Update templates

.devcontainer/devcontainer.json

@@ -20,7 +20,7 @@
     "settings": {
         "files.eol": "\n",
         "editor.tabSize": 2,
-        "terminal.integrated.scrollback": 32000,
+        "terminal.integrated.scrollback": 64000,
     },
 
     // Uncomment the next line if you want start specific services in your Docker Compose config.
@@ -30,7 +30,7 @@
     // "shutdownAction": "none",
 
     // Uncomment the next line to run commands after the container is created.
-    "postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chown -R $(whoami):$(whoami) /tf/caf ~/.ssh && sudo chmod 400 ~/.ssh/* && git config --global core.editor vi && pre-commit install && pre-commit autoupdate",
+    "postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chown -R $(whoami):$(whoami) /tf/caf ~/.ssh && sudo chmod 400 ~/.ssh/* && git config --global core.editor vim && pre-commit install && pre-commit autoupdate",
     "postStartCommand": "sudo chmod 666 /var/run/docker.sock && cp -f /tf/rover/version.txt /tf/caf/scripts/version.txt && sudo rm -rf /tf/rover && sudo ln -s /tf/caf/scripts /tf/rover",
 
     // Add the IDs of extensions you want installed when the container is created in the array below.

.devcontainer/docker-compose.yml

@@ -6,7 +6,7 @@
   version: '3.7'
   services:
     rover:
-      image: aztfmod/rover-preview:1.1.3-2201.190325
+      image: aztfmod/rover:1.1.3-2201.2104
       user: vscode
 
       labels:

caf_launchpad/landingzone.tf

@@ -4,7 +4,7 @@ module "launchpad" {
 
 
   # source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=master"
-  #source = "../../aztfmod"
+  # source = "../../aztfmod"
 
   providers = {
     azurerm.vhub = azurerm

templates/enterprise-scale/contoso/platform/connectivity.yaml

@@ -4,12 +4,12 @@ virtual_networks:
     resource_group_key: contoso_global_firewall
     region_key: region1
     address_space:
-      - 10.10.10.0/24
+      - <replace>
     specialsubnets:
       AzureFirewallSubnet:
         name: AzureFirewallSubnet
         cidr:
-          - 10.10.10.0/26
+          - <replace>
 
 
 azurerm_firewalls:
@@ -32,42 +32,3 @@ resource_groups:
   contoso_global_er_circuits:
     name: contoso-connectivity-global-er-circuits
     region_key: region1
-
-# private_links:
-#   - privatelink.adf.azure.com
-#   - privatelink.afs.azure.net
-#   - privatelink.api.azureml.ms
-#   - privatelink.azconfig.io
-#   - privatelink.azure-automation.net
-#   - privatelink.azure-devices.net
-#   - privatelink.azurecr.io
-#   - privatelink.azurewebsites.net
-#   - privatelink.blob.core.windows.net
-#   - privatelink.cassandra.cosmos.azure.com
-#   - privatelink.cognitiveservices.azure.com
-#   - privatelink.database.windows.net
-#   - privatelink.datafactory.azure.net
-#   # - privatelink.dfs.core.windows.net
-#   # - privatelink.documents.azure.com
-#   # - privatelink.eventgrid.azure.net
-#   # - privatelink.file.core.windows.net
-#   # - privatelink.gremlin.cosmos.azure.com
-#   # - privatelink.mariadb.database.azure.com
-#   # - privatelink.mongo.cosmos.azure.com
-#   # - privatelink.monitor.azure.com
-#   # - privatelink.mysql.database.azure.com
-#   # - privatelink.notebooks.azure.net
-#   # - privatelink.ods.opinsights.azure.com
-#   # - privatelink.oms.opinsights.azure.com
-#   # - privatelink.postgres.database.azure.com
-#   # - privatelink.queue.core.windows.net
-#   # - privatelink.redis.cache.windows.net
-#   # - privatelink.search.windows.net
-#   # - privatelink.service.signalr.net
-#   # - privatelink.servicebus.windows.net
-#   # - privatelink.sql.azuresynapse.net
-#   # - privatelink.table.core.windows.net
-#   # - privatelink.table.cosmos.azure.com
-#   # - privatelink.vaultcore.azure.net
-#   # - privatelink.web.core.windows.net
-

templates/enterprise-scale/contoso/platform/connectivity_express_route_peerings.yaml

@@ -6,17 +6,17 @@ express_route_circuit_peerings:
         lz_key: connectivity_express_route_prod
         key: prod
       peering_type: AzurePrivatePeering
-      primary_peer_address_prefix: 10.23.3.128/30
-      secondary_peer_address_prefix: 10.23.3.132/30
-      peer_asn: 65287
-      vlan_id: 300
+      primary_peer_address_prefix: <replace>
+      secondary_peer_address_prefix: <replace>
+      peer_asn: <replace>
+      vlan_id: <replace>
   non_prod:
     private_peering:
       express_route:
         lz_key: connectivity_express_route_non_prod
         key: non_prod
       peering_type: AzurePrivatePeering
-      primary_peer_address_prefix: 10.23.3.148/30
-      secondary_peer_address_prefix: 10.23.3.152/30
-      peer_asn: 65287
-      vlan_id: 300
+      primary_peer_address_prefix: <replace>
+      secondary_peer_address_prefix: <replace>
+      peer_asn: <replace>
+      vlan_id: <replace>

templates/enterprise-scale/contoso/platform/connectivity_virtual_hub.yaml

@@ -5,7 +5,7 @@ virtual_hubs:
       lz_key: virtual_wan
       key: global_wan
     region_key: region1
-    hub_address_prefix: 10.51.1.0/24
+    hub_address_prefix: <replace>
     deploy_s2s: false
     s2s_config:
       name: prod
@@ -22,7 +22,7 @@ virtual_hubs:
       lz_key: virtual_wan
       key: global_wan
     region_key: region1
-    hub_address_prefix: 10.51.192.0/24
+    hub_address_prefix: <replace>
     deploy_s2s: false
     s2s_config:
       name: non-prod

templates/enterprise-scale/contoso/platform/connectivity_vpn_sites.yaml

@@ -9,13 +9,11 @@ vpn_sites:
       key: global_wan
     device_vendor: checkpoint
     address_cidrs:
-      - 10.26.171.29/32
-      - 10.26.171.174/32
-      - 10.26.171.175/32
+      - <replace>
     links:
       primary:
         name: primary
-        ip_address: 202.152.224.2
+        ip_address: <replace>
         provider_name: Microsoft
         speed_in_mbps: 100
   non_prod:
@@ -28,12 +26,10 @@ vpn_sites:
       key: global_wan
     device_vendor: checkpoint
     address_cidrs:
-      - 10.26.171.29/32
-      - 10.26.171.174/32
-      - 10.26.171.175/32
+      - <replace>
     links:
       primary:
         name: primary
-        ip_address: 202.152.224.2
+        ip_address: <replace>
         provider_name: Microsoft
         speed_in_mbps: 100

templates/enterprise-scale/contoso/platform/contoso.caf.platform.yaml

@@ -53,7 +53,7 @@ configuration_folders:
   platform:
     # true: force the destination folder to be deleted and re-created before the files are created.
     # false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is.
-    cleanup_destination: false
+    cleanup_destination: true
     # base destination folder where rover ignite will store the tfvars files. No / at the end
     destination_base_path: /tf/caf
     # destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end
@@ -83,6 +83,11 @@ platform_core_setup:
       v1.1.1:
         caf_landingzone_branch: "2112.int"
 
+platform_management:
+  enable: true
+
+networking_topology:
+  deployment_option: virtual_wan
 
 platform_identity:
   # Set the Azure Active Directory tenant name (primary domain name)

templates/enterprise-scale/contoso/platform/identity.yaml

@@ -3,24 +3,3 @@ level1:
     central_logs_sea:
       name: log
 
-  azuread_groups:
-    caf_ac_prod_arthemis_management:
-      name: caf ac prod arthemis management
-      members:
-        object_ids:
-          - c3f2a2e9-5c07-4bad-9803-25a5194cdaaa
-    caf_ac_prod_aphrodite_management:
-      name: caf ac prod aphrodite management
-      members:
-        object_ids:
-          - c3f2a2e9-5c07-4bad-9803-25a5194cdaaa
-    caf_ac_non_prod_arthemis_management:
-      name: caf ac non-prod arthemis management
-      members:
-        object_ids:
-          - c3f2a2e9-5c07-4bad-9803-25a5194cdaaa
-    caf_ac_non_prod_aphrodite_management:
-      name: caf ac non-prod aphrodite management
-      members:
-        object_ids:
-          - c3f2a2e9-5c07-4bad-9803-25a5194cdaaa

templates/enterprise-scale/contoso/platform/launchpad_credentials.yaml

@@ -235,8 +235,8 @@ subscriptions:
             azuread_group_key: subscription_creation_landingzones
             secret_permissions:
               - Get
-      cred_jenkins:
-        name: jenkins
+      cred_gitops:
+        name: gitops
         resource_group_key: sp_credentials
         purge_protection_enabled: false
         creation_policies:
@@ -263,69 +263,69 @@ subscriptions:
 
     keyvault_access_policies:
       cred_ea_account_owner:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
       cred_level0:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
       cred_identity:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
       cred_management:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
       cred_eslz:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
       cred_connectivity:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
       cred_subscription_creation_platform:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
       cred_subscription_creation_landingzones:
-          jenkins:
-            azuread_service_principal_key: jenkins
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
-      cred_jenkins:
-          jenkins:
-            azuread_service_principal_key: jenkins
+      cred_gitops:
+          gitops:
+            azuread_service_principal_key: gitops
             secret_permissions:
               - Get
 
 
     azuread_applications:
-      jenkins:
-        application_name: app-azure-platform-credentials-for-jenkins
+      gitops:
+        application_name: app-azure-platform-credentials-for-gitops
 
     azuread_service_principals:
-      jenkins:
+      gitops:
         azuread_application:
-          key: jenkins
+          key: gitops
 
     azuread_credentials:
-      jenkins:
+      gitops:
         type: password
-        azuread_credential_policy_key: jenkins
+        azuread_credential_policy_key: gitops
         azuread_application:
-          key: jenkins
+          key: gitops
         keyvaults:
-          cred_jenkins:
+          cred_gitops:
             secret_prefix: sp
       level0:
         type: password
@@ -392,7 +392,7 @@ subscriptions:
             secret_prefix: sp
 
     azuread_credential_policies:
-      jenkins:
+      gitops:
         length: 250
         special: false
         upper: true

templates/enterprise-scale/contoso/platform/subscriptions.yaml

@@ -1,16 +1,16 @@
 platform_subscriptions:
   management:
-    alias: "consoto-management"
-    name: "contoso-management"
+    alias: "management"
+    name: "<replace>-management"
     # Do not set the subscription_id when using the automated subscripiton creation
     # In that case delete the following attribute.
     # When re-using an existing subscripiton, set the GUID of the subscripiton.
     subscription_id: <replace>
   identity:
-    alias: "contoso-identity"
-    name: "contoso-identity"
+    alias: "identity"
+    name: "<replace>-identity"
     subscription_id: <replace>
   connectivity:
-    alias: "contoso-connectivity"
-    name: "contoso-connectivity"
+    alias: "connectivity"
+    name: "<replace>-connectivity"
     subscription_id: <replace>

templates/platform/ansible.yaml

@@ -124,8 +124,8 @@
       import_tasks: "{{ level }}/{{ base_folder }}/ansible.yaml"
       when:
         - (config.platform_management.enable | bool)
-        # - (level1_subscriptions is not skipped)
-        # - platform_subscriptions_details is defined
+        - level1_subscriptions is not skipped
+        - platform_subscriptions_details is defined
 
       vars:
         base_folder: "management"
@@ -170,6 +170,7 @@
       when:
         - config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine
         - launchpad_azuread_groups is defined
+        - platform_subscriptions_details is defined
       vars:
         base_folder: "asvm"
         level: "level2"

templates/platform/level0/credentials/readme.md

@@ -22,8 +22,6 @@ rover \
   -p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \
   -a plan
 
-rover logout
-
 ```
 
 If the plan is not successfull you need to come back to the yaml contoso.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan.
@@ -72,5 +70,5 @@ When you have successfully deployed the launchpad you can  move to the next step
 {% if config.caf_terraform.billing_subscription_role_delegations.enable %}
  [[Deploy the billing subscription role delegation](../billing_subscription_role_delegations/readme.md)
 {% else %}
- [Deploy the management services](../../level1/management/readme.md)
+ [Deploy the subscription services](../../level1/subscriptions/readme.md)
 {% endif %}

templates/platform/level0/launchpad/keyvaults.tfvars.j2

@@ -10,6 +10,11 @@ keyvaults = {
     }
 
     creation_policies = {
+      // {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+      bootstrap_user = {
+        object_id          = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+      }
 {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
       caf_platform_maintainers = {
         azuread_group_key  = "caf_platform_maintainers"
@@ -37,6 +42,11 @@ keyvaults = {
     }
 
     creation_policies = {
+      // {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+      bootstrap_user = {
+        object_id          = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+      }
 {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
       caf_platform_maintainers = {
         azuread_group_key  = "caf_platform_maintainers"
@@ -64,6 +74,11 @@ keyvaults = {
     }
 
     creation_policies = {
+      // {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
+      bootstrap_user = {
+        object_id          = "{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+      }
 {% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
       caf_platform_maintainers = {
         azuread_group_key  = "caf_platform_maintainers"

templates/platform/level0/launchpad/readme.md

@@ -45,6 +45,9 @@ git fetch origin
 git checkout {{ config.gitops.caf_landingzone_branch }}
 
 rover \
+{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
+  --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
+{% endif %}
   -lz /tf/caf/landingzones/caf_launchpad \
   -var-folder {{ config.configuration_folders.platform.destination_base_path }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
   -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
@@ -66,6 +69,9 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla
 # On success plan, execute
 
 rover \
+{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
+  --impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
+{% endif %}
   -lz /tf/caf/landingzones/caf_launchpad \
   -var-folder {{ config.configuration_folders.platform.destination_base_path }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
   -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
@@ -91,6 +97,15 @@ rover ignite \
 
 ```
 
+Execute a rover logout and rover login in order to make sure your azure sessions has the Azure groups membership updated.
+
+```bash
+rover logout
+
+rover login -t {{ config.platform_identity.tenant_name }}
+
+```
+
 # Next steps
 
 When you have successfully deployed the launchpad you can  move to the next step.

templates/platform/level1/identity/readme.md

@@ -7,16 +7,30 @@ Deploy the identity services
 rover logout
 
 # login a with a user member of the caf-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
+{% if platform_subscriptions_details is defined %}
+rover login -t {{ config.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.identity.subscription_id }}
+{% elif subscriptions.platform_subscriptions.identity.subscription_id is defined %}
+rover login -t {{ config.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.identity.subscription_id }}
+{% else %}
+rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }}
+{% endif %}
 
 rover \
+{% if platform_subscriptions_details.eslz is defined %}
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
   --impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
+{% endif %}
 {% endif %}
   -lz /tf/caf/landingzones/caf_solution \
   -var-folder {{ config.configuration_folders.platform.destination_base_path }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
   -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
+{% if platform_subscriptions_details is defined %}
   -target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \
+{% elif subscriptions.platform_subscriptions.identity.subscription_id is defined %}
+  -target_subscription {{ subscriptions.platform_subscriptions.identity.subscription_id }} \
+{% else %}
+  -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
+{% endif %}
   -tfstate {{ config.tfstates.platform.identity.tfstate }} \
   -log-severity {{ config.gitops.rover_log_error }} \
   -env {{ config.caf_terraform.launchpad.caf_environment }} \

templates/platform/level1/management/ansible.yaml

@@ -91,6 +91,8 @@
 # diagnostics_definition
 #
 - name: "[{{ level }}-{{ base_folder }}] - resources - diagnostics_definition"
+  when:
+    - resources.subscriptions[subscription_key].diagnostics_definition is defined
   ansible.builtin.template:
     src: "{{ item }}"
     dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"

templates/platform/level1/management/readme.md

@@ -7,17 +7,27 @@ Deploy the management services
 rover logout
 
 # login a with a user member of the caf-maintainers group
-rover login -t {{ config.platform_identity.tenant_name }}
+{% if platform_subscriptions_details is defined %}
+rover login -t {{ config.platform_identity.tenant_name }} -s {{ platform_subscriptions_details.management.subscription_id }}
+{% elif subscriptions.platform_subscriptions.management.subscription_id is defined %}
+rover login -t {{ config.platform_identity.tenant_name }} -s {{ subscriptions.platform_subscriptions.management.subscription_id }}
+{% else %}
+rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }}
+{% endif %}
 
 rover \
+{% if platform_subscriptions_details.eslz is defined %}
 {% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
   --impersonate-sp-from-keyvault-url {{ keyvaults.cred_management.vault_uri }} \
+{% endif %}
 {% endif %}
   -lz /tf/caf/landingzones/caf_solution \
   -var-folder {{ config.configuration_folders.platform.destination_base_path }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
   -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
 {% if platform_subscriptions_details is defined %}
   -target_subscription {{ platform_subscriptions_details.management.subscription_id }} \
+{% elif subscriptions.platform_subscriptions.management.subscription_id is defined %}
+  -target_subscription {{ subscriptions.platform_subscriptions.management.subscription_id }} \
 {% else %}
   -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
 {% endif %}

templates/platform/level1/subscriptions/readme.md

@@ -5,11 +5,13 @@ Set-up the subscription delegations for platform and landingzone subscriptions
 ```bash
 # For manual bootstrap:
 # Login to the subscription {{ config.caf_terraform.launchpad.subscription_name }} with the user {{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
-rover login -t {{ config.platform_identity.tenant_name }}
+rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }}
 
 rover \
+{% if platform_subscriptions_details.eslz is defined %}
 {% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}
   --impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_platform.vault_uri }} \
+{% endif %}
 {% endif %}
   -lz /tf/caf/landingzones/caf_solution \
   -var-folder {{ config.configuration_folders.platform.destination_base_path }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \

templates/platform/level1/subscriptions/subscriptions.tfvars.j2

@@ -14,6 +14,7 @@ subscriptions = {
 
   {{ config.tfstates.platform.launchpad.lz_key_name }} = {
     name            = "{{ config.caf_terraform.launchpad.subscription_name }}"
+    alias           = "{{ config.platform_core_setup.enterprise_scale.management_group_prefix }}-launchpad"
     subscription_id = "{{ config.caf_terraform.launchpad.subscription_id }}"
   }
 {% for key in subscriptions.platform_subscriptions.keys() %}

templates/resources/diagnostic_log_analytics.tfvars.j2

@@ -8,9 +8,9 @@ diagnostic_log_analytics = {
     region             = "{{ dla.region | default(config.caf_terraform.launchpad.default_region_key)}}"
     name               = "{{ dla.name }}"
     resource_group_key = "{{ dla.resource_group_key }}"
-    # you can setup up to 5 key
 
 {% if resources.subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles is defined %}
+    # you can setup up to 5 key
     diagnostic_profiles = {
 {% for dp_key, dp_value in resources.subscriptions[subscription_key].diagnostic_log_analytics[key].diagnostic_profiles.items() %}
       {{ dp_key }} = {