Missing additions to the latest version of the CAF Enterprise Scale add-on #340

wants to merge 7 commits into
base: main
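--- a/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
+++ b/caf_solution/add-ons/caf_eslz/enterprise_scale.tf
@@ -12,15 +12,25 @@ module "enterprise_scale" {
 azurerm.management = azurerm
 }
 
-root_parent_id = data.azurerm_client_config.current.tenant_id
+root_parent_id = data.azurerm_client_config.core.tenant_id
 default_location = local.global_settings.regions[local.global_settings.default_region]
 
 #path to the policies definition and assignment repo
-library_path = var.library_path
-archetype_config_overrides = local.archetype_config_overrides
-custom_landing_zones = local.custom_landing_zones
-deploy_core_landing_zones = var.deploy_core_landing_zones
-root_id = var.root_id
-root_name = var.root_name
-subscription_id_overrides = local.subscription_id_overrides
-}
+library_path = var.library_path
+archetype_config_overrides = local.archetype_config_overrides
+custom_landing_zones = local.custom_landing_zones
+deploy_core_landing_zones = var.deploy_core_landing_zones
+root_id = var.root_id
+root_name = var.root_name
+subscription_id_overrides = local.subscription_id_overrides
+subscription_id_identity = var.subscription_id_identity == null ? data.azurerm_client_config.core.subscription_id : var.subscription_id_identity
+subscription_id_management = var.subscription_id_management == null ? data.azurerm_client_config.management.subscription_id : var.subscription_id_management
+subscription_id_connectivity = var.subscription_id_connectivity == null ? data.azurerm_client_config.connectivity.subscription_id : var.subscription_id_connectivity
+deploy_identity_resources = var.deploy_identity_resources
+deploy_connectivity_resources = var.deploy_connectivity_resources
+deploy_management_resources = var.deploy_management_resources
+configure_identity_resources = var.configure_identity_resources
+configure_management_resources = var.configure_management_resources
+disable_base_module_tags = var.disable_base_module_tags
+default_tags = coalesce(var.tags, var.default_tags, null)
+}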
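Review bot: The new `subscription_id_management` argument takes its fallback from `data.azurerm_client_config.management.subscription_id`, i.e. the aliased `azurerm.management` provider, yet the context line `azurerm.management = azurerm` at the top of the hunk still binds the module's management provider to the default (core) provider, so when the management subscription differs from the core one the module is handed one subscription ID while its management resources are created through a provider pointed at another; the providers block starts above the hunk, so confirm there and map `azurerm.management = azurerm.management` (and likewise for connectivity if the module declares that alias). `default_tags = coalesce(var.tags, var.default_tags, null)` fails at plan time when both variables are null, because coalesce errors when every argument is null and the trailing `null` changes nothing; `default_tags = var.tags != null ? var.tags : var.default_tags` keeps the intended fallback. The `root_parent_id` variable added in variables.tf is never read here, since `root_parent_id` is still set from `data.azurerm_client_config.core.tenant_id`; `root_parent_id = coalesce(var.root_parent_id, data.azurerm_client_config.core.tenant_id)` would honour it. `module "enterprise_scale"` opens before the hunk.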
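--- a/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf
+++ b/caf_solution/add-ons/caf_eslz/locals.remote_tfstates.tf
@@ -29,7 +29,7 @@ locals {
 resource_group_name = try(value.resource_group_name, local.landingzone[try(value.level, "current")].resource_group_name)
 storage_account_name = try(value.storage_account_name, local.landingzone[try(value.level, "current")].storage_account_name)
 subscription_id = try(value.subscription_id, var.tfstate_subscription_id)
-tenant_id = try(value.tenant_id, data.azurerm_client_config.current.tenant_id)
+tenant_id = try(value.tenant_id, data.azurerm_client_config.core.tenant_id)
 }
 }
 }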
35 changes: 30 additions & 5 deletions caf_solution/add-ons/caf_eslz/main.tf
@@ -1,20 +1,45 @@

terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 2.93.1"
version = "~> 2.96.0"
}
}
required_version = ">= 0.14"
experiments = [module_variable_optional_attrs]
}


# Core provider block
provider "azurerm" {
# Partner identifier for CAF Terraform landing zones.
partner_id = "ca4078f8-9bc4-471b-ab5b-3af6b86a42c8"
# partner identifier for CAF Terraform landing zones.
features {}
}

data "azurerm_client_config" "current" {}
# Declare an aliased provider block using your preferred configuration.
# This will be used for the deployment of all "Connectivity resources" to the specified `subscription_id`.
provider "azurerm" {
alias = "connectivity"
subscription_id = coalesce(var.subscription_id_connectivity, null)
features {}
}

# Declare a standard provider block using your preferred configuration.
# This will be used for the deployment of all "Management resources" to the specified `subscription_id`.
provider "azurerm" {
alias = "management"
subscription_id = coalesce(var.subscription_id_management, null)
features {}
}

data "azurerm_client_config" "core" {
provider = azurerm
}

data "azurerm_client_config" "management" {
provider = azurerm.management
}

data "azurerm_client_config" "connectivity" {
provider = azurerm.connectivity
}
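--- a/caf_solution/add-ons/caf_eslz/variables.tf
+++ b/caf_solution/add-ons/caf_eslz/variables.tf
@@ -85,6 +85,12 @@ variable "root_name" {
 }
 }
 
+variable "root_parent_id" {
+type = string
+description = "If specified, will deploy the Enterprise scale bellow the root_parent_id."
+default = null
+}
+
 variable "deploy_core_landing_zones" {
 type = bool
 description = "If set to true, will include the core Enterprise-scale Management Group hierarchy."
@@ -233,4 +239,161 @@ variable "reconcile_vending_subscriptions" {
 type = bool
 default = false
 description = "Will reconcile the subrisciptions created outside of enterprise scale to prevent them to be revoved by the execution of this module."
-}
+}
+
+variable "deploy_identity_resources" {
+type = bool
+default = false
+}
+
+variable "subscription_id_identity" {
+type = string
+}
+
+variable "configure_identity_resources" {
+type = object({
+settings = object({
+identity = object({
+enabled = bool
+config = object({
+enable_deny_public_ip = bool
+enable_deny_rdp_from_internet = bool
+enable_deny_subnet_without_nsg = bool
+enable_deploy_azure_backup_on_vms = bool
+})
+})
+})
+})
+description = "If specified, will customize the \"Identity\" landing zone settings."
+default = {
+settings = {
+identity = {
+enabled = true
+config = {
+enable_deny_public_ip = true
+enable_deny_rdp_from_internet = true
+enable_deny_subnet_without_nsg = true
+enable_deploy_azure_backup_on_vms = true
+}
+}
+}
+}
+}
+
+variable "deploy_management_resources" {
+type = bool
+description = "If set to true, will enable the \"Management\" landing zone settings and add \"Management\" resources into the current Subscription context."
+default = false
+}
+
+variable "configure_management_resources" {
+type = object({
+settings = object({
+log_analytics = object({
+enabled = bool
+config = object({
+retention_in_days = number
+enable_monitoring_for_arc = bool
+enable_monitoring_for_vm = bool
+enable_monitoring_for_vmss = bool
+enable_solution_for_agent_health_assessment = bool
+enable_solution_for_anti_malware = bool
+enable_solution_for_azure_activity = bool
+enable_solution_for_change_tracking = bool
+enable_solution_for_service_map = bool
+enable_solution_for_sql_assessment = bool
+enable_solution_for_updates = bool
+enable_solution_for_vm_insights = bool
+enable_sentinel = bool
+})
+})
+security_center = object({
+enabled = bool
+config = object({
+email_security_contact = string
+enable_defender_for_app_services = bool
+enable_defender_for_arm = bool
+enable_defender_for_containers = bool
+enable_defender_for_dns = bool
+enable_defender_for_key_vault = bool
+enable_defender_for_oss_databases = bool
+enable_defender_for_servers = bool
+enable_defender_for_sql_servers = bool
+enable_defender_for_sql_server_vms = bool
+enable_defender_for_storage = bool
+})
+})
+})
+location = any
+tags = any
+advanced = any
+})
+description = "If specified, will customize the \"Management\" landing zone settings and resources."
+default = {
+settings = {
+log_analytics = {
+enabled = true
+config = {
+retention_in_days = 30
+enable_monitoring_for_arc = true
+enable_monitoring_for_vm = true
+enable_monitoring_for_vmss = true
+enable_solution_for_agent_health_assessment = true
+enable_solution_for_anti_malware = true
+enable_solution_for_azure_activity = true
+enable_solution_for_change_tracking = true
+enable_solution_for_service_map = true
+enable_solution_for_sql_assessment = true
+enable_solution_for_updates = true
+enable_solution_for_vm_insights = true
+enable_sentinel = true
+}
+}
+security_center = {
+enabled = true
+config = {
+email_security_contact = "security_contact@replace_me"
+enable_defender_for_app_services = true
+enable_defender_for_arm = true
+enable_defender_for_containers = true
+enable_defender_for_dns = true
+enable_defender_for_key_vault = true
+enable_defender_for_oss_databases = true
+enable_defender_for_servers = true
+enable_defender_for_sql_servers = true
+enable_defender_for_sql_server_vms = true
+enable_defender_for_storage = true
+}
+}
+}
+location = null
+tags = null
+advanced = null
+}
+}
+
+variable "deploy_connectivity_resources" {
+type = bool
+description = "If set to true, will enable the \"Connectivity\" landing zone settings and add \"Connectivity\" resources into the current Subscription context."
+default = false
+}
+
+variable "subscription_id_management" {
+type = string
+}
+
+variable "subscription_id_connectivity" {
+type = string
+}
+
+variable "disable_base_module_tags" {
+type = bool
+}
+
+variable "tags" {
+type = map(any)
+}
+
+variable "default_tags" {
+type = map(any)
+}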
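Review bot: `variable "subscription_id_identity"`, `"subscription_id_management"` and `"subscription_id_connectivity"` are declared with neither `default` nor `description`, which makes them required inputs, so the `var.x == null ? data.azurerm_client_config... : var.x` fallback that enterprise_scale.tf builds on them only fires when a caller passes null explicitly; adding `default = null` and a description to each (and a default to `disable_base_module_tags`, `tags` and `default_tags`, which are mandatory for the same reason) restores the opt-in behaviour the add-on seems to intend. The `configure_management_resources` default ships `email_security_contact = "security_contact@replace_me"`, so a deployment that enables `security_center` without overriding the whole object points Defender for Cloud notifications at a placeholder address; leaving that field without a usable default, or adding a `validation` block that rejects the placeholder, forces the caller to supply a monitored mailbox. The `root_parent_id` description in the first hunk reads "bellow" for "below".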