Merge pull request #248 from Azure/topics/tb-111

Updates to Mission Enclave Starter, Migration of modules to overlays, bug fixes

<!-- Thank you for submitting a Pull Request. Please fill out the template below.-->
## Overview/Summary

Replace this with a brief description of what this Pull Request fixes, changes, etc.

## This PR fixes/adds/changes/removes

1. *Replace me*
2. *Replace me*
3. *Replace me*

### Breaking Changes

1. *Replace me*
2. *Replace me*

## Testing Evidence

Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

## As part of this Pull Request I have

- [ ] Checked for duplicate [Pull Requests](https://github.com/azure/NoOpsAccelerator/pulls)
- [ ] Associated it with relevant [GitHub Issues](https://github.com/azure/NoOpsAccelerator/issues)
- [ ] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/azure/NoOpsAccelerator/tree/main)
- [ ] Performed testing and provided evidence.
- [ ] Updated relevant and associated documentation.

src/examples/terraform/scca-compliant-mission-enclave-starter/0-variables.tf

@@ -23,7 +23,7 @@ variable "tags" {
   type        = map(string)
   default = {
     "Organization" : "anoa",
-    "Region" : "usgovvirginia",
+    "Region" : "usgovarizona",
     "DeployEnvironment" : "dev"
   }
 }
@@ -73,7 +73,7 @@ variable "metadata_host" {
 variable "location" {
   description = "List of Azure regions into which stamps are deployed. Important: The first location in this list will be used as the main location for this deployment."
   type        = string
-  default     = "eastus"
+  default     = "usgovarizona"
 }
 
 variable "root_management_group_id" {
@@ -155,7 +155,7 @@ variable "management_groups" {
       display_name               = "transport"
       management_group_name      = "transport"
       parent_management_group_id = "platforms"
-      subscription_ids           = ["<<subscriptionId>>"]
+      subscription_ids           = ["subscriptionID"]
     },
     "management" = {
       display_name               = "management"
@@ -208,7 +208,7 @@ variable "log_analytics_config" {
 variable "hub_subscription_id" {
   description = "Subscription ID for the Hub deployment"
   type        = string
-  default     = "<<subscriptionId>>"
+  default     = "subscriptionID"
 
   validation {
     condition     = can(regex("^[a-z0-9-]{36}$", var.hub_subscription_id)) || var.hub_subscription_id == ""
@@ -510,7 +510,7 @@ variable "firewall_supernet_IP_address" {
 variable "ops_subscription_id" {
   description = "Subscription ID for the Operations Virtual Network deployment"
   type        = string
-  default     = "<<subscriptionId>>"
+  default     = "subscriptionID"
 
   validation {
     condition     = can(regex("^[a-z0-9-]{36}$", var.ops_subscription_id)) || var.ops_subscription_id == ""
@@ -591,7 +591,7 @@ variable "ops_storage_account_config" {
 variable "svcs_subscription_id" {
   description = "Subscription ID for the Shared Services Virtual Network deployment"
   type        = string
-  default     = "<<subscriptionId>>"
+  default     = "subscriptionID"
 
   validation {
     condition     = can(regex("^[a-z0-9-]{36}$", var.svcs_subscription_id)) || var.svcs_subscription_id == ""
@@ -737,7 +737,7 @@ variable "create_cosmosdb_sql_container" {
 variable "dev_team_subscription_id" {
   description = "Subscription ID for the Workload Virtual Network deployment"
   type        = string
-  default     = "<<subscriptionId>>"
+  default     = "subscriptionID"
 
   validation {
     condition     = can(regex("^[a-z0-9-]{36}$", var.dev_team_subscription_id)) || var.dev_team_subscription_id == ""
@@ -824,7 +824,7 @@ variable "dev_team_logging_storage_account_config" {
 variable "prod_subscription_id" {
   description = "Subscription ID for the Workload Virtual Network deployment"
   type        = string
-  default     = "<<subscriptionId>>"
+  default     = "subscriptionID"
 
   validation {
     condition     = can(regex("^[a-z0-9-]{36}$", var.prod_subscription_id)) || var.prod_subscription_id == ""

src/terraform/core/overlays/bastionHosts/main.tf

@@ -33,7 +33,7 @@ resource "azurerm_public_ip" "pip" {
   allocation_method   = var.public_ip_allocation_method
   sku                 = var.public_ip_sku # Mandatory for Azure Bastion host is Standard
   domain_name_label   = var.domain_name_label != null ? var.domain_name_label : format("gw%s%s", lower(replace(coalesce(var.custom_bastion_name, data.azurenoopsutils_resource_name.bastion.result), "/[[:^alnum:]]/", "")), random_string.str.result)
-  zones               = var.public_ip_zones
+  #zones               = var.public_ip_zones
 
   tags = merge(local.default_tags, var.extra_tags)
 

src/terraform/core/overlays/bastionHosts/variables.tf

@@ -82,42 +82,133 @@ variable "network_security_group_bastion_id" {
   default     = " "
 }
 
-variable "bastion_host_nsg_inbound_rules" {
-  type        = list(map(string))
-  default     = []
-  description = "List of objects that represent the configuration of each inbound rule."
-  # inbound_rules = [
-  #   {
-  #     name                       = ""
-  #     priority                   = ""
-  #     access                     = ""
-  #     protocol                   = ""
-  #     source_address_prefix      = ""
-  #     source_port_range          = ""
-  #     destination_address_prefix = ""
-  #     destination_port_range     = ""
-  #     description                = ""
-  #   }
-  # ]
-}
+#variable "bastion_host_nsg_inbound_rules" {
+#type        = list(map(string))
+#default     = []
+#description = "List of objects that represent the configuration of each inbound rule."
+# inbound_rules = [
+#   {
+#     name                       = ""
+#     priority                   = ""
+#     access                     = ""
+#     protocol                   = ""
+#     source_address_prefix      = ""
+#     source_port_range          = ""
+#     destination_address_prefix = ""
+#     destination_port_range     = ""
+#     description                = ""
+#   }
+# ]
+#}
 
-variable "bastion_host_nsg_outbound_rules" {
-  type        = list(map(string))
-  default     = []
-  description = "List of objects that represent the configuration of each outbound rule."
-  # outbound_rules = [
-  #   {
-  #     name                       = ""
-  #     priority                   = ""
-  #     access                     = ""
-  #     protocol                   = ""
-  #     source_address_prefix      = ""
-  #     source_port_range          = ""
-  #     destination_address_prefix = ""
-  #     destination_port_range     = ""
-  #     description                = ""
-  #   }
-  # ]
+#variable "bastion_host_nsg_outbound_rules" {
+#type        = list(map(string))
+#default     = []
+#description = "List of objects that represent the configuration of each outbound rule."
+# outbound_rules = [
+#   {
+#     name                       = ""
+#     priority                   = ""
+#     access                     = ""
+#     protocol                   = ""
+#     source_address_prefix      = ""
+#     source_port_range          = ""
+#     destination_address_prefix = ""
+#     destination_port_range     = ""
+#     description                = ""
+#   }
+# ]
+#}
+
+variable "nsg_inbound_rules" {
+  type = list(object({
+    name                       = string
+    priority                   = number
+    direction                  = string
+    access                     = string
+    protocol                   = string
+    source_address_prefix      = string
+    source_port_range          = string
+    destination_address_prefix = string
+    destination_port_range     = string
+  }))
+  default = [
+    {
+      name                       = "AllowHttpsInbound"
+      priority                   = 120
+      direction                  = "Inbound"
+      access                     = "Allow"
+      protocol                   = "Tcp"
+      source_address_prefix      = "*"
+      source_port_range          = "*"
+      destination_address_prefix = "*"
+      destination_port_range     = "443"
+    },
+    {
+      name                       = "AllowGatewayManagerInbound"
+      priority                   = 130
+      direction                  = "Inbound"
+      access                     = "Allow"
+      protocol                   = "Tcp"
+      source_address_prefix      = "*"
+      source_port_range          = "*"
+      destination_address_prefix = "*"
+      destination_port_range     = "443"
+    }
+  ]
+}
+variable "nsg_SshRdp_outbound_rules" {
+  type = list(object({
+    name                       = string
+    priority                   = number
+    direction                  = string
+    access                     = string
+    protocol                   = string
+    source_address_prefix      = string
+    source_port_range          = string
+    destination_address_prefix = string
+    destination_port_range     = list(string)
+  }))
+
+  default = [
+    {
+      name                       = "AllowSshRdpOutbound"
+      priority                   = 100
+      direction                  = "outbound"
+      access                     = "Allow"
+      protocol                   = "*"
+      source_address_prefix      = "*"
+      source_port_range          = "*"
+      destination_address_prefix = "*"
+      destination_port_range     = ["22", "3389"]
+    }
+  ]
+}
+variable "nsg_AllowAzureCloud_outbound_rules" {
+  type = list(object({
+    name                       = string
+    priority                   = number
+    direction                  = string
+    access                     = string
+    protocol                   = string
+    source_address_prefix      = string
+    source_port_range          = string
+    destination_address_prefix = string
+    destination_port_range     = string
+  }))
+  default = [
+    {
+      name                       = "AllowAzureCloudOutbound"
+      priority                   = 110
+      direction                  = "Inbound"
+      access                     = "Allow"
+      protocol                   = "Tcp"
+      source_address_prefix      = "*"
+      source_port_range          = "*"
+      destination_address_prefix = "*"
+      destination_port_range     = "443"
+    }
+  ]
 }
 
 variable "domain_name_label" {

src/terraform/core/overlays/redisCaches/variables.tf

@@ -110,7 +110,7 @@ variable "redis_configuration" {
 variable "authorized_cidrs" {
   description = "Map of authorized cidrs"
   type        = map(string)
-  default = {}
+  default     = {}
 }
 
 variable "allow_non_ssl_connections" {
@@ -171,7 +171,7 @@ variable "data_persistence_storage_account_replication" {
 variable "redis_version" {
   description = "Redis version to deploy. Allowed values are 4 or 6"
   type        = number
-  default     = 4
+  default     = 6
 }
 
 variable "zones" {
@@ -189,4 +189,4 @@ variable "patch_schedules" {
     start_hour_utc     = optional(string)
     maintenance_window = optional(string)
   }))
-}
+}