Move eslz under caf_solution add-ons

lolorol 2021-03-29 15:19:26 +00:00
Родитель ddc80c3ea3
Коммит 060ce72a59
35 изменённых файлов: 199 добавлений и 936 удалений


@ -1,4 +0,0 @@
terraform {
backend "azurerm" {
}
}


@ -1,51 +0,0 @@
locals {
landingzone = {
current = {
storage_account_name = var.tfstate_storage_account_name
container_name = var.tfstate_container_name
resource_group_name = var.tfstate_resource_group_name
}
lower = {
storage_account_name = var.lower_storage_account_name
container_name = var.lower_container_name
resource_group_name = var.lower_resource_group_name
}
}
}
data "terraform_remote_state" "remote" {
for_each = try(var.landingzone.tfstates, {})
backend = var.landingzone.backend_type
config = {
storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
container_name = local.landingzone[try(each.value.level, "current")].container_name
resource_group_name = local.landingzone[try(each.value.level, "current")].resource_group_name
subscription_id = var.tfstate_subscription_id
key = each.value.tfstate
}
}
locals {
landingzone_tag = {
"landingzone" = var.landingzone.key
}
global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].global_settings
diagnostics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics
caf = {
tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
global_settings = {
for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].global_settings, {}))
}
diagnostics = {
for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].diagnostics, {}))
}
managed_identities = {
for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].managed_identities, {}))
}
}
}


@ -1,18 +0,0 @@
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 2.52.0"
}
}
required_version = ">= 0.13"
}
provider "azurerm" {
features {}
}
data "azurerm_client_config" "current" {}


@ -1,147 +0,0 @@
variable "landing_zones_variables" {
default = {}
}
# Map of the remote data state
variable "lower_storage_account_name" {
description = "This value is propulated by the rover"
}
variable "lower_container_name" {
description = "This value is propulated by the rover"
}
variable "lower_resource_group_name" {
description = "This value is propulated by the rover"
}
variable "tfstate_subscription_id" {
description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
}
variable "tfstate_storage_account_name" {
description = "This value is propulated by the rover"
}
variable "tfstate_container_name" {
description = "This value is propulated by the rover"
}
variable "tfstate_resource_group_name" {
description = "This value is propulated by the rover"
}
variable "diagnostics_definition" {
default = {}
}
variable "landingzone" {
default = {
backend_type = "azurerm"
global_settings_key = "launchpad"
level = "level1"
key = "enterprise_scale"
tfstates = {
launchpad = {
level = "lower"
tfstate = "caf_launchpad.tfstate"
}
}
}
}
variable "user_type" {}
variable "tenant_id" {}
variable "rover_version" {}
variable "logged_user_objectId" {
default = null
}
variable "tags" {
type = map(any)
default = {}
}
variable "root_id" {
type = string
description = "If specified, will set a custom Name (ID) value for the Enterprise-scale \"root\" Management Group, and append this to the ID for all core Enterprise-scale Management Groups."
default = "es"
validation {
condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_id))
error_message = "The root_id value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens."
}
}
variable "root_name" {
type = string
description = "If specified, will set a custom Display Name value for the Enterprise-scale \"root\" Management Group."
default = "Enterprise-Scale"
validation {
condition = can(regex("^[A-Za-z][A-Za-z0-9- ._]{1,22}[A-Za-z0-9]?$", var.root_name))
error_message = "The root_name value must be between 2 to 24 characters long, start with a letter, end with a letter or number, and can only contain space, hyphen, underscore or period characters."
}
}
variable "deploy_core_landing_zones" {
type = bool
description = "If set to true, will include the core Enterprise-scale Management Group hierarchy."
default = false
}
variable "archetype_config_overrides" {
type = map(any)
description = "If specified, will set custom Archetype configurations to the default Enterprise-scale Management Groups."
default = {}
}
variable "subscription_id_overrides" {
type = map(list(string))
description = "If specified, will be used to assign subscription_ids to the default Enterprise-scale Management Groups."
default = {}
}
variable "deploy_demo_landing_zones" {
type = bool
description = "If set to true, will include the demo \"Landing Zone\" Management Groups."
default = false
}
variable "custom_landing_zones" {
type = map(
object({
display_name = string
parent_management_group_id = string
subscription_ids = list(string)
archetype_config = object({
archetype_id = string
parameters = any
access_control = any
})
})
)
description = "If specified, will deploy additional Management Groups alongside Enterprise-scale core Management Groups."
default = {}
validation {
condition = can(regex("^[a-z0-9-]{2,36}$", keys(var.custom_landing_zones)[0])) || length(keys(var.custom_landing_zones)) == 0
error_message = "The custom_landing_zones keys must be between 2 to 36 characters long and can only contain lowercase letters, numbers and hyphens."
}
}
variable "library_path" {
type = string
description = "If specified, sets the path to a custom library folder for archetype artefacts."
default = ""
}
variable "template_file_variables" {
type = map(any)
description = "If specified, provides the ability to define custom template variables used when reading in template files from the built-in and custom library_path."
default = {}
}
variable "default_location" {
type = string
description = "If specified, will use set the default location used for resource deployments where needed."
default = "eastus"
# Need to add validation covering all Azure locations
}


@ -1,44 +0,0 @@
# Cloud Adoption Framework for Azure - Landing zones on Terraform - Enterprise-Scale
The foundations landing zone allows you to manage the core components of an environment:
* Management groups
* Policies
Foundations landing zone operates at **level 1**.
For a review of the hierarchy approach of Cloud Adoption Framework for Azure landing zones on Terraform, you can refer to [the following documentation](../../documentation/code_architecture/hierarchy.md).
</BR>
## Components
CAF eslz leverages the enterprise-scale module in order to deploy its core components.
For full description on enterprise_scale module usage, please [refer to the repository](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale)
This is currently work in progress.
Use the following configuration file in order to get started with the enterprise-scale module integration:
```bash
# This example will setup the complete enterprise-scale fundamentals management groups and policies. Please make sure you have appropriate privileges on the tenant and subscription
rover -lz /tf/caf/public/landingzones/caf_eslz \
-var-folder /tf/caf/public/landingzones/caf_eslz/scenario/100 \
-level level1 \
-a [plan|apply|destroy]
# This example will setup custom enterprise-scale management groups and policies. Please make sure you have appropriate privileges on the tenant and subscription
rover -lz /tf/caf/public/landingzones/caf_eslz \
-var-folder /tf/caf/public/landingzones/caf_eslz/scenario/200 \
-level level1 \
-a [plan|apply|destroy]
# If the tfstates are stored in a different subscription you need to execute the following command
rover -lz /tf/caf/public/landingzones/caf_eslz \
-tfstate_subscription_id <ID of the subscription> \
-var-folder /tf/caf/public/landingzones/caf_foundations/scenario/200 \
-level level1 \
-a apply
```


@ -39,7 +39,7 @@ locals {
parameters = {
for param_key, param_value in try(mg_value.parameters, {}) : param_key => {
for key, value in param_value : key => try(local.caf[value.output_key][value.lz_key][value.resource_type][value.resource_key][value.attribute_key], value)
for key, value in param_value : key => jsonencode(try(local.caf[value.output_key][value.lz_key][value.resource_type][value.resource_key][value.attribute_key], value.value))
}
}
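Review bot: The fallback in the new `jsonencode(try(local.caf[...], value.value))` line accepts two entry shapes without saying so: a remote-state reference (`lz_key`/`output_key`/`resource_type`/`resource_key`/`attribute_key`) or a literal `value`; when an entry carries both, a mistyped reference is silently replaced by the literal, and a policy parameter such as a Log Analytics workspace id then points somewhere other than intended with no plan-time error. A comment above the inner for-expression, e.g. `# Each parameter is either a literal { value = ... } or a remote-state reference; the literal is only used when the reference lookup fails`, would make that contract explicit to whoever writes the scenario files. The enclosing `locals` block starts before the hunk.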


@ -1,25 +0,0 @@
# For full description on enterprise_scale module usage, please refer to https://github.com/Azure/terraform-azurerm-caf-enterprise-scale
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "0.0.8"
root_parent_id = data.azurerm_client_config.current.tenant_id
root_id = var.root_id
root_name = var.root_name
deploy_core_landing_zones = var.deploy_core_landing_zones
# Control whether to deploy the demo landing zones // default = false
deploy_demo_landing_zones = var.deploy_demo_landing_zones
# Set a path for the custom archetype library path
library_path = try(format("%s", var.library_path), "")
# Deploys the custom landing zone configuration as defined in config file
custom_landing_zones = var.custom_landing_zones
subscription_id_overrides = var.subscription_id_overrides
archetype_config_overrides = var.archetype_config_overrides
default_location = local.global_settings.regions[local.global_settings.default_region]
}


@ -31,16 +31,21 @@ locals {
"landingzone" = var.landingzone.key
}
tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].global_settings
diagnostics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.objects[var.landingzone.global_settings_key].diagnostics
global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.global_settings
caf = {
tags = merge(local.global_settings.tags, local.landingzone_tag, { "level" = var.landingzone.level }, { "environment" = local.global_settings.environment }, { "rover_version" = var.rover_version }, var.tags)
diagnostics = {
diagnostics_definition = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition
diagnostics_destinations = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations
storage_accounts = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts
log_analytics = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics
event_hub_namespaces = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces
global_settings = {
for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].global_settings, {}))
}
diagnostics = {
for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].diagnostics, {}))
}
managed_identities = {
for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.objects[key].managed_identities, {}))
}
}
}
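Review bot: In the `caf` map, `merge(try(... .managed_identities, {}))` wraps a single argument, so `merge` is a no-op and the `try` turns a missing `objects[key].managed_identities` output into an empty map; these identities appear to be what the scenario's `access_control` entries resolve principal ids from, so a tfstate that does not export them would pass plan and quietly yield no role assignment instead of an error. Dropping the redundant `merge` and either documenting the fallback, e.g. `# empty when the remote tfstate exports no managed identities (no role assignments are generated for it)`, or leaving that one lookup without `try` so the failure is visible, would make the behaviour deliberate. Which of these lines are new is inferred from the print order (they match the ones removed from the old caf_eslz locals), and the enclosing `locals` block starts before the hunk.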


@ -1,18 +1,18 @@
terraform {
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 2.52.0"
}
}
required_version = ">= 0.13"
}
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = true
}
}
features {}
}
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}
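Review bot: The provider block gives no hint why the `key_vault` feature flags changed; whichever side carries `purge_soft_delete_on_destroy = true`, that line decides whether `destroy` permanently purges vault contents or leaves them recoverable for the soft-delete retention period, and a one-line comment above `features` recording which behaviour is intended (and that a purged vault name can be reused only after purge) would keep the next editor from flipping it back. From the print order `features {}` looks like the new side, but the rendering does not make that certain.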



@ -1,25 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "launchpad"
level = "level1"
key = "caf_eslz"
tfstates = {
launchpad = {
level = "lower"
tfstate = "caf_launchpad.tfstate"
}
}
}
enterprise_scale = {
# Define a custom ID to use for the root Management Group
# Also used as a prefix for all core Management Group IDs
# root_id = "caf"
# root_name = "CAF-RootManagementGroup"
# Control whether to deploy the default core landing zones // default = true
deploy_core_landing_zones = true
# Control whether to deploy the demo landing zones // default = false
deploy_demo_landing_zones = false
}


@ -1,45 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "launchpad"
level = "level1"
key = "caf_foundations"
tfstates = {
launchpad = {
level = "lower"
tfstate = "caf_launchpad.tfstate"
}
}
}
enterprise_scale = {
#path to the policies definition and assignment repo
library_path = "/tf/caf/public/landingzones/caf_eslz/scenario/200/lib"
#management groups hierarchy configuration
custom_landing_zones = {
caf = {
display_name = "CAF-RootManagementGroup"
parent_management_group_id = ""
subscription_ids = []
archetype_config = {
archetype_id = "es_root"
parameters = {}
access_control = {}
}
}
child-caf = {
display_name = "CAF-ChildManagementGroup"
parent_management_group_id = "caf"
subscription_ids = []
archetype_config = {
archetype_id = "es_management"
parameters = {
ES-Deploy-ForwardDiagLog = {
logAnalytics = "central_logs_region1"
}
}
access_control = {}
}
}
}
}


@ -1,12 +0,0 @@
{
"es_management": {
"policy_assignments": [
"ES-Deploy-ASC-Standard"
],
"policy_definitions": [
],
"policy_set_definitions": [],
"role_assignments": [],
"role_definitions": []
}
}


@ -1,13 +0,0 @@
{
"es_root": {
"policy_assignments": [
"ES-Deploy-ASC-Standard"
],
"policy_definitions": [
"ES-Deploy-ASC-Standard"
],
"policy_set_definitions": [],
"role_assignments": [],
"role_definitions": []
}
}


@ -1,28 +0,0 @@
{
"name": "ES-Allowed-Locations",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Specifies the allowed locations (regions) where resources can be deployed",
"displayName": "ES-Allowed-Resource-Locations",
"notScopes": [],
"parameters": {
"listOfAllowedLocations": {
"value": [
"uksouth",
"ukwest"
]
}
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
"scope": "${current_scope_resource_id}"
},
"sku": {
"name": "A0",
"tier": "Free"
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,28 +0,0 @@
{
"name": "ES-Allowed-RSG-Locations",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Specifies the allowed locations (regions) where Resource Groups can be deployed",
"displayName": "ES-Allowed-ResourceGroup-Locations",
"notScopes": [],
"parameters": {
"listOfAllowedLocations": {
"value": [
"uksouth",
"ukwest"
]
}
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
"scope": "${current_scope_resource_id}"
},
"sku": {
"name": "A0",
"tier": "Free"
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,28 +0,0 @@
{
"name": "ES-Deploy-ASC-ContExport",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Deploy ASC Continuous Export To Log Analytics Workspace.",
"displayName": "ES-Deploy-ASC-ContinuousExportToWorkspace",
"notScopes": [],
"parameters": {
"resourceGroupLocation": {
"value": null
},
"workspaceResourceId": {
"value": null
}
},
"policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-ASC-ContinuousExportToWorkspace",
"scope": "${current_scope_resource_id}"
},
"sku": {
"name": "A0",
"tier": "Free"
},
"location": "${default_location}",
"identity": {
"type": "SystemAssigned"
}
}


@ -1,88 +0,0 @@
{
"name": "ES-Deploy-ASC-Monitoring",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Enable Monitoring in Azure Security Center.",
"displayName": "ES-Deploy-ASC-Monitoring",
"notScopes": [],
"parameters": {
"aadAuthenticationInSqlServerMonitoringEffect": {
"value": "Disabled"
},
"diskEncryptionMonitoringEffect": {
"value": "Disabled"
},
"encryptionOfAutomationAccountMonitoringEffect": {
"value": "Disabled"
},
"identityDesignateLessThanOwnersMonitoringEffect": {
"value": "Disabled"
},
"identityDesignateMoreThanOneOwnerMonitoringEffect": {
"value": "Disabled"
},
"identityEnableMFAForWritePermissionsMonitoringEffect": {
"value": "Disabled"
},
"identityRemoveDeprecatedAccountMonitoringEffect": {
"value": "Disabled"
},
"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
"value": "Disabled"
},
"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
"value": "Disabled"
},
"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
"value": "Disabled"
},
"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
"value": "Disabled"
},
"jitNetworkAccessMonitoringEffect": {
"value": "Disabled"
},
"networkSecurityGroupsOnSubnetsMonitoringEffect": {
"value": "AuditIfNotExists"
},
"sqlDbEncryptionMonitoringEffect": {
"value": "Disabled"
},
"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
"value": "Disabled"
},
"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": {
"value": "Disabled"
},
"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": {
"value": "Disabled"
},
"sqlServerAdvancedDataSecurityMonitoringEffect": {
"value": "Disabled"
},
"systemUpdatesMonitoringEffect": {
"value": "Disabled"
},
"useRbacRulesMonitoringEffect": {
"value": "Disabled"
},
"vmssSystemUpdatesMonitoringEffect": {
"value": "Disabled"
},
"windowsDefenderExploitGuardMonitoringEffect": {
"value": "Disabled"
}
},
"policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
"scope": "${current_scope_resource_id}"
},
"sku": {
"name": "A0",
"tier": "Free"
},
"location": "${default_location}",
"identity": {
"type": "SystemAssigned"
}
}


@ -1,21 +0,0 @@
{
"name": "ES-Deploy-ASC-Standard",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Deploy Azure Security Center Standard Tier.",
"displayName": "ES-Deploy-ASC-Standard",
"notScopes": [],
"parameters": {},
"policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-ASC-Standard",
"scope": "${current_scope_resource_id}"
},
"sku": {
"name": "A0",
"tier": "Free"
},
"location": "${default_location}",
"identity": {
"type": "SystemAssigned"
}
}


@ -1,25 +0,0 @@
{
"name": "ES-Deploy-ForwardActLogs",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.",
"displayName": "ES-Deploy-Diagnostics-ForwardActivityLogs",
"notScopes": [],
"parameters": {
"logAnalytics": {
"value": null
}
},
"policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-Diagnostics-LogAnalytics",
"scope": "${current_scope_resource_id}"
},
"sku": {
"name": "A0",
"tier": "Free"
},
"location": "${default_location}",
"identity": {
"type": "SystemAssigned"
}
}


@ -1,25 +0,0 @@
{
"name": "ES-Deploy-ForwardDiagLog",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.",
"displayName": "ES-Deploy-Diagnostics-ForwardDiagnosticLogs",
"notScopes": [],
"parameters": {
"logAnalytics": {
"value": null
}
},
"policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/ES-Deploy-Diagnostics-LogAnalytics",
"scope": "${current_scope_resource_id}"
},
"sku": {
"name": "A0",
"tier": "Free"
},
"location": "${default_location}",
"identity": {
"type": "SystemAssigned"
}
}


@ -1,284 +0,0 @@
{
"name": "ES-Deploy-ASC-Standard",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2019-09-01",
"properties": {
"description": "Ensures that subscriptions have Security Center Standard enabled.",
"displayName": "ES-Deploy-ASC-Standard",
"mode": "All",
"parameters": {
"pricingTierVMs": {
"type": "String",
"metadata": {
"displayName": "pricingTierVMs",
"description": ""
},
"allowedValues": [
"Standard",
"Free"
],
"defaultValue": "Standard"
},
"pricingTierSqlServers": {
"type": "String",
"metadata": {
"displayName": "pricingTierSqlServers",
"description": ""
},
"allowedValues": [
"Standard",
"Free"
],
"defaultValue": "Standard"
},
"pricingTierAppServices": {
"type": "String",
"metadata": {
"displayName": "pricingTierAppServices",
"description": ""
},
"allowedValues": [
"Standard",
"Free"
],
"defaultValue": "Standard"
},
"pricingTierStorageAccounts": {
"type": "String",
"metadata": {
"displayName": "pricingTierStorageAccounts",
"description": ""
},
"allowedValues": [
"Standard",
"Free"
],
"defaultValue": "Standard"
},
"pricingTierContainerRegistry": {
"type": "String",
"metadata": {
"displayName": "pricingTierContainerRegistry",
"description": ""
},
"allowedValues": [
"Standard",
"Free"
],
"defaultValue": "Standard"
},
"pricingTierKeyVaults": {
"type": "String",
"metadata": {
"displayName": "pricingTierKeyVaults",
"description": ""
},
"allowedValues": [
"Standard",
"Free"
],
"defaultValue": "Standard"
},
"pricingTierKubernetesService": {
"type": "String",
"metadata": {
"displayName": "pricingTierKubernetesService",
"description": ""
},
"allowedValues": [
"Standard",
"Free"
],
"defaultValue": "Standard"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Security/pricings",
"deploymentScope": "subscription",
"existenceScope": "subscription",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Security/pricings/pricingTier",
"equals": "Standard"
},
{
"field": "type",
"equals": "Microsoft.Security/pricings"
}
]
},
"deployment": {
"location": "northeurope",
"properties": {
"mode": "incremental",
"parameters": {
"pricingTierVMs": {
"value": "[parameters('pricingTierVMs')]"
},
"pricingTierSqlServers": {
"value": "[parameters('pricingTierSqlServers')]"
},
"pricingTierAppServices": {
"value": "[parameters('pricingTierAppServices')]"
},
"pricingTierStorageAccounts": {
"value": "[parameters('pricingTierStorageAccounts')]"
},
"pricingTierContainerRegistry": {
"value": "[parameters('pricingTierContainerRegistry')]"
},
"pricingTierKeyVaults": {
"value": "[parameters('pricingTierKeyVaults')]"
},
"pricingTierKubernetesService": {
"value": "[parameters('pricingTierKubernetesService')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"pricingTierVMs": {
"type": "string",
"metadata": {
"description": "pricingTierVMs"
}
},
"pricingTierSqlServers": {
"type": "string",
"metadata": {
"description": "pricingTierSqlServers"
}
},
"pricingTierAppServices": {
"type": "string",
"metadata": {
"description": "pricingTierAppServices"
}
},
"pricingTierStorageAccounts": {
"type": "string",
"metadata": {
"description": "pricingTierStorageAccounts"
}
},
"pricingTierContainerRegistry": {
"type": "string",
"metadata": {
"description": "ContainerRegistry"
}
},
"pricingTierKeyVaults": {
"type": "string",
"metadata": {
"description": "KeyVaults"
}
},
"pricingTierKubernetesService": {
"type": "string",
"metadata": {
"description": "KubernetesService"
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "VirtualMachines",
"properties": {
"pricingTier": "[parameters('pricingTierVMs')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "StorageAccounts",
"dependsOn": [
"[concat('Microsoft.Security/pricings/VirtualMachines')]"
],
"properties": {
"pricingTier": "[parameters('pricingTierStorageAccounts')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "AppServices",
"dependsOn": [
"[concat('Microsoft.Security/pricings/StorageAccounts')]"
],
"properties": {
"pricingTier": "[parameters('pricingTierAppServices')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "SqlServers",
"dependsOn": [
"[concat('Microsoft.Security/pricings/AppServices')]"
],
"properties": {
"pricingTier": "[parameters('pricingTierSqlServers')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "KeyVaults",
"dependsOn": [
"[concat('Microsoft.Security/pricings/SqlServers')]"
],
"properties": {
"pricingTier": "[parameters('pricingTierKeyVaults')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "KubernetesService",
"dependsOn": [
"[concat('Microsoft.Security/pricings/KeyVaults')]"
],
"properties": {
"pricingTier": "[parameters('pricingTierKubernetesService')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "ContainerRegistry",
"dependsOn": [
"[concat('Microsoft.Security/pricings/KubernetesService')]"
],
"properties": {
"pricingTier": "[parameters('pricingTierContainerRegistry')]"
}
}
],
"outputs": {}
}
}
}
}
}
}
}
}


@ -0,0 +1,77 @@
archetype_config_overrides = {
root = {
archetype_id = "es_root"
parameters = {
"Deploy-Resource-Diag" = {
"logAnalytics" = {
# value = "resource_id"
lz_key = "caf_foundations_sharedservices"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_region1"
attribute_key = "id"
}
}
}
access_control = {
"Contributor" = {
"managed_identities" = {
# principal_ids = ["principal_id1", "principal_id2"]
lz_key = "launchpad"
attribute_key = "principal_id"
resource_keys = [
"level1"
]
}
}
}
}
# decommissioned = {
# archetype_id = "es_decommissioned"
# parameters = {}
# access_control = {}
# }
# sandboxes = {
# archetype_id = "es_sandboxes"
# parameters = {}
# access_control = {}
# }
landing-zones = {
archetype_id = "es_landing_zones"
parameters = {}
access_control = {
"Contributor" = {
"managed_identities" = {
# principal_ids = ["principal_id1", "principal_id2"]
lz_key = "launchpad"
attribute_key = "principal_id"
resource_keys = [
"level3", "subscription_creation_landingzones"
]
}
}
}
}
# platform = {
# archetype_id = "es_platform"
# parameters = {}
# access_control = {}
# }
# connectivity = {
# archetype_id = "es_connectivity_foundation"
# parameters = {}
# access_control = {}
# }
# management = {
# archetype_id = "es_management"
# parameters = {}
# access_control = {}
# }
}
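Review bot: The `root` override grants `Contributor` to the launchpad `level1` managed identity at the root management group, a role every subscription in the hierarchy inherits, and nothing in the file records why tenant-wide write access is needed rather than a narrower role or the `platform`/`landing-zones` scope. A comment beside the assignment, e.g. `# Contributor at root: required by the level1 MSI for <reason> - TODO confirm minimum role and scope`, would let reviewers check least privilege; the same question applies to `landing-zones`, where both `level3` and `subscription_creation_landingzones` receive Contributor. This is a sample scenario, so the values are illustrative, but it is the template users will copy.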


@ -0,0 +1,47 @@
custom_landing_zones = {
contoso-devops = {
display_name = "Devops"
parent_management_group_id = "contoso-platform"
subscription_ids = []
archetype_config = {
archetype_id = "default_empty"
parameters = {}
access_control = {}
}
}
contoso-staging = {
display_name = "Staging"
parent_management_group_id = "contoso-landing-zones"
subscription_ids = []
archetype_config = {
archetype_id = "default_empty"
parameters = {}
access_control = {}
}
}
contoso-dev = {
display_name = "Dev"
parent_management_group_id = "contoso-landing-zones"
subscription_ids = []
archetype_config = {
archetype_id = "default_empty"
parameters = {}
access_control = {}
}
}
contoso-production = {
display_name = "Production"
parent_management_group_id = "contoso-landing-zones"
subscription_ids = []
archetype_config = {
archetype_id = "default_empty"
parameters = {}
access_control = {}
}
}
}


@ -0,0 +1,4 @@
library_path = "landingzones/caf_solution/add-ons/caf_eslz/scenario/contoso" // Adjust the path as needed
root_id = "contoso"
root_name = "Contoso"
deploy_core_landing_zones = true
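Review bot: `library_path` is a relative path with only `// Adjust the path as needed` to go on, and the README deleted elsewhere in this commit (the one carrying the `rover -lz ... -var-folder ...` invocations) is not replaced by anything among the files shown, so a user of the add-on no longer has a statement of which directory the path is resolved against or how to run the scenario. A comment such as `# Relative to the directory rover runs terraform from (TODO confirm); points at this scenario's archetype library` would cover the first gap, and a README under the new add-on location the second.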


@ -0,0 +1,19 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "caf_foundations_sharedservices"
level = "level1"
key = "caf_foundations_enterprise_scale"
tfstates = {
// Remote tfstate to retrieve default location and log analytics workspace
caf_foundations_sharedservices = {
level = "current"
tfstate = "caf_foundations_sharedservices.tfstate"
}
// Remote tfstate to retrieve the MSI created by the launchpad and set permissions on the MG hierarchy
// Requires scenarion 200 to get access to Log Analytics key 'central_logs_region1'
launchpad = {
level = "lower"
tfstate = "caf_launchpad.tfstate"
}
}
}
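Review bot: The comment on the `launchpad` tfstate says it requires scenario 200 for the Log Analytics key `central_logs_region1`, but in this scenario that key is looked up with `lz_key = "caf_foundations_sharedservices"` (the `Deploy-Resource-Diag` parameter in archetype_config_overrides), while `launchpad` only supplies managed-identity principal ids; either the comment is stale from the old caf_eslz scenario or the `lz_key` is wrong, and the two should agree. If the reference is correct, move the sentence to the first entry, e.g. `// Remote tfstate for the default location and the log analytics workspace; requires foundations scenario 200 for key 'central_logs_region1'`, and fix `scenarion` to `scenario`.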


@ -0,0 +1,10 @@
subscription_id_overrides = {
root = []
decommissioned = []
sandboxes = []
landing-zones = []
platform = []
connectivity = []
management = []
identity = []
}


@ -1,7 +1,17 @@
variable "landing_zones_variables" {
default = {}
}
# Map of the remote data state
variable "lower_storage_account_name" {}
variable "lower_container_name" {}
variable "lower_resource_group_name" {}
variable "lower_storage_account_name" {
description = "This value is propulated by the rover"
}
variable "lower_container_name" {
description = "This value is propulated by the rover"
}
variable "lower_resource_group_name" {
description = "This value is propulated by the rover"
}
variable "tfstate_subscription_id" {
description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
@ -12,13 +22,14 @@ variable "tfstate_storage_account_name" {
variable "tfstate_container_name" {
description = "This value is propulated by the rover"
}
variable "tfstate_key" {
description = "This value is propulated by the rover"
}
variable "tfstate_resource_group_name" {
description = "This value is propulated by the rover"
}
variable "diagnostics_definition" {
default = {}
}
variable "landingzone" {
default = {
backend_type = "azurerm"
@ -34,6 +45,7 @@ variable "landingzone" {
}
}
variable "user_type" {}
variable "tenant_id" {}
variable "rover_version" {}
@ -75,7 +87,7 @@ variable "deploy_core_landing_zones" {
}
variable "archetype_config_overrides" {
type = map(any)
# type = map(any)
description = "If specified, will set custom Archetype configurations to the default Enterprise-scale Management Groups."
default = {}
}
@ -132,4 +144,4 @@ variable "default_location" {
default = "eastus"
# Need to add validation covering all Azure locations
}
}
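Review bot: Commenting out `type = map(any)` on `archetype_config_overrides` (assuming `# type = map(any)` is the new side, as the print order suggests) removes the only schema check on a variable that now carries nested `parameters`/`access_control` references, so a malformed override is caught only deep inside the locals that consume it. If `map(any)` was dropped because the entries no longer share one value type, say so and describe the expected shape in the `description`, e.g. `# type left open: entries mix object shapes; see the contoso scenario's archetype_config_overrides for the expected structure`. The repeated `propulated` in the new variable descriptions should read `populated`.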