- a/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/output.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "bastion" {
- depends_on = [azurerm_bastion_host.azurebastion]
- value = azurerm_bastion_host.azurebastion
-}
diff --git a/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/variables.tf b/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/variables.tf
deleted file mode 100644
index 3a4dfb384..000000000
--- a/landingzones/landingzone_secure_vnet_dmz/net_core/bastion/variables.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-variable "location" {
-
-}
-
-variable "rg" {
-
-}
-
-variable "name" {
-
-}
-
-variable "tags" {
-
-}
-
-variable "subnet_id" {
-
-}
-
-
-variable "enable_bastion" {
-
-}
-
-variable "global_settings" {
-
-}
-
-variable "bastion_config" {
-
-}
-
-variable "caf_foundations_accounting" {
- description = "caf_foundations_accounting settings"
-}
\ No newline at end of file
diff --git a/landingzones/landingzone_secure_vnet_dmz/net_core/blueprint.tf b/landingzones/landingzone_secure_vnet_dmz/net_core/blueprint.tf
index c2c2729c9..454bd1be6 100644
--- a/landingzones/landingzone_secure_vnet_dmz/net_core/blueprint.tf
+++ b/landingzones/landingzone_secure_vnet_dmz/net_core/blueprint.tf
@@ -1,17 +1,38 @@
+resource "azurecaf_naming_convention" "rg_network_name" {
+ name = var.rg_network.CORE-NET.name
+ prefix = var.prefix != "" ? var.prefix : null
+ resource_type = "azurerm_resource_group"
+ convention = var.global_settings.convention
+}
+
+resource "azurecaf_naming_convention" "rg_transit_name" {
+ name = var.rg_network.TRANSIT-NET.name
+ prefix = var.prefix != "" ? var.prefix : null
+ resource_type = "azurerm_resource_group"
+ convention = var.global_settings.convention
+}
+
+resource "azurecaf_naming_convention" "rg_edge_name" {
+ name = var.rg_network.EDGE-NET.name
+ prefix = var.prefix != "" ? var.prefix : null
+ resource_type = "azurerm_resource_group"
+ convention = var.global_settings.convention
+}
+
 resource "azurerm_resource_group" "rg_network" {
- name = "${var.prefix}${var.rg_network.CORE-NET.name}"
+ name = azurecaf_naming_convention.rg_network_name.result
 location = var.global_settings.location_map.region1
 tags = var.global_settings.tags_hub
 }
 resource "azurerm_resource_group" "rg_transit" {
- name = "${var.prefix}${var.rg_network.TRANSIT-NET.name}"
+ name = azurecaf_naming_convention.rg_transit_name.result
 location = var.global_settings.location_map.region1
 tags = var.global_settings.tags_hub
 }
 resource "azurerm_resource_group" "rg_edge" {
- name = "${var.prefix}${var.rg_network.EDGE-NET.name}"
+ name = azurecaf_naming_convention.rg_edge_name.result
 location = var.global_settings.location_map.region1
 tags = var.global_settings.tags_hub
 }
@@ -91,20 +112,42 @@ module "ddos_protection_std" {
 }
 
 # Please check Azure Bastion availability in the target region: https://azure.microsoft.com/en-us/global-infrastructure/services/?products=azure-bastion
-module "bastion_host" {
- source = "./bastion"
+module "bastion_ip" {
+ source = "aztfmod/caf-public-ip/azurerm"
+ version = "2.0.0"
 
- enable_bastion = var.core_networking.enable_bastion
- name = var.core_networking.bastion_config.name
- rg = azurerm_resource_group.rg_edge.name
- subnet_id = lookup(module.core_network.vnet_subnets, "AzureBastionSubnet", null)
- location = var.location
- tags = local.tags
- caf_foundations_accounting = var.caf_foundations_accounting
- bastion_config = var.core_networking.bastion_config
- global_settings = var.global_settings
+ convention = var.global_settings.convention
+ name = var.core_networking.bastion_ip_addr_config.ip_name
+ location = var.location
+ resource_group_name = azurerm_resource_group.rg_edge.name
+ ip_addr = var.core_networking.bastion_ip_addr_config.ip_addr
+ tags = local.tags
+ diagnostics_map = var.caf_foundations_accounting.diagnostics_map
+ log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
+ diagnostics_settings = var.core_networking.bastion_ip_addr_config.diagnostics
+}
+
+module "bastion" {
+ source = "aztfmod/caf-azure-bastion/azurerm"
+ version = "0.1.0"
+
+ enable_bastion = var.core_networking.enable_bastion
+ bastion_config = var.core_networking.bastion_config
+
+ name = var.core_networking.bastion_config.name
+ resource_group_name = azurerm_resource_group.rg_edge.name
+ subnet_id = lookup(module.core_network.vnet_subnets, "AzureBastionSubnet", null)
+ public_ip_address_id = module.bastion_ip.id
+ location = var.global_settings.location_map.region1
+ tags = local.tags
+
+ convention = var.global_settings.convention
+ diagnostics_map = var.caf_foundations_accounting.diagnostics_map
+ log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
+
 diagnostics_settings = var.core_networking.bastion_config.diagnostics
 }
+
 # create the UDR object
 module "user_route_web_to_az_firewall" {
 source = "./udr"
diff --git a/landingzones/landingzone_secure_vnet_dmz/net_core/main.tf b/landingzones/landingzone_secure_vnet_dmz/net_core/main.tf
index bc404d024..6e7422a5d 100644
--- a/landingzones/landingzone_secure_vnet_dmz/net_core/main.tf
+++ b/landingzones/landingzone_secure_vnet_dmz/net_core/main.tf
@@ -15,5 +15,5 @@ locals {
 blueprint_tag = {
 "blueprint" = basename(abspath(path.module))
 }
- tags = merge(var.global_settings.tags_hub,local.blueprint_tag)
+ tags = merge(var.tags, var.global_settings.tags_hub,local.blueprint_tag)
 }
\ No newline at end of file
diff --git a/landingzones/landingzone_secure_vnet_dmz/net_core/variables.tf b/landingzones/landingzone_secure_vnet_dmz/net_core/variables.tf
index 2cd66b70f..ddbcc14e1 100644
--- a/landingzones/landingzone_secure_vnet_dmz/net_core/variables.tf
+++ b/landingzones/landingzone_secure_vnet_dmz/net_core/variables.tf
@@ -10,9 +10,9 @@ variable "prefix" {
 # description = "(Required) Define the region where the resource groups will be created"
 # }
 
-# variable "tags" {
-# description = "tags for the deployment"
-# }
+variable "tags" {
+ description = "tags for the deployment"
+}
 
 # variable "shared_services_vnet" {
 # description = "Network configuration"
diff --git a/landingzones/landingzone_secure_vnet_dmz/network_core.sandpit.auto.tfvars b/landingzones/landingzone_secure_vnet_dmz/network_core.sandpit.auto.tfvars
index 210f58778..10af63013 100644
--- a/landingzones/landingzone_secure_vnet_dmz/network_core.sandpit.auto.tfvars
+++ b/landingzones/landingzone_secure_vnet_dmz/network_core.sandpit.auto.tfvars
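Review bot: `module "bastion_ip"` is not gated on `var.core_networking.enable_bastion` while `module "bastion"` is, so a static public IP is created in the edge resource group even when the bastion host is disabled; an internet-facing address that nothing uses is exposure and cost for no benefit. Whether the `aztfmod/caf-public-ip` module accepts an enable input is not visible here; if it does, pass `enable_bastion` through, otherwise record the behaviour next to the module with `# NOTE: the public IP is created regardless of enable_bastion`. The two modules also take their region from different sources (`var.location` for the IP, `var.global_settings.location_map.region1` for the host); Azure Bastion requires its public IP in its own region, so both should read the same value. Finally, `subnet_id` silently falls back to `null` when `AzureBastionSubnet` is missing from `module.core_network.vnet_subnets`, which only surfaces as an apply-time error — a comment stating that the subnet must exist when `enable_bastion` is true would make the requirement explicit.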
@@ -160,17 +160,7 @@ core_networking = {
 ## settings for Azure bastion configuration
 ## not enabled, uncomment the code in the networking shared services blueprint.
 enable_bastion = true
- bastion_config = {
- name = "azurebastion"
- diagnostics = {
- log = [
- #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
- ["BastionAuditLogs", true, true, 30],
- ]
- metric = [
- # ["AllMetrics", true, true, 30],
- ]
- }
+ bastion_ip_addr_config = {
 ip_name = "bastion"
 ip_addr = {
 allocation_method = "Static"
@@ -186,7 +176,7 @@ core_networking = {
 #public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix" #refer to the prefix and check sku types are same in IP and prefix
 }
 
- ip_diags = {
+ diagnostics = {
 log = [
 #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
 ["DDoSProtectionNotifications", true, true, 30],
@@ -198,6 +188,19 @@ core_networking = {
 ]
 }
 }
 
+ bastion_config = {
+ name = "azurebastionalz"
+ diagnostics = {
+ log = [
+ #["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
+ ["BastionAuditLogs", true, true, 30],
+ ]
+ metric = [
+ # ["AllMetrics", true, true, 30],
+ ]
+ }
+
+ }
 
 # Settings for the Virtual Network gateway to be created
diff --git a/landingzones/landingzone_secure_vnet_dmz/network_core.tf b/landingzones/landingzone_secure_vnet_dmz/network_core.tf
index cca009d7d..326728d3a 100644
--- a/landingzones/landingzone_secure_vnet_dmz/network_core.tf
+++ b/landingzones/landingzone_secure_vnet_dmz/network_core.tf
@@ -1,6 +1,7 @@
 module "net_core" {
 source = "./net_core"
-
+
+ tags = var.tags
 global_settings = local.global_settings
 prefix = local.prefix
 location = local.global_settings.location_map["region1"]
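Review bot: The comment `## not enabled, uncomment the code in the networking shared services blueprint.` directly above `enable_bastion = true` is now misleading: bastion is enabled in this file and the new `bastion_config` block added at the end of the hunk is live configuration, so the note sends a reader looking for commented-out code that no longer exists. Suggest replacing it with `## Azure Bastion settings; set enable_bastion = false to skip the bastion host`. The heading `## settings for Azure bastion configuration` also now sits above `bastion_ip_addr_config` while `bastion_config` has moved further down, so either move the heading or mention both blocks in it.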
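Review bot: `tags = var.tags` passes the raw root input to `net_core`, whereas `landingzone_vdc_demo/bp_operations.tf` in the same commit passes `local.tags`, which merges a `landingzone` tag in; as far as this diff shows, `landingzone_secure_vnet_dmz` gets no such `locals` block, so its resources will lack the `landingzone` tag the other zones gain. If that is unintended, add the same `locals { landingzone_tag = { "landingzone" = basename(abspath(path.module)) }; tags = merge(var.tags, local.landingzone_tag) }` block to this landing zone's `main.tf` and pass `local.tags` here. The `module "net_core"` block continues past the end of the hunk.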
diff --git a/landingzones/landingzone_secure_vnet_dmz/readme.md b/landingzones/landingzone_secure_vnet_dmz/readme.md
deleted file mode 100644
index 0717ab991..000000000
--- a/landingzones/landingzone_secure_vnet_dmz/readme.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# Introduction to Network DMZ between Azure and an on-premises datacenter landing zone
-
-Welcome to Azure Cloud Adoption Framework Series.
-
-This landing zone is an implementation of the following reference architecture:
-
-## Prerequisites
-
-This landing zone is a "level 2" type of landing zone, which **requires** you have deployed the foundations. The supported lower level landing zone is **landingzone_caf_foundations** which can be found in the same release and must have been applied successfully **before** applying this one.
-
-## Overall architecture
-
-The following diagram shows the environment we are deploying for this POC:
-
-![DMZ](../../_pictures/dmz/dmz-private.png)
-
-## Getting Started
-
-To deploy a landing zone, use the execution environnement as described at the root of the landing zone repository.
-
-## Deploying this landing zone
-
-```
-rover /tf/caf/landingzones/landingzone_secure_vnet_dmz plan
-```
-Review the configuration and if you are ok with it, deploy it by running:
-```
-rover /tf/caf/landingzones/landingzone_secure_vnet_dmz apply
-```
-Have fun playing with the landing zone an once you are done, you can simply delete the deployment using:
-```
-rover /tf/caf/landingzones/landingzone_secure_vnet_dmz destroy
-```
-
-More details about this landing zone can also be found in the landing zone folder and its blueprints sub-folders.
-
-## Contribute
-
-Pull requests are welcome to evolve the framework and integrate new features.
diff --git a/landingzones/landingzone_secure_vnet_dmz/variables.tf b/landingzones/landingzone_secure_vnet_dmz/variables.tf
index e6c1baa1c..2255e818f 100644
--- a/landingzones/landingzone_secure_vnet_dmz/variables.tf
+++ b/landingzones/landingzone_secure_vnet_dmz/variables.tf
@@ -3,6 +3,13 @@ variable "lowerlevel_storage_account_name" {}
 variable "lowerlevel_container_name" {}
 variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
 variable "lowerlevel_resource_group_name" {}
-
+variable "tags" {
+ type = map
+ default = {}
+}
+variable "prefix" {
+ description = "(Optional) Prefix to uniquely identify the deployment"
+ default = ""
+}
 variable "workspace" {}
 variable "logged_user_objectId" {}
\ No newline at end of file
diff --git a/landingzones/landingzone_starter/main.tf b/landingzones/landingzone_starter/main.tf
index 2e45add15..f78d40ab6 100644
--- a/landingzones/landingzone_starter/main.tf
+++ b/landingzones/landingzone_starter/main.tf
@@ -1,5 +1,5 @@
 provider "azurerm" {
- version = "~>2.4.0"
+ version = "~>2.9.0"
 features {}
 }
 
@@ -8,6 +8,13 @@ terraform {
 }
 }
 
+locals {
+ landingzone_tag = {
+ "landingzone" = basename(abspath(path.module))
+ }
+ tags = merge(var.tags, local.landingzone_tag)
+}
+
 data "terraform_remote_state" "landingzone_caf_foundations" {
 backend = "azurerm"
 config = {
diff --git a/landingzones/landingzone_starter/variables.tf b/landingzones/landingzone_starter/variables.tf
index 0090090ef..816bcd81b 100644
--- a/landingzones/landingzone_starter/variables.tf
+++ b/landingzones/landingzone_starter/variables.tf
@@ -3,4 +3,8 @@ variable "lowerlevel_storage_account_name" {}
 variable "lowerlevel_container_name" {}
 variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
 variable "lowerlevel_resource_group_name" {}
-variable "workspace" {}
\ No newline at end of file
+variable "workspace" {}
+variable "tags" {
+ type = map
+ default = {}
+}
\ No newline at end of file
diff --git a/landingzones/landingzone_vdc_demo/blueprint_operations/main.tf b/landingzones/landingzone_vdc_demo/blueprint_operations/main.tf
index 86f003721..024ac066f 100644
--- a/landingzones/landingzone_vdc_demo/blueprint_operations/main.tf
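Review bot: `type = map` on the new `tags` variable is the unconstrained legacy form (equivalent to `map(any)`); Azure tag values are strings, so `type = map(string)` states the contract and rejects a non-string value at plan time instead of leaving it to the provider. The same applies to the `tags` variables added to `landingzone_starter/variables.tf` and `landingzone_vdc_demo/variables.tf` in this commit. The `tags` variable also has no `description`, unlike the `prefix` variable added next to it; `description = "(Optional) Tags merged onto every resource of this landing zone"` would document what callers are expected to pass.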
+++ b/landingzones/landingzone_vdc_demo/blueprint_operations/main.tf
@@ -10,5 +10,5 @@ locals {
 blueprint_tag = {
 "blueprint" = basename(abspath(path.module))
 }
- tags = merge(var.global_settings.tags_hub,local.blueprint_tag)
+ tags = merge(var.tags, var.global_settings.tags_hub,local.blueprint_tag)
 }
\ No newline at end of file
diff --git a/landingzones/landingzone_vdc_demo/blueprint_operations/variables.tf b/landingzones/landingzone_vdc_demo/blueprint_operations/variables.tf
index f80b68563..a81b4bc13 100644
--- a/landingzones/landingzone_vdc_demo/blueprint_operations/variables.tf
+++ b/landingzones/landingzone_vdc_demo/blueprint_operations/variables.tf
@@ -33,4 +33,6 @@ variable "global_settings" {
 
 variable "caf_foundations_accounting" {
 description = "caf_foundations_accounting settings"
-}
\ No newline at end of file
+}
+
+variable "tags" {}
\ No newline at end of file
diff --git a/landingzones/landingzone_vdc_demo/bp_operations.tf b/landingzones/landingzone_vdc_demo/bp_operations.tf
index 1e0eec302..07cba2f04 100644
--- a/landingzones/landingzone_vdc_demo/bp_operations.tf
+++ b/landingzones/landingzone_vdc_demo/bp_operations.tf
@@ -1,6 +1,7 @@
 module "blueprint_operations" {
 source = "./blueprint_operations"
 
+ tags = local.tags
 prefix = local.prefix
 location = local.global_settings.location_map["region1"]
 caf_foundations_accounting = local.caf_foundations_accounting
diff --git a/landingzones/landingzone_vdc_demo/main.tf b/landingzones/landingzone_vdc_demo/main.tf
index 2e45add15..f78d40ab6 100644
--- a/landingzones/landingzone_vdc_demo/main.tf
+++ b/landingzones/landingzone_vdc_demo/main.tf
@@ -1,5 +1,5 @@
 provider "azurerm" {
- version = "~>2.4.0"
+ version = "~>2.9.0"
 features {}
 }
 
@@ -8,6 +8,13 @@ terraform {
 }
 }
 
+locals {
+ landingzone_tag = {
+ "landingzone" = basename(abspath(path.module))
+ }
+ tags = merge(var.tags, local.landingzone_tag)
+}
+
 data "terraform_remote_state" "landingzone_caf_foundations" {
 backend = "azurerm"
 config = {
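Review bot: `variable "tags" {}` added to `blueprint_operations/variables.tf` carries no type or description, while the equivalent variable added to `net_core/variables.tf` in this commit at least documents itself; declaring it as `variable "tags" { description = "tags merged onto the blueprint resources" type = map(string) }` keeps the two blueprints consistent and catches a non-string tag value at plan time. No default is needed, since `bp_operations.tf` always passes `local.tags`.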
diff --git a/landingzones/landingzone_vdc_demo/variables.tf b/landingzones/landingzone_vdc_demo/variables.tf
index 13592c40f..71f041eff 100644
--- a/landingzones/landingzone_vdc_demo/variables.tf
+++ b/landingzones/landingzone_vdc_demo/variables.tf
@@ -4,5 +4,9 @@ variable "lowerlevel_container_name" {}
 variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
 variable "lowerlevel_resource_group_name" {}
 
 variable "workspace" {}
+variable "tags" {
+ type = map
+ default = {}
+}
 variable "logged_user_objectId" {}
\ No newline at end of file