Update template generator for Feb release

LaurentLesle 2022-02-28 02:02:30 +00:00
Родитель 43e09b5efb
Коммит 4efffaab44
241 изменённых файлов: 3994 добавлений и 7793 удалений


@ -1,9 +1,8 @@
module "launchpad" {
# source = "aztfmod/caf/azurerm"
# version = "5.5.1"
# version = "~> 5.5.1"
source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network"
source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931"
# source = "../../aztfmod"
providers = {
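Review bot: The new `source` line pins the `launchpad` module to a mutable branch (`?ref=AL-azurerm2931`) rather than a tag or commit, so the code fetched by `terraform init` can change without any change to this file and nothing verifies the integrity of what is pulled. The same pattern appears in the `solution` module in the next file section. If the branch is needed while the upstream work is in progress, a comment such as `# TEMPORARY: tracks a feature branch; pin to a release tag or commit SHA before release` would make the intent explicit; for the release itself, prefer `?ref=<release-tag-or-commit-sha placeholder>` or the registry source with the `version` constraint that is currently commented out above. The `module "launchpad"` block continues outside the hunk.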


@ -1,8 +1,8 @@
module "solution" {
# source = "aztfmod/caf/azurerm"
# version = "5.5.1"
# version = "~> 5.5.1"
source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network"
source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931"
# source = "../../aztfmod"
providers = {


@ -1,31 +0,0 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform
## Commands
### clone the landingzone project (Terraform base code)
```bash
cd /tf/caf/landingzones
git pull
git checkout aci_network
```
### Rover ignite the platform
Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps.
Rover ignite creates the tfvars and also the documentation.
```bash
rover login -t tenantname<replace> -s <management subscription guid><replace>
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/platform \
-e resource_template_folder=/tf/caf/landingzones/templates/resources \
-e config_folder=/tf/caf/orgs/contoso/platform
```
### Next step
Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created.


@ -1,38 +0,0 @@
gitops:
landingzones: aci_network
subscriptions:
asvm:
resource_groups:
level3:
name: caf-level3
tags:
level: level3
level4:
name: caf-level4
tags:
level: level4
storage_accounts:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
keyvaults:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
azuread_groups:
caf_ac_landingzone_maintainers_non_prod:
name: caf_ac_landingzone_maintainers_non_prod
caf_ac_landingzone_maintainers_prod:
name: caf_ac_landingzone_maintainers_prod


@ -1,39 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
express_route_circuits:
prod:
name: er-1-prod
resource_group_key: prod
service_provider_name: XL Axiata
peering_location: Jakarta
tier: Standard
family: MeteredData
bandwidth_in_mbps: 50
non_prod:
name: er-1-nonprod
resource_group_key: non_prod
service_provider_name: XL Axiata
peering_location: Jakarta
tier: Standard
family: MeteredData
bandwidth_in_mbps: 50
express_route_circuit_authorizations:
prod:
vhub-prod:
name: er-auth-vhub-prod
resource_group_key: prod
non_prod:
vhub-non-prod:
name: er-auth-vhub-non-prod
resource_group_key: dev
resource_groups:
prod:
name: connectivity-express-route-prod
region_key: region1
non_prod:
name: connectivity-express-route-non-prod
region_key: region1


@ -1,67 +0,0 @@
custom_variables:
prod:
virtual_hub_lz_key: connectivity_virtual_hub_prod
# ddos_protection_plan_id: put ddos plan resource id
non_prod:
virtual_hub_lz_key: connectivity_virtual_hub_non_prod
# ddos_protection_plan_id: put ddos plan resource id
virtual_hubs:
prod:
name: Production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: <replace>
deploy_s2s: false
s2s_config:
name: prod
scale_unit: 1
deploy_er: false
enable_er_connections: false
er_config:
name: prod
scale_units: 1
non_prod:
name: Non Production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: <replace>
deploy_s2s: false
s2s_config:
name: non-prod
scale_unit: 1
deploy_er: false
enable_er_connections: false
er_config:
name: non-prod
scale_units: 1
express_route_connections:
prod:
name: erc-er-1-prod
virtual_hub:
key: prod
circuit_peering:
tfstate_key: prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: prod
key: vhub-prod
non_prod:
name: er-1-non-prod
virtual_hub:
key: non_prod
circuit_peering:
tfstate_key: non_prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: non_prod
key: vhub-non-prod


@ -1,19 +0,0 @@
virtual_wans:
global_wan:
name: vwan
resource_group_key: global_wan
region_key: region1
resource_groups:
global_wan:
name: connectivity-global-wan
region_key: region1
ddos_services:
name: connectivity-ddos
region_key: region1
ddos_services:
region1:
name: ddos-re1
region_key: region1
resource_group_key: ddos_services


@ -1,132 +0,0 @@
caf_terraform:
naming_convention:
# When set to false use the CAF provider to generate names aligned to CAF guidance
# true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace.
passthrough: false
inherit_tags: false
# set: define the prefix to add to all resource names
# unset: if passthrough is set to false, generate a random prefix
prefix: cont
# if passthrough is set to false, add random suffix to name, up to the random_lenght value.
random_length: 5
launchpad:
caf_environment: contoso
account_replication_type: GRS
regions:
region1:
# set the short form of the Azure region
name: southeastasia<replace> # Use the lower-case region's name, short version with no space
slug: sea
region2:
name: eastasia<replace> # Use the lower-case region's name, short version with no space
slug: ea
default_region_key: region1
# Define the number of CAF levels to use. Recommeded is 3 for the platform.
number_of_levels: 3
blob_versioning_enabled: true
container_delete_retention_policy: 7
delete_retention_policy: 7
# Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd.
subscription_id: <replace>
subscription_name: contoso-caf-launchpad
tenant_id: <replace>
# Global tags
tags:
application_owner: sre
billing_subscription_role_delegations:
# true: enable this deployment. The remaining attributes are required.
# false: disable this deployment.
# azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform
# azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running:
# az ad signed-in-user show --query objectId -o tsv
# The remaining attributes are ignored: [billing_account_name, enrollment_account_name]
enable: false
# Azure Active Directory User (UPN) that is Account Owner in the EA portal
# if enable=false, set the upn of the user doing the manual deployment
azuread_user_ea_account_owner: <replace>
# see comments above to get the object_id
azuread_user_ea_account_owner_object_id: <replace>
# Only set the following two attributes when enable=true
billing_account_name: <replace>
enrollment_account_name: <replace>
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
platform:
# true: force the destination folder to be deleted and re-created before the files are created.
# false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is.
cleanup_destination: true
# base destination folder where rover ignite will store the tfvars files. No / at the end
destination_base_path: /tf/caf
# destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end
destination_relative_path: configuration/contoso/platform
platform_core_setup:
sku:
keyvault: standard
enterprise_scale:
enable: true
scenario: contoso
model: demo
management_group_name: "Contoso Industries"
management_group_prefix: contoso
deploy_core_landing_zones: true
enable_azure_subscription_vending_machine: true
clean_up_destination_folder: false
update_lib_folder: true
subscription_deployment_mode: dedicated_new
private_lib:
version_to_deploy: v1.1.1
v0.1.x:
caf_landingzone_branch: "2107.1"
v0.3.3:
caf_landingzone_branch: "patch.5.4.4"
v1.1.1:
caf_landingzone_branch: "aci_network"
# subscription_id_overrides:
# decommissioned:
# - guid1
# connectivity:
# - guid2
# - guid3
# management:
# - guid4
# identity:
# -
platform_management:
enable: true
networking_topology:
deployment_option: virtual_wan
platform_identity:
# Set the Azure Active Directory tenant name (primary domain name)
# has to be the default domain name (custom dns name or tenantname.onmicrosoft.com)
# check the AAD property
tenant_name: <replace>
# Supported values
# - service_principal
# - logged_in_user
azuread_identity_mode: service_principal
# UPNs you want to add in the caf_platform_maintainers Azure AD group
# Can use user or guest accounts
# Those users will have full permissions on platform.
# Once setup, you can remove them from here or add them from
# Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts.
caf_platform_maintainers:
- <replace>
notifications:
service_health_alerts:
emails:
support1:
name: <replace>
email_address: <replace>
security_center_email_contact: <replace>
gitops:
caf_landingzone_branch: "aci_network"
deployment_mode: interactive
rover_log_error: ERROR


@ -1,34 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
landingzone:
key:
platform:
private_dns: non_prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
asvm:
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "non-prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,77 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
landingzone:
key:
platform:
azurerm_firewalls: non_prod
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
platform:
virtual_hubs: non_prod
azurerm_firewall_policies: non_prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-non-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.201.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.201.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-non-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_non_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-non-prod-fw-plinks-TO-vhub-non_prod
virtual_hub:
lz_key: connectivity_virtual_hub_non_prod
key: non_prod
vnet:
vnet_key: vnet


@ -1,189 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
landingzone:
key:
platform:
private_dns: non_prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
asvm:
subscriptions:
connectivity:
resource_groups:
dns_connectivity_non_prod:
name: dns-connectivity-non-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia<replace>.azmk8s.io:
name: privatelink.southeastasia<replace>.azmk8s.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia<replace>.backup.windowsazure.com:
name: privatelink.southeastasia<replace>.backup.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.oms.opinsights.non_prod.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-non-prod-private-dns-extended
useprefix: true
description: "(non-prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
role_mapping:
custom_role_mapping:
resource_groups:
dns_connectivity_prod:
landgingzone_extended:
azuread_groups:
lz_key: identity_level2
keys:
- caf_non_prod_landingzones_dns_contributors
built_in_role_mapping:
resource_groups:
dns_connectivity_non_prod:
Private DNS Zone Contributor:
azuread_groups:
lz_key: identity_level2
keys:
- caf_non_prod_landingzones_dns_contributors


@ -1,34 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
private_dns: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
asvm:
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
azurerm_firewalls: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
azurerm_firewall_policies: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_prod_plinks_01:
name: fw-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet


@ -1,191 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
private_dns: prod
global_settings_key:
platform:
virtual_wan:
remote_tfstates:
platform:
virtual_wan:
azurerm_firewalls: prod
identity_level2: prod
subscriptions:
connectivity:
resource_groups:
dns_connectivity_prod:
name: dns-connectivity-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia<replace>.azmk8s.io:
name: privatelink.southeastasia<replace>.azmk8s.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia<replace>.backup.windowsazure.com:
name: privatelink.southeastasia<replace>.backup.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.oms.opinsights.azure.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-private-dns-extended
useprefix: true
description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
role_mapping:
custom_role_mapping:
resource_groups:
dns_connectivity_prod:
landgingzone_extended:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors
built_in_role_mapping:
resource_groups:
dns_connectivity_prod:
Private DNS Zone Contributor:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors


@ -1,64 +0,0 @@
gitops:
landingzones: aci_network
deployments:
identity:
prod:
landingzone:
key:
platform:
identity_level2: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
identity:
resource_groups:
management:
name: management
azuread_groups:
caf_non_prod_landingzones_dns_contributors:
name: caf ac non_prod landingzones dns contributors
caf_prod_landingzones_dns_contributors:
name: caf ac prod landingzones dns contributors
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,398 +0,0 @@
gitops:
landingzones: aci_network
deployments:
identity:
prod:
landingzone:
key:
platform:
identity_level2_adds: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
management:
virtual_hubs: prod
identity_level2: prod
subscriptions:
identity:
resource_groups:
rg:
name: identity-prod-adds
region_key: region1
virtual_networks:
vnet:
name: vnet-identity-prod-adds
resource_group_key: rg
region_key: region1
address_space:
- 10.10.100.0/27
dns_servers:
- 10.10.100.4
- 10.10.100.5
subnets:
adds:
name: snet-adds
cidr:
- 10.10.100.0/28
nsg_key: adds_re1
management:
name: snet-adds-management
cidr:
- 10.10.100.16/28
keyvaults:
adds_credentials:
name: addskv
resource_group_key: rg
sku_name: premium
purge_protection_enabled: false
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
dynamic_keyvault_secrets:
adds_credentials:
vmadmin-username:
secret_name: vmadmin-username
value: vmadmin
vmadmin-password:
secret_name: vmadmin-password
value: Very@Str5ngP!44w0rdToChaNge#
virtual_machines:
adds1:
resource_group:
key: rg
region: region1
os_type: windows
keyvault_key: adds_credentials
backup:
vault_key: asr
policy_key: default
lz_key: identity_level2
virtual_machine_settings:
windows:
computer_name: adds1
name: adds1
admin_password_key: vmadmin-password
admin_username_key: vmadmin-username
network_interface_keys:
- nic0
provision_vm_agent: true
size: Standard_F2
zone: 1
os_disk:
name: adds1-os
caching: ReadWrite
storage_account_type: Standard_LRS
disk_size_gb: 128
# identity:
# type: SystemAssigned, UserAssigned
# managed_identity_keys:
# - id1
# remote:
# lz_key_name1:
# managed_identity_keys:
# - id2
# - id3
# lz_key_name2:
# managed_identity_keys:
# - id4
# - id5
# custom_image_id:
source_image_reference:
publisher: MicrosoftWindowsServer
offer: WindowsServer
sku: 2019-Datacenter
version: latest
data_disks:
lun1:
name: adds1-data1
lun: "1"
caching: None
storage_account_type: Standard_LRS
create_option: Empty
disk_size_gb: 10
zones:
- "1"
networking_interfaces:
nic0:
name: 0
vnet_key: vnet
subnet_key: adds
enable_ip_forwarding: false
internal_dns_name_label: adds1-nic0
private_ip_address_allocation: Static
private_ip_address: 10.10.100.4
primary: true
tags:
adds: "ok"
dns_servers:
# - Set on-prem dns
- 10.10.100.5
network_security_group:
key: adds_re1
# ip_configurations:
# conf2:
# name: 0-conf
# vnet_key: vnet
# subnet_key: management
# enable_ip_forwarding: false
# private_ip_address_allocation: Static
# private_ip_address: 10.10.100.20
adds2:
resource_group:
key: rg
region: region1
os_type: windows
keyvault_key: adds_credentials
backup:
vault_key: asr
policy_key: default
lz_key: identity_level2
virtual_machine_settings:
windows:
computer_name: adds2
name: adds2
admin_password_key: vmadmin-password
admin_username_key: vmadmin-username
network_interface_keys:
- nic0
provision_vm_agent: true
size: Standard_F2
zone: 2
os_disk:
name: adds2-os
caching: ReadWrite
storage_account_type: Standard_LRS
disk_size_gb: 128
# identity:
# type: SystemAssigned, UserAssigned
# managed_identity_keys:
# - id1
# remote:
# lz_key_name1:
# managed_identity_keys:
# - id2
# - id3
# lz_key_name2:
# managed_identity_keys:
# - id4
# - id5
source_image_reference:
publisher: MicrosoftWindowsServer
offer: WindowsServer
sku: 2019-Datacenter
version: latest
data_disks:
lun1:
name: adds2-data1
lun: "1"
storage_account_type: Standard_LRS
create_option: Empty
disk_size_gb: 10
zones:
- "2"
networking_interfaces:
nic0:
name: 0
vnet_key: vnet
subnet_key: adds
enable_ip_forwarding: false
internal_dns_name_label: adds2-nic0
private_ip_address_allocation: Static
private_ip_address: 10.10.100.5
primary: true
tags:
adds: "ok"
dns_servers:
# - Set on-prem ADDS dns
- 10.10.100.4
network_security_group:
key: adds_re1
# ip_configurations:
# conf2:
# name: 0-conf
# vnet_key: vnet
# subnet_key: management
# enable_ip_forwarding: false
# private_ip_address_allocation: Static
# private_ip_address: 10.10.100.21
virtual_hub_connections:
vnet_to_hub:
name: vnet-identity-prod-adds-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet
network_security_group_definition:
adds_re1:
version: 1
resource_group_key: rg
region: region1
name: nsg-adds-re1
# Reference - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts
# following is for Windows Server 2008 and later
nsg:
Inbound:
400:
name: W32Time.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
# source_address_prefixes:
# - on-prem CIDR for ADDS
source_port_range: "49152-65535"
destination_port_range: "123"
destination_address_prefix: "*"
401:
name: RPC Endpoint Mapper.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "135"
destination_address_prefix: "*"
402:
name: Kerberos password change tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "464"
destination_address_prefix: "*"
403:
name: Kerberos password change udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "464"
destination_address_prefix: "*"
404:
name: RPC for LSA, SAM, NetLogon.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "49152-65535"
destination_address_prefix: "*"
405:
name: LDAP-tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "389"
destination_address_prefix: "*"
406:
name: LDAP-udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "389"
destination_address_prefix: "*"
407:
name: LDAP SSL.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "636"
destination_address_prefix: "*"
408:
name: LDAP GC.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "3268"
destination_address_prefix: "*"
409:
name: LDAP GC SSL.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "3269"
destination_address_prefix: "*"
410:
name: DNS tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_ranges:
- "53"
- "49152-65535"
destination_port_range: "53"
destination_address_prefix: "*"
411:
name: DNS udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_ranges:
- "53"
- "49152-65535"
destination_port_range: "53"
destination_address_prefix: "*"
412:
name: Kerberos tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "88"
destination_address_prefix: "*"
413:
name: Kerberos udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "88"
destination_address_prefix: "*"
414:
name: SMB.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "445"
destination_address_prefix: "*"
# Adjust the following based on your RPC custom ports configuration
415:
name: FRS RPC.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "49152-65535"
destination_address_prefix: "*"


@ -1,310 +0,0 @@
archetype_definitions:
root:
archetype_id: root
policy_assignments:
Allowed-Locations:
listOfAllowedLocations:
- southeastasia<replace> # Use the lower-case region's name, short version with no space
- eastasia<replace>
Deny-RSG-Locations:
listOfAllowedLocations:
- southeastasia<replace>
- eastasia<replace>
# Set to Audit as Terraform cannot combine both in one operation yet.
Deny-Subnet-Without-Nsg:
effect: Audit
# Set to Audit as Terraform cannot combine both in one operation yet.
Deny-Subnet-Without-Udr:
effect: Audit
# More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
# Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled...
Deploy-ASC-Monitoring:
aadAuthenticationInSqlServerMonitoringEffect: Disabled
diskEncryptionMonitoringEffect: Disabled
encryptionOfAutomationAccountMonitoringEffect: Disabled
identityDesignateLessThanOwnersMonitoringEffect: Disabled
identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled
identityEnableMFAForWritePermissionsMonitoringEffect: Disabled
identityRemoveDeprecatedAccountMonitoringEffect: Disabled
identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled
jitNetworkAccessMonitoringEffect: Disabled
networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled
sqlDbEncryptionMonitoringEffect: Disabled
sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled
sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
sqlServerAdvancedDataSecurityMonitoringEffect: Disabled
systemUpdatesMonitoringEffect: Disabled
useRbacRulesMonitoringEffect: Disabled
vmssSystemUpdatesMonitoringEffect: Disabled
windowsDefenderExploitGuardMonitoringEffect: Disabled
Deploy-ASCDF-Config:
emailSecurityContact: <replace>
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
enableAscForKubernetes: DeployIfNotExists
enableAscForSql: DeployIfNotExists
enableAscForSqlOnVm: DeployIfNotExists
enableAscForDns: DeployIfNotExists
enableAscForArm: DeployIfNotExists
enableAscForOssDb: DeployIfNotExists
enableAscForAppServices: DeployIfNotExists
enableAscForRegistries: DeployIfNotExists
enableAscForKeyVault: DeployIfNotExists
enableAscForStorage: DeployIfNotExists
enableAscForServers: DeployIfNotExists
Deploy-AzActivity-Log:
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-LX-Arc-Monitoring:
Deploy-Resource-Diag:
profileName: eslz-diagnostic-log
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-WS-Arc-Monitoring:
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-VM-Monitoring:
logAnalytics_1:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-VMSS-Monitoring:
logAnalytics_1:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
policy_definitions:
Append-AppService-httpsonly:
Append-AppService-latestTLS:
Append-KV-SoftDelete:
Append-Redis-disableNonSslPort:
Append-Redis-sslEnforcement:
Audit-MachineLearning-PrivateEndpointId:
Deny-AA-child-resources:
Deny-AppGW-Without-WAF:
Deny-AppServiceApiApp-http:
Deny-AppServiceFunctionApp-http:
Deny-AppServiceWebApp-http:
Deny-Databricks-NoPublicIp:
Deny-Databricks-Sku:
Deny-Databricks-VirtualNetwork:
Deny-MachineLearning-Aks:
Deny-MachineLearning-Compute-SubnetId:
Deny-MachineLearning-Compute-VmSize:
Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess:
Deny-MachineLearning-ComputeCluster-Scale:
Deny-MachineLearning-HbiWorkspace:
Deny-MachineLearning-PublicAccessWhenBehindVnet:
Deny-MachineLearning-PublicNetworkAccess:
Deny-MySql-http:
Deny-PostgreSql-http:
Deny-Private-DNS-Zones:
Deny-PublicEndpoint-MariaDB:
Deny-PublicIP:
Deny-RDP-From-Internet:
Deny-Redis-http:
Deny-Sql-minTLS:
Deny-SqlMi-minTLS:
Deny-Storage-minTLS:
Deny-Subnet-Without-Nsg:
Deny-Subnet-Without-Udr:
Deny-VNET-Peer-Cross-Sub:
Deny-VNet-Peering:
Deploy-ASC-SecurityContacts:
Deploy-Budget:
Deploy-Custom-Route-Table:
Deploy-DDoSProtection:
Deploy-Diagnostics-AA:
Deploy-Diagnostics-ACI:
Deploy-Diagnostics-ACR:
Deploy-Diagnostics-AnalysisService:
Deploy-Diagnostics-ApiForFHIR:
Deploy-Diagnostics-APIMgmt:
Deploy-Diagnostics-ApplicationGateway:
Deploy-Diagnostics-CDNEndpoints:
Deploy-Diagnostics-CognitiveServices:
Deploy-Diagnostics-CosmosDB:
Deploy-Diagnostics-Databricks:
Deploy-Diagnostics-DataExplorerCluster:
Deploy-Diagnostics-DataFactory:
Deploy-Diagnostics-DLAnalytics:
Deploy-Diagnostics-EventGridSub:
Deploy-Diagnostics-EventGridSystemTopic:
Deploy-Diagnostics-EventGridTopic:
Deploy-Diagnostics-ExpressRoute:
Deploy-Diagnostics-Firewall:
Deploy-Diagnostics-FrontDoor:
Deploy-Diagnostics-Function:
Deploy-Diagnostics-HDInsight:
Deploy-Diagnostics-iotHub:
Deploy-Diagnostics-LoadBalancer:
Deploy-Diagnostics-LogicAppsISE:
Deploy-Diagnostics-MariaDB:
Deploy-Diagnostics-MediaService:
Deploy-Diagnostics-MlWorkspace:
Deploy-Diagnostics-MySQL:
Deploy-Diagnostics-NetworkSecurityGroups:
Deploy-Diagnostics-NIC:
Deploy-Diagnostics-PostgreSQL:
Deploy-Diagnostics-PowerBIEmbedded:
Deploy-Diagnostics-RedisCache:
Deploy-Diagnostics-Relay:
Deploy-Diagnostics-SignalR:
Deploy-Diagnostics-SQLElasticPools:
Deploy-Diagnostics-SQLMI:
Deploy-Diagnostics-TimeSeriesInsights:
Deploy-Diagnostics-TrafficManager:
Deploy-Diagnostics-VirtualNetwork:
Deploy-Diagnostics-VM:
Deploy-Diagnostics-VMSS:
Deploy-Diagnostics-VNetGW:
Deploy-Diagnostics-WebServerFarm:
Deploy-Diagnostics-Website:
Deploy-Diagnostics-WVDAppGroup:
Deploy-Diagnostics-WVDHostPools:
Deploy-Diagnostics-WVDWorkspace:
Deploy-FirewallPolicy:
Deploy-MySQL-sslEnforcement:
Deploy-Nsg-FlowLogs-to-LA:
Deploy-Nsg-FlowLogs:
Deploy-PostgreSQL-sslEnforcement:
Deploy-Sql-AuditingSettings:
Deploy-SQL-minTLS:
Deploy-Sql-SecurityAlertPolicies:
Deploy-Sql-Tde:
Deploy-Sql-vulnerabilityAssessments:
Deploy-SqlMi-minTLS:
Deploy-Storage-sslEnforcement:
Deploy-Windows-DomainJoin:
policy_set_definitions:
Deny-PublicPaaSEndpoints:
Deploy-ASCDF-Config:
Deploy-Diagnostics-LogAnalytics:
Deploy-Sql-Security:
Enforce-Encryption-CMK:
Enforce-EncryptTransit:
remediation:
policy:
policy_set_definitions:
# policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766
# /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag
Deploy-Diagnostics-LogAnalytics:
- ExpressRouteDeployDiagnosticLogDeployLogAnalytics
- FirewallDeployDiagnosticLogDeployLogAnalytics
- KeyVaultDeployDiagnosticLogDeployLogAnalytics
- LoadBalancerDeployDiagnosticLogDeployLogAnalytics
- NetworkNICDeployDiagnosticLogDeployLogAnalytics
- NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics
- NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics
- RecoveryVaultDeployDiagnosticLogDeployLogAnalytics
- storageaccountdeploydiagnosticlogdeployloganalytics
- VirtualNetworkDeployDiagnosticLogDeployLogAnalytics
- VNetGWDeployDiagnosticLogDeployLogAnalytics
Deploy-ASCDF-Config:
- defenderForOssDb
- defenderForVM
- defenderForSqlServerVirtualMachines
- defenderForAppServices
- defenderForStorageAccounts
- defenderForKubernetesService
- defenderForContainerRegistry
- defenderForKeyVaults
- defenderForDns
- defenderForArm
- defenderForSqlPaas
- securityEmailContact
- ascExport
landing-zones:
archetype_id: landing-zones
policy_assignments:
Deny-IP-Forwarding:
Deny-Priv-Containers-AKS:
Deny-Priv-Escalation-AKS:
Deny-RDP-From-Internet:
Deny-Storage-http:
Deploy-AKS-Policy:
Deploy-SQL-DB-Auditing:
Deploy-SQL-Threat:
Enable-DDoS-VNET:
Enforce-AKS-HTTPS:
Enforce-TLS-SSL:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- subscription_creation_landingzones
connectivity:
archetype_id: platform_connectivity
policy_assignments:
Enable-DDoS-VNET:
role_definitions:
CAF-network-vhub-peering:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- connectivity
'[<replace_with_management_group_prefix_in_UPPER_CASE>-CONNECTIVITY] CAF-network-vhub-peering':
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- subscription_creation_landingzones
management:
archetype_id: platform_management
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- management
identity:
archetype_id: platform_identity
policy_assignments:
Deny-RDP-From-Internet:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- identity
decommissioned:
archetype_id: platform_decommissioned
platform:
archetype_id: platform
sandboxes:
archetype_id: platform_sandboxes


@ -1,31 +0,0 @@
archetype_definitions:
corp:
display_name: Corp
archetype_id: landingzone_corp
parent_management_group_id: landing-zones
# subscription_ids:
# policy_assignments:
online:
display_name: Online
archetype_id: landingzone_online
parent_management_group_id: landing-zones
# subscription_ids:
# policy_assignments:
corp-prod:
display_name: Production
archetype_id: landingzone_prod
parent_management_group_id: corp
# subscription_ids:
# policy_assignments:
corp-non-prod:
display_name: Non Production
archetype_id: landingzone_non_prod
parent_management_group_id: corp
# subscription_ids:
# policy_assignments:
online-web:
display_name: Non Production
archetype_id: landingzone_online_web
parent_management_group_id: online
# subscription_ids:
# policy_assignments:


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy assignments
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments


@ -1,18 +0,0 @@
{
"name": "aks-capability",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)",
"displayName": "Kubernetes cluster containers should only use allowed capabilities.",
"notScopes": [],
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
"scope": "${current_scope_resource_id}",
"enforcementMode": true
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,18 +0,0 @@
{
"name": "Allowed-Locations",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Specifies the allowed locations (regions) where Resources can be deployed.",
"displayName": "Limit allowed locations for Resources",
"notScopes": [],
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
"scope": "${current_scope_resource_id}",
"enforcementMode": null
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy set definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions


@ -1,2 +0,0 @@
# Custom ESLZ library
In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.


@ -1,11 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default role defitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions


@ -1,27 +0,0 @@
{
"name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "CAF-network-vhub-peering",
"description": "Authorize vnet peerings to the vhub.",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
"Microsoft.Network/virtualHubs/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"${current_scope_resource_id}"
]
}
}


@ -1,69 +0,0 @@
subscriptions:
identity:
resource_groups:
management:
name: management
alerts:
name: alerts
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: lalesle@microsoft.com
use_common_alert_schema: false
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday
# Bring here you existing active directory security groups.
# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
# Note Terraform will create a new Azure AD group and add the existing as a member
#
# level1:
# azuread_groups:
# network_ops_team:
# name: netops
# members:
# # Set the list of the existing groups
# objects_ids:
# - existing_azure_ad_group_object_id


@ -1,37 +0,0 @@
subscriptions:
launchpad:
resource_groups:
level0:
name: caf-level0
tags:
level: level0
level1:
name: caf-level1
tags:
level: level1
level2:
name: caf-level2
tags:
level: level2
storage_accounts:
level0:
name: l0
resource_group_key: level0
level1:
name: l1
resource_group_key: level1
level2:
name: l2
resource_group_key: level2
keyvaults:
level0:
name: l0
resource_group_key: level0
level1:
name: l1
resource_group_key: level1
level2:
name: l2
resource_group_key: level2


@ -1,415 +0,0 @@
subscriptions:
launchpad_credentials:
resource_groups:
sp_credentials:
name: credentials
keyvaults:
cred_ea_account_owner:
name: eaowner
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_level0:
name: idl0
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
level0:
lz_key: launchpad
azuread_group_key: level0
secret_permissions:
- Get
cred_identity:
name: id
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_management:
name: mg
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
management_azuread_group:
lz_key: launchpad
azuread_group_key: management
secret_permissions:
- Get
cred_eslz:
name: es
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
eslz_azuread_group:
lz_key: launchpad
azuread_group_key: eslz
secret_permissions:
- Get
cred_connectivity:
name: co
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
connectivity_azuread_group:
lz_key: launchpad
azuread_group_key: connectivity
secret_permissions:
- Get
cred_subscription_creation_platform:
name: scp
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
cred_subscription_creation_landingzones:
name: scl
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_landingzones
secret_permissions:
- Get
cred_gitops:
name: gitops
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
cred_ea_account_owner:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_level0:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_identity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_management:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_eslz:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_connectivity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_platform:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_landingzones:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_gitops:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
azuread_applications:
gitops:
application_name: app-azure-platform-credentials-for-gitops
azuread_service_principals:
gitops:
azuread_application:
key: gitops
azuread_credentials:
gitops:
type: password
azuread_credential_policy_key: gitops
azuread_application:
key: gitops
keyvaults:
cred_gitops:
secret_prefix: sp
level0:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: level0
keyvaults:
cred_level0:
secret_prefix: sp
identity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: identity
keyvaults:
cred_identity:
secret_prefix: sp
management:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: management
keyvaults:
cred_management:
secret_prefix: sp
eslz:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: eslz
keyvaults:
cred_eslz:
secret_prefix: sp
connectivity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: connectivity
keyvaults:
cred_connectivity:
secret_prefix: sp
subscription_creation_platform:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_platform
keyvaults:
cred_subscription_creation_platform:
secret_prefix: sp
subscription_creation_landingzones:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_landingzones
keyvaults:
cred_subscription_creation_landingzones:
secret_prefix: sp
azuread_credential_policies:
gitops:
length: 250
special: false
upper: true
number: true
expire_in_days: 360
rotation_key0:
days: 181
rotation_key1:
days: 300
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 65
rotation_key0:
days: 33
rotation_key1:
days: 58


@ -1,84 +0,0 @@
subscriptions:
management:
resource_groups:
management:
name: management
alerts:
name: alerts
diagnostic_log_analytics:
# if you change this key you also need to change it in the ESLZ deployment
# eslz/archetype_config_overrides.caf.platform.yaml
# eslz/custom_landing_zones.caf.platform.yaml
region1:
name: logre1
resource_group_key: management
monitor_action_groups:
networking_operations:
resource_group_key: management
action_group_name: Networking Operations
shortname: netops
arm_role_alert:
contributors:
name: Monitoring Contributor
role_name: Monitoring Contributor
use_common_alert_schema: false
email_receiver:
noc:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
automation_accounts:
account1:
name: automationAccount1
resource_group_key: management
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,16 +0,0 @@
platform_subscriptions:
management:
alias: "management"
name: "<replace>-management"
# Do not set the subscription_id when using the automated subscripiton creation
# In that case delete the following attribute.
# When re-using an existing subscripiton, set the GUID of the subscripiton.
subscription_id: <replace>
identity:
alias: "identity"
name: "<replace>-identity"
subscription_id: <replace>
connectivity:
alias: "connectivity"
name: "<replace>-connectivity"
subscription_id: <replace>


@ -1,148 +0,0 @@
tfstates:
platform:
### Level0 ###
launchpad:
lz_key_name: launchpad
tfstate: caf_launchpad.tfstate
workspace: tfstate
base_config_path: launchpad
level: level0
billing_subscription_role_delegations:
lz_key_name: billing_subscription_role_delegations
tfstate: billing_subscription_role_delegations.tfstate
base_config_path: billing_subscription_role_delegations
level: level0
launchpad_credentials:
lz_key_name: launchpad_credentials_rotation
tfstate: launchpad_credentials_rotation.tfstate
base_config_path: credentials
level: level0
### Level1 ###
management:
lz_key_name: management
tfstate: management.tfstate
base_config_path: management
level: level1
identity:
lz_key_name: identity
tfstate: identity.tfstate
base_config_path: identity
level: level1
eslz:
lz_key_name: eslz
tfstate: eslz.tfstate
base_config_path: eslz
level: level1
platform_subscriptions:
lz_key_name: platform_subscriptions
tfstate: platform_subscriptions.tfstate
base_config_path: subscriptions
level: level1
## Level2 ##
identity_level2:
prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
non_prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
identity_level2_aadds:
prod:
lz_key_name: identity_level2_aadds
tfstate: identity_level2_aadds.tfstate
level: level2
virtual_wan:
lz_key_name: connectivity_virtual_wan
tfstate: connectivity_virtual_wan.tfstate
base_config_path: connectivity/virtual_wan
level: level2
virtual_hubs:
prod:
lz_key_name: connectivity_virtual_hub_prod
tfstate: connectivity_virtual_hub_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
non_prod:
lz_key_name: connectivity_virtual_hub_non_prod
tfstate: connectivity_virtual_hub_non_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
vpn_sites:
prod:
lz_key_name: connectivity_vpn_sites_prod
tfstate: connectivity_vpn_sites_prod.tfstate
base_config_path: connectivity/vpn_sites
level: level2
non_prod:
lz_key_name: connectivity_vpn_sites_non_prod
tfstate: connectivity_vpn_sites_non_prod.tfstate
base_config_path: connectivity/vpn_sites
level: level2
express_route_circuits:
prod:
lz_key_name: connectivity_express_route_prod
tfstate: connectivity_express_route_prod.tfstate
base_config_path: connectivity/express_route
level: level2
non_prod:
lz_key_name: connectivity_express_route_non_prod
tfstate: connectivity_express_route_non_prod.tfstate
base_config_path: connectivity/express_route
level: level2
express_route_circuit_peerings:
prod:
lz_key_name: connectivity_express_route_peerings_prod
tfstate: connectivity_express_route_peerings_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_express_route_peerings_non_prod
tfstate: connectivity_express_route_peerings_non_prod.tfstate
level: level2
azurerm_firewalls:
prod:
lz_key_name: connectivity_firewalls_prod
tfstate: connectivity_firewalls_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewalls_non_prod
tfstate: connectivity_firewalls_non_prod.tfstate
level: level2
azurerm_firewall_policies:
prod:
lz_key_name: connectivity_firewall_policies_prod
tfstate: connectivity_firewall_policies_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewall_policies_non_prod
tfstate: connectivity_firewall_policies_non_prod.tfstate
level: level2
private_dns:
prod:
lz_key_name: connectivity_private_dns_prod
tfstate: connectivity_private_dns_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_private_dns_non_prod
tfstate: connectivity_private_dns_non_prod.tfstate
level: level2
asvm:
lz_key_name: asvm
tfstate: asvm_subscription_vending_machine.tfstate
level: level2


@ -1,37 +0,0 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform
:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup)
For further executions or command, you can refer to the following sections
## Commands
### Clone the landingzone project (Terraform base code)
```bash
git clone https://github.com/Azure/caf-terraform-landingzones.git /tf/caf/landingzones
cd /tf/caf/landingzones
git pull
git checkout aci_network
```
### Rover ignite the platform
Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps.
Rover ignite creates the tfvars and also the documentation.
```bash
rover login -t tenantname<replace> -s <management subscription guid><replace>
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/platform \
-e resource_template_folder=/tf/caf/landingzones/templates/resources \
-e config_folder=/tf/caf/definitions/platform
```
### Next step
Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created.


@ -1,38 +0,0 @@
gitops:
landingzones: aci_network
subscriptions:
asvm:
resource_groups:
level3:
name: caf-level3
tags:
level: level3
level4:
name: caf-level4
tags:
level: level4
storage_accounts:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
keyvaults:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
# azuread_groups:
# caf_ac_landingzone_maintainers_non_prod:
# name: caf_ac_landingzone_maintainers_non_prod
# caf_ac_landingzone_maintainers_prod:
# name: caf_ac_landingzone_maintainers_prod


@ -1,132 +0,0 @@
caf_terraform:
naming_convention:
# When set to false use the CAF provider to generate names aligned to CAF guidance
# true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace.
passthrough: false
inherit_tags: false
# set: define the prefix to add to all resource names
# unset: if passthrough is set to false, generate a random prefix
prefix: cont
# if passthrough is set to false, add random suffix to name, up to the random_lenght value.
random_length: 5
launchpad:
caf_environment: <replace>
account_replication_type: GRS
regions:
region1:
# set the short form of the Azure region
name: southeastasia # Use the lower-case region's name, short version with no space
slug: sea
region2:
name: eastasia # Use the lower-case region's name, short version with no space
slug: ea
default_region_key: region1
# Define the number of CAF levels to use. Recommeded is 3 for the platform.
number_of_levels: 3
blob_versioning_enabled: true
container_delete_retention_policy: 7
delete_retention_policy: 7
# Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd.
subscription_id: <replace>
subscription_name: <replace>
tenant_id: <replace>
global_tags_propagated: yes
tags:
test: <replace>
date: <replace>
billing_subscription_role_delegations:
# true: enable this deployment. The remaining attributes are required.
# false: disable this deployment.
# azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform
# azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running:
# az ad signed-in-user show --query objectId -o tsv
# The remaining attributes are ignored: [billing_account_name, enrollment_account_name]
enable: false
# Azure Active Directory User (UPN) that is Account Owner in the EA portal
# if enable=false, set the upn of the user doing the manual deployment
azuread_user_ea_account_owner: <replace>
# see comments above to get the object_id
azuread_user_ea_account_owner_object_id: <replace>
# Only set the following two attributes when enable=true
billing_account_name: <replace>
enrollment_account_name: <replace>
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
platform:
# true: force the destination folder to be deleted and re-created before the files are created.
# false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is.
cleanup_destination: true
# base destination folder where rover ignite will store the tfvars files. No / at the end
destination_base_path: /tf/caf
# destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end
destination_relative_path: configuration/contoso/platform
platform_core_setup:
enterprise_scale:
enable: true
management_group_name: <replace>
management_group_prefix: <replace>
deploy_core_landing_zones: true
enable_azure_subscription_vending_machine: true
clean_up_destination_folder: false
update_lib_folder: true
# resuse_subscriptions - do not create subscriptions through API automation. Requires the following subscription_id_overrides to be set with 4 subscriptions
subscription_deployment_mode: reuse_subscriptions
# Option only set if you've be given a delegated management group ID.
# Comment to deploy to deploy at the tenant root level
root_parent_id: lab
private_lib:
version_to_deploy: v1.1.1
v0.1.x:
caf_landingzone_branch: "2107.1"
v0.3.3:
caf_landingzone_branch: "patch.5.4.4"
v1.1.1:
caf_landingzone_branch: "aci_network"
subscription_id_overrides:
connectivity:
- <replace>
management:
- <replace> # launchpad
- <replace>
identity:
- <replace>
platform_management:
enable: true
networking_topology:
deployment_option: virtual_wan
platform_identity:
# Set the Azure Active Directory tenant name (primary domain name)
# has to be the default domain name (custom dns name or tenantname.onmicrosoft.com)
# check the AAD property
tenant_name: terraformdev.onmicrosoft.com
# only service_principal supported with rover ignite at the moment
azuread_identity_mode: logged_in_user
# UPNs you want to add in the caf_platform_maintainers Azure AD group
# Can use user or guest accounts
# Those users will have full permissions on platform.
# Once setup, you can remove them from here or add them from
# Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts.
caf_platform_maintainers:
- <replace>
caf_platform_contributors:
- <replace>
notifications:
service_health_alerts:
emails:
support1:
name: <replace>
email_address: <replace>
security_center_email_contact: <replace>
gitops:
caf_landingzone_branch: "aci_network"
deployment_mode: interactive
rover_log_error: ERROR


@ -1,34 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
azurerm_firewall_policies: non_prod
global_settings_key:
platform:
azurerm_firewalls: non_prod
remote_tfstates:
platform:
azurerm_firewalls: non_prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "non-prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
azurerm_firewalls: non_prod
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
platform:
virtual_hubs: non_prod
azurerm_firewall_policies: non_prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-non-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-non-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_non_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-non-prod-fw-plinks-TO-vhub-non_prod
virtual_hub:
lz_key: connectivity_virtual_hub_non_prod
key: non_prod
vnet:
vnet_key: vnet


@ -1,189 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
private_dns: non_prod
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
platform:
virtual_hubs: non_prod
subscriptions:
connectivity:
resource_groups:
dns_connectivity_non_prod:
name: dns-connectivity-non-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia.azmk8s.io:
name: privatelink.southeastasia.azmk8s.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia.backup.windowsazure.com:
name: privatelink.southeastasia.backup.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.oms.opinsights.non_prod.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-non-prod-private-dns-extended
useprefix: true
description: "(non-prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
# role_mapping:
# custom_role_mapping:
# resource_groups:
# dns_connectivity_prod:
# landgingzone_extended:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_non_prod_landingzones_dns_contributors
# built_in_role_mapping:
# resource_groups:
# dns_connectivity_non_prod:
# Private DNS Zone Contributor:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_non_prod_landingzones_dns_contributors


@ -1,54 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
virtual_hubs: non_prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
custom_variables:
virtual_hub_lz_key: connectivity_virtual_hub_non_prod
# ddos_protection_plan_id:
subscriptions:
connectivity:
virtual_hubs:
non_prod:
name: non_production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: 10.201.51.0/24
deploy_s2s: false
s2s_config:
name: non_prod
scale_unit: 1
deploy_er: false
er_config:
name: non_prod
scale_units: 1
express_route_connections:
non_prod:
enable_er_connections: true
name: er-1-non_prod
virtual_hub:
key: non_prod
circuit_peering:
tfstate_key: non_prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: non_prod
key: vhub-non_prod


@ -1,33 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
azurerm_firewall_policies: prod
global_settings_key:
platform:
azurerm_firewalls: prod
remote_tfstates:
platform:
azurerm_firewalls: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
azurerm_firewalls: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
azurerm_firewall_policies: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_prod_plinks_01:
name: fw-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet


@ -1,191 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
private_dns: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
subscriptions:
connectivity:
# role_mapping:
# custom_role_mapping:
# resource_groups:
# dns_connectivity_prod:
# landgingzone_extended:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_prod_landingzones_dns_contributors
# built_in_role_mapping:
# resource_groups:
# dns_connectivity_prod:
# Private DNS Zone Contributor:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_prod_landingzones_dns_contributors
resource_groups:
dns_connectivity_prod:
name: dns-connectivity-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.azmk8s.io:
name: privatelink.southeastasia.azmk8s.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.backup.windowsazure.com:
name: privatelink.southeastasia.backup.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.oms.opinsights.azure.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-private-dns-extended
useprefix: true
description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write


@ -1,53 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
virtual_hubs: prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
custom_variables:
virtual_hub_lz_key: connectivity_virtual_hub_prod
# ddos_protection_plan_id:
subscriptions:
connectivity:
virtual_hubs:
prod:
name: Production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: 10.101.51.0/24
deploy_s2s: false
s2s_config:
name: prod
scale_unit: 1
deploy_er: false
er_config:
name: prod
scale_units: 1
express_route_connections:
prod:
enable_er_connections: false
name: erc-er-1-prod
virtual_hub:
key: prod
circuit_peering:
tfstate_key: prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: prod
key: vhub-prod


@ -1,29 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
virtual_wans: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
connectivity:
virtual_wans:
global_wan:
name: vwan
resource_group_key: global_wan
region_key: region1
resource_groups:
global_wan:
name: connectivity-global-wan
region_key: region1


@ -1,13 +0,0 @@
gitops:
landingzones: aci_network
deployments:
identity:
subscriptions:
identity:
azuread_groups:
caf_non_prod_landingzones_dns_contributors:
name: caf ac non_prod landingzones dns contributors
caf_prod_landingzones_dns_contributors:
name: caf ac prod landingzones dns contributors


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy assignments
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments


@ -1,18 +0,0 @@
{
"name": "aks-capability",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)",
"displayName": "Kubernetes cluster containers should only use allowed capabilities.",
"notScopes": [],
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
"scope": "${current_scope_resource_id}",
"enforcementMode": true
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,18 +0,0 @@
{
"name": "Allowed-Locations",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Specifies the allowed locations (regions) where Resources can be deployed.",
"displayName": "Limit allowed locations for Resources",
"notScopes": [],
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
"scope": "${current_scope_resource_id}",
"enforcementMode": null
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy set definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions


@ -1,2 +0,0 @@
# Custom ESLZ library
In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.


@ -1,11 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default role defitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions


@ -1,27 +0,0 @@
{
"name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "CAF-network-vhub-peering",
"description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
"Microsoft.Network/virtualHubs/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"${current_scope_resource_id}"
]
}
}


@ -1,69 +0,0 @@
subscriptions:
identity:
resource_groups:
management:
name: management
alerts:
name: alerts
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: lalesle@microsoft.com
use_common_alert_schema: false
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday
# Bring here you existing active directory security groups.
# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
# Note Terraform will create a new Azure AD group and add the existing as a member
#
# level1:
# azuread_groups:
# network_ops_team:
# name: netops
# members:
# # Set the list of the existing groups
# objects_ids:
# - existing_azure_ad_group_object_id


@ -1,40 +0,0 @@
subscriptions:
launchpad:
resource_groups:
level0:
name: caf-level0
tags:
level: level0
level1:
name: caf-level1
tags:
level: level1
level2:
name: caf-level2
tags:
level: level2
storage_accounts:
level0:
name: l0
resource_group_key: level0
level1:
name: l1
resource_group_key: level1
level2:
name: l2
resource_group_key: level2
keyvaults:
level0:
name: l0
sku_name: premium
resource_group_key: level0
level1:
name: l1
sku_name: premium
resource_group_key: level1
level2:
name: l2
sku_name: premium
resource_group_key: level2


@ -1,415 +0,0 @@
subscriptions:
launchpad_credentials:
resource_groups:
sp_credentials:
name: credentials
keyvaults:
cred_ea_account_owner:
name: eaowner
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_level0:
name: idl0
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
level0:
lz_key: launchpad
azuread_group_key: level0
secret_permissions:
- Get
cred_identity:
name: id
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_management:
name: mg
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
management_azuread_group:
lz_key: launchpad
azuread_group_key: management
secret_permissions:
- Get
cred_eslz:
name: es
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
eslz_azuread_group:
lz_key: launchpad
azuread_group_key: eslz
secret_permissions:
- Get
cred_connectivity:
name: co
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
connectivity_azuread_group:
lz_key: launchpad
azuread_group_key: connectivity
secret_permissions:
- Get
cred_subscription_creation_platform:
name: scp
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
cred_subscription_creation_landingzones:
name: scl
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_landingzones
secret_permissions:
- Get
cred_gitops:
name: gitops
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
cred_ea_account_owner:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_level0:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_identity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_management:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_eslz:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_connectivity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_platform:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_landingzones:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_gitops:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
azuread_applications:
gitops:
application_name: app-azure-platform-credentials-for-gitops
azuread_service_principals:
gitops:
azuread_application:
key: gitops
azuread_credentials:
gitops:
type: password
azuread_credential_policy_key: gitops
azuread_application:
key: gitops
keyvaults:
cred_gitops:
secret_prefix: sp
level0:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: level0
keyvaults:
cred_level0:
secret_prefix: sp
identity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: identity
keyvaults:
cred_identity:
secret_prefix: sp
management:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: management
keyvaults:
cred_management:
secret_prefix: sp
eslz:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: eslz
keyvaults:
cred_eslz:
secret_prefix: sp
connectivity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: connectivity
keyvaults:
cred_connectivity:
secret_prefix: sp
subscription_creation_platform:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_platform
keyvaults:
cred_subscription_creation_platform:
secret_prefix: sp
subscription_creation_landingzones:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_landingzones
keyvaults:
cred_subscription_creation_landingzones:
secret_prefix: sp
azuread_credential_policies:
gitops:
length: 250
special: false
upper: true
number: true
expire_in_days: 360
rotation_key0:
days: 181
rotation_key1:
days: 300
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 65
rotation_key0:
days: 33
rotation_key1:
days: 58


@ -1,84 +0,0 @@
subscriptions:
management:
resource_groups:
management:
name: management
alerts:
name: alerts
diagnostic_log_analytics:
# if you change this key you also need to change it in the ESLZ deployment
# eslz/archetype_config_overrides.caf.platform.yaml
# eslz/custom_landing_zones.caf.platform.yaml
region1:
name: logre1
resource_group_key: management
monitor_action_groups:
networking_operations:
action_group_name: Networking Operations
resource_group_key: alerts
shortname: netops
arm_role_alert:
contributors:
name: Monitoring Contributor
role_name: Monitoring Contributor
use_common_alert_schema: false
email_receiver:
noc:
name: email_alert_support1
email_address: arnaul@microsoft.com
use_common_alert_schema: false
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: arnaul@microsoft.com
use_common_alert_schema: false
automation_accounts:
account1:
name: automationAccount1
resource_group_key: management
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,105 +0,0 @@
tfstates:
platform:
### Level0 ###
launchpad:
lz_key_name: launchpad
tfstate: caf_launchpad.tfstate
workspace: tfstate
base_config_path: launchpad
level: level0
launchpad_credentials:
lz_key_name: launchpad_credentials_rotation
tfstate: launchpad_credentials_rotation.tfstate
base_config_path: credentials
level: level0
### Level1 ###
management:
lz_key_name: management
tfstate: management.tfstate
base_config_path: management
level: level1
identity:
lz_key_name: identity
tfstate: identity.tfstate
base_config_path: identity
level: level1
eslz:
lz_key_name: eslz
tfstate: eslz.tfstate
base_config_path: eslz
level: level1
## Level2 ##
identity_level2:
prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
non_prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
identity_level2_aadds:
prod:
lz_key_name: identity_level2_aadds
tfstate: identity_level2_aadds.tfstate
level: level2
virtual_wans:
prod:
lz_key_name: connectivity_virtual_wan
tfstate: connectivity_virtual_wan.tfstate
base_config_path: connectivity/virtual_wan
level: level2
virtual_hubs:
prod:
lz_key_name: connectivity_virtual_hub_prod
tfstate: connectivity_virtual_hub_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
non_prod:
lz_key_name: connectivity_virtual_hub_non_prod
tfstate: connectivity_virtual_hub_non_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
azurerm_firewalls:
prod:
lz_key_name: connectivity_firewalls_prod
tfstate: connectivity_firewalls_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewalls_non_prod
tfstate: connectivity_firewalls_non_prod.tfstate
level: level2
azurerm_firewall_policies:
prod:
lz_key_name: connectivity_firewall_policies_prod
tfstate: connectivity_firewall_policies_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewall_policies_non_prod
tfstate: connectivity_firewall_policies_non_prod.tfstate
level: level2
private_dns:
prod:
lz_key_name: connectivity_private_dns_prod
tfstate: connectivity_private_dns_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_private_dns_non_prod
tfstate: connectivity_private_dns_non_prod.tfstate
level: level2
asvm:
lz_key_name: asvm
tfstate: asvm_subscription_vending_machine.tfstate
level: level2


@ -1,40 +0,0 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform
:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup)
For further executions or command, you can refer to the following sections
## Commands
### Clone the landingzone project (Terraform base code)
```bash
# Git Urls or from a fork
# https://github.com/Azure/caf-terraform-landingzones.git
git clone <replace> /tf/caf/landingzones
cd /tf/caf/landingzones
git pull
git checkout aci_network
```
### Rover ignite the platform
Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps.
Rover ignite creates the tfvars and also the documentation.
```bash
rover login -t <replace> -s <replace>
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/platform \
-e resource_template_folder=/tf/caf/landingzones/templates/resources \
-e config_folder=/tf/caf/definitions/single_subscription \
-e landingzones_folder=/tf/caf/landingzones
```
### Next step
Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created.


@ -1,18 +0,0 @@
#
# Set the workflow to bootstrap the Azure platform landing zones
#
deployments:
0:
0:
launchpad:
1:
launchpad_credentials:
# 2:
# subscriptions:
3:
identity:
4:
management:
5:
eslz:


@ -1,460 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level0/credentials
deployments:
landingzone:
tfstate:
platform:
launchpad_credentials:
global_settings_key:
platform:
launchpad:
remote_tfstates:
platform:
launchpad:
subscriptions:
launchpad_credentials:
resource_groups:
sp_credentials:
name: credentials
keyvaults:
cred_ea_account_owner:
name: eaowner
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_ea_account_owner
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_level0:
name: idl0
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_level0
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
level0:
lz_key: launchpad
azuread_group_key: level0
secret_permissions:
- Get
cred_identity:
name: id
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_identity
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_management:
name: mg
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_management
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
management_azuread_group:
lz_key: launchpad
azuread_group_key: management
secret_permissions:
- Get
cred_eslz:
name: es
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_eslz
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
eslz_azuread_group:
lz_key: launchpad
azuread_group_key: eslz
secret_permissions:
- Get
cred_connectivity:
name: co
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_connectivity
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
connectivity_azuread_group:
lz_key: launchpad
azuread_group_key: connectivity
secret_permissions:
- Get
cred_subscription_creation_platform:
name: scp
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_subscription_creation_platform
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
cred_subscription_creation_landingzones:
name: scl
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_subscription_creation_landingzones
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_landingzones
secret_permissions:
- Get
cred_gitops:
name: gitops
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_gitops
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
cred_ea_account_owner:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_level0:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_identity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_management:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_eslz:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_connectivity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_platform:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_landingzones:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_gitops:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
azuread_applications:
gitops:
application_name: app-azure-platform-credentials-for-gitops
azuread_service_principals:
gitops:
azuread_application:
key: gitops
azuread_credentials:
gitops:
type: password
azuread_credential_policy_key: gitops
azuread_application:
key: gitops
keyvaults:
cred_gitops:
secret_prefix: sp
level0:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: level0
keyvaults:
cred_level0:
secret_prefix: sp
identity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: identity
keyvaults:
cred_identity:
secret_prefix: sp
management:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: management
keyvaults:
cred_management:
secret_prefix: sp
eslz:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: eslz
keyvaults:
cred_eslz:
secret_prefix: sp
connectivity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: connectivity
keyvaults:
cred_connectivity:
secret_prefix: sp
subscription_creation_platform:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_platform
keyvaults:
cred_subscription_creation_platform:
secret_prefix: sp
subscription_creation_landingzones:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_landingzones
keyvaults:
cred_subscription_creation_landingzones:
secret_prefix: sp
azuread_credential_policies:
gitops:
length: 250
special: false
upper: true
number: true
expire_in_days: 360
rotation_key0:
days: 181
rotation_key1:
days: 300
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 65
rotation_key0:
days: 33
rotation_key1:
days: 58


@ -1,89 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/asvm
deployments:
landingzone:
tfstate:
platform:
asvm:
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
launchpad:
resource_groups:
level3:
name: caf-level3
tags:
level: level3
level4:
name: caf-level4
tags:
level: level4
storage_accounts:
level3:
name: l3
resource_group_key: level3
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level3
level4:
name: l4
resource_group_key: level4
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level4
keyvaults:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
azuread_groups:
caf_ac_landingzone_maintainers_non_prod:
name: caf_ac_landingzone_maintainers_non_prod
caf_ac_landingzone_maintainers_prod:
name: caf_ac_landingzone_maintainers_prod


@ -1,34 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/azurerm_firewall_policies/prod
deployments:
landingzone:
tfstate:
platform:
azurerm_firewall_policies: prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2//connectivity/azurerm_firewalls/prod
deployments:
landingzone:
tfstate:
platform:
azurerm_firewalls: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
azurerm_firewall_policies: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_prod_plinks_01:
name: fw-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet


@ -1,192 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/private_dns/prod
deployments:
landingzone:
tfstate:
platform:
private_dns: prod
global_settings_key:
platform:
azurerm_firewalls: prod
remote_tfstates:
platform:
azurerm_firewalls: prod
identity_level2: prod
subscriptions:
connectivity:
role_mapping:
custom_role_mapping:
resource_groups:
dns_connectivity_prod:
landgingzone_extended:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors
built_in_role_mapping:
resource_groups:
dns_connectivity_prod:
Private DNS Zone Contributor:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors
resource_groups:
dns_connectivity_prod:
name: dns-connectivity-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.azmk8s.io:
name: privatelink.southeastasia.azmk8s.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.backup.windowsazure.com:
name: privatelink.southeastasia.backup.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.oms.opinsights.azure.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-private-dns-extended
useprefix: true
description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write


@ -1,52 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/virtual_hubs/prod
deployments:
landingzone:
tfstate:
platform:
virtual_hubs: prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
custom_variables:
virtual_hub_lz_key: connectivity_virtual_hub_prod
# ddos_protection_plan_id:
subscriptions:
connectivity:
virtual_hubs:
prod:
name: Production
virtual_wan:
lz_key: connectivity_virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: 10.101.51.0/24
deploy_s2s: false
s2s_config:
name: prod
scale_unit: 1
deploy_er: false
er_config:
name: prod
scale_units: 1
express_route_connections:
prod:
enable_er_connections: false
name: er-1-prod
virtual_hub:
key: prod
circuit_peering:
tfstate_key: prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: prod
key: vhub-prod


@ -1,29 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/virtual_wans
deployments:
landingzone:
tfstate:
platform:
virtual_wans: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
connectivity:
virtual_wans:
global_wan:
name: vwan
resource_group_key: global_wan
region_key: region1
resource_groups:
global_wan:
name: connectivity-global-wan
region_key: region1


@ -1,22 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/identity/prod
deployments:
landingzone:
tfstate:
platform:
identity_level2: prod
global_settings_key:
platform:
identity:
remote_tfstates:
platform:
identity:
subscriptions:
identity:
azuread_groups:
caf_prod_landingzones_dns_contributors:
name: caf ac prod landingzones dns contributors


@ -1,328 +0,0 @@
archetype_definitions:
root:
archetype_id: root
policy_assignments:
Allowed-Locations:
listOfAllowedLocations:
- southeastasia # Use the lower-case region's name, short version with no space
- eastasia
Deny-RSG-Locations:
listOfAllowedLocations:
- southeastasia
- eastasia
# Set to Audit as Terraform cannot combine both in one operation yet.
Deny-Subnet-Without-Nsg:
effect: Audit
# Set to Audit as Terraform cannot combine both in one operation yet.
Deny-Subnet-Without-Udr:
effect: Audit
# Deploy-Nsg-FlowLogs:
# retention: 10
# storageAccountResourceId:
# trafficAnalyticsInterval: 10
# flowAnalyticsEnabled: true
# logAnalytics:
# lz_key: management
# output_key: diagnostics
# resource_type: log_analytics
# resource_key: region1
# attribute_key: id
# More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
# Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled...
Deploy-ASC-Monitoring:
aadAuthenticationInSqlServerMonitoringEffect: Disabled
diskEncryptionMonitoringEffect: Disabled
encryptionOfAutomationAccountMonitoringEffect: Disabled
identityDesignateLessThanOwnersMonitoringEffect: Disabled
identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled
identityEnableMFAForWritePermissionsMonitoringEffect: Disabled
identityRemoveDeprecatedAccountMonitoringEffect: Disabled
identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled
jitNetworkAccessMonitoringEffect: Disabled
networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled
sqlDbEncryptionMonitoringEffect: Disabled
sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled
sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
sqlServerAdvancedDataSecurityMonitoringEffect: Disabled
systemUpdatesMonitoringEffect: Disabled
useRbacRulesMonitoringEffect: Disabled
vmssSystemUpdatesMonitoringEffect: Disabled
windowsDefenderExploitGuardMonitoringEffect: Disabled
Deploy-ASCDF-Config:
emailSecurityContact: <replace>
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
enableAscForKubernetes: DeployIfNotExists
enableAscForSql: DeployIfNotExists
enableAscForSqlOnVm: DeployIfNotExists
enableAscForDns: DeployIfNotExists
enableAscForArm: DeployIfNotExists
enableAscForOssDb: DeployIfNotExists
enableAscForAppServices: DeployIfNotExists
enableAscForRegistries: DeployIfNotExists
enableAscForKeyVault: DeployIfNotExists
enableAscForStorage: DeployIfNotExists
enableAscForServers: DeployIfNotExists
Deploy-AzActivity-Log:
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-LX-Arc-Monitoring:
Deploy-Resource-Diag:
profileName: eslz-diagnostic-log
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-WS-Arc-Monitoring:
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-VM-Monitoring:
logAnalytics_1:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-VMSS-Monitoring:
logAnalytics_1:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
policy_definitions:
Append-AppService-httpsonly:
Append-AppService-latestTLS:
Append-KV-SoftDelete:
Append-Redis-disableNonSslPort:
Append-Redis-sslEnforcement:
Audit-MachineLearning-PrivateEndpointId:
Deny-AA-child-resources:
Deny-AppGW-Without-WAF:
Deny-AppServiceApiApp-http:
Deny-AppServiceFunctionApp-http:
Deny-AppServiceWebApp-http:
Deny-Databricks-NoPublicIp:
Deny-Databricks-Sku:
Deny-Databricks-VirtualNetwork:
Deny-MachineLearning-Aks:
Deny-MachineLearning-Compute-SubnetId:
Deny-MachineLearning-Compute-VmSize:
Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess:
Deny-MachineLearning-ComputeCluster-Scale:
Deny-MachineLearning-HbiWorkspace:
Deny-MachineLearning-PublicAccessWhenBehindVnet:
Deny-MachineLearning-PublicNetworkAccess:
Deny-MySql-http:
Deny-PostgreSql-http:
Deny-Private-DNS-Zones:
Deny-PublicEndpoint-MariaDB:
Deny-PublicIP:
Deny-RDP-From-Internet:
Deny-Redis-http:
Deny-Sql-minTLS:
Deny-SqlMi-minTLS:
Deny-Storage-minTLS:
Deny-Subnet-Without-Nsg:
Deny-Subnet-Without-Udr:
Deny-VNET-Peer-Cross-Sub:
Deny-VNet-Peering:
Deploy-ASC-SecurityContacts:
Deploy-Budget:
Deploy-Custom-Route-Table:
Deploy-DDoSProtection:
Deploy-Diagnostics-AA:
Deploy-Diagnostics-ACI:
Deploy-Diagnostics-ACR:
Deploy-Diagnostics-AnalysisService:
Deploy-Diagnostics-ApiForFHIR:
Deploy-Diagnostics-APIMgmt:
Deploy-Diagnostics-ApplicationGateway:
Deploy-Diagnostics-CDNEndpoints:
Deploy-Diagnostics-CognitiveServices:
Deploy-Diagnostics-CosmosDB:
Deploy-Diagnostics-Databricks:
Deploy-Diagnostics-DataExplorerCluster:
Deploy-Diagnostics-DataFactory:
Deploy-Diagnostics-DLAnalytics:
Deploy-Diagnostics-EventGridSub:
Deploy-Diagnostics-EventGridSystemTopic:
Deploy-Diagnostics-EventGridTopic:
Deploy-Diagnostics-ExpressRoute:
Deploy-Diagnostics-Firewall:
Deploy-Diagnostics-FrontDoor:
Deploy-Diagnostics-Function:
Deploy-Diagnostics-HDInsight:
Deploy-Diagnostics-iotHub:
Deploy-Diagnostics-LoadBalancer:
Deploy-Diagnostics-LogicAppsISE:
Deploy-Diagnostics-MariaDB:
Deploy-Diagnostics-MediaService:
Deploy-Diagnostics-MlWorkspace:
Deploy-Diagnostics-MySQL:
Deploy-Diagnostics-NetworkSecurityGroups:
Deploy-Diagnostics-NIC:
Deploy-Diagnostics-PostgreSQL:
Deploy-Diagnostics-PowerBIEmbedded:
Deploy-Diagnostics-RedisCache:
Deploy-Diagnostics-Relay:
Deploy-Diagnostics-SignalR:
Deploy-Diagnostics-SQLElasticPools:
Deploy-Diagnostics-SQLMI:
Deploy-Diagnostics-TimeSeriesInsights:
Deploy-Diagnostics-TrafficManager:
Deploy-Diagnostics-VirtualNetwork:
Deploy-Diagnostics-VM:
Deploy-Diagnostics-VMSS:
Deploy-Diagnostics-VNetGW:
Deploy-Diagnostics-WebServerFarm:
Deploy-Diagnostics-Website:
Deploy-Diagnostics-WVDAppGroup:
Deploy-Diagnostics-WVDHostPools:
Deploy-Diagnostics-WVDWorkspace:
Deploy-FirewallPolicy:
Deploy-MySQL-sslEnforcement:
Deploy-Nsg-FlowLogs-to-LA:
Deploy-Nsg-FlowLogs:
Deploy-PostgreSQL-sslEnforcement:
Deploy-Sql-AuditingSettings:
Deploy-SQL-minTLS:
Deploy-Sql-SecurityAlertPolicies:
Deploy-Sql-Tde:
Deploy-Sql-vulnerabilityAssessments:
Deploy-SqlMi-minTLS:
Deploy-Storage-sslEnforcement:
Deploy-Windows-DomainJoin:
policy_set_definitions:
Deny-PublicPaaSEndpoints:
Deploy-ASCDF-Config:
Deploy-Diagnostics-LogAnalytics:
Deploy-Sql-Security:
Enforce-Encryption-CMK:
Enforce-EncryptTransit:
remediation:
policy:
policy_set_definitions:
# policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766
# /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag
Deploy-Diagnostics-LogAnalytics:
- ExpressRouteDeployDiagnosticLogDeployLogAnalytics
- FirewallDeployDiagnosticLogDeployLogAnalytics
- KeyVaultDeployDiagnosticLogDeployLogAnalytics
- LoadBalancerDeployDiagnosticLogDeployLogAnalytics
- NetworkNICDeployDiagnosticLogDeployLogAnalytics
- NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics
- NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics
- RecoveryVaultDeployDiagnosticLogDeployLogAnalytics
- storageaccountdeploydiagnosticlogdeployloganalytics
- VirtualNetworkDeployDiagnosticLogDeployLogAnalytics
- VNetGWDeployDiagnosticLogDeployLogAnalytics
Deploy-ASCDF-Config:
- defenderForOssDb
- defenderForVM
- defenderForSqlServerVirtualMachines
- defenderForAppServices
- defenderForStorageAccounts
- defenderForKubernetesService
- defenderForContainerRegistry
- defenderForKeyVaults
- defenderForDns
- defenderForArm
- defenderForSqlPaas
- securityEmailContact
- ascExport
landing-zones:
archetype_id: landing-zones
policy_assignments:
Deny-IP-Forwarding:
Deny-Priv-Containers-AKS:
Deny-Priv-Escalation-AKS:
Deny-RDP-From-Internet:
Deny-Storage-http:
Deploy-AKS-Policy:
Deploy-SQL-DB-Auditing:
Deploy-SQL-Threat:
Enable-DDoS-VNET:
Enforce-AKS-HTTPS:
Enforce-TLS-SSL:
# Deploy-Windows-DomainJoin:
# domainFQDN: aadds-xl.co.id
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- subscription_creation_landingzones
connectivity:
archetype_id: platform_connectivity
policy_assignments:
Enable-DDoS-VNET:
role_definitions:
CAF-network-vhub-peering:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- connectivity
# Make sure you replace with the Management Group ID in UPPER CASE
'[<replace>-CONNECTIVITY] CAF-network-vhub-peering':
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- subscription_creation_landingzones
- identity
- management
management:
archetype_id: platform_management
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- management
identity:
archetype_id: platform_identity
policy_assignments:
Deny-RDP-From-Internet:
Deny-Public-IP:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- identity
decommissioned:
archetype_id: platform_decommissioned
platform:
archetype_id: platform
sandboxes:
archetype_id: platform_sandboxes


@ -1,26 +0,0 @@
archetype_definitions:
corp:
display_name: Corp
archetype_id: landingzone_corp
parent_management_group_id: landing-zones
subscription_ids:
online:
display_name: Online
archetype_id: landingzone_online
parent_management_group_id: landing-zones
subscription_ids:
corp-prod:
display_name: Production
archetype_id: landingzone_prod
parent_management_group_id: corp
subscription_ids:
corp-non-prod:
display_name: Non Production
archetype_id: landingzone_non_prod
parent_management_group_id: corp
subscription_ids:
online-web:
display_name: Non Production
archetype_id: landingzone_online_web
parent_management_group_id: online
subscription_ids:


@ -1,8 +0,0 @@
gitops:
landingzones: aci_network
relative_destination_folder: level1/eslz
# Keep the following to allow rover ignite to process the deployment.
subscriptions:
launchpad:


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy assignments
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_assignments


@ -1,18 +0,0 @@
{
"name": "aks-capability",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. (labelSelector example - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements)",
"displayName": "Kubernetes cluster containers should only use allowed capabilities.",
"notScopes": [],
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
"scope": "${current_scope_resource_id}",
"enforcementMode": true
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,18 +0,0 @@
{
"name": "Allowed-Locations",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Specifies the allowed locations (regions) where Resources can be deployed.",
"displayName": "Limit allowed locations for Resources",
"notScopes": [],
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
"scope": "${current_scope_resource_id}",
"enforcementMode": null
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_definitions


@ -1,10 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default policy set definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/policy_set_definitions


@ -1,2 +0,0 @@
# Custom ESLZ library
In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.


@ -1,11 +0,0 @@
# Public documentation of the custom landingzones
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Custom-Landing-Zone-Archetypes
# List of the default role defitions
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib/role_definitions


@ -1,27 +0,0 @@
{
"name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "CAF-network-vhub-peering",
"description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
"Microsoft.Network/virtualHubs/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"${current_scope_resource_id}"
]
}
}


@ -1,86 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level1/identity
deployments:
landingzone:
tfstate:
platform:
identity:
global_settings_key:
platform:
launchpad:
remote_tfstates:
platform:
launchpad:
subscriptions:
identity:
resource_groups:
management:
name: management
alerts:
name: alerts
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday
# Bring here you existing active directory security groups.
# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
# Note Terraform will create a new Azure AD group and add the existing as a member
#
# level1:
# azuread_groups:
# network_ops_team:
# name: netops
# members:
# # Set the list of the existing groups
# objects_ids:
# - existing_azure_ad_group_object_id


@ -1,510 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level0/launchpad
deployments:
landingzone:
tfstate:
platform:
launchpad:
subscriptions:
launchpad:
resource_groups:
level0:
name: caf-level0
level1:
name: caf-level1
level2:
name: caf-level2
storage_accounts:
level0:
name: l0
resource_group_key: level0
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level0
level1:
name: l1
resource_group_key: level1
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level1
level2:
name: l2
resource_group_key: level2
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level2
role_mapping:
built_in_role_mapping:
management_group:
# if you are using a root_parent_id, replace the following root by the root_parent_id value
root:
User Access Administrator:
azuread_groups:
keys:
- level0
Management Group Contributor:
azuread_groups:
keys:
- eslz
- caf_platform_maintainers
Owner:
azuread_groups:
keys:
- eslz
- caf_platform_maintainers
- connectivity # only when deploying in single subscription
- identity # only when deploying in single subscription
- management # only when deploying in single subscription
- subscription_creation_landingzones # # only when deploying in single subscription
Reader:
azuread_groups:
keys:
- caf_platform_contributors
subscriptions:
logged_in_subscription:
Owner:
azuread_groups:
keys:
- level0
- subscription_creation_platform
- caf_platform_maintainers
Reader:
azuread_groups:
keys:
- identity
resource_groups:
level0:
Reader:
azuread_groups:
keys:
- identity
- subscription_creation_platform
- caf_platform_contributors
level1:
Reader:
azuread_groups:
keys:
- identity
- management
- eslz
- subscription_creation_platform
- caf_platform_contributors
level2:
Reader:
azuread_groups:
keys:
- identity
- management
- connectivity
- subscription_creation_platform
- caf_platform_contributors
storage_accounts:
level0:
Storage Blob Data Contributor:
azuread_groups:
keys:
- level0
- identity
- caf_platform_maintainers
Storage Blob Data Reader:
azuread_groups:
keys:
- management
- eslz
- subscription_creation_platform
- caf_platform_contributors
level1:
Storage Blob Data Contributor:
azuread_groups:
keys:
- caf_platform_maintainers
- identity
- management
- eslz
- subscription_creation_platform
Storage Blob Data Reader:
azuread_groups:
keys:
- connectivity
- caf_platform_contributors
- level0
level2:
Storage Blob Data Contributor:
azuread_groups:
keys:
- identity
- connectivity
- management
- caf_platform_maintainers
- level0
Storage Blob Data Reader:
azuread_groups:
keys:
- subscription_creation_landingzones
- caf_platform_contributors
keyvaults:
level0:
name: l0
sku_name: premium
resource_group_key: level0
level1:
name: l1
sku_name: premium
resource_group_key: level1
level2:
name: l2
sku_name: premium
resource_group_key: level2
keyvault_access_policies:
level0:
sp_level0:
azuread_group_key: level0
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity:
azuread_group_key: identity
secret_permissions:
- Get
level1:
sp_level0:
azuread_group_key: level0
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity:
azuread_group_key: identity
secret_permissions:
- Get
management:
azuread_group_key: management
secret_permissions:
- Get
eslz:
azuread_group_key: eslz
secret_permissions:
- Get
subscription_creation_platform:
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
level2:
sp_level0:
azuread_group_key: level0
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity:
azuread_group_key: identity
secret_permissions:
- Get
management:
azuread_group_key: management
secret_permissions:
- Get
connectivity:
azuread_group_key: connectivity
secret_permissions:
- Get
subscription_creation_platform:
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
azuread_applications:
level0:
application_name: sp-caf-level0
identity:
application_name: sp-caf-identity
management:
application_name: sp-caf-management
eslz:
application_name: sp-caf-eslz
connectivity:
application_name: sp-caf-connectivity
subscription_creation_platform:
application_name: sp-caf-subscription_creation_platform
subscription_creation_landingzones:
application_name: sp-caf-subscription_creation_landingzones
azuread_service_principals:
# Manage the deployment of the level0
level0:
azuread_application:
key: level0
# Manage the deployment of Enterprise Scale
eslz:
azuread_application:
key: eslz
# Manage the deployment of the connectivity services
connectivity:
azuread_application:
key: connectivity
# Manage the deployment of the shared services
management:
azuread_application:
key: management
# Manage the deployment of the identity services
identity:
azuread_application:
key: identity
# Has delegation to create platform subscriptions
subscription_creation_platform:
azuread_application:
key: subscription_creation_platform
# Has delegation to create landingzone subscriptions
subscription_creation_landingzones:
azuread_application:
key: subscription_creation_landingzones
azuread_api_permissions:
level0:
microsoft_graph:
resource_app_id: 00000003-0000-0000-c000-000000000000
resource_access:
AppRoleAssignment_ReadWrite_All:
id: 06b708a9-e830-4db3-a914-8e69da51d44f
type: Role
DelegatedPermissionGrant_ReadWrite_All:
id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a
type: Role
DelegatedPermissionGrant_ReadWrite_All:
id: 18a4783c-866b-4cc7-a460-3d5e5662c884
type: Role
identity:
active_directory_graph:
resource_app_id: 00000002-0000-0000-c000-000000000000
resource_access:
Application_ReadWrite_OwnedBy:
id: 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7
type: Role
Directory_ReadWrite_All:
id: 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175
type: Role
microsoft_graph:
resource_app_id: 00000003-0000-0000-c000-000000000000
resource_access:
AppRoleAssignment_ReadWrite_All:
id: 06b708a9-e830-4db3-a914-8e69da51d44f
type: Role
DelegatedPermissionGrant_ReadWrite_All:
id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a
type: Role
GroupReadWriteAll:
id: 62a82d76-70ea-41e2-9197-370581804d09
type: Role
RoleManagement_ReadWrite_Directory:
id: 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8
type: Role
azuread_roles:
azuread_service_principals:
level0:
roles:
- Privileged Role Administrator
- Application Administrator
- Groups Administrator
identity:
roles:
- User Administrator
- Application Administrator
- Groups Administrator
subscription_creation_landingzones:
roles:
- Application Administrator
- Groups Administrator
dynamic_keyvault_secrets:
level0:
subscription_id:
output_key: client_config
attribute_key: subscription_id
secret_name: subscription-id
tenant_id:
output_key: client_config
attribute_key: tenant_id
secret_name: tenant-id
level1:
lower_stg:
output_key: storage_accounts
resource_key: level0
attribute_key: name
secret_name: lower-storage-account-name
lower_rg:
output_key: resource_groups
resource_key: level0
attribute_key: name
secret_name: lower-resource-group-name
subscription_id:
output_key: client_config
attribute_key: subscription_id
secret_name: subscription-id
tenant_id:
output_key: client_config
attribute_key: tenant_id
secret_name: tenant-id
level2:
lower_stg:
output_key: storage_accounts
resource_key: level1
attribute_key: name
secret_name: lower-storage-account-name
lower_rg:
output_key: resource_groups
resource_key: level1
attribute_key: name
secret_name: lower-resource-group-name
subscription_id:
output_key: client_config
attribute_key: subscription_id
secret_name: subscription-id
tenant_id:
output_key: client_config
attribute_key: tenant_id
secret_name: tenant-id
azuread_groups:
caf_platform_maintainers:
name: caf-platform-maintainers
description: High privileged group to run all CAF deployments from vscode. Can be used to bootstrap or troubleshoot deployments.
prevent_duplicate_name: true
owners:
- <replace>
caf_platform_contributors:
name: caf-platform-contributors
description: Can only execute terraform plans for level1 and level2. They can test platform improvements and propose PR.
prevent_duplicate_name: true
owners:
- <replace>
level0:
name: caf-level0
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- level0
eslz:
name: caf-eslz
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- eslz
identity:
name: caf-identity
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- identity
management:
name: caf-management
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- management
connectivity:
name: caf-connectivity
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- connectivity
subscription_creation_platform:
name: caf-subscription_creation_platform
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- subscription_creation_platform
subscription_creation_landingzones:
name: caf-subscription_creation_landingzones
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- subscription_creation_landingzones
# object_ids:
# - 746f54dc-285b-454b-8c55-3d499be91e1f


@ -1,101 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level1/management
deployments:
landingzone:
tfstate:
platform:
management:
global_settings_key:
platform:
launchpad:
remote_tfstates:
platform:
launchpad:
subscriptions:
management:
resource_groups:
management:
name: management
alerts:
name: alerts
diagnostic_log_analytics:
# if you change this key you also need to change it in the ESLZ deployment
# eslz/archetype_config_overrides.caf.platform.yaml
# eslz/custom_landing_zones.caf.platform.yaml
region1:
name: logre1
resource_group_key: management
monitor_action_groups:
networking_operations:
action_group_name: Networking Operations
resource_group_key: alerts
shortname: netops
arm_role_alert:
contributors:
name: Monitoring Contributor
role_name: Monitoring Contributor
use_common_alert_schema: false
email_receiver:
noc:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
automation_accounts:
account1:
name: automationAccount1
resource_group_key: management
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,22 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level1/subscriptions
deployments:
landingzone:
tfstate:
platform:
subscriptions:
subscriptions:
launchpad:
subscriptions:
launchpad:
subscription_id: <replace>
identity:
subscription_id: <replace>
connectivity:
subscription_id: <replace>
management:
subscription_id: <replace>


@ -1,144 +0,0 @@
tfstates:
platform:
### Level0 ###
launchpad:
lz_key_name: launchpad
tfstate: caf_launchpad.tfstate
workspace: tfstate
level: level0
identity_aad_key: cred_level0
config_file: launchpad.yaml
sub_template_folder: level0/launchpad
yaml: level0/launchpad/ansible.yaml
launchpad_credentials:
lz_key_name: launchpad_credentials_rotation
tfstate: launchpad_credentials_rotation.tfstate
level: level0
identity_aad_key: cred_identity
config_file: credentials.yaml
sub_template_folder: level0/credentials
### Level1 ###
management:
lz_key_name: management
tfstate: management.tfstate
level: level1
identity_aad_key: cred_management
config_file: management.yaml
identity:
lz_key_name: identity
tfstate: identity.tfstate
level: level1
identity_aad_key: cred_identity
config_file: identity.yaml
sub_template_folder: level1/identity
eslz:
lz_key_name: eslz
tfstate: eslz.tfstate
level: level1
identity_aad_key: cred_eslz
config_file: eslz/eslz.yaml
sub_template_folder: level1/eslz
yaml: level1/eslz/ansible.yaml
platform_subscriptions:
lz_key_name: platform_subscriptions
tfstate: platform_subscriptions.tfstate
level: level1
identity_aad_key: cred_subscription_creation_platform
config_file: subscriptions.yaml
sub_template_folder: level1/subscriptions
## Level2 ##
identity_level2:
prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
identity_aad_key: cred_identity
non_prod:
lz_key_name: identity_level2
tfstate: identity_level2_non_prod.tfstate
level: level2
identity_aad_key: cred_identity
identity_level2_aadds:
prod:
lz_key_name: identity_level2_aadds
tfstate: identity_level2_aadds.tfstate
level:
identity_aad_key: cred_identity
virtual_wans:
prod:
lz_key_name: connectivity_virtual_wan
tfstate: connectivity_virtual_wan.tfstate
level: level2
identity_aad_key: cred_connectivity
virtual_hubs:
prod:
lz_key_name: connectivity_virtual_hub_prod
tfstate: connectivity_virtual_hub_prod.tfstate
workspace: tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_virtual_hub_non_prod
tfstate: connectivity_virtual_hub_non_prod.tfstate
workspace: tfstate
level: level2
identity_aad_key: cred_connectivity
azurerm_firewalls:
prod:
lz_key_name: connectivity_firewalls_prod
tfstate: connectivity_firewalls_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_firewalls_non_prod
tfstate: connectivity_firewalls_non_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
azurerm_firewall_policies:
prod:
lz_key_name: connectivity_firewall_policies_prod
tfstate: connectivity_firewall_policies_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_firewall_policies_non_prod
tfstate: connectivity_firewall_policies_non_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
private_dns:
prod:
lz_key_name: connectivity_private_dns_prod
tfstate: connectivity_private_dns_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_private_dns_non_prod
tfstate: connectivity_private_dns_non_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
vpn_sites:
prod:
lz_key_name: connectivity_vpn_sites_prod
tfstate: connectivity_vpn_sites_prod.tfstate
sub_template_folder: level2/connectivity
level: level2
identity_aad_key: cred_connectivity
asvm:
lz_key_name: asvm
tfstate: asvm_subscription_vending_machine.tfstate
level: level2
identity_aad_key: cred_level0
sub_template_folder: level2/asvm
yaml: level2/asvm/ansible.yaml
rover_ignite_dependencies:
- launchpad


@ -1,99 +0,0 @@
- name: Process deployment based on bootstrap.yaml
hosts: localhost
tasks:
- name: "load {{ config_folder }}/bootstrap.yaml"
include_vars:
name: bootstrap
dir: "{{ config_folder }}"
depth: 1
ignore_unknown_extensions: true
files_matching: "bootstrap.yaml"
- name: "Load variable for landingzones config"
include_vars:
name: asvm_config__to_merge
dir: "{{config_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "config.asvm.yaml|tfstates.asvm.yaml|deployments.yaml"
- name: "Load variable for platform config"
include_vars:
name: platform_config__to_merge
dir: "{{config_folder_platform | default(config_folder)}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "caf.platform.yaml|tfstates.caf.yaml|tfstates.yaml|subscriptions.yaml"
- name: Merge asvm and platform variables
merge_vars:
suffix_to_merge: config__to_merge
merged_var_name: config
expected_type: 'dict'
recursive_dict_merge: True
- name: "Get latest cache folder"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
destination_base: '{{config.configuration_folders.platform.destination_base_path}}'
config: "{{ ansible_facts.config }}"
- debug:
msg:
- "{{bootstrap}}"
- "{{config}}"
# verbosity: 2
#
# Generate the foundation services
#
- include_tasks: "process_foundations.yaml"
loop: "{{bootstrap.deployments.keys()}}"
when: bootstrap != {}
loop_control:
loop_var: stage
vars:
step: deployments
#
# Process the deployments folders
#
- find:
paths: "{{config_folder}}/deployments"
recurse: yes
patterns: "*.yaml"
file_type: file
register: files_to_process
- debug:
msg:
- "{{files_to_process}}"
verbosity: 2
- name: Process deployments folder configuration files
include_tasks: "process_deployments.yaml"
loop: "{{files_to_process.files}}"
loop_control:
loop_var: file_to_process
## Platform readme
- name: "[{{ base_templates_folder }}] readme"
ansible.builtin.template:
src: "{{ base_templates_folder }}/readme.md"
dest: "{{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}/readme.md"
force: yes
#
# Formatting & Linters
#
- name: Terraform Formatting
shell: |
terraform fmt -recursive {{ destination_base }}/{{ config.configuration_folders.platform.destination_relative_path }}


@ -0,0 +1,99 @@
- name: Process deployment based on ignite.yaml
hosts: localhost
tasks:
- name: "load {{ config_folder }}/ignite.yaml"
include_vars:
name: bootstrap
dir: "{{ config_folder }}"
depth: 1
ignore_unknown_extensions: true
files_matching: "ignite.yaml"
- name: "Load variable for platform config"
include_vars:
name: resources
dir: "{{config_folder_platform | default(config_folder)}}"
depth: 0
ignore_unknown_extensions: true
files_matching: ".yaml"
ignore_files: "ignite.yaml"
- name: "Set variables"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
destination_base_path: '{{resources.configuration_folders.platform.destination_base_path}}/{{ resources.configuration_folders.platform.destination_relative_path }}'
- name: "Creates destination directory - {{destination_base_path}}"
file:
path: "{{destination_base_path}}"
state: directory
- debug:
msg:
- "bootstrap: {{bootstrap}}"
- "resources: {{resources}}"
#
# Generate the foundation services
#
- name: Process core deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments.root.keys()}}"
loop_control:
loop_var: tfstate
vars:
lz_type: platform
stage: root
- name: Process eslz deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments.eslz.keys()}}"
loop_control:
loop_var: tfstate
when:
- launchpad_tfstate_exists.rc == 0
vars:
lz_type: platform
stage: eslz
#
# Process the deployments folders
#
- find:
paths: "{{config_folder}}/scale_out_domains"
recurse: yes
patterns: "*.yaml"
file_type: file
register: files_to_process
- name: Process scale out domaines deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments.scale_out_domains.keys()}}"
loop_control:
loop_var: tfstate
when:
- launchpad_tfstate_exists.rc == 0
vars:
lz_type: platform
stage: scale_out_domains
## Platform readme
- name: "[{{ base_templates_folder }}] readme"
ansible.builtin.template:
src: "{{ base_templates_folder }}/readme.md"
dest: "{{ destination_base_path }}/readme.md"
force: yes
#
# Formatting & Linters
#
- name: Terraform Formatting
shell: |
terraform fmt -recursive {{ destination_base_path }}
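Review bot: `launchpad_tfstate_exists.rc == 0` guards both the eslz and the scale-out-domains tasks, but nothing in this playbook registers `launchpad_tfstate_exists`; unless a task inside process_stages.yaml or process_tfstate.yaml registers it during the root loop, the `when:` evaluates an undefined variable and the play fails instead of skipping. Writing the dependency out as `- launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0` makes the intent explicit either way. The `find` task that registers `files_to_process` is not consumed by any task in this playbook any more and can be dropped. The closing `shell: terraform fmt -recursive {{ destination_base_path }}` passes an unquoted templated path through a shell; `command: terraform fmt -recursive "{{ destination_base_path }}"` avoids word splitting and shell interpretation of whatever the configuration supplies.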


@ -0,0 +1,44 @@
- name: "Process 1 deployment file {{stage}}"
set_fact:
"{{stage}}_{{item}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][item]}}') | from_yaml }}"
loop: "{{topology.deployments[stage].keys()}}"
when:
- stage == 'root' or stage == 'eslz'
- topologies is not defined
- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/"
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}"
dest: "{{destination_path}}/{{topologies[item].tfstate.config_file}}"
loop: "{{topology.deployments[stage].keys()}}"
when:
- stage == 'root'
- topologies is defined
- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/"
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}"
dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
loop: "{{topology.deployments[stage].keys()}}"
when:
- stage == 'eslz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_eslz.yaml"
loop: "{{topology.deployments[stage].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'eslz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_env.yaml"
loop: "{{topology.deployments[stage].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'scale_out_domains'
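Review bot: Two pairs of tasks carry identical names — both `Copy file {{stage}} from …/services/` tasks and both `Process 2 deployment file {{stage}}` tasks — and differ only in their `when:` clauses, so the run log cannot tell the root path from the eslz path; suffixing the names with the stage they handle (`… (root)`, `… (eslz)`) fixes that. The first task nests a `{{ … }}` template inside the string handed to `lookup('template', …)`; the lookup argument is already a Jinja expression, so `lookup('template', config_folder_platform_templates ~ '/services/' ~ topology.deployments[stage][item])` is the plain form and drops the escaped quotes — the same construct appears at the top of the next hunk (load_deployments_env). The three `loop:` tasks rely on the default `item` variable while the two `include_tasks` tasks set `loop_var: service`; if this file is itself reached through a parent loop, the `item`-based tasks would see the parent's value, so a `loop_control.loop_var` on them would be safer.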


@ -0,0 +1,31 @@
- name: "Process 3 deployment file {{stage}}/{{service}}"
set_fact:
"{{service}}_{{env}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][service][env]}}') | from_yaml }}"
loop: "{{topology.deployments[stage][service].keys()}}"
loop_control:
loop_var: env
when:
- topologies is not defined
- name: "Creates directory"
file:
path: "{{destination_path}}/{{stage}}/{{env}}"
state: directory
loop: "{{topology.deployments[stage][service].keys()}}"
loop_control:
loop_var: env
when:
- topologies is defined
- name: "Copy file {{stage}}/{{service}}"
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][service][env]}}"
dest: "{{destination_path}}/{{stage}}/{{env}}/{{topologies[service + '_' + env].tfstate.config_file}}"
loop: "{{topology.deployments[stage][service].keys()}}"
loop_control:
loop_var: env
when:
- topologies is defined


@ -0,0 +1,57 @@
- name: "{{destination_eslz_path}} - Set tfstate_object"
set_fact:
tfstate_object: "{{topologies['eslz_' + service].tfstate}}"
- name: "{{destination_path}}/{{stage}} - Set landingzone file_path"
set_fact:
destination_eslz_path: "{{destination_path}}/{{stage}}/{{service}}"
template_folder: "{{config_folder_platform_templates}}/{{ tfstate_object.template_lib_folder}}"
- name: "{{destination_eslz_path}} - Set landingzone file_path"
set_fact:
template_lib_folder: "{{template_folder}}/lib/{{ tfstate_object.eslz_version }}"
- name: "{{destination_eslz_path}} - Set landingzone file_path"
set_fact:
mg: "{{ lookup('template', '{{ template_lib_folder }}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
mg_custom: "{{ lookup('template', '{{ template_lib_folder }}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
- debug:
msg: "{{destination_eslz_path}}"
- name: "Clean-up destination directory"
shell: |
rm -rf "{{ destination_eslz_path }}"
when:
- topology.enterprise_scale[service].clean_up_destination_folder
- name: "Creates directory structure - {{template_lib_folder}}"
shell: mkdir -p "{{ destination_eslz_path }}/lib/{{ item.path }}"
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'directory'
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_eslz_path }}/lib/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is not search(".j2")
- item.path is not search(".yaml") or item.path is search(".json") or item.path is search(".md")
- topologies.platform_core_setup.enterprise_scale[service].update_lib_folder
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_eslz_path }}/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is search(".yaml")
- topologies.platform_core_setup.enterprise_scale[service].update_lib_folder
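Review bot: The clean-up task runs `rm -rf "{{ destination_eslz_path }}"` through a shell, so if `destination_path`, `stage` or `service` renders empty the removal can land outside the intended tree; `ansible.builtin.file` with `path: "{{ destination_eslz_path }}"` and `state: absent` does the same job without a shell, and the `mkdir -p` task has the same `state: directory` equivalent. The first task's name interpolates `{{destination_eslz_path}}` before that fact is set two tasks later, so the name renders unresolved in the log. The clean-up condition reads `topology.enterprise_scale[service].clean_up_destination_folder` while the two ` Lib` tasks read `topologies.platform_core_setup.enterprise_scale[service].update_lib_folder`; if both flags live on the same object, one of the two paths looks like a typo — worth confirming against the topology schema. The two copy tasks also share the name ` Lib`; naming them e.g. `Lib - non-yaml files` and `Lib - yaml files` keeps the log readable.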


@ -0,0 +1,38 @@
- debug:
msg:
- "env: {{env}}"
- "lz_type: {{lz_type}}"
- "tfstate: {{tfstate}}"
# - set_fact:
# lz_type: "{{resources.deployments.landingzone.tfstate.keys() | first}}"
# - set_fact:
# # tfstate: "{{resources.deployments.landingzone.tfstate[lz_type].keys() | first}}"
# env: "{{resources.deployments.landingzone.tfstate[lz_type].values() | first | default('')}}"
# - debug:
# msg:
# - "{{config}}"
# - "{{lz_type}}"
# - "{{tfstate}}"
# - "{{env}}"
# verbosity: 2
- name: "Set tfstate_object"
set_fact:
tfstate_object: '{{resources.tfstates[lz_type][tfstate][env] }}'
- debug:
msg:
- "{{tfstate_object}}"
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: ["{{ tfstate }}"]
loop_control:
loop_var: deployment
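Review bot: The two `debug` tasks in this file print `env`/`lz_type`/`tfstate` and the whole `tfstate_object` on every run, whereas the sibling include file in this commit gates its equivalent dump behind `verbosity: 2`; add `verbosity: 2` to both so default output stays readable and the object is only shown on `-vv`. The commented-out `set_fact`/`debug` block between them is dead code carried into a brand-new file; drop it, or replace it with a one-line comment stating that `lz_type`, `tfstate` and `env` are expected from the caller, since nothing in this file defines them.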


@ -1,4 +1,4 @@
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}} - check file to process"
- name: "resources - {{resource_type}} - check file to process"
stat:
path: "{{ansible_to_process}}/{{resource_type}}.tfvars.j2"
register: override_file
@ -20,7 +20,7 @@
#
# resources
#
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}}"
- name: "resources - {{resource_type}}"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"


@ -0,0 +1,40 @@
- debug:
msg:
- "tfstate {{tfstate}}}}"
- "{{lz_type}}"
- name: "Set tfstate_object"
set_fact:
tfstate_object: "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][tfstate] }}"
env: ''
- name: "Set config_folder"
set_fact:
config_folder: '{{ tfstate_object.sub_template_folder | default() }}'
- debug:
msg:
- "{{lz_type}}"
- "{{tfstate}}"
- "{{tfstate_object}}"
- "{{config_folder}}"
verbosity: 2
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: ["{{tfstate}}"]
loop_control:
loop_var: deployment
vars:
config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
when: stage != 'scale_out_domains'
- name: "Process deployments"
include_tasks: "process_deployments.yaml"
loop: "{{bootstrap.deployments.scale_out_domains[tfstate].keys()}}"
loop_control:
loop_var: env
vars:
deployment: deployment
when: stage == 'scale_out_domains'
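Review bot: The first debug message `"tfstate {{tfstate}}}}"` carries two stray closing braces, so it prints a literal `}}` after the value; change it to `"tfstate {{tfstate}}"`. In the `Process deployments` include, `vars: deployment: deployment` assigns the literal string `deployment`, not a templated value — if the intent is to hand the current deployment name to `process_deployments.yaml`, it needs a Jinja expression (presumably `"{{ tfstate }}"`, mirroring the `loop: ["{{tfstate}}"]` / `loop_var: deployment` pairing in the task above); confirm what that file actually reads. The first debug also lacks the `verbosity: 2` that the second one has.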


@ -2,49 +2,56 @@
- debug:
msg:
- "subscription_key {{subscription_key}}"
- "{{resources.subscriptions[subscription_key]}}"
- name: "{{deployment}} - Set ansible_to_process"
set_fact:
ansible_to_process: "{{base_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else base_templates_folder + '/generic'}}"
tfstate_resource: "{{ 'eslz_' + deployment if stage == 'eslz' else deployment if env == '' else deployment + '_' + env }}"
verbosity: 2
- name: "{{deployment}} - Set landingzone file_path"
- debug:
msg:
- "{{env}}"
- "{{tfstate_resource}}"
- name: "{{tfstate_resource}} - Set landingzone file_path"
set_fact:
landingzone_template: "{{resource_template_folder}}/landingzone.tfvars.j2"
landingzone_override: "{{ansible_to_process}}/landingzone.tfvars.j2"
destination_path: "{{config.configuration_folders.platform.destination_base_path}}/{{config.configuration_folders.platform.destination_relative_path}}/{{resources.relative_destination_folder}}"
destination_path: "{{destination_base_path}}/{{resources['eslz_' + deployment].relative_destination_folder if stage == 'eslz' else resources[tfstate_resource].relative_destination_folder}}"
level: "{{tfstate_object.level}}"
verbosity: 2
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - check file to process"
- name: "[{{tfstate_resource}}] - landingzone - check overrides to process in {{ansible_to_process}}"
stat:
path: "{{landingzone_override}}"
register: landingzone_override_file
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - Clean-up directory"
- name: "[{{tfstate_resource}}] - landingzone - Clean-up directory"
file:
path: "{{destination_path}}"
state: absent
when: config.configuration_folders.platform.cleanup_destination | bool
when: resources.configuration_folders.platform.cleanup_destination | bool
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone - Creates directory"
- name: "[{{tfstate_resource}}] - landingzone - Creates directory"
file:
path: "{{destination_path}}"
state: directory
- name: "{{deployment}} - process custom yaml process"
- name: "{{tfstate_resource}} - process custom yaml process"
include_tasks: "{{base_templates_folder}}/{{tfstate_object.yaml}}"
when: tfstate_object.yaml is defined
#
# landingzone.tfvars
#
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - landingzone"
- name: "{{tfstate_resource}} - landingzone"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
@ -56,16 +63,16 @@
# Resources
#
- name: "{{deployment}} - process resources"
- name: "{{tfstate_resource}} - process resources"
include_tasks: "process_resources.yaml"
loop: "{{resources.subscriptions[subscription_key] | list if resources.subscriptions[subscription_key] is mapping else [] }}"
loop: "{{resources[tfstate_resource].subscriptions[subscription_key] | list if resources[tfstate_resource].subscriptions[subscription_key] is mapping else [] }}"
loop_control:
loop_var: resource_type
#
# overrides
#
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }}"
- name: "[{{tfstate_resource}} - {{resources[tfstate_resource].relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }}"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
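Review bot: `verbosity: 2` appears as an argument of the two `set_fact` tasks (`Set ansible_to_process` and `Set landingzone file_path`); `verbosity` is a parameter of the `debug` module only, so in `set_fact` it simply defines a host fact named `verbosity` with value 2 and does nothing for output. Remove those two lines — the interleaved `debug` task is where the option belongs. The `Clean-up directory` task deletes `destination_path`, which is now `destination_base_path` joined with `resources[...].relative_destination_folder`; if that relative folder ever renders empty the clean-up removes the whole base path, so an `ansible.builtin.assert` with `that: resources[tfstate_resource].relative_destination_folder | length > 0` ahead of the `state: absent` task would be a cheap guard. The start of this task list is outside the hunk.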


@ -1,23 +1,23 @@
- debug:
msg:
- "{{lz_type}}"
- "{{deployment}}"
- "{{env}}"
- name: "Verify {{deployment}} {{lz_type}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :"
debug:
msg:
- "{{config.tfstates[lz_type][deployment]}}"
- "resources - {{resources}}"
- "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][deployment] if env == '' else resources.tfstates[lz_type][deployment][env]}}"
- name: "{{deployment}} - tfstate_object sub_template_folder- {{env}}"
debug:
msg:
- 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
- 'tfstate_object - {{tfstate_object}}'
verbosity: 2
- name: "{{deployment}} - process subscription resources"
include_tasks: "process_subscription_resources.yaml"
loop: "{{resources.subscriptions.keys()}}"
loop: "{{resources['eslz_' + tfstate].subscriptions.keys() if stage == 'eslz' else resources[tfstate].subscriptions.keys() if env == '' else resources[tfstate + '_' + env].subscriptions.keys() }}"
loop_control:
loop_var: subscription_key
vars:
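Review bot: The task named `Verify {{deployment}} {{lz_type}} is defined under tfstates:platform ...` is a `debug`, so it verifies nothing: when the key is missing the play stops with a generic undefined-variable error instead of the message the name promises. Make it an `ansible.builtin.assert` with `that:` checking `resources.tfstates[lz_type]` and the selected deployment/env key `is defined`, and a `fail_msg` pointing at `{{config_folder}}/tfstates.yaml`. The three-way conditional choosing between the `eslz_`-prefixed, plain and `_env`-suffixed names is written out here twice (the debug message and the `process subscription resources` loop) and once more as `tfstate_resource` in the include file that consumes `subscription_key`; computing it once into a fact before the loop would keep the copies in step. The `vars:` block at the end of the include is cut off by the hunk.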


@ -0,0 +1,117 @@
- name: Get deployment user object_id
shell: az ad signed-in-user show --query objectId -o tsv
register: object_id
- name: Get deployment user UPN
shell: az ad signed-in-user show --query userPrincipalName -o tsv
register: upn
- name: Get default user's tenant name
shell: az rest --method get --url "https://graph.microsoft.com/v1.0/organization" --query "value[0].verifiedDomains[?isDefault].name" -o tsv
register: tenant_name
- name: Get default user's tenant guid
shell: az account show --query tenantId -o tsv
register: tenant_id
- name: Get default subscription id
shell: az account show --query id -o tsv
register: subscription_id
- name: Get default subscription name
shell: az account show --query name -o tsv
register: subscription_name
- set_fact:
regions: "{{ azure_regions }}"
- set_fact:
topology: "{{ lookup('template', '{{ topology_file }}') | from_yaml }}"
destination_path: "{{destination_base_path + '/' + definitions_relative_path}}"
- name: "Creates directory - {{destination_path}}"
file:
path: "{{destination_path}}"
state: directory
#
# Load the files into variables
#
- include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments.keys()}}"
loop_control:
loop_var: stage
- name: Merge deployment files into topologies variable
merge_vars:
suffix_to_merge: _deployment__to_merge
merged_var_name: merged_topologies
expected_type: 'dict'
recursive_dict_merge: True
- set_fact:
topologies: "{{ merged_topologies }}"
# Need topologies to render the following templates
- name: "load tfstates"
set_fact:
"tfstates_deployment__to_merge": "{{ lookup('template', '{{config_folder_platform_templates}}/services/tfstates.yaml') | from_yaml }}"
- name: "load template.caf.platform"
set_fact:
"caf_platform_deployment__to_merge": "{{ lookup('template', '{{config_folder_platform_templates}}/services/template.caf.platform.yaml') | from_yaml }}"
- name: Merge deployment files into topologies variable
merge_vars:
suffix_to_merge: _deployment__to_merge
merged_var_name: merged_topologies
expected_type: 'dict'
recursive_dict_merge: True
- set_fact:
topologies: "{{ merged_topologies }}"
- debug:
msg: "topologies: {{topologies}}"
#
# Generate target folder structure and files
#
- name: Copy files
include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments.keys()}}"
loop_control:
loop_var: stage
- name: tfstates.yaml
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/tfstates.yaml"
dest: "{{destination_path}}/tfstates.yaml"
- name: ignite.yaml
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/eslz_single_subscription.yaml"
dest: "{{destination_path}}/ignite.yaml"
- name: template.caf.platform.yaml
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/template.caf.platform.yaml"
dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml"
- name: readme.me
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/README.md"
dest: "{{destination_path}}/GETTING-STARTED.md"
- debug:
msg:
- "You have now initialized the definition of the platform"
- "You can review and adjust the yaml files."
- "configuration folder: - {{destination_path}}"
- "readme: {{destination_path}}/GETTING-STARTED.md"
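Review bot: The six `az ...` lookups at the top use `shell:` although none of them needs a shell (no pipes, redirects or globbing); `ansible.builtin.command` runs the same argv without handing the line to `/bin/sh`, e.g. `command: az account show --query tenantId -o tsv`, and ansible-lint's command-instead-of-shell rule flags the current form. The template lookups nest moustaches inside a Jinja expression (`lookup('template', '{{ topology_file }}')`, likewise in the `load tfstates` and `load template.caf.platform` tasks); pass the variable directly, `lookup('template', topology_file)`. `load_deployments.yaml` is included twice over the same `topology.deployments.keys()` loop, once before and once after the merges; if the second pass is intentional (the comment says `topologies` must exist first), a short comment on the `Copy files` task saying so would stop the next reader from deleting it as a duplicate. The unconditional `debug` of the full `topologies` dict should carry `verbosity: 2`.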
