Add support for single subscription deployment

This commit is contained in:
LaurentLesle 2022-02-16 10:37:53 +00:00
Родитель bead8002c4
Коммит 3e1301c487
85 изменённых файлов: 216 добавлений и 4125 удалений


@ -89,11 +89,6 @@ variable "root_parent_id" {
type = string
description = "If specified, will deploy the Enterprise scale bellow the root_parent_id."
default = null
validation {
condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id))
error_message = "The root_parent_id value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens."
}
}
variable "deploy_core_landing_zones" {
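Review bot: Deleting the whole `validation` block leaves `root_parent_id` unconstrained, even though its description still promises a 2–10 character alphanumeric/hyphen identifier used to scope the Enterprise-scale deployment. The likely trigger for the removal is that `can(regex(..., var.root_parent_id))` evaluates to false when the variable keeps its `default = null`, so the old condition rejected the default; that is fixed by admitting null explicitly rather than dropping the check: `condition = var.root_parent_id == null || can(regex("^[a-zA-Z0-9-]{2,10}$", var.root_parent_id))` with the existing `error_message` kept as-is. Keeping the constraint matters because this value ends up in the management-group hierarchy the rest of the module deploys under, and the validation is the only place its format is enforced. The opening `variable "root_parent_id" {` line sits outside the hunk (it appears only as hunk-header context), so the block's header itself is not shown here.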

Двоичный файл не отображается.


@ -1,155 +0,0 @@
#!/usr/bin/env python
"""
An Ansible action plugin to allow explicit merging of dict and list facts.
https://github.com/leapfrogonline/ansible-merge-vars/blob/master/LICENSE.md
"""
from ansible.plugins.action import ActionBase
from ansible.errors import AnsibleError
from ansible.utils.vars import isidentifier
# Funky import dance for Ansible backwards compatitility (not sure if we
# actually need to do this or not)
try:
from __main__ import display
except ImportError:
from ansible.utils.display import Display # pylint: disable=ungrouped-imports
display = Display()
class ActionModule(ActionBase):
"""
Merge all variables in context with a certain suffix (lists or dicts only)
and create a new variable that contains the result of this merge. These
initial suffixed variables can be definied anywhere in the inventory, or by
any other means; as long as they're in the context for the running play,
they'll be merged.
"""
def run(self, tmp=None, task_vars=None):
suffix_to_merge = self._task.args.get('suffix_to_merge', '')
merged_var_name = self._task.args.get('merged_var_name', '')
dedup = self._task.args.get('dedup', True)
expected_type = self._task.args.get('expected_type')
recursive_dict_merge = bool(self._task.args.get('recursive_dict_merge', False))
if 'cacheable' in self._task.args.keys():
display.deprecated(
"The `cacheable` option does not actually do anything, since Ansible 2.5. "
"No matter what, the variable set by this plugin will be set in the fact "
"cache if you have fact caching enabled. To get rid of this warning, "
"remove the `cacheable` argument from your merge_vars task. This warning "
"will be removed in a future version of this plugin."
)
# Validate args
if expected_type not in ['dict', 'list']:
raise AnsibleError("expected_type must be set ('dict' or 'list').")
if not merged_var_name:
raise AnsibleError("merged_var_name must be set")
if not isidentifier(merged_var_name):
raise AnsibleError("merged_var_name '%s' is not a valid identifier" % merged_var_name)
if not suffix_to_merge.endswith('__to_merge'):
raise AnsibleError("Merge suffix must end with '__to_merge', sorry!")
keys = sorted([key for key in task_vars.keys()
if key.endswith(suffix_to_merge)])
display.v("Merging vars in this order: {}".format(keys))
# We need to render any jinja in the merged var now, because once it
# leaves this plugin, ansible will cleanse it by turning any jinja tags
# into comments.
# And we need it done before merging the variables,
# in case any structured data is specified with templates.
merge_vals = [self._templar.template(task_vars[key]) for key in keys]
# Dispatch based on type that we're merging
if merge_vals == []:
if expected_type == 'list':
merged = []
else:
merged = {}
elif isinstance(merge_vals[0], list):
merged = merge_list(merge_vals, dedup)
elif isinstance(merge_vals[0], dict):
merged = merge_dict(merge_vals, dedup, recursive_dict_merge)
else:
raise AnsibleError(
"Don't know how to merge variables of type: {}".format(type(merge_vals[0]))
)
return {
'ansible_facts': {merged_var_name: merged},
'changed': False,
}
def merge_dict(merge_vals, dedup, recursive_dict_merge):
"""
To merge dicts, just update one with the values of the next, etc.
"""
check_type(merge_vals, dict)
merged = {}
for val in merge_vals:
if not recursive_dict_merge:
merged.update(val)
else:
# Recursive merging of dictionaries with overlapping keys:
# LISTS: merge with merge_list
# DICTS: recursively merge with merge_dict
# any other types: replace (same as usual behaviour)
for key in val.keys():
if not key in merged:
# first hit of the value - just assign
merged[key] = val[key]
elif isinstance(merged[key], list):
merged[key] = merge_list([merged[key], val[key]], dedup)
elif isinstance(merged[key], dict):
merged[key] = merge_dict([merged[key], val[key]], dedup, recursive_dict_merge)
else:
merged[key] = val[key]
return merged
def merge_list(merge_vals, dedup):
""" To merge lists, just concat them. Dedup if wanted. """
check_type(merge_vals, list)
merged = flatten(merge_vals)
if dedup:
merged = deduplicate(merged)
return merged
def check_type(mylist, _type):
""" Ensure that all members of mylist are of type _type. """
if not all(isinstance(item, _type) for item in mylist):
raise AnsibleError("All values to merge must be of the same type, either dict or list")
def flatten(list_of_lists):
"""
Flattens a list of lists:
>>> flatten([[1, 2] [3, 4]])
[1, 2, 3, 4]
I wish Python had this in the standard lib :(
"""
return list((x for y in list_of_lists for x in y))
def deduplicate(mylist):
"""
Just brute force it. This lets us keep order, and lets us dedup unhashable
things, like dicts. Hopefully you won't run into such big lists that
this will ever be a performance issue.
"""
deduped = []
for item in mylist:
if item not in deduped:
deduped.append(item)
return deduped


@ -1,82 +0,0 @@
# Get Platform subscriptions
- name: "Get platform subscriptions tfstate details"
register: subscription_tfstate_file_name
shell: |
az storage account list \
--subscription {{ config.caf_terraform.launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='{{ config.tfstates["platform"].platform_subscriptions.level | default('level1') }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
# - debug:
# when: lookup('file', '{{ config_folder_platform }}/subscriptions.yaml', errors='ignore')
# msg: "{{ subscription_tfstate_file_name.stdout }}"
- name: "Download platform subscriptions tfstate details"
register: platform_subscription_tfstate_exists
shell: |
az storage blob download \
--name "{{ config.tfstates["platform"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}" \
--account-name "{{ subscription_tfstate_file_name.stdout }}" \
--container-name "tfstate" \
--auth-mode "login" \
--file "{{ job_cache_base_path }}/{{ config.tfstates["platform"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}"
- name: "Get platform_subscriptions details"
when:
- platform_subscription_tfstate_exists.rc == 0
shell: "cat {{ job_cache_base_path }}/{{ config.tfstates[\"platform\"].platform_subscriptions.tfstate | default('platform_subscriptions.tfstate') }}"
register: platform_subscriptions
- name: "Get platform_subscriptions json data"
when: platform_subscription_tfstate_exists.rc == 0
set_fact:
platform_sub_jsondata: "{{ platform_subscriptions.stdout | from_json }}"
- name: "Get subscriptions list"
when: platform_subscription_tfstate_exists.rc == 0
set_fact:
platform_subscriptions_details: "{{ platform_sub_jsondata | json_query(path) }}"
vars:
path: 'outputs.objects.value.{{ config.tfstates["platform"].platform_subscriptions.lz_key_name }}.subscriptions'
# Get Platform keyvaults
- name: "Get tfstate keyvaults account name"
register: launchpad_storage_account
ignore_errors: yes
shell: |
az storage account list \
--subscription {{ config.caf_terraform.launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='{{ config.tfstates["platform"].launchpad.level | default('level0') }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
- debug:
msg: "{{launchpad_storage_account}}"
- name: "Get tfstate keyvaults details"
register: credentials_tfstate_exists
when: launchpad_storage_account.stderr == ""
ignore_errors: yes
shell: |
az storage blob download \
--name "{{ config.tfstates["platform"].launchpad_credentials.tfstate | default('launchpad_credentials.tfstate') }}" \
--account-name "{{ launchpad_storage_account.stdout }}" \
--container-name "{{ config.tfstates["platform"].launchpad.workspace | default('tfstate') }}" \
--auth-mode "login" \
--file "~/.terraform.cache/launchpad/{{ config.tfstates["platform"].launchpad_credentials.tfstate | default('launchpad_credentials.tfstate') }}"
- name: "Get launchpad_credentials details"
when: credentials_tfstate_exists is not skipped
shell: "cat ~/.terraform.cache/launchpad/{{ config.tfstates[\"platform\"].launchpad_credentials.tfstate | default('launchpad_credentials.tfstate') }}"
register: launchpad_credentials
- name: "Get launchpad_credentials json data"
when: credentials_tfstate_exists is not skipped
set_fact:
credjsondata: "{{ launchpad_credentials.stdout | from_json }}"
- name: "Set keyvaults variable"
when: credentials_tfstate_exists is not skipped
set_fact:
keyvaults: "{{ credjsondata | json_query(path) }}"
vars:
path: 'outputs.objects.value.launchpad_credentials_rotation.keyvaults'


@ -1,87 +0,0 @@
- name: CAF Terraform - Generate configuration files
hosts: localhost
vars:
base_templates_folder: "{{ base_templates_folder }}/asvm"
resource_template_folder: "{{ base_templates_folder }}/resources"
subscriptions: "{{ lookup('file', '{{ config_folder }}/subscriptions.yaml') | from_yaml }}"
level: level3
tasks:
- name: "Load variable for landingzones config"
include_vars:
name: asvm_config__to_merge
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "config.asvm.yaml|tfstates.asvm.yaml|deployments.yaml"
- name: "Set base variables"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
config: "{{asvm_config__to_merge}}"
- name: "Content of asvm_config__to_merge"
debug:
msg: "{{asvm_config__to_merge}}"
- name: "Load variable for platform config"
include_vars:
name: platform_config__to_merge
dir: "{{config_folder_platform | default(config_folder)}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml"
- name: "Content of platform_config__to_merge"
debug:
msg: "{{platform_config__to_merge}}"
- name: Merge asvm and platform variables
merge_vars:
suffix_to_merge: config__to_merge
merged_var_name: config
expected_type: 'dict'
recursive_dict_merge: True
- name: "Set base config variables"
set_fact:
config: "{{ ansible_facts.config }}"
- name: "Content of config"
debug:
msg: "{{config}}"
- name: "Creates cache directory"
file:
path: "{{ job_cache_base_path }}/launchpad"
state: directory
- name: "{{ level }} | Get platform details (requires '-e config_folder_platform=path to yamls' path to be set)"
include_tasks: "ansible-get-platform-details.yaml"
when:
- config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'reuse_subscriptions'
- config_folder_platform is defined
#
# Level 3
#
# landingzones deployments
- name: "{{ level }} | landingzones"
include_tasks: "{{ level }}/ansible.yaml"
loop: "{{asvm_config__to_merge.deployments.keys()}}"
loop_control:
loop_var: asvm_long_folder
#
# Linters
#
- name: Terraform linter
shell: |
terraform fmt -recursive {{ destination_base_path }}


@ -1,66 +0,0 @@
- name: "Load variable for subscriptions"
include_vars:
name: subscriptions
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "subscriptions.asvm.yaml|subscription.asvm.yaml"
- name: "Content of subscriptions"
debug:
msg: "{{subscriptions}}"
- name: "[{{ level }}-{{ subscription_key }}] Get tfstate details"
register: subscription_tfstate_storage_account_name
shell: |
az storage account list \
--subscription {{ config.caf_terraform.launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='{{ config.tfstates['asvm'][subscription_key].level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
- debug:
msg: "{{ subscription_tfstate_storage_account_name.stdout }}"
- name: "[{{ level }}-{{ subscription_key }}] Download tfstate details"
register: subscription_tfstate_exists
ignore_errors: true
shell: |
az storage blob download \
--name "{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}" \
--account-name "{{ subscription_tfstate_storage_account_name.stdout }}" \
--container-name "{{ config.tfstates['asvm'][subscription_key].workspace }}" \
--auth-mode "login" \
--file "{{ job_cache_base_path }}/{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}"
- debug:
msg: "{{ subscription_tfstate_exists }}"
when: subscriptions.subscriptions[subscription_key] is defined
- name: "[{{ level }}-{{ subscription_key }}] Get landingzones_subscriptions details"
shell: "cat {{ job_cache_base_path }}/{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}"
register: platform_subscriptions
when:
- subscriptions.subscriptions[subscription_key] is defined
- subscription_tfstate_exists.rc == 0
- name: "[{{ level }}-{{ subscription_key }}] Get subscriptions data"
when:
- subscriptions.subscriptions[subscription_key] is defined
- subscription_tfstate_exists.rc == 0
set_fact:
asvm_subscriptions_details: "{{ platform_subscriptions.stdout | from_json | json_query(path) }}"
vars:
path: 'outputs.objects.value."{{ config.tfstates["asvm"][subscription_key].subscriptions.lz_key_name }}".subscriptions'
- name: "[{{ level }}-{{ subscription_key }}] cleanup"
when:
- subscriptions.subscriptions[subscription_key] is defined
- subscription_tfstate_exists.rc == 0
file:
path: "{{ job_cache_base_path }}/{{ config.tfstates['asvm'][subscription_key].subscriptions.tfstate }}"
state: absent
- debug:
msg: "Platform subscriptions - {{ asvm_subscriptions_details }}"
when:
- subscriptions.subscriptions[subscription_key] is defined
- subscription_tfstate_exists.rc == 0


@ -1,62 +0,0 @@
- name: set destination paths
set_fact:
destination_path: "{{ destination_base_path }}/{{ subscription_key }}/subscription"
deployment: "subscriptions"
- name: "Clean-up directory - subscription - {{ destination_path }}"
file:
path: "{{ destination_path }}"
state: absent
- name: "Content of subscriptions' resources"
debug:
msg: "{{resources}}"
- name: "[{{ level }} {{ subscription_key }}] Creates directory"
file:
path: "{{ destination_path }}"
state: directory
#
# global_settings
#
- name: "[{{ level }} {{ subscription_key }}] - subscription - global_settings"
when: resources.subscriptions[subscription_key].global_settings is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/global_settings.tfvars.j2"
#
# landingzone
#
- name: "[{{ level }} {{ subscription_key }}] - subscription - landingzone"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/landingzone.tfvars.j2"
#
# subscription
#
- name: "[{{ level }} {{ subscription_key }}] - subscription - subscription"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/subscriptions.tfvars.j2"
#
# Readme
#
- name: "[{{ level }}-{{ subscription_key }}] - subscription - *.md"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ base_templates_folder }}/{{ level }}/subscription/*.md"


@ -1,58 +0,0 @@
- name: set asvm context
set_fact:
asvm_folder: "{{ asvm_long_folder if 'path' not in asvm_long_folder else asvm_long_folder.path | regex_search('[^\/]+(?=\/$|$)') }}"
- name: "[{{ level }}-{{ asvm_folder }}] Set cache folder"
set_fact:
# job_cache_base_path: "/home/vscode/.terraform.cache"
subscription_key: "{{ asvm_folder }}"
- name: "Load variable for deployments"
include_vars:
name: deployments
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "deployments.asvm.yaml|deployments.yaml"
- debug:
msg: "{{deployments}}"
### Generate remote state storage containers
- name: "[{{ level }} {{ subscription_key }}] - remote state container"
include_tasks: "{{ level }}/storage_containers/ansible.yaml"
when:
- deployments.deployments[subscription_key].storage_containers is defined
#### Get subscription_id
- name: "[{{ level }} {{ subscription_key }}] - subscription"
include_tasks: "{{ level }}/ansible-subscription-id.yaml"
when:
- config.tfstates['asvm'][subscription_key].subscriptions is defined
- config.tfstates['asvm'][subscription_key].subscriptions.subscription_id is not defined
### Subscription
- name: "Load variable for subscriptions"
include_vars:
name: resources
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "subscriptions.asvm.yaml|subscription.asvm.yaml|tfstates.asvm.yaml"
- name: "[{{ level }} {{ subscription_key }}] - subscription"
include_tasks: "{{ level }}/ansible-subscription.yaml"
when:
- resources.subscriptions[subscription_key] is defined
- config.tfstates['asvm'][subscription_key].subscriptions.subscription_id is not defined
#### Privileged resources to deploy in the landingzone
- name: "[{{ level }} {{ subscription_key }}] - resources"
include_tasks: "{{ level }}/resources/ansible.yaml"
when:
- config.tfstates['asvm'][subscription_key].resources is defined


@ -1,262 +0,0 @@
- name: set destination paths
set_fact:
destination_path: "{{ destination_base_path }}/{{ subscription_key }}/resources"
deployment: "resources"
- name: "Clean-up directory - subscription - {{ destination_path }}"
file:
path: "{{ destination_path }}"
state: absent
when: config.configuration_folders.asvm.cleanup_destination | default(true) | bool
- name: "Load variable for resources"
include_vars:
name: resources
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "resources.asvm.yaml"
- name: "Content of resources"
debug:
msg: "{{resources}}"
- name: "[{{ level }} {{ asvm_folder }}] - resources - Creates directory"
file:
path: "{{ destination_path }}"
state: directory
#
# azuread_credentials
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_credentials"
when:
- resources.subscriptions[subscription_key].azuread_credentials is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_credentials.tfvars.j2"
#
# azuread_applications
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_applications"
when:
- resources.subscriptions[subscription_key].azuread_applications is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_applications.tfvars.j2"
#
# azuread_credential_policies
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_credential_policies"
when:
- resources.subscriptions[subscription_key].azuread_credential_policies is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_credential_policies.tfvars.j2"
#
# azuread_groups
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_groups"
when:
- resources.subscriptions[subscription_key].azuread_groups is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_groups.tfvars.j2"
#
# azuread_groups_membership
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_groups_membership"
when:
- resources.subscriptions[subscription_key].azuread_groups_membership is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_groups_membership.tfvars.j2"
#
# azuread_service_principals
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - azuread_service_principals"
when:
- resources.subscriptions[subscription_key].azuread_service_principals is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_service_principals.tfvars.j2"
#
# custom_role_definitions
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - custom_role_definitions"
when:
- resources.subscriptions[subscription_key].custom_role_definitions is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/custom_role_definitions.tfvars.j2"
#
# keyvaults
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - keyvaults"
when:
- resources.subscriptions[subscription_key].keyvaults is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/keyvaults.tfvars.j2"
#
# keyvault_access_policies
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - keyvault_access_policies"
when:
- resources.subscriptions[subscription_key].keyvault_access_policies is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/keyvault_access_policies.tfvars.j2"
#
# landingzone
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - landingzone"
when:
- deployments.deployments[subscription_key][deployment].landingzone is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/landingzone.tfvars.j2"
#
# managed_identities
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - managed_identities"
when:
- resources.subscriptions[subscription_key].managed_identities is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/managed_identities.tfvars.j2"
#
# network_security_group_definition
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - network_security_group_definition"
when:
- resources.subscriptions[subscription_key].network_security_group_definition is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2"
#
# recovery_vaults
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - recovery_vaults"
when:
- resources.subscriptions[subscription_key].recovery_vaults is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/recovery_vaults.tfvars.j2"
#
# resource_groups
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - resource_groups"
when:
- resources.subscriptions[subscription_key].resource_groups is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/resource_groups.tfvars.j2"
#
# role_mapping
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - role_mapping"
when:
- resources.subscriptions[subscription_key].role_mapping is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/role_mapping.tfvars.j2"
#
# virtual_hub_connections
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - virtual_hub_connections"
when:
- resources.subscriptions[subscription_key].virtual_hub_connections is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/virtual_hub_connections.tfvars.j2"
#
# virtual_networks
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - virtual_networks"
when:
- resources.subscriptions[subscription_key].virtual_networks is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/virtual_networks.tfvars.j2"
#
# Readme
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - *.md"
# when: subscription_tfstate_exists.rc == 0
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ base_templates_folder }}/{{ level }}/resources/*.md"


@ -1,35 +0,0 @@
### Deploy base resources in {{ asvm_folder }}
```bash
rover login -t {{ config.platform_identity.tenant_name }}
unset ARM_SKIP_PROVIDER_REGISTRATION
cd /tf/caf/landingzones
git pull
git checkout {{ resources.gitops.landingzones }}
rover \
{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if subscriptions.subscriptions[asvm_folder][subscription_key].subscription_id is defined %}
-target_subscription {{ subscriptions.subscriptions[asvm_folder][subscription_key].subscription_id }} \
{% else %}
-target_subscription {{ asvm_subscriptions_details[asvm_folder].subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates['asvm'][asvm_folder].resources.tfstate }} \
--workspace {{ config.tfstates['asvm'][asvm_folder].workspace }} \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates['asvm'][asvm_folder].resources.tfstate }}.tfplan \
-a plan
rover logout
```


@ -1,80 +0,0 @@
- name: set destination paths
set_fact:
destination_path: "{{ destination_base_path }}/storage_containers"
deployment: "storage_containers"
- name: "Load variable for resources"
include_vars:
name: resources
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "tfstates.asvm.yaml|subscriptions.asvm.yaml|subscription.asvm.yaml"
- name: "Content of resources"
debug:
msg: "{{resources}}"
- name: "[{{ level }} {{ asvm_folder }}] - storage_containers - Creates directory"
file:
path: "{{ destination_path }}"
state: directory
#
# Get storage account names
#
- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - launchpad level3"
register: storage_account_level3
shell: |
az storage account list \
--subscription {{ config.caf_terraform.launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='level3' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r
- debug:
msg: "{{storage_account_level3.stdout}}"
- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - launchpad level4"
register: storage_account_level4
shell: |
az storage account list \
--subscription {{ config.caf_terraform.launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='level4' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name, resource_group:resourceGroup}[0]" -o json | jq -r
- debug:
msg: "{{storage_account_level4.stdout}}"
#
# landingzone
#
- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - landingzone"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/landingzone.tfvars.j2"
#
# storage_containers
#
- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - storage_containers"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ base_templates_folder }}/{{ level }}/storage_containers/storage_containers.tfvars.j2"
#
# Readme
#
- name: "[{{ level }}-{{ subscription_key }}] - storage_containers - *.md"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ base_templates_folder }}/{{ level }}/storage_containers/*.md"


@ -1,28 +0,0 @@
### Create storage containers for the landingzone
```bash
rover login -t {{ config.platform_identity.tenant_name }}
cd /tf/caf/landingzones
git pull
git checkout {{ resources.gitops.landingzones }}
rover \
{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.asvm[asvm_folder].subscriptions.tfstate }} \
--workspace {{ config.tfstates.asvm[asvm_folder].subscriptions.workspace | default('tfstate') }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.asvm[asvm_folder].subscriptions.tfstate }}.tfplan \
-a plan
rover logout
```


@ -1,16 +0,0 @@
storage_containers = {
{% for key in resources.subscriptions.keys() %}
{{ key }}_level3 = {
name = "{{ resources.tfstates.asvm[key].workspace }}"
storage_account = {
name = "{{storage_account_level3.stdout|from_json|json_query('name')}}"
}
}
{{ key }}_level4 = {
name = "{{ resources.tfstates.asvm[key].workspace }}"
storage_account = {
name = "{{storage_account_level4.stdout|from_json|json_query('name')}}"
}
}
{% endfor %}
}


@ -1,40 +0,0 @@
### Generate asvm for {{ asvm_folder }}
```bash
rover login -t {{ config.platform_identity.tenant_name }}
ARM_SKIP_PROVIDER_REGISTRATION=true && rover \
{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_landingzones.vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates["asvm"][asvm_folder].subscriptions.tfstate }} \
--workspace {{ config.tfstates["asvm"][asvm_folder].workspace }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates["asvm"][asvm_folder].subscriptions.tfstate }}.tfplan \
-a plan
rover logout
```
Once you have executed the rover apply to create the subscription, you need to re-execute the rover ignite to generate the instructions for the next steps.
Note you need to logout and login as a caf_maintainer group member
```bash
rover login -t {{ config.platform_identity.tenant_name }}
rover ignite \
--playbook /tf/caf/landingzones/templates/applications/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{ resource_template_folder }} \
-e config_folder={{ config_folder }} \
-e destination_base_path={{ destination_base_path }} \
-e config_folder_platform={{ config_folder_platform }}
```


@ -1 +0,0 @@
yaml support for level coming soon.


@ -1,77 +0,0 @@
deployments:
asvm_storage_containers:
storage_containers:
landingzone:
key:
asvm:
asvm_storage_containers: subscriptions
global_settings_key:
platform:
asvm:
remote_tfstates:
platform:
asvm:
orion_dev:
subscriptions:
landingzone:
key:
asvm:
orion_dev: subscriptions
global_settings_key:
asvm:
asvm_storage_containers: subscriptions
remote_tfstates:
asvm:
asvm_storage_containers: subscriptions
resources:
landingzone:
key:
asvm:
orion_dev: resources
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
asvm:
orion_dev: subscriptions
asvm_storage_containers: subscriptions
platform:
virtual_hubs: non_prod
private_dns: non_prod
identity_level2: non_prod
asvm:
azurerm_firewalls: non_prod
orion_prod:
subscriptions:
landingzone:
key:
asvm:
orion_prod: subscriptions
global_settings_key:
asvm:
asvm_storage_containers: subscriptions
remote_tfstates:
asvm:
asvm_storage_containers: subscriptions
resources:
landingzone:
key:
asvm:
orion_prod: resources
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
asvm:
orion_prod: subscriptions
asvm_storage_containers: subscriptions
platform:
virtual_hubs: prod
private_dns: prod
identity_level2: prod
asvm:
azurerm_firewalls: prod


@ -3,12 +3,14 @@
## Generate the configuration files
```bash
rover ignite \
--playbook /tf/caf/landingzones/templates/applications/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/applications \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/platform \
-e resource_template_folder=/tf/caf/landingzones/templates/resources \
-e destination_base_path=/tf/caf/configuration/contoso/landingzones/<replace> \
-e config_folder=/tf/caf/platform-definition/application/<replace> \
-e config_folder_platform=/tf/caf/platform-definition
-e config_folder=/tf/caf/definitions/asvm/orion-landingzone \
-e config_folder_platform=/tf/caf/definitions/single_subscription \
-e landingzones_folder=/tf/caf/landingzones
```



@ -1,13 +0,0 @@
gitops:
landingzones: aci_network
subscriptions:
orion_dev:
orion_dev:
name: orion-dev
management_group_suffix: non-prod
orion_prod:
orion_prod:
name: orion-prod
management_group_suffix: prod


@ -1,29 +1,28 @@
# ### orion ###
tfstates:
asvm:
asvm_storage_containers:
subscriptions:
lz_key_name: orion_storage_containers
tfstate: orion_storage_containers.tfstate
subscriptions:
lz_key_name: orion_subscriptions
tfstate: orion_subscriptions.tfstate
workspace: tfstate
level: level3
sub_template_folder: level3
yaml: level3/ansible.yaml
orion_dev:
subscriptions:
lz_key_name: orion_dev_subscriptions
tfstate: orion_dev_subscriptions.tfstate
resources:
lz_key_name: orion_dev_resources
tfstate: orion_dev_resources.tfstate
lz_key_name: orion_dev_level3
tfstate: orion_dev_level3.tfstate
workspace: orion-dev
level: level3
sub_template_folder: level3
yaml: level3/ansible.yaml
orion_prod:
subscriptions:
lz_key_name: orion_prod_subscriptions
tfstate: orion_prod_subscriptions.tfstate
resources:
lz_key_name: orion_prod_resources
tfstate: orion_prod_resources.tfstate
lz_key_name: orion_prod_level3
tfstate: orion_prod_level3.tfstate
workspace: orion-prod
level: level3
sub_template_folder: level3
yaml: level3/ansible.yaml



@ -11,24 +11,40 @@
ignore_unknown_extensions: true
files_matching: "bootstrap.yaml"
- name: "Load variable for landingzones config"
include_vars:
name: asvm_config__to_merge
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "config.asvm.yaml|tfstates.asvm.yaml|deployments.yaml"
- name: "Load variable for platform config"
include_vars:
name: config
dir: "{{config_folder}}"
name: platform_config__to_merge
dir: "{{config_folder_platform | default(config_folder)}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml|subscriptions.yaml"
- name: Merge asvm and platform variables
merge_vars:
suffix_to_merge: config__to_merge
merged_var_name: config
expected_type: 'dict'
recursive_dict_merge: True
- name: "{{deployment}} - Set tfstate_object"
- name: "Get latest cache folder"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
destination_base: '{{config.configuration_folders.platform.destination_base_path}}'
config: "{{ ansible_facts.config }}"
- debug:
msg:
- "{{bootstrap}}"
- "{{config}}"
verbosity: 2
# verbosity: 2
#
# Generate the foundation services
@ -36,7 +52,7 @@
- include_tasks: "process_foundations.yaml"
loop: "{{bootstrap.deployments.keys()}}"
when: bootstrap is defined
when: bootstrap != {}
loop_control:
loop_var: stage
vars:
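Review bot: The debug task that prints `bootstrap` and the fully merged `config` now runs at every verbosity because `verbosity: 2` was commented out, and the merged platform config carries at least the tenant name and launchpad subscription id that the readme templates in this commit read from it, so those values are echoed to the console and to any CI log on each ignite run. Restore `verbosity: 2` on that task (or remove the task) before merging. Separately, `job_cache_base_path` is hard-coded to `/home/vscode/.terraform.cache` while the launchpad tasks still clean up under `~/.terraform.cache`; deriving it from the gathered home directory, `job_cache_base_path: "{{ ansible_env.HOME }}/.terraform.cache"`, keeps both pointing at the same place when facts are gathered. The new `when: bootstrap != {}` guard also raises an undefined-variable error if `bootstrap` was never set, which the previous `is defined` test tolerated; `when: bootstrap is defined and bootstrap != {}` covers both cases.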


@ -7,20 +7,24 @@ rover logout
rover login -t {{ config.platform_identity.tenant_name }}
rover \
{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
{% if config.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
--impersonate-sp-from-keyvault-url {{ keyvaults[ tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if config.subscriptions[resources.subscriptions.keys() | first ].subscription_id is defined %}
-target_subscription {{ config.subscriptions[resources.subscriptions.keys() | first ].subscription_id }} \
{% if platform_subscriptions_details is defined %}
-target_subscription {{ platform_subscriptions_details[resources.subscriptions.keys() | first].subscription_id }} \
{% elif subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id is defined %}
-target_subscription {{ subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id }} \
{% else %}
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }} \
-log-severity {{ config.gitops.rover_log_error }} \
-tfstate {{ tfstate_object.tfstate }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform[resources.deployments.tfstate.keys() | first][resources.deployments.tfstate.values() | first].tfstate }}.tfplan \
-w {{ tfstate_object.workspace | default('tfstate') }} \
-p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \
-a plan
```
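Review bot: The added `and keyvaults is defined` clause on the impersonation guard makes the generated command silently run as the logged-in user whenever the identity mode requires a service principal but no `keyvaults` fact was loaded, instead of surfacing the misconfiguration; the `{% else %}` branch below has the same shape, targeting the launchpad subscription whenever neither `platform_subscriptions_details` nor `subscriptions.platform_subscriptions[...]` resolves, so a mis-keyed landing zone would be planned into the launchpad subscription. Prefer a render failure the operator will notice: keep the guard as `{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}` and let `{{ keyvaults[tfstate_object.identity_aad_key].vault_uri }}` fail under Ansible's default strict-undefined handling when the vault is missing, and replace the `{% else %}` fallback with a visible marker such as `# ERROR: no target subscription resolved for {{ resources.subscriptions.keys() | first }}`. Whether a missing `keyvaults` is ever legitimate in this mode is not visible from this template, so confirm against the playbook that loads it.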


@ -7,12 +7,11 @@ Set-up the subscription delegations for platform and landingzone subscriptions
rover login -t {{ config.platform_identity.tenant_name }}
rover \
-lz /tf/caf/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/level0/billing_subscription_role_delegations \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.billing_subscription_role_delegations.tfstate }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-log-severity {{ config.gitops.rover_log_error }} \
-launchpad \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
@ -35,10 +34,11 @@ To execute this step you need to login with on of the CAF maintainers:
rover login -t {{ config.platform_identity.tenant_name }}
rover ignite \
--playbook /tf/caf/starter/templates/platform/ansible.yaml \
--playbook {{ landingzones_folder }}/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{resource_template_folder}} \
-e config_folder={{ config_folder }}
-e config_folder={{ config_folder }} \
-e landingzones_folder={{ landingzones_folder }}
```


@ -1,154 +0,0 @@
- name: "[{{ level }}-{{ base_folder }}] - Set variables"
set_fact:
destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
- name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad"
include_vars:
name: resources
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "launchpad_credentials.yaml"
- debug:
msg: "{{resources}}"
- name: "[{{ level }}-{{ base_folder }}] Clean-up directory"
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: absent
when: config.configuration_folders.platform.cleanup_destination | bool
- name: "[{{ level }}-{{ base_folder }}] Creates directory"
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: directory
#
# resource_groups
#
- name: "[{{ level }}-{{ base_folder }}] - resource_groups"
when:
- resources.subscriptions[subscription_key].resource_groups is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/resource_groups.tfvars.j2"
#
# azuread_credentials
#
- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_credentials"
when:
- resources.subscriptions[subscription_key].azuread_credentials is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_credentials.tfvars.j2"
#
# azuread_applications
#
- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_applications"
when:
- resources.subscriptions[subscription_key].azuread_applications is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_applications.tfvars.j2"
#
# azuread_credential_policies
#
- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_credential_policies"
when:
- resources.subscriptions[subscription_key].azuread_credential_policies is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_credential_policies.tfvars.j2"
#
# azuread_service_principals
#
- name: "[{{ level }}-{{ subscription_key }}] - credentials - azuread_service_principals"
when:
- resources.subscriptions[subscription_key].azuread_service_principals is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/azuread_service_principals.tfvars.j2"
#
# keyvaults
#
- name: "[{{ level }}-{{ subscription_key }}] - credentials - keyvaults"
when:
- resources.subscriptions[subscription_key].keyvaults is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/keyvaults.tfvars.j2"
#
# keyvault_access_policies
#
- name: "[{{ level }}-{{ subscription_key }}] - credentials - keyvault_access_policies"
when:
- resources.subscriptions[subscription_key].keyvault_access_policies is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/keyvault_access_policies.tfvars.j2"
- name: "[{{ level }}-{{ base_folder }}] generate configuration files."
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/*.tfvars.j2"
- name: "[{{ level }}-{{ base_folder }}] deploy."
when: boostrap_launchpad | bool
shell: |
/tf/rover/rover.sh \
-lz /tf/caf/landingzones/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ tfstates.launchpad_credentials.tfstate }} \
-launchpad \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-a apply
args:
warn: no
- debug:
msg: "{{ keyvaults.cred_subscription_creation_platform.vault_uri }}"
when: credentials_tfstate_exists.rc == 0
- name: "[{{ level }}-{{ base_folder }}] generate configuration files."
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/*.md"


@ -8,15 +8,14 @@ rover login -t {{ config.platform_identity.tenant_name }}
rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \
-launchpad \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \
@ -32,15 +31,14 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla
rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad_credentials.tfstate }} \
-launchpad \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \
@ -52,10 +50,11 @@ rover \
# On success, re-execute the rover ignite
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
--playbook {{ base_templates_folder }}/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{resource_template_folder}} \
-e config_folder={{ config_folder }}
-e config_folder={{ config_folder }} \
-e landingzones_folder={{ landingzones_folder }}
```


@ -1,154 +1,10 @@
# - name: "{{deployment}} - Set variables"
# set_fact:
# destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}"
# - debug:
# msg:
# - "{{tfstate_object}}"
# - "{{resources}}"
# - name: "[{{resources.relative_destination_folder}}] Clean-up directory"
# file:
# path: "{{destination_path}}"
# state: absent
# when: config.configuration_folders.platform.cleanup_destination | bool
# - name: "[{{resources.relative_destination_folder}}] Creates directory"
# file:
# path: "{{destination_path}}"
# state: directory
# - name: "{{deployment}} - process subscription resources"
# include_tasks: "process_subscription_resources.yaml"
# loop: "{{resources.subscriptions.keys()}}"
# loop_control:
# loop_var: subscription_key
# #
# # container_groups
# #
# - name: "[{{resources.relative_destination_folder}}] - resources - container_groups"
# when:
# - resources.subscriptions[resources.subscriptions.keys()].container_groups is defined
# ansible.builtin.template:
# src: "{{ item }}"
# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
# force: yes
# with_fileglob:
# - "{{ resource_template_folder }}/container_groups.tfvars.j2"
# #
# # network_security_group_definition
# #
# - name: "[{{resources.relative_destination_folder}}] - resources - network_security_group_definition"
# when:
# - resources.subscriptions[resources.subscriptions.keys()].network_security_group_definition is defined
# ansible.builtin.template:
# src: "{{ item }}"
# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
# force: yes
# with_fileglob:
# - "{{ resource_template_folder }}/network_security_group_definition.tfvars.j2"
# #
# # resource_groups
# #
# - name: "[{{resources.relative_destination_folder}}] - resources - resource_groups"
# when:
# - resources.subscriptions[resources.subscriptions.keys()].resource_groups is defined
# ansible.builtin.template:
# src: "{{ item }}"
# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
# force: yes
# with_fileglob:
# - "{{ resource_template_folder }}/resource_groups.tfvars.j2"
# #
# # virtual_networks
# #
# - name: "[{{resources.relative_destination_folder}}] - resources - virtual_networks"
# when:
# - resources.subscriptions[resources.subscriptions.keys()].virtual_networks is defined
# ansible.builtin.template:
# src: "{{ item }}"
# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
# force: yes
# with_fileglob:
# - "{{ resource_template_folder }}/virtual_networks.tfvars.j2"
# #
# # network_profiles
# #
# - name: "[{{resources.relative_destination_folder}}] - resources - network_profiles"
# when:
# - resources.subscriptions[resources.subscriptions.keys()].network_profiles is defined
# ansible.builtin.template:
# src: "{{ item }}"
# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
# force: yes
# with_fileglob:
# - "{{ resource_template_folder }}/network_profiles.tfvars.j2"
# - name: "[{{resources.relative_destination_folder}}] launchpad"
# ansible.builtin.template:
# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2"
# dest: "{{destination_path}}/{{ item }}.tfvars"
# force: yes
# loop:
# - dynamic_secrets
# - global_settings
# - keyvaults
# - landingzone
# - role_mappings
# - storage_accounts
# - name: "[{{resources.relative_destination_folder}}] Clean-up identity files"
# file:
# path: "{{destination_path}}/{{ item }}.tfvars"
# state: absent
# when: config.platform_identity.azuread_identity_mode == "logged_in_user"
# loop:
# - azuread_api_permissions
# - azuread_applications
# - azuread_group_members
# - azuread_groups
# - azuread_roles
# - keyvault_policies
# - service_principals
# - name: "[{{resources.relative_destination_folder}}] lauchpad - identity - service_principal"
# ansible.builtin.template:
# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2"
# dest: "{{destination_path}}/{{ item }}.tfvars"
# force: yes
# when: config.platform_identity.azuread_identity_mode != 'logged_in_user'
# loop:
# - azuread_api_permissions
# - azuread_applications
# - azuread_group_members
# - azuread_groups
# - azuread_roles
# - keyvault_policies
# - service_principals
# - name: "[{{resources.relative_destination_folder}}] Deploy the launchpad"
# when: boostrap_launchpad | bool | default(false)
# shell: |
# /tf/rover/rover.sh \
# -lz /tf/caf/landingzones/caf_launchpad \
# -var-folder {{destination_path}} \
# -tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
# -target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
# -tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
# -log-severity {{ config.gitops.rover_log_error }} \
# -launchpad \
# -env {{ config.caf_terraform.launchpad.caf_environment }} \
# -level {{ level }} \
# -a apply
#
# Check if the launchpad and the credentials for service principal have been deployed.
#
- name: "Creates cache directory"
file:
path: "{{ job_cache_base_path }}/launchpad"
state: directory
- name: "[{{resources.relative_destination_folder}}] Get tfstate account name"
register: launchpad_storage_account
@ -233,10 +89,3 @@
file:
path: "~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"
state: absent
# Update readme
# - name: "[{{resources.relative_destination_folder}}] launchpad - readme"
# ansible.builtin.template:
# src: "{{ level }}/{{ base_folder }}/readme.md"
# dest: "{{destination_path}}/readme.md"
# force: yes
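Review bot: The `Creates cache directory` task (which appears new here) creates `{{ job_cache_base_path }}/launchpad`, but the cleanup task at the end of this file still removes `~/.terraform.cache/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}`; the two paths only coincide when the current home directory is the one `job_cache_base_path` was hard-coded to, otherwise the downloaded launchpad state, which can contain secrets Terraform keeps in state, is left on disk after the run. Point the cleanup at the same variable: `path: "{{ job_cache_base_path }}/launchpad/{{ config.tfstates.platform.launchpad.tfstate }}"`. The tasks that actually download the state sit between these two hunks and are not visible here, so check that they write into `job_cache_base_path` as well.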


@ -1,44 +0,0 @@
azuread_applications = {
level0 = {
application_name = "sp-caf-level0"
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
identity = {
application_name = "sp-caf-identity"
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
management = {
application_name = "sp-caf-management"
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
eslz = {
application_name = "sp-caf-eslz"
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
connectivity = {
application_name = "sp-caf-connectivity"
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
subscription_creation_platform = {
application_name = "sp-caf-subscription-creation-platform"
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
subscription_creation_landingzones = {
application_name = "sp-caf-subscription-creation-landingzones"
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
}


@ -10,26 +10,26 @@ azuread_groups_membership = {
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
members = {
{% if config.platform_identity.caf_platform_maintainers.user_principal_names is defined %}
user_principal_names = [
"{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}",
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user'%}
{% for user in config.platform_identity.caf_platform_maintainers %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_identity.caf_platform_maintainers.user_principal_names is mapping%}
{% for user in config.platform_identity.caf_platform_maintainers.user_principal_names %}
"{{ user }}",
{% endfor %}
{% endif %}
]
{% endif %}
}
{% endif %}
}
caf_platform_contributors = {
members = {
user_principal_names = [
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_identity.caf_platform_contributors is defined %}
{% for user in config.platform_identity.caf_platform_contributors %}
"{{ user }}",
{% endfor %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if config.platform_identity.caf_platform_maintainers.user_principal_names is mapping %}
user_principal_names = {{ config.platform_identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
{% endif %}
{% endif %}
]
}
}
}
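Review bot: `caf_platform_contributors.members.user_principal_names` is now rendered from `config.platform_identity.caf_platform_maintainers.user_principal_names`, so every maintainer is also written into the contributors group and the contributors list in the config is never consulted; since the maintainers group is the high-privilege one, this looks like a copy of the maintainers block and should read `config.platform_identity.caf_platform_contributors.user_principal_names`, guarded by its own `is defined`. The `is mapping` test on `user_principal_names` also looks wrong for a list of UPNs — a YAML list is not a mapping, so the members are silently omitted — and the `replace('None','[]') | replace('[', '[\n') …` chain is a fragile way to serialise it; `{{ config.platform_identity.caf_platform_contributors.user_principal_names | default([]) | to_json }}` produces a valid HCL list of strings. The enclosing `azuread_groups_membership` map starts before this hunk.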


@ -1,101 +0,0 @@
{% if config.platform_identity.enable_azuread_groups %}
azuread_groups = {
caf_platform_maintainers = {
name = "caf-platform-maintainers"
description = "High privileged group to run all CAF deployments from vscode. Can be used to bootstrap or troubleshoot deployments."
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
caf_platform_contributors = {
name = "caf-platform-contributors"
description = "Can only execute terraform plans for level1 and level2. They can test platform improvements and propose PR."
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
}
level0 = {
name = "caf-level0"
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
members = {
azuread_service_principal_keys = ["level0"]
}
}
eslz = {
name = "caf-eslz"
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
members = {
azuread_service_principal_keys = ["eslz"]
}
}
identity = {
name = "caf-identity"
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
members = {
azuread_service_principal_keys = ["identity"]
}
}
management = {
name = "caf-management"
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
members = {
azuread_service_principal_keys = ["management"]
}
}
connectivity = {
name = "caf-connectivity"
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
members = {
azuread_service_principal_keys = ["connectivity"]
}
}
subscription_creation_platform = {
name = "caf-subscription_creation_platform"
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
members = {
azuread_service_principal_keys = ["subscription_creation_platform"]
}
}
subscription_creation_landingzones = {
name = "caf-subscription_creation_landingzones"
prevent_duplicate_name = true
{% if config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id is defined %}
owners = ["{{ config.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"] // EA account
{% endif %}
members = {
azuread_service_principal_keys = ["subscription_creation_landingzones"]
}
}
}
{% else %}
# Azure AD Groups in config.platform_identity.enable_azuread_groups is not set to true
{% endif %}


@ -1,64 +0,0 @@
keyvault_access_policies = {
# A maximum of 16 access policies per keyvault
level0 = {
sp_level0 = {
azuread_group_key = "level0"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
identity = {
azuread_group_key = "identity"
secret_permissions = ["Get"]
}
}
# A maximum of 16 access policies per keyvault
level1 = {
sp_level0 = {
# Allow level1 devops agent to be managed from agent pool level0
azuread_group_key = "level0"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
identity = {
azuread_group_key = "identity"
secret_permissions = ["Get"]
}
management = {
azuread_group_key = "management"
secret_permissions = ["Get"]
}
eslz = {
azuread_group_key = "eslz"
secret_permissions = ["Get"]
}
subscription_creation_platform = {
azuread_group_key = "subscription_creation_platform"
secret_permissions = ["Get"]
}
}
# A maximum of 16 access policies per keyvault
level2 = {
sp_level0 = {
azuread_group_key = "level0"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
connectivity = {
azuread_group_key = "connectivity"
secret_permissions = ["Get"]
}
identity = {
azuread_group_key = "identity"
secret_permissions = ["Get"]
}
management = {
azuread_group_key = "management"
secret_permissions = ["Get"]
}
{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %}
subscription_creation_landingzones = {
azuread_group_key = "subscription_creation_landingzones"
secret_permissions = ["Get"]
}
{% endif %}
}
}


@ -1,5 +0,0 @@
landingzone = {
backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}"
level = "{{ config.tfstates.platform.launchpad.level }}"
key = "{{ config.tfstates.platform.launchpad.lz_key_name }}"
}


@ -42,21 +42,20 @@ az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?ap
{% endif %}
rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terraform.launchpad.subscription_id }}
cd /tf/caf/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ config.gitops.caf_landingzone_branch }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
git pull
rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_launchpad \
-lz {{ landingzones_folder }}/caf_launchpad \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
-log-severity {{ config.gitops.rover_log_error }} \
-launchpad \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
@ -75,12 +74,11 @@ rover \
{% if ((config.platform_identity.azuread_identity_mode != "logged_in_user") and (credentials_tfstate_exists.rc == 0)) %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_launchpad \
-lz {{ landingzones_folder }}/caf_launchpad \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.launchpad.tfstate }} \
-log-severity {{ config.gitops.rover_log_error }} \
-launchpad \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
@ -93,10 +91,11 @@ rover \
# On success, re-execute the rover ignite
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
--playbook {{ base_templates_folder }}/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{resource_template_folder}} \
-e config_folder={{ config_folder }}
-e config_folder={{ config_folder }} \
-e landingzones_folder={{ landingzones_folder }}
```
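Review bot: L1802 still impersonates through `{{ keyvaults.cred_level0.vault_uri }}` while the same line in the first hunk is replaced by `{{ keyvaults[tfstate_object.identity_aad_key].vault_uri }}` (L1787/L1788); side markers are lost in this rendering, so unless L1802 is itself a removed line, the second rover invocation in this readme keeps a hardcoded vault key that the rest of the commit moves away from. The new indexed form also relies on `tfstate_object.identity_aad_key` naming an existing key of `keyvaults`; the guard on L1786 checks only `azuread_identity_mode` and `credentials_tfstate_exists.rc`, and with Ansible's strict undefined handling a missing key aborts rendering rather than emitting an empty flag, which is the safer failure but deserves a comment such as `{# identity_aad_key must be a key of keyvaults; rendering fails otherwise #}`. The same lookup is introduced at L2117, L2259, L2450 and L2570.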


@ -1,213 +0,0 @@
#
# Services supported: subscriptions, storage accounts and resource groups
# Can assign roles to: AD groups, AD object ID, AD applications, Managed identities
#
role_mapping = {
built_in_role_mapping = {
{% if config.platform_core_setup %}
management_group = {
{{ config.platform_core_setup.enterprise_scale.root_parent_id | default('root') }} = {
"User Access Administrator" = {
{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
logged_in = {
keys = ["user"]
}
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
azuread_groups = {
keys = ["level0"]
}
{% endif %}
}
"Management Group Contributor" = {
{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
logged_in = {
keys = ["user"]
}
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
azuread_groups = {
keys = ["eslz", "caf_platform_maintainers"]
}
{% endif %}
}
"Owner" = {
{% if config.platform_identity.azuread_identity_mode == 'logged_in_user' %}
logged_in = {
keys = ["user"]
}
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
azuread_groups = {
keys = ["eslz", "caf_platform_maintainers"]
}
{% endif %}
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
"Reader" = {
azuread_groups = {
keys = ["caf_platform_contributors"]
}
}
{% endif %}
}
}
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
subscriptions = {
logged_in_subscription = {
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
"Owner" = {
azuread_groups = {
keys = ["level0", "caf_platform_maintainers", "subscription_creation_platform"]
}
}
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
"Reader" = {
azuread_groups = {
keys = ["identity"]
}
}
{% endif %}
}
}
{% endif %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
resource_groups = {
level0 = {
"Reader" = {
azuread_groups = {
keys = [
"identity",
"subscription_creation_platform",
"caf_platform_contributors"
]
}
}
}
level1 = {
"Reader" = {
azuread_groups = {
keys = [
"identity",
"management",
"eslz",
"subscription_creation_platform",
"caf_platform_contributors"
]
}
}
}
level2 = {
"Reader" = {
azuread_groups = {
keys = [
"identity",
"connectivity",
"management",
"subscription_creation_landingzones",
"caf_platform_contributors"
]
}
}
}
}
{% endif %}
storage_accounts = {
level0 = {
"Storage Blob Data Contributor" = {
logged_in = {
keys = ["user"]
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
azuread_groups = {
keys = ["level0", "caf_platform_maintainers", "identity"]
}
{% endif %}
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
"Storage Blob Data Reader" = {
azuread_groups = {
keys = [
"management",
"eslz",
"subscription_creation_platform",
"caf_platform_contributors"
]
}
}
{% endif %}
}
level1 = {
"Storage Blob Data Contributor" = {
logged_in = {
keys = ["user"]
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
azuread_groups = {
keys = [
"caf_platform_maintainers",
"identity",
"management",
"eslz",
"subscription_creation_platform"
]
}
{% endif %}
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
"Storage Blob Data Reader" = {
azuread_groups = {
keys = [
"connectivity",
"caf_platform_contributors",
{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %}
"level0"
{% endif %}
]
}
}
{% endif %}
}
level2 = {
"Storage Blob Data Contributor" = {
logged_in = {
keys = ["user"]
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
azuread_groups = {
keys = [
"identity",
"connectivity",
"management",
"caf_platform_maintainers",
{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %}
"level0"
{% endif %}
]
}
{% endif %}
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
"Storage Blob Data Reader" = {
azuread_groups = {
keys = [
"caf_platform_contributors",
{% if config.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %}
"subscription_creation_landingzones"
{% endif %}
]
}
}
{% endif %}
}
}
}
}


@ -1,44 +0,0 @@
azuread_service_principals = {
# Manage the deployment of the level0
level0 = {
azuread_application = {
key = "level0"
}
}
# Manage the deployment of Enterprise Scale
eslz = {
azuread_application = {
key = "eslz"
}
}
# Manage the deployment of the connectivity services
connectivity = {
azuread_application = {
key = "connectivity"
}
}
# Manage the deployment of the shared services
management = {
azuread_application = {
key = "management"
}
}
# Manage the deployment of the identity services
identity = {
azuread_application = {
key = "identity"
}
}
# Has delegation to create platform subscriptions
subscription_creation_platform = {
azuread_application = {
key = "subscription_creation_platform"
}
}
# Has delegation to create landingzone subscriptions
subscription_creation_landingzones = {
azuread_application = {
key = "subscription_creation_landingzones"
}
}
}


@ -1,3 +1,4 @@
# relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz
library_path = "../../../../{{ config.configuration_folders.platform.destination_relative_path }}/{{ tfstate_object.sub_template_folder }}/lib"
{% if config.platform_core_setup.enterprise_scale.root_parent_id is defined %}
root_parent_id = "{{ config.platform_core_setup.enterprise_scale.root_parent_id }}"
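Review bot: The comment added at L2088 says what `library_path` is relative to, but the value at L2089 still climbs a fixed four levels (`../../../../`) before descending into `destination_relative_path`, which lands on the parent of `{{ landingzones_folder }}`; that matched the old fixed layout where landingzones lived directly under the destination base (old line L2110), but `landingzones_folder` is now supplied by the caller (L1823). A value at a different depth would make `library_path` point at a directory that does not exist, and the error only surfaces when Terraform cannot find the library. Stating the constraint in the comment, e.g. `# assumes {{ landingzones_folder }} and the configuration output folder share the same parent directory`, would make the coupling explicit. The `{% if %}` opened at L2090 closes outside the hunk.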


@ -12,7 +12,7 @@ landingzone = {
level = "current"
tfstate = "{{ config.tfstates.platform.management.tfstate }}"
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'single_reuse' %}
{{ config.tfstates.platform.platform_subscriptions.lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.platform_subscriptions.tfstate }}"
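Review bot: The condition added at L2100 evaluates `config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'single_reuse'` with no default, so a configuration that does not set `subscription_deployment_mode` would fail to render this template instead of taking the previous code path; the same bare comparison is added at L2163, and the positive form at L2149. If the key is meant to be optional, `(config.platform_core_setup.enterprise_scale.subscription_deployment_mode | default('')) != 'single_reuse'` preserves the old behaviour for existing configurations. If it is required, saying so in a comment at the top of the template would turn a confusing templating error into a documented prerequisite.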


@ -9,19 +9,18 @@ az account clear
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ config.platform_core_setup.enterprise_scale.private_lib[config.platform_core_setup.enterprise_scale.private_lib.version_to_deploy].caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_eslz.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution/add-ons/caf_eslz \
-lz {{ landingzones_folder }}/caf_solution/add-ons/caf_eslz \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.eslz.tfstate }} \
-log-severity ERROR \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.eslz.tfstate }}.tfplan \


@ -5,12 +5,6 @@ subscription_id_overrides = {
{% else %}
root = []
{% endif %}
{% else %}
{% if config.platform_core_setup.enterprise_scale.subscription_deployment_mode == 'single_reuse' %}
root = [
"{{ config.caf_terraform.launchpad.subscription_id }}"
]
{% endif %}
{% endif %}
{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides is defined %}
{% if config.platform_core_setup.enterprise_scale.subscription_id_overrides.decommissioned is defined %}
@ -48,8 +42,14 @@ subscription_id_overrides = {
{% else %}
identity = []
{% endif %}
{% else %}
{% if config.platform_core_setup.enterprise_scale.subscription_deployment_mode == 'single_reuse' %}
root = [
"{{ config.caf_terraform.launchpad.subscription_id }}"
]
{% else %}
root = []
{% endif %}
decommissioned = []
sandboxes = []
landing-zones = []
@ -60,7 +60,7 @@ subscription_id_overrides = {
{% endif %}
}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if config.platform_identity.azuread_identity_mode != 'logged_in_user' and config.platform_core_setup.enterprise_scale.subscription_deployment_mode != 'single_reuse' %}
subscription_id_overrides_by_keys = {
connectivity = {
connectivity = {


@ -1,73 +0,0 @@
- name: "[{{ level }}-{{ base_folder }}] Clean-up directory"
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: absent
when: config.configuration_folders.platform.cleanup_destination | bool
- name: "[{{ level }}-{{ base_folder }}] Creates directory"
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: directory
- name: "[{{ level }}-{{ base_folder }}] - Set variables"
set_fact:
destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
- name: "[{{ level }}-{{ base_folder }}] - Load variables"
include_vars:
name: resources
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "identity.yaml|identity.caf.platform.yaml"
#
# resource_groups
#
- name: "[{{ level }}-{{ base_folder }}] - resources - resource_groups"
when:
- resources.subscriptions[subscription_key].resource_groups is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/resource_groups.tfvars.j2"
#
# recovery_vaults
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - recovery_vaults"
when:
- resources.subscriptions[subscription_key].recovery_vaults is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/recovery_vaults.tfvars.j2"
#
# service_health_alerts
#
- name: "[{{ level }}-{{ base_folder }}] - resources - service_health_alerts"
when:
- resources.subscriptions[subscription_key].service_health_alerts is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/servicehealth.tfvars.j2"
- name: "[{{ level }}-{{ base_folder }}] generate configuration files."
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/*.tfvars.j2"
- "{{ level }}/{{ base_folder }}/*.md"


@ -1,12 +0,0 @@
landingzone = {
backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}"
global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}"
level = "{{ config.tfstates.platform.identity.level }}"
key = "{{ config.tfstates.platform.identity.lz_key_name }}"
tfstates = {
{{ config.tfstates.platform.launchpad.lz_key_name }} = {
level = "lower"
tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}"
}
}
}


@ -16,12 +16,10 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra
{% endif %}
rover \
{% if platform_subscriptions_details.eslz is defined %}
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
@ -32,7 +30,6 @@ rover \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform.identity.tfstate }} \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.identity.tfstate }}.tfplan \
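Review bot: The second hunk (old 7 lines, new 6) drops one line without a replacement, and the only candidate among the visible lines is `-log-severity {{ config.gitops.rover_log_error }} \` at L2271, so this rover plan no longer receives an explicit log severity; the management (L2462) and platform_subscriptions (L2578) readmes show the same pattern, while the eslz readme keeps a hardcoded `-log-severity ERROR` (L2124). Side markers are lost in this rendering, so this is inferred from the hunk counts. If dropping the flag is intended, a one-line remark in the readme that the log level is now whatever rover uses without the flag would stop readers re-adding it from older copies; otherwise the line should stay.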


@ -1,162 +0,0 @@
- name: "[{{ level }}-{{ base_folder }}] Clean-up directory"
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: absent
when:
- config.configuration_folders.platform.cleanup_destination | bool
- name: "[{{ level }}-{{ base_folder }}] Creates directory"
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: directory
- name: "[{{ level }}-{{ base_folder }}] - Set variables"
set_fact:
destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
- name: "[{{ level }}-{{ base_folder }}] - Load variables"
include_vars:
name: resources
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "management.yaml|configuration.caf.platform.yaml"
#
# automation_accounts
#
- name: "[{{ level }}-{{ base_folder }}] - resources - automation_accounts"
when:
- resources.subscriptions[subscription_key].automation_accounts is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/automation_accounts.tfvars.j2"
#
# diagnostic_log_analytics
#
- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostic_log_analytics"
when:
- resources.subscriptions[subscription_key].diagnostic_log_analytics is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/diagnostic_log_analytics.tfvars.j2"
#
# diagnostic_storage_accounts
#
- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostic_storage_accounts"
when:
- resources.subscriptions[subscription_key].diagnostic_storage_accounts is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/diagnostic_storage_accounts.tfvars.j2"
# diagnostics_definition
#
- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostics_definition"
when:
- resources.subscriptions[subscription_key].diagnostics_definition is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/diagnostics_definition.tfvars.j2"
# diagnostics_destinations
#
- name: "[{{ level }}-{{ base_folder }}] - resources - diagnostics_destinations"
when:
- resources.subscriptions[subscription_key].diagnostics_destinations is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/diagnostics_destinations.tfvars.j2"
#
# monitor_action_groups
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - monitor_action_groups"
when:
- resources.subscriptions[subscription_key].monitor_action_groups is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/monitor_action_groups.tfvars.j2"
#
# recovery_vaults
#
- name: "[{{ level }}-{{ subscription_key }}] - resources - recovery_vaults"
when:
- resources.subscriptions[subscription_key].recovery_vaults is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/recovery_vaults.tfvars.j2"
#
# resource_groups
#
- name: "[{{ level }}-{{ base_folder }}] - resources - resource_groups"
when:
- resources.subscriptions[subscription_key].resource_groups is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/resource_groups.tfvars.j2"
#
# service_health_alerts
#
- name: "[{{ level }}-{{ base_folder }}] - resources - service_health_alerts"
when:
- resources.subscriptions[subscription_key].service_health_alerts is defined
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/servicehealth.tfvars.j2"
#
# Readme
#
- name: "[{{ level }}-{{ base_folder }}] - resources - *.md"
# when: always
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/*.md"
#
# Legacy calls
#
- name: "[{{ level }}-{{ base_folder }}] - generate configuration files."
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/*.tfvars.j2"


@ -1,12 +0,0 @@
landingzone = {
backend_type = "{{ caf_terraform.launchpad.backend_type | default("azurerm")}}"
global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}"
level = "{{ config.tfstates.platform.management.level }}"
key = "{{ config.tfstates.platform.management.lz_key_name }}"
tfstates = {
{{ config.tfstates.platform.launchpad.lz_key_name }} = {
level = "lower"
tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}"
}
}
}


@ -18,10 +18,10 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra
rover \
{% if platform_subscriptions_details.eslz is defined %}
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_management.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
@ -32,7 +32,6 @@ rover \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform.management.tfstate }} \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.management.tfstate }}.tfplan \


@ -1,88 +0,0 @@
- name: "[{{ level }}-{{ base_folder }}] Clean-up directory"
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: absent
when: config.configuration_folders.platform.cleanup_destination | bool
- name: "[{{ level }}-{{ base_folder }}] Creates directory"
register: level1_subscriptions
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: directory
- name: "[{{ level }}-{{ base_folder }}] generate configuration files."
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/*.tfvars.j2"
- "{{ level }}/{{ base_folder }}/*.md"
# Create the subscriptions
- name: "[{{ level }}-{{ base_folder }}] Create subscriptions."
when: deploy_subscriptions | bool
shell: |
/tf/rover/rover.sh \
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_platform.vault_uri }} \
-lz /tf/caf/landingzones/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.platform_subscriptions.tfstate }} \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-a apply
- name: "[{{ level }}-{{ base_folder }}] Get latest cache folder"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
- name: "[{{ level }}-{{ base_folder }}] Get tfstate details"
register: subscription_tfstate_file_name
shell: |
az storage account list \
--subscription {{ config.caf_terraform.launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='{{ config.tfstates.platform.platform_subscriptions.level }}' && tags.caf_environment=='{{ config.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
- debug:
msg: "{{ subscription_tfstate_file_name.stdout }}"
- name: "[{{ level }}-{{ base_folder }}] Download tfstate details"
register: platform_subscriptions_tfstate_exists
ignore_errors: true
shell: |
az storage blob download \
--name "{{ config.tfstates.platform.platform_subscriptions.tfstate }}" \
--account-name "{{ subscription_tfstate_file_name.stdout }}" \
--container-name "tfstate" \
--auth-mode "login" \
--file "{{ job_cache_base_path }}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}"
- name: "[{{ level }}-{{ base_folder }}] Get platform_subscriptions details"
shell: "cat {{ job_cache_base_path }}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}"
register: platform_subscriptions
when: platform_subscriptions_tfstate_exists.rc == 0
- name: "[{{ level }}-{{ base_folder }}] Get platform_subscriptions json data"
when: platform_subscriptions_tfstate_exists.rc == 0
set_fact:
platform_sub_jsondata: "{{ platform_subscriptions.stdout | from_json }}"
- name: "[{{ level }}-{{ base_folder }}] Get subscriptions list"
when: platform_subscriptions_tfstate_exists.rc == 0
set_fact:
platform_subscriptions_details: "{{ platform_sub_jsondata | json_query(path) }}"
vars:
path: 'outputs.objects.value.{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}.subscriptions'
- name: "[{{ level }}-{{ base_folder }}] cleanup"
when: platform_subscriptions_tfstate_exists.rc == 0
file:
path: "{{ job_cache_base_path }}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}"
state: absent
- debug:
msg: "Platform subscriptions - {{ platform_subscriptions_details }}"
when: platform_subscriptions_tfstate_exists.rc == 0


@ -1,12 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "{{ config.tfstates.platform.launchpad.lz_key_name }}"
level = "{{ config.tfstates.platform.platform_subscriptions.level }}"
key = "{{ config.tfstates.platform.platform_subscriptions.lz_key_name }}"
tfstates = {
{{ config.tfstates.platform.launchpad.lz_key_name }} = {
level = "lower"
tfstate = "{{ config.tfstates.platform.launchpad.tfstate }}"
}
}
}


@ -10,14 +10,13 @@ rover login -t {{ config.platform_identity.tenant_name }} -s {{ config.caf_terra
rover \
{% if platform_subscriptions_details.eslz is defined %}
{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_subscription_creation_platform.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ config.tfstates.platform.platform_subscriptions.tfstate }} \
-log-severity {{ config.gitops.rover_log_error }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.platform_subscriptions.tfstate }}.tfplan \


@ -1,29 +0,0 @@
- name: "{{display_name}} Load variable for deployments {{deployment}} - {{resource_folder}}"
include_vars:
name: deployments
dir: "{{config_folder}}/deployments/{{deployment}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "{{ files_matching }}"
- name: "{{display_name}} Load variable for resources {{deployment}} - {{resource_folder}}"
include_vars:
name: resources
dir: "{{config_folder}}/deployments/{{deployment}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "{{ files_matching }}"
- name: "{{display_name}} - Content of resources - {{deployment}}"
debug:
msg: "{{resources}}"
- name: "{{display_name}} - {{deployment}}"
include_tasks: "{{ level }}/ansible_resource_deployment.yaml"
when:
- config.tfstates.platform[resource_folder] is defined
- resources.deployments.keys is defined
loop: "{{ resources.deployments.keys() }}"
loop_control:
loop_var: subscription_key


@ -1,42 +0,0 @@
- name: "{{display_name}} - {{level}} - {{subscription_key}} - set destination paths"
set_fact:
destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{resource_folder}}/{{ deployment }}"
- name: "{{display_name}} - {{level}} - {{subscription_key}} - Clean-up directory - {{ destination_path }}"
file:
path: "{{ destination_path }}"
state: absent
when: config.configuration_folders.asvm.cleanup_destination | default(true) | bool
- name: "{{display_name}} - {{level}} - {{subscription_key}} - Creates directory - {{ destination_path }}"
file:
path: "{{ destination_path }}"
state: directory
#
# landingzone
#
- name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - landingzone.tfvars"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/landingzone.tfvars.j2"
- name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - Tfvars"
include_tasks: "{{ level }}/ansible_resource_type.yaml"
loop: "{{ resources.subscriptions[subscription_key].keys() }}"
loop_control:
loop_var: resource_type
- name: "{{display_name}} - {{level}} - {{subscription_key}} - {{ deployment }} - Overrides"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/{{resource_folder}}/*.j2"
- "{{ level }}/{{ base_folder }}/{{resource_folder}}/*.md"


@ -1,7 +0,0 @@
- name: "{{display_name}} - {{ level }} - {{subscription_key}} - {{ deployment }} - {{ resource_type }}"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ resource_template_folder }}/{{resource_type}}.tfvars.j2"


@ -1,28 +1,3 @@
# - name: "[{{ level }}-{{ base_folder }}] - Set variables"
# set_fact:
# destination_path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
# - name: "[{{ level }}-{{ base_folder }}] - Load variable for launchpad"
# include_vars:
# name: resources
# dir: "{{config_folder}}"
# depth: 1
# ignore_unknown_extensions: true
# files_matching: "asvm.yaml"
# - debug:
# msg: "{{resources}}"
# - name: "[{{ level }}-{{ base_folder }}] Clean-up directory"
# file:
# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
# state: absent
# when: config.configuration_folders.platform.cleanup_destination | bool
# - name: "[{{ level }}-{{ base_folder }}] Creates directory"
# file:
# path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
# state: directory
- name: "[{{resources.relative_destination_folder}}] Get tfstate account name"
register: launchpad_storage_account
@ -90,48 +65,3 @@
- debug:
msg: "{{level2_storage_account}}"
verbosity: 2
# #
# # resource_groups
# #
# - name: "[{{ level }}-{{ base_folder }}] - resource_groups"
# when:
# - resources.subscriptions[subscription_key].resource_groups is defined
# ansible.builtin.template:
# src: "{{ item }}"
# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
# force: yes
# with_fileglob:
# - "{{ resource_template_folder }}/resource_groups.tfvars.j2"
# #
# # azuread_groups
# #
# - name: "[{{ level }}-{{ base_folder }}] - azuread_groups"
# when:
# - resources.subscriptions[subscription_key].azuread_groups is defined
# ansible.builtin.template:
# src: "{{ item }}"
# dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
# force: yes
# with_fileglob:
# - "{{ resource_template_folder }}/azuread_groups.tfvars.j2"
# - name: "[{{ level }}-{{ base_folder }}] asvm"
# ansible.builtin.template:
# src: "{{ level }}/{{ base_folder }}/{{ item }}.tfvars.j2"
# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item }}.tfvars"
# force: yes
# loop:
# - dynamic_secrets
# - keyvaults
# - landingzone
# - role_mappings
# - storage_accounts
# - name: "[{{ level }}-{{ base_folder }}] launchpad - readme"
# ansible.builtin.template:
# src: "{{ level }}/{{ base_folder }}/readme.md"
# dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/readme.md"
# force: yes


@ -1,12 +0,0 @@
landingzone = {
backend_type = "{{ caf_terraform.asvm.backend_type | default("azurerm")}}"
global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}"
level = "{{ config.tfstates.platform.asvm.level }}"
key = "{{ config.tfstates.platform.asvm.lz_key_name }}"
tfstates = {
{{ config.tfstates.platform.management.lz_key_name }} = {
level = "lower"
tfstate = "{{ config.tfstates.platform.management.tfstate }}"
}
}
}


@ -4,15 +4,15 @@
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
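Review bot: The new `--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }}` line dereferences `tfstate_object`, which nothing in this hunk defines or guards, while the enclosing `{% if %}` only tests `keyvaults is defined`. If `tfstate_object.identity_aad_key` is unset, or names a key that is not in `keyvaults`, the template render fails under Ansible's strict undefined handling instead of emitting a readme without the impersonation flag. Tightening the guard to `{% if keyvaults is defined and tfstate_object.identity_aad_key is defined and tfstate_object.identity_aad_key in keyvaults and config.platform_identity.azuread_identity_mode != "logged_in_user" %}` makes that failure mode explicit. Resolving the impersonation vault per tfstate instead of the former fixed `cred_level0` is a sound direction, since it keeps the service principal used for a deployment scoped to the level it belongs to. The hunk covers only part of this template.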


@ -1,54 +0,0 @@
storage_accounts = {
level3 = {
name = "{{ resources.subscriptions[subscription_key].storage_accounts.level3.name }}"
resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level3.resource_group_key }}"
account_kind = "BlobStorage"
account_tier = "Standard"
account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}"
tags = {
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
tfstate = "level3"
environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
launchpad = "launchpad"
caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
caf_launchpad = "launchpad"
caf_tfstate = "level3"
##
}
blob_properties = {
versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }}
container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }}
delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }}
}
containers = {
{{ config.tfstates.platform.asvm.workspace | default('tfstate') }} = {
name = "{{ config.tfstates.platform.asvm.workspace | default('tfstate') }}"
}
}
}
level4 = {
name = "{{ resources.subscriptions[subscription_key].storage_accounts.level4.name }}"
resource_group_key = "{{ resources.subscriptions[subscription_key].storage_accounts.level4.resource_group_key }}"
account_kind = "BlobStorage"
account_tier = "Standard"
account_replication_type = "{{ config.caf_terraform.launchpad.account_replication_type }}"
tags = {
# Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates.
tfstate = "level4"
environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
launchpad = "launchpad"
caf_environment = "{{ config.caf_terraform.launchpad.caf_environment }}"
caf_launchpad = "launchpad"
caf_tfstate = "level4"
}
blob_properties = {
versioning_enabled = {{ config.caf_terraform.launchpad.blob_versioning_enabled | string | lower | default('true') }}
container_delete_retention_policy = {{ config.caf_terraform.launchpad.container_delete_retention_policy | default(7) }}
delete_retention_policy = {{ config.caf_terraform.launchpad.delete_retention_policy | default(7) }}
}
}
}


@ -1,95 +0,0 @@
- name: Creates {{ base_folder }} directory structure
shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
- name: "[{{ level }} {{ subscription_key }}] - virtual_wans"
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.virtual_wans is defined
loop: "{{ config.tfstates.platform.virtual_wans.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "connectivity_virtual_wan.yaml|connectivity_virtual_wan.caf.yaml"
resource_folder: virtual_wans
display_name: Virtual Wan
- name: "[{{ level }} {{ subscription_key }}] - virtual_hubs"
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.virtual_hubs is defined
loop: "{{ config.tfstates.platform.virtual_hubs.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "connectivity_virtual_hubs.yaml|connectivity_virtual_hubs.caf.yaml"
resource_folder: virtual_hubs
display_name: Virtual Wan
# - name: Virtual Hubs
# include_tasks: "{{ level }}/{{ base_folder }}/virtual_hub/ansible.yaml"
# when:
# - connectivity_virtual_hub.virtual_hubs is defined
# loop: "{{ config.tfstates.platform.virtual_hubs.keys() }}"
# loop_control:
# loop_var: virtual_hub
- name: VPN Sites
include_tasks: "{{ level }}/{{ base_folder }}/vpn_site/ansible.yaml"
when:
- connectivity_vpn_sites.vpn_sites is defined
loop: "{{ config.tfstates.platform.vpn_sites.keys() }}"
loop_control:
loop_var: site
- name: Express Route Circuit
include_tasks: "{{ level }}/{{ base_folder }}/express_route_circuit/ansible.yaml"
when:
- connectivity_express_routes.express_route_circuits is defined
loop: "{{ config.tfstates.platform.express_route_circuits.keys() }}"
loop_control:
loop_var: circuit
- name: Express Route Circuit Peerings
include_tasks: "{{ level }}/{{ base_folder }}/express_route_circuit_peering/ansible.yaml"
when:
- connectivity_express_routes.express_route_circuits is defined
- connectivity_express_route_peerings.express_route_circuit_peerings is defined
loop: "{{ config.tfstates.platform.express_route_circuit_peerings.keys() }}"
loop_control:
loop_var: circuit
- name: Private DNS Zones
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.private_dns is defined
loop: "{{ config.tfstates.platform.private_dns.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "connectivity_private_dns.yaml|connectivity_private_dns.caf.yaml"
resource_folder: private_dns
display_name: Private DNS Zones
- name: Firewall Policies
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.azurerm_firewall_policies is defined
loop: "{{ config.tfstates.platform.azurerm_firewall_policies.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "connectivity_firewall_policies.yaml|connectivity_firewall_policies.caf.yaml"
resource_folder: azurerm_firewall_policies
display_name: Firewall Policies
- name: Azure Firewalls
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.azurerm_firewalls is defined
loop: "{{ config.tfstates.platform.azurerm_firewalls.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "connectivity_firewalls.yaml|connectivity_firewalls.caf.yaml"
resource_folder: azurerm_firewalls
display_name: Azure Firewalls


@ -1,12 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "{{ config.tfstates.platform.management.lz_key_name }}"
level = "level2"
key = "{{ config.tfstates.platform.azurerm_firewall_policies[deployment].lz_key_name }}"
tfstates = {
{{ config.tfstates.platform.management.lz_key_name }} = {
level = "lower"
tfstate = "{{ config.tfstates.platform.management.tfstate }}"
}
}
}


@ -3,7 +3,7 @@
## Select the correct branch for the landingzones code
Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the connectivity services
Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the connectivity services
## {{ environment }}
@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
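Review bot: The rover snippet here still hardcodes `--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }}` after the move to `{{ landingzones_folder }}`, whereas the asvm readme template in this same commit now resolves the vault from a per-tfstate key. If a single-subscription deployment does not produce a `cred_connectivity` entry, the `keyvaults is defined` guard passes and the attribute lookup fails at render time; the same pattern is present in the other connectivity readme templates further down this page whose `@ -11,15 +11,15 @@` and `@ -4,15 +4,15 @@` hunks keep the identical `cred_connectivity` line. Either apply the same per-tfstate lookup or at least extend the guard to `{% if keyvaults is defined and keyvaults.cred_connectivity is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}` so the condition matches what the line dereferences. Both hunks in this section are partial views of the template.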


@ -1,18 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "{{ config.tfstates.platform.virtual_hubs[deployment].lz_key_name }}"
level = "{{ config.tfstates.platform.azurerm_firewalls[deployment].level }}"
key = "{{ config.tfstates.platform.azurerm_firewalls[deployment].lz_key_name }}"
tfstates = {
# Virtual Hub
{{ config.tfstates.platform.virtual_hubs[deployment].lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.virtual_hubs[deployment].tfstate }}"
}
# firewall policies
{{ config.tfstates.platform.azurerm_firewall_policies[deployment].lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.azurerm_firewall_policies[deployment].tfstate }}"
}
}
}


@ -3,7 +3,7 @@
## Select the correct branch for the landingzones code
Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the connectivity services
Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the connectivity services
## {{ environment }}
@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}


@ -11,7 +11,7 @@ Note you need to adjust the branch {{ connectivity_express_routes.gitops.caf_lan
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }}
@ -19,7 +19,7 @@ rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
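Review bot: Only the `cd` and `-lz` lines in this express-route readme template were moved to `{{ landingzones_folder }}`; the `-var-folder` argument on the following line still spells the destination out as `{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit/{{ circuit }}`, while the sibling readme templates in this commit pass `-var-folder {{ destination_path }}`. The branch also comes from `connectivity_express_routes.gitops.caf_landingzone_branch` rather than the `resources.gitops.caf_landingzone_branch` the other templates were switched to; whether that difference is intentional cannot be told from here. If the connectivity `ansible.yaml` removed earlier on this page was the only include that set `circuit` and loaded `connectivity_express_routes`, this template may now be unreachable or render with those names undefined, which is worth confirming. The express_route_circuit_peering readme in the next section has the same partial migration. Both hunks show only fragments of the template.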


@ -5,7 +5,7 @@
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ connectivity_express_routes.gitops.caf_landingzone_branch }}
@ -13,7 +13,7 @@ rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/express_route_circuit_peering/{{ circuit }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}


@ -1,20 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}"
level = "{{ config.tfstates.platform.private_dns[deployment].level }}"
key = "{{ config.tfstates.platform.private_dns[deployment].lz_key_name }}"
tfstates = {
{% if config.tfstates.platform.azurerm_firewalls is defined %}
# Firewall
{{ config.tfstates.platform.azurerm_firewalls[deployment].lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.azurerm_firewalls[deployment].tfstate }}"
}
{% endif %}
# Identity Level2
{{ config.tfstates.platform.identity_level2[deployment].lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.identity_level2[deployment].tfstate }}"
}
}
}


@ -3,7 +3,7 @@
## Select the correct branch for the landingzones code
Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the connectivity services
Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the connectivity services
## {{ environment }}
@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}


@ -1,151 +0,0 @@
# Connectivity
You have selected the vwan networking option to build your Enteprise Scale platform. The following instructions guides you through the steps to follow.
## Select the correct branch for the landingzones code
Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services
{% for folder_name in folders %}
## Virtual Wan
```bash
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
git fetch origin
git checkout {{ config.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ folder_name }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
-target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
{% else %}
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform.[folder_name].tfstate }} \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.[folder_name].tfstate }}.tfplan \
-a plan
```
{% endfor %}
## Virtual hubs
{% for virtual_hub in tfstates.virtual_hubs.keys() %}
### {{ virtual_hub }}
```bash
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
git fetch origin
git checkout {{ config.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
-target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
{% else %}
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }} \
-log-severity ERROR \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.virtual_hubs[virtual_hub].tfstate }}.tfplan \
-a plan
```
{% endfor %}
{% if connectivity_vpn_sites.vpn_sites is defined %}
## Virtual Hub VPN Sites
{% for vpnsite in connectivity_vpn_sites.vpn_sites.keys() %}
### {{ vpnsite }}
```bash
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
git fetch origin
git checkout {{ config.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ vpnsite }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
-target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
{% else %}
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform.vpn_sites[vpnsite].tfstate }} \
-log-severity ERROR \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.vpn_sites[vpnsite].tfstate }}.tfplan \
-a plan
```
{% endfor %}
{% endif %}
{% if tfstates.firewall_policies is defined %}
## Firewall policies
{% for firewall_policy in tfstates.firewall_policies.keys() %}
### {{ firewall_policy }}
```bash
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
git fetch origin
git checkout {{ config.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/firewall_policies/{{ firewall_policy }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
-target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
{% else %}
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform.firewall_policies[firewall_policy].tfstate }} \
-log-severity ERROR \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.firewall_policies[firewall_policy].tfstate }}.tfplan \
-a plan
```
{% endfor %}
{% endif %}


@ -1,20 +0,0 @@
- name: Virtual_hubs {{ virtual_hub }} - Clean-up directory
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }}"
state: absent
when:
- config.configuration_folders.platform.cleanup_destination | bool
- name: Virtual_hubs {{ virtual_hub }} - Creates directory structure
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }}"
state: directory
- name: Virtual_hubs {{ virtual_hub }} - Tfvars
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/virtual_hubs/{{ virtual_hub }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/virtual_hub/*.j2"
- "{{ level }}/{{ base_folder }}/virtual_hub/*.md"


@ -1,35 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}"
level = "{{ config.tfstates.platform.virtual_hubs[virtual_hub].level }}"
key = "{{ config.tfstates.platform.virtual_hubs[virtual_hub].lz_key_name }}"
tfstates = {
# Virtual WAN
{{ config.tfstates.platform.virtual_wan.lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.virtual_wan.tfstate }}"
}
{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections and connectivity_virtual_hub.express_route_connections[virtual_hub] is defined %}
# Express Route Circuit
{{ config.tfstates.platform.express_route_circuits[connectivity_virtual_hub.express_route_connections[virtual_hub].express_route_circuit_authorization.tfstate_key].lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.express_route_circuits[connectivity_virtual_hub.express_route_connections[virtual_hub].express_route_circuit_authorization.tfstate_key].tfstate }}"
}
{% endif %}
{% if connectivity_virtual_hub.virtual_hubs[virtual_hub].enable_er_connections and connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering is defined %}
# Express Route Circuit Peerings
{{ config.tfstates.platform.express_route_circuit_peerings[connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering.tfstate_key].lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.express_route_circuit_peerings[connectivity_virtual_hub.express_route_connections[virtual_hub].circuit_peering.tfstate_key].tfstate }}"
}
{% endif %}
}
}
{% if connectivity_virtual_hub.custom_variables[virtual_hub] is defined %}
custom_variables = {
{% for key, value in connectivity_virtual_hub.custom_variables[virtual_hub].items() %}
{{key}} = "{{value}}"
{% endfor %}
}
{% endif %}


@ -10,15 +10,15 @@ Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}


@ -1,35 +0,0 @@
{% if connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables is defined %}
virtual_hub_route_tables = {
{% for key, route_table in connectivity_virtual_hub[virtual_hub].virtual_hub_route_tables.items() %}
{{ key }} = {
name = "{{ route_table.name }}"
virtual_hub = {
key = "{{ virtual_hub }}"
}
# labels = ["label1"]
# routes = {
# egress_internet = {
# name = "egress-internet"
# destinations_type = "CIDR"
# destinations = ["0.0.0.0/0"]
# # Either next_hop or next_hop_id can be used
# #
# # When using next_hop, the virtual_hub_connection must be deployed in a different landingzone. This cannot be tested in the standalone module.
# # Will be covered in the landingzone starter production configuration in future releases.
# #
# next_hop = {
# lz_key = "" #
# resource_type = "virtual_hub_connection" # Only supported value.
# resource_key = "egress-fw"
# }
# #to cather for external object
# #next_hop_id = "Azure_Resource_ID"
# }
# }
}
{% endfor %}
}
{% endif %}


@ -4,15 +4,15 @@
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}


@ -1,20 +0,0 @@
- name: VPN Site {{ site }} - Clean-up directory
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }}"
state: absent
when:
- config.configuration_folders.platform.cleanup_destination | bool
- name: VPN Site {{ site }} - Creates directory structure
file:
path: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }}"
state: directory
- name: VPN Site {{ site }} - Tfvars
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ level }}/{{ base_folder }}/vpn_site/*.j2"
- "{{ level }}/{{ base_folder }}/vpn_site/*.md"


@ -1,16 +0,0 @@
landingzone = {
backend_type = "azurerm"
global_settings_key = "{{ config.tfstates.platform.virtual_wan.lz_key_name }}"
level = "{{ config.tfstates.platform.vpn_sites[site].level }}"
key = "{{ config.tfstates.platform.vpn_sites[site].lz_key_name }}"
tfstates = {
{{ config.tfstates.platform.virtual_wan.lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.virtual_wan.tfstate }}"
}
{{ config.tfstates.platform.virtual_hubs[connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_site.key].lz_key_name }} = {
level = "current"
tfstate = "{{ config.tfstates.platform.virtual_hubs[connectivity_vpn_gateway_connections.vpn_gateway_connections[site].vpn_site.key].tfstate }}"
}
}
}


@ -1,39 +0,0 @@
# VPN Sites
## Select the correct branch for the landingzones code
Note you need to adjust the branch {{ config.gitops.caf_landingzone_branch }} to deploy the connectivity services
{% for site in config.tfstates.platform.vpn_sites.keys() %}
site
```bash
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
git fetch origin
git checkout {{ config.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_connectivity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-var-folder {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/vpn_sites/{{ site }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
-target_subscription {{ platform_subscriptions_details.connectivity.subscription_id }} \
{% else %}
-target_subscription {{ config.caf_terraform.launchpad.subscription_id }} \
{% endif %}
-tfstate {{ config.tfstates.platform.vpn_sites[site].tfstate }} \
-log-severity ERROR \
-env {{ config.caf_terraform.launchpad.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ config.tfstates.platform.vpn_sites[site].tfstate }}.tfplan \
-a plan
```
{% endfor %}


@ -1,38 +0,0 @@
- name: Creates {{ base_folder }} directory structure
shell: mkdir -p "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
- name: "[{{ level }} {{ subscription_key }}] - Azure Identity level2"
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.identity_level2 is defined
loop: "{{ config.tfstates.platform.identity_level2.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "identity_level2.yaml|identity_level2.caf.yaml"
resource_folder: identity_level2
display_name: Azure Identity level2
- name: "[{{ level }} {{ subscription_key }}] - Azure Active Directory Domain Services (AADDS) - Azure managed"
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.identity_level2_aadds is defined
loop: "{{ config.tfstates.platform.identity_level2_aadds.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "identity_level2_aadds.yaml|identity_level2_aadds.caf.yaml"
resource_folder: identity_level2_aadds
display_name: Azure Active Directory Domain Services (AADDS Azure Managed)
- name: "[{{ level }} {{ subscription_key }}] - Active Directory Domain Services in Virtual Machines"
include_tasks: "{{ level }}/ansible_deployment.yaml"
when:
- config.tfstates.platform.identity_level2_adds is defined
loop: "{{ config.tfstates.platform.identity_level2_adds.keys() }}"
loop_control:
loop_var: deployment
vars:
files_matching: "identity_level2_adds.yaml|identity_level2_adds.caf.yaml"
resource_folder: identity_level2_adds
display_name: Active Directory Domain Services (ADDS in VM)


@ -13,7 +13,7 @@ rover \
{% if config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ platform_subscriptions_details.identity.subscription_id }} \


@ -3,7 +3,7 @@
## Select the correct branch for the landingzones code
Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy the AADDS services
Note you need to adjust the branch {{ resources.gitops.caf_landingzone_branch }} to deploy the AADDS services
## {{ environment }}
@ -11,15 +11,15 @@ Note you need to adjust the branch {{ resources.gitops.landingzones }} to deploy
# login a with a user member of the caf-platform-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}


@ -7,15 +7,15 @@ Deploy 2 domain controllers in the primary region
# login a with a user member of the caf-maintainers group
rover login -t {{ config.platform_identity.tenant_name }}
cd {{ destination_base }}/landingzones
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.landingzones }}
git checkout {{ resources.gitops.caf_landingzone_branch }}
rover \
{% if keyvaults is defined and config.platform_identity.azuread_identity_mode != "logged_in_user" %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_identity.vault_uri }} \
{% endif %}
-lz {{ destination_base }}/landingzones/caf_solution \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ config.caf_terraform.launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}


@ -6,15 +6,33 @@
resources: "{{ lookup('file', '{{ file_to_process.path }}') | from_yaml }}"
- set_fact:
env: "{{resources.deployments.tfstate.values() | first | default('')}}"
lz_type: "{{resources.deployments.landingzone.tfstate.keys() | first}}"
- name: "{{tfstates[tfstate]}} - Set tfstate_object"
- set_fact:
tfstate: "{{resources.deployments.landingzone.tfstate[lz_type].keys() | first}}"
env: "{{resources.deployments.landingzone.tfstate[lz_type].values() | first | default('')}}"
- debug:
msg:
- "{{config}}"
- "{{lz_type}}"
- "{{tfstate}}"
- "{{env}}"
verbosity: 2
- name: "Set tfstate_object"
set_fact:
tfstate_object: '{{config.tfstates.platform[resources.deployments.tfstate.keys() | first] if env == "" else config.tfstates.platform[resources.deployments.tfstate.keys() | first][env]}}'
tfstate_object: '{{config.tfstates[lz_type][tfstate] if env == "" else config.tfstates[lz_type][tfstate][env] }}'
- debug:
msg:
- "{{tfstate_object}}"
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: ["{{resources.deployments.tfstate.keys() | first }}"]
loop: ["{{ tfstate }}"]
loop_control:
loop_var: deployment
vars:
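Review bot: The new `debug` task prints the entire `config` object at verbosity 2, which puts the whole platform configuration (tenant, subscription ids, key vault URIs and whatever else the file carries) into CI logs that are usually retained and broadly readable; print only what this task needs, e.g. `- "{{ config.tfstates[lz_type] | default({}) }}"` in place of `- "{{config}}"`. The `| first` applied to the keys and values of `resources.deployments.landingzone.tfstate[lz_type]` also silently picks one entry and drops any others, so a file declaring two tfstates under the same type is partly processed with no error; an `assert` that the mapping has exactly one key would make that contract explicit. The task list continues past the end of the hunk.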


@ -7,4 +7,5 @@
loop_control:
loop_var: tfstate
vars:
tfstates: "{{bootstrap[step][stage]}}"
tfstates: "{{bootstrap[step][stage]}}"
lz_type: platform


@ -1,33 +1,39 @@
- debug:
msg: "tfstate {{tfstate}} - {{tfstates[tfstate]}}"
msg:
- "tfstate {{tfstate}} - {{tfstates[tfstate]}}"
- "{{lz_type}}"
- set_fact:
tfstate_key: "{{ tfstates[tfstate].keys() | first }}"
env: "{{ tfstates[tfstate].values() | first | default('') }}"
- name: "{{tfstates[tfstate]}} - Set env"
- name: "Set tfstate_object"
set_fact:
env: "{{tfstates[tfstate].values() | first | default()}}"
verbosity: 2
tfstate_object: '{{config.tfstates[lz_type][tfstate_key] if env == "" else config.tfstates[lz_type][tfstate_key][env] }}'
- name: "{{tfstates[tfstate]}} - Set tfstate_object"
- name: "Set config_folder"
set_fact:
tfstate_object: '{{config.tfstates.platform[tfstates[tfstate].keys() | first] if env == "" else config.tfstates.platform[tfstates[tfstate].keys() | first][env]}}'
verbosity: 2
- name: "{{tfstates[tfstate]}} - Set config_file"
set_fact:
config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
config_folder: '{{ tfstate_object.sub_template_folder | default() }}'
- debug:
msg: '{{ config_file }}'
msg:
- "{{config}}"
- "{{lz_type}}"
- "{{tfstate_key}}"
- "{{env}}"
- "{{tfstate_object}}"
- "{{config_folder}}"
verbosity: 2
- set_fact:
resources: "{{ lookup('file', '{{ config_folder + \"/\" + tfstate_object.config_file }}') | from_yaml }}"
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: "{{tfstates[tfstate].keys()}}"
loop: ["{{tfstate_key}}"]
loop_control:
loop_var: deployment
vars:
key: "{{tfstates[tfstate]}}"
resources: "{{ lookup('file', '{{ config_file }}') | from_yaml }}"
deployments: "{{ lookup('file', '{{ config_file }}') | from_yaml }}"
config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
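Review bot: `config_folder` is derived from `tfstate_object.sub_template_folder | default()`, which is an empty string when the key is absent, and the `resources` fact then calls `lookup('file', '/' + config_file)` — an absolute path from the filesystem root rather than a path under the template folder, which fails (or reads the wrong file) with no hint of the real cause. Use `config_folder: '{{ tfstate_object.sub_template_folder | mandatory }}'`, or add an `assert` on the key before the lookup. The same lookup nests a `{{ }}` expression inside an already-templated string; the plain form `lookup('file', config_folder ~ '/' ~ tfstate_object.config_file)` avoids the nested-templating warning and the quote escaping. This rendering does not mark which side each line is on, so these are read as the new code.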


@ -65,7 +65,7 @@
#
# overrides
#
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides"
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }}"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"


@ -1,15 +1,17 @@
- debug:
msg:
- "{{lz_type}}"
- name: "Verify {{deployment}} {{key[deployment] | default()}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :"
- name: "Verify {{deployment}} {{lz_type}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :"
debug:
msg:
- "{{config.tfstates.platform[deployment]}}"
- "{{config.tfstates[lz_type][deployment]}}"
- "resources - {{resources}}"
- name: "{{deployment}} - tfstate_object sub_template_folder and config_file - {{env}}"
- name: "{{deployment}} - tfstate_object sub_template_folder- {{env}}"
debug:
msg:
- 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
- 'config_file - {{tfstate_object.config_file | default()}}'
- 'tfstate_object - {{tfstate_object}}'
verbosity: 2
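Review bot: The verification task name still says `under tfstates:platform` while the value it now prints is `config.tfstates[lz_type][deployment]`, so for any other landing-zone type the message sends operators to the wrong section of tfstates.yaml. Interpolate the type instead: `- name: "Verify {{deployment}} is defined under tfstates:{{lz_type}} in {{config_folder}}/tfstates.yaml :"`. That same debug also prints the full `resources` mapping unconditionally; a `verbosity: 2` on it, matching the task below, keeps configuration content out of default-level logs.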


@ -14,24 +14,20 @@ azuread_groups = {
group_names = {{ ad_group.members.group_names | replace('None','[]') | replace('\'','\"') }}
{% endif %}
{% if ad_group.members.object_ids is defined %}
object_ids = {{ ad_group.members.object_ids | replace('None','[]') | replace('\'','\"') }}
object_ids = {{ ad_group.members.object_ids | string | replace('None','[]') | replace('\'','\"') }}
{% endif %}
{% if ad_group.members.group_keys is defined %}
group_keys = {{ ad_group.members.group_keys | replace('None','[]') | replace('\'','\"') }}
{% endif %}
{% if ad_group.members.service_principal_keys is defined %}
service_principal_keys = {{ ad_group.members.service_principal_keys | replace('None','[]') | replace('\'','\"') }}
{% if ad_group.members.azuread_service_principal_keys is defined %}
azuread_service_principal_keys = {{ ad_group.members.azuread_service_principal_keys | replace('None','[]') | replace('\'','\"') }}
{% endif %}
}
{% endif %}
{% if ad_group.owners is defined %}
owners = {
{% if ad_group.owners.user_principal_names is defined %}
user_principal_names = {{ ad_group.owners.user_principal_names | replace('None','[]') | replace('\'','\"') }}
owners = {{ ad_group.owners| string | replace('None','[]') | replace('\'','\"') }}
{% endif %}
}
{% endif %}
prevent_duplicate_name = {{ ad_group.owners.prevent_duplicate_name | default(false) | string | lower }}
prevent_duplicate_name = {{ ad_group.owners.prevent_duplicate_name | default(true) | string | lower }}
}
{% endfor %}
}
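Review bot: The new `owners` line renders the YAML mapping with `| string` and then patches the Python repr by replacing `None` with `[]` and every `'` with `"`; that corrupts the tfvars for any value containing an apostrophe or quote (a display name like `O'Brien` ends up as `"O"Brien"`), turns Python booleans into `True`/`False` which HCL does not recognise as booleans, and rewrites the substring `None` wherever it occurs. `| to_json` gives an HCL-compatible object literal with correct escaping, `owners = {{ ad_group.owners | to_json }}`, with the caveat that absent values become `null` rather than `[]`, so the Terraform side may need a `try`/`coalesce`. The `object_ids` and `azuread_service_principal_keys` lines use the same repr-and-replace pattern. Because this template decides who owns and who is a member of Azure AD groups, a silently mangled line is a privilege problem rather than just a syntax one.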


@ -1,52 +1,32 @@
landingzone = {
backend_type = "{{ config.caf_terraform.launchpad.backend_type | default("azurerm") }}"
{% if config.tfstates['asvm'][subscription_key].level is defined %}
{% set level = config.tfstates['asvm'][subscription_key].level %}
level = "{{ level }}"
{% elif resources.deployments.landingzone.key.platform.values() | first %}
{% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].level %}
level = "{{ level }}"
{% elif resources.deployments.landingzone is defined %}
{% set level = config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level %}
level = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].level}}"
{% else %}
{% set level = config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].level %}
level = "{{ level }}"
{% endif %}
{% if resources.deployments.landingzone.key.asvm is defined %}
{% for l_key, l_value in resources.deployments.landingzone.key.asvm.items() %}
key = "{{ config.tfstates['asvm'][l_key][l_value].lz_key_name}}"
{% endfor %}
{% elif resources.deployments.landingzone.key.platform.values() | first %}
key = "{{ config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first][resources.deployments.landingzone.key.platform.values() | first].lz_key_name }}"
{% elif resources.deployments.landingzone.key.platform is defined %}
key = "{{config.tfstates['platform'][resources.deployments.landingzone.key.platform.keys() | first].lz_key_name}}"
{% else %}
key = "{{ config.tfstates['platform'][resources.deployments[subscription_key][deployment].landingzone.key.platform.keys() | first].lz_key_name }}"
{% endif %}
backend_type = "{{ tfstate_object.backend_type | default("azurerm") }}"
level = "{{ tfstate_object.level }}"
key = "{{ tfstate_object.lz_key_name }}"
{% if resources.deployments.landingzone.global_settings_key.platform is defined %}
{% if resources.deployments.landingzone.global_settings_key.platform.values() | first %}
global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first][resources.deployments.landingzone.global_settings_key.platform.values() | first].lz_key_name }}"
{% else %}
global_settings_key = "{{ config.tfstates['platform'][resources.deployments.landingzone.global_settings_key.platform.keys() | first].lz_key_name }}"
{% endif %}
{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is defined %}
global_settings_key = "{{ config.tfstates['platform'][resources.deployments[subscription_key].landingzone.global_settings_key.platform.keys() | first].lz_key_name }}"
{% elif resources.deployments[subscription_key].landingzone.global_settings_key.platform is not defined %}
{% else %}
{% for m_key, m_value in resources.deployments[subscription_key][deployment].landingzone.global_settings_key.asvm.items() %}
global_settings_key = "{{ config.tfstates['asvm'][m_key][m_value].lz_key_name }}"
{% endfor %}
{% elif resources.deployments.landingzone.global_settings_key.asvm is defined %}
global_settings_key = "{{ config.tfstates['asvm'][resources.deployments.landingzone.global_settings_key.asvm.keys() | first].lz_key_name }}"
{% endif %}
{% if resources.deployments.landingzone.remote_tfstates is defined %}
tfstates = {
{% if resources.deployments.landingzone.remote_tfstates.asvm is defined %}
{% if resources.deployments.landingzone.remote_tfstates.asvm.values() | first %}
{% for a_key, a_value in resources.deployments.landingzone.remote_tfstates.asvm.items() %}
{{ config.tfstates['asvm'][a_key][a_value].lz_key_name }} = {
tfstate = "{{ config.tfstates['asvm'][a_key][a_value].tfstate }}"
workspace = "{{ config.tfstates['asvm'][a_key].workspace }}"
}
{% endfor %}
{% else %}
{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].lz_key_name }} = {
fstate = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}"
workspace = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].workspace | default('tfstate')}}"
}
{% endif %}
{% endif %}
{% if resources.deployments.landingzone.remote_tfstates.platform is defined %}
{% for p_key in resources.deployments.landingzone.remote_tfstates.platform.keys() %}
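Review bot: In the `remote_tfstates.asvm` branch the commit leaves in place, the single-key path emits `fstate = "..."` where every other path emits `tfstate = "..."`; a consumer reading `tfstates[...].tfstate` gets nothing for that entry, and depending on how the receiving variable is typed the unknown attribute may be accepted without complaint, so the typo is easy to miss. Change it to `tfstate = "{{ config.tfstates['asvm'][resources.deployments.landingzone.remote_tfstates.asvm.keys() | first].tfstate }}"`. The multi-key loop also reads `.workspace` without the `| default('tfstate')` the single-key path applies, so the two branches behave differently when workspace is unset. The `tfstates = {` block continues past the end of the hunk.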


@ -1,7 +1,8 @@
subscriptions = {
{% for key, value in resources.subscriptions[subscription_key].items() %}
{% for key, value in resources.subscriptions[subscription_key].subscriptions.items() %}
{{ key }} = {
name = "{{ value.name }}"
{% if value.subscription_id is not defined %}
billing_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.billing_account_name }}"
enrollment_account_name = "{{ config.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}"
{% if value.management_group_suffix is defined %}
@ -16,6 +17,9 @@ subscriptions = {
{{ tag_key }} = "{{ value.tags[tag_key] }}"
{% endfor %}
}
{% endif %}
{% else %}
subscription_id = "{{value.subscription_id}}"
{% endif %}
}
{% endfor %}
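Review bot: The new `subscription_id = "{{value.subscription_id}}"` line writes a user-supplied value straight into a quoted HCL string, so a value containing a stray `"` or `${` breaks or rewrites the tfvars, and a mistyped id is only caught later when Terraform targets the wrong subscription. Emit it with proper escaping, `subscription_id = {{ value.subscription_id | to_json }}`, and validate its shape before rendering, e.g. an Ansible `assert` that it matches `^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`. When `subscription_id` is defined the billing account, enrollment account, management-group suffix and tags appear to be skipped entirely; if that is the intended contract for an existing subscription, a `{# ... #}` template comment saying so would stop the next reader from adding them back.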