* Change ci name

* Modern activity logs #39

* Housekeeping and versioning update

* Updating foundations CI + formatting

* Support for NSG naming, extended fields, and update to address-prefixes #44

* azurerm 2.15

* Update config for CI

* Add VSCodespace

* Documentation update

* Changelog

* Latest log_analytics

* Updating readme, adding documentation and adding devcontainer settings.

* Remove workspace

* Rename devcontainer

* launchpad light 2006

* Add support for environment

* Add environment and update tags

* Backward support for environment

* Introducing Azure Virtual WAN landing zones (#48)

* Initial commit hub_mesh

* Update readme

* Fix output

* Adding explicit dependency for fw rg

* Secured vhub by default for CI

* Update ci-vnext with launchpad light

* Update path

* Add tf/caf/ mapping

* Update vnext

* Fix logged_in user

* Fix destroy vnext CI

* Fix environment attribute in ci

* pickup environment from launchpad

* Add ci job id as prefix

* Remove workspace tags

* Fix prefix in ci

* Add support to overwride prefix in caf foundations

* Update prefix startwith alphe for keyvault

* Update documentation

* Update formating of files

* Adding a g in prefix for ci to avoid errors
with event hub or keyvault

* ci-vnext: remove prefix in LZ as coming
from foundation

* ci-vnext - remove prefix on lz destroy

* Fix testing-job-id typo

* ci var should be testing_job_id for jmespath

* Update module conventions documentation

* Including rover release

* landingzones vnext

* Update CI for master

* Add breaking changes and depreceated section

* Update doc for VSCodespace and CI to exclude docs

Co-authored-by: lolorol <lalesle@microsoft.com>
Co-authored-by: lolorol <LaurentLesle@users.noreply.github.com>
Arnaud Lheureux 2020-07-02 12:30:30 +08:00 коммит произвёл GitHub
Родитель 5d7414311a
Коммит 925e867ed5
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
192 изменённых файлов: 6972 добавлений и 4602 удалений


@ -1,5 +1,5 @@
{
"name": "Azure CAF rover",
"name": "Azure CAF landing zones",
// Update the 'dockerComposeFile' list if you have more compose files or use different names.
"dockerComposeFile": "docker-compose.yml",
@ -15,8 +15,10 @@
// Use 'settings' to set *default* container specific settings.json values on container create.
// You can edit these settings after create using File > Preferences > Settings > Remote.
"settings": {
// If you are using an Alpine-based image, change this to /bin/ash
"terminal.integrated.shell.linux": "/bin/bash"
"files.eol": "\n",
"terminal.integrated.shell.linux": "/bin/bash",
"editor.tabSize": 2,
"terminal.integrated.scrollback": 2000,
},
// Uncomment the next line if you want start specific services in your Docker Compose config.
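Review bot: The new last entry of `settings`, `"terminal.integrated.scrollback": 2000,`, leaves a trailing comma before the closing `},`; VS Code reads devcontainer.json as JSONC and tolerates it, but strict JSON tooling will reject the file, so drop the comma: `"terminal.integrated.scrollback": 2000`. The `settings` object is shown in full, but the enclosing document continues outside the hunk.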


@ -6,7 +6,7 @@
version: '3.7'
services:
rover:
image: aztfmod/rover:2005.1510
image: aztfmod/rover:2007.0108
labels:
- "caf=Azure CAF"

86
.github/workflows/ci-branches-vnext.yml поставляемый

@ -3,7 +3,7 @@
# Licensed under the MIT License.
#
name: landingzones
name: landingzones-vnext
on:
pull_request:
@ -12,8 +12,11 @@ on:
push:
branches:
- vnext
paths-ignore:
- 'documentation/**'
- '_pictures/**'
schedule:
- cron: '0 0 * * *'
- cron: '0 2 * * *'
env:
TF_CLI_ARGS: '-no-color'
@ -35,13 +38,14 @@ jobs:
matrix:
region: ["westus2"]
convention: ["random"]
launchpad: ["launchpad_opensource"]
container:
image: aztfmod/roverdev:vnext
options: --user 0
steps:
- uses: actions/checkout@v2
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
@ -51,12 +55,16 @@ jobs:
- name: Locate launchpad
run: |
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id)
ln -s ${GITHUB_WORKSPACE} /tf/caf
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.environment=='${{ github.run_id }}']" -o json | jq -r .[0].id)
if [ "${id}" == "null" ]; then
/tf/rover/launchpad.sh /tf/launchpads/${{ matrix.launchpad }} apply \
/tf/rover/rover.sh /tf/caf/landingzones/launchpad apply \
-launchpad \
--environment ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \ \
-var location=${{ matrix.region }} \
-var environment=${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}'
fi
@ -88,8 +96,8 @@ jobs:
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
# workspace='caffoundationsci'
# echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
@ -98,15 +106,13 @@ jobs:
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
--environment ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
landingzones:
name: landingzones
@ -117,7 +123,7 @@ jobs:
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_hub_spoke", "landingzone_secure_vnet_dmz", "landingzone_starter", "landingzone_vdc_demo"]
landingzone: ["landingzone_hub_spoke", "landingzone_secure_vnet_dmz", "landingzone_starter", "landingzone_vdc_demo", "landingzone_hub_mesh"]
region: ["westus2"]
convention: ["cafrandom"]
environment: ["integration-tests"]
@ -136,9 +142,9 @@ jobs:
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
job_id=${{ job.container.id }}
workspace=${job_id:0:63}
echo ::set-env name=TF_VAR_workspace::${workspace}
# job_id=${{ job.container.id }}
# workspace=${job_id:0:63}
# echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
@ -147,30 +153,20 @@ jobs:
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy landing_zone
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
-env ${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars'
- name: destroy landing_zone
if: always()
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
- name: cleanup workspace
if: always()
run: |
stg_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].name)
az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login
--environment ${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars'
caf_foundations_destroy:
name: caf_foundations_destroy
@ -200,8 +196,8 @@ jobs:
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
# workspace='caffoundationsci'
# echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
@ -213,9 +209,11 @@ jobs:
- name: destroy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' \
'-auto-approve'
--environment ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' \
'-auto-approve'
level0_destroy:
name: level0_destroy
@ -234,6 +232,8 @@ jobs:
options: --user 0
steps:
- uses: actions/checkout@v2
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
@ -243,9 +243,13 @@ jobs:
- name: Remove launchpad
run: |
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource destroy \
ln -s ${GITHUB_WORKSPACE} /tf/caf
/tf/rover/rover.sh /tf/caf/landingzones/launchpad destroy \
-launchpad \
-env ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \
-var location=${{ env.region }} \
-var environment=${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
-auto-approve
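Review bot: The continuation on `-var prefix=g${{ github.run_id}} \ \` in the Locate launchpad step (hunk `@ -51,12 +55,16 @@`) carries a stray escaped space before the line-continuation backslash, so the shell hands rover.sh an extra argument consisting of a single space; it should read `-var prefix=g${{ github.run_id }} \`. The same line appears in the Locate launchpad hunk of the second workflow section further down. In the Remove launchpad step, `-var location=${{ env.region }}` references a `region` key that is not visible in this section's env block while the apply side uses `matrix.region`; if it is not defined under `env`, the expression expands to empty and the destroy runs with an empty location, so `matrix.region` was presumably intended there too. The job definitions these steps belong to start outside the hunks.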

172
.github/workflows/ci-landingzone_hub_spoke.yml поставляемый

@ -1,172 +0,0 @@
#
# Copyright (c) Microsoft Corporation
# Licensed under the MIT License.
#
name: landingzone_hub_spoke
on:
push:
paths:
- 'landingzones/landingzone_hub_spoke/**'
- 'environments/**/landingzone_hub_spoke/**'
- '.github/workflows/ci-landingzone_hub_spoke.yml'
branches-ignore:
- master
env:
TF_CLI_ARGS: '-no-color'
TF_CLI_ARGS_destroy: '-auto-approve -refresh=false'
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }}
TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }}
TFVARS_PATH: '/tf/caf/environments'
jobs:
level0:
name: level0
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
region: ["westus2"]
convention: ["random"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: Locate launchpad
run: |
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id)
if [ "${id}" == "null" ]; then
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }}
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }}
fi
caf_foundations:
name: caf_foundations
runs-on: ubuntu-latest
needs: level0
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_caf_foundations"]
region: ["westus2"]
convention: ["random"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
landingzone_hub_spoke:
name: landingzone_hub_spoke
runs-on: ubuntu-latest
needs: [level0, caf_foundations]
strategy:
fail-fast: false
#max-parallel: 1
matrix:
landingzone: ["landingzone_hub_spoke"]
region: ["westus2"]
convention: ["cafrandom"]
environment: ["integration-tests"]
scenario: ["bastion","no_bastion" ]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
job_id=${{ job.container.id }}
workspace=${job_id:0:63}
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy hub_spoke
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_hub_spoke apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.scenario }}.tfvars' \
'-var workspace=caffoundationsci'
- name: destroy hub_spoke
if: always()
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_hub_spoke destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.scenario }}.tfvars' \
'-var workspace=caffoundationsci'
- name: cleanup workspace
if: always()
run: |
stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name)
az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login


@ -1,173 +0,0 @@
#
# Copyright (c) Microsoft Corporation
# Licensed under the MIT License.
#
name: landingzone_secure_vnet_dmz
on:
push:
paths:
- 'landingzones/landingzone_secure_vnet_dmz/**'
- 'environments/**/landingzone_secure_vnet_dmz/**'
- '.github/workflows/ci-landingzone_secure_vnet_dmz.yml'
branches-ignore:
- master
env:
TF_CLI_ARGS: '-no-color'
TF_CLI_ARGS_destroy: '-auto-approve -refresh=false'
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }}
TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }}
TFVARS_PATH: '/tf/caf/environments'
jobs:
level0:
name: level0
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
region: ["westus2"]
convention: ["random"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: Locate launchpad
run: |
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id)
if [ "${id}" == "null" ]; then
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }}
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }}
fi
caf_foundations:
name: caf_foundations
runs-on: ubuntu-latest
needs: level0
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_caf_foundations"]
region: ["westus2"]
convention: ["random"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2004.1606
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
landingzone_secure_vnet_dmz:
name: landingzone_secure_vnet_dmz
runs-on: ubuntu-latest
needs: [level0, caf_foundations]
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_secure_vnet_dmz"]
region: ["westus2"]
convention: ["random"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
job_id=${{ job.container.id }}
workspace=${job_id:0:63}
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy secure_vnet_dmz
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_secure_vnet_dmz apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
- name: destroy secure_vnet_dmz
if: always()
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_secure_vnet_dmz destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
- name: cleanup workspace
if: always()
run: |
stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name)
az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login

169
.github/workflows/ci-landingzone_starter.yml поставляемый

@ -1,169 +0,0 @@
#
# Copyright (c) Microsoft Corporation
# Licensed under the MIT License.
#
name: landingzone_starter
on:
push:
paths:
- 'landingzones/landingzone_starter/**'
- 'environments/**/landingzone_starter/**'
- '.github/workflows/ci-landingzone_starter.yml'
branches-ignore:
- master
env:
TF_CLI_ARGS: '-no-color'
TF_CLI_ARGS_destroy: '-auto-approve -refresh=false'
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }}
TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }}
TFVARS_PATH: '/tf/caf/environments'
jobs:
level0:
name: level0
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
region: ["westus2"]
convention: ["random"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: Locate launchpad
run: |
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id)
if [ "${id}" == "null" ]; then
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }}
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }}
fi
caf_foundations:
name: caf_foundations
runs-on: ubuntu-latest
needs: level0
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_caf_foundations"]
region: ["westus2"]
convention: ["random"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
landingzone_starter:
name: landingzone_starter
runs-on: ubuntu-latest
needs: [level0, caf_foundations]
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_starter"]
region: ["westus2"]
convention: ["random"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
job_id=${{ job.container.id }}
workspace=${job_id:0:63}
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy starter
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_starter apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var workspace=caffoundationsci'
- name: destroy starter
if: always()
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_starter destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var workspace=caffoundationsci'
- name: cleanup
run: |
stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name)
az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login

169
.github/workflows/ci-landingzone_vdc_demo.yml поставляемый

@ -1,169 +0,0 @@
#
# Copyright (c) Microsoft Corporation
# Licensed under the MIT License.
#
name: landingzone_vdc_demo
on:
push:
paths:
- 'landingzones/landingzone_vdc_demo/**'
- 'environments/**/landingzone_vdc_demo/**'
- '.github/workflows/ci-landingzone_vdc_demo.yml'
branches-ignore:
- master
env:
TF_CLI_ARGS: '-no-color'
TF_CLI_ARGS_destroy: '-auto-approve -refresh=false'
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
TF_VAR_azure_devops_pat_token: ${{ secrets.TF_VAR_azure_devops_pat_token }}
TF_VAR_azure_devops_url_organization: ${{ secrets.TF_VAR_azure_devops_url_organization }}
TFVARS_PATH: '/tf/caf/environments'
jobs:
level0:
name: level0
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
region: ["westus2"]
convention: ["random"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: Locate launchpad
run: |
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id)
if [ "${id}" == "null" ]; then
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource plan -var location=${{ matrix.region }}
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource apply -var location=${{ matrix.region }}
fi
caf_foundations:
name: caf_foundations
runs-on: ubuntu-latest
needs: level0
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_caf_foundations"]
region: ["westus2"]
convention: ["random"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
landingzone_vdc_demo:
name: landingzone_vdc_demo
runs-on: ubuntu-latest
needs: [level0, caf_foundations]
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_vdc_demo"]
region: ["westus2"]
convention: ["random", "cafrandom"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
options: --user 0
steps:
- uses: actions/checkout@v2
- name: setup context
id: context
run: |
ln -s ${GITHUB_WORKSPACE} /tf/caf
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
job_id=${{ job.container.id }}
workspace=${job_id:0:63}
echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy vdc_demo
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_vdc_demo apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
- name: destroy vdc_demo
if: always()
run: |
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_vdc_demo destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
- name: cleanup workspace
if: always()
run: |
stg_name=$(az storage account list --query "[?tags.tfstate=='level0']" -o json | jq -r .[0].name)
az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login


@ -12,8 +12,11 @@ on:
push:
branches:
- master
paths-ignore:
- 'documentation/**'
- '_pictures/**'
schedule:
- cron: '0 2 * * *'
- cron: '0 0 * * *'
env:
TF_CLI_ARGS: '-no-color'
@ -35,13 +38,14 @@ jobs:
matrix:
region: ["westus2"]
convention: ["random"]
launchpad: ["launchpad_opensource"]
container:
image: aztfmod/rover:2005.1510
image: aztfmod/rover:2007.0108
options: --user 0
steps:
- uses: actions/checkout@v2
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
@ -51,12 +55,16 @@ jobs:
- name: Locate launchpad
run: |
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].id)
ln -s ${GITHUB_WORKSPACE} /tf/caf
id=$(az storage account list --query "[?tags.tfstate=='level0' && tags.environment=='${{ github.run_id }}']" -o json | jq -r .[0].id)
if [ "${id}" == "null" ]; then
/tf/rover/launchpad.sh /tf/launchpads/${{ matrix.launchpad }} apply \
/tf/rover/rover.sh /tf/caf/landingzones/launchpad apply \
-launchpad \
--environment ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \ \
-var location=${{ matrix.region }} \
-var environment=${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}'
fi
@ -75,7 +83,7 @@ jobs:
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
image: aztfmod/rover:2007.0108
options: --user 0
steps:
@ -88,8 +96,8 @@ jobs:
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
# workspace='caffoundationsci'
# echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
@ -98,15 +106,13 @@ jobs:
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
--environment ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars'
landingzones:
name: landingzones
@ -117,13 +123,13 @@ jobs:
strategy:
fail-fast: false
matrix:
landingzone: ["landingzone_hub_spoke", "landingzone_secure_vnet_dmz", "landingzone_starter", "landingzone_vdc_demo"]
landingzone: ["landingzone_hub_spoke", "landingzone_secure_vnet_dmz", "landingzone_starter", "landingzone_vdc_demo", "landingzone_hub_mesh"]
region: ["westus2"]
convention: ["cafrandom"]
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
image: aztfmod/rover:2007.0108
options: --user 0
steps:
@ -136,9 +142,9 @@ jobs:
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
job_id=${{ job.container.id }}
workspace=${job_id:0:63}
echo ::set-env name=TF_VAR_workspace::${workspace}
# job_id=${{ job.container.id }}
# workspace=${job_id:0:63}
# echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
@ -147,30 +153,20 @@ jobs:
echo "local user: $(whoami)"
- name: workspace
run: |
/tf/rover/launchpad.sh workspace create ${TF_VAR_workspace}
- name: deploy landing_zone
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} apply \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
-env ${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars'
- name: destroy landing_zone
if: always()
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars' \
'-var workspace=caffoundationsci'
- name: cleanup workspace
if: always()
run: |
stg_name=$(az storage account list --query "[?tags.tfstate=='level0' && tags.workspace=='level0']" -o json | jq -r .[0].name)
az storage container delete --account-name ${stg_name} --name ${TF_VAR_workspace} --auth-mode login
--environment ${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}.tfvars'
caf_foundations_destroy:
name: caf_foundations_destroy
@ -187,7 +183,7 @@ jobs:
environment: ["integration-tests"]
container:
image: aztfmod/rover:2005.1510
image: aztfmod/rover:2007.0108
options: --user 0
steps:
@ -200,8 +196,8 @@ jobs:
echo "ls /tf/caf" && ls -lsa /tf/caf
ls -lsa /tmp
workspace='caffoundationsci'
echo ::set-env name=TF_VAR_workspace::${workspace}
# workspace='caffoundationsci'
# echo ::set-env name=TF_VAR_workspace::${workspace}
- name: Login azure
run: |
@ -213,9 +209,11 @@ jobs:
- name: destroy caf_foundations
run: |
/tf/rover/rover.sh /tf/caf/landingzones/${{ matrix.landingzone }} destroy \
'-var tags={testing-job-id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' \
'-auto-approve'
--environment ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
'-var-file ${{ env.TFVARS_PATH }}/${{ matrix.environment }}/${{ matrix.landingzone }}/${{ matrix.landingzone }}_${{ matrix.region }}_${{ matrix.convention }}.tfvars' \
'-auto-approve'
level0_destroy:
name: level0_destroy
@ -230,10 +228,12 @@ jobs:
convention: ["random"]
container:
image: aztfmod/rover:2005.1510
image: aztfmod/rover:2007.0108
options: --user 0
steps:
- uses: actions/checkout@v2
- name: Login azure
run: |
az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
@ -243,9 +243,13 @@ jobs:
- name: Remove launchpad
run: |
/tf/rover/launchpad.sh /tf/launchpads/launchpad_opensource destroy \
ln -s ${GITHUB_WORKSPACE} /tf/caf
/tf/rover/rover.sh /tf/caf/landingzones/launchpad destroy \
-launchpad \
-env ${{ github.run_id }} \
-var prefix=g${{ github.run_id}} \
-var location=${{ env.region }} \
-var environment=${{ github.run_id }} \
'-var tags={testing_job_id="${{ github.run_id }}"}' \
-auto-approve


@ -1,9 +1,29 @@
## v6.0.2006 (June 2020)
BREAKING CHANGES:
* New launchpad. You must destroy the 2005:1510 first before redelpoying this version of the launchap.
FEATURES:
* **feature:** Update new Azure Activity Logs capability [#39](https://github.com/Azure/caf-terraform-landingzones/issues/39)
* **feature:** New landing_zone for networking using hub spoke with Azure Virtual WAN [#41](https://github.com/Azure/caf-terraform-landingzones/issues/41)
* **feature:** Support for NSG naming, extended fields, and update to address-prefixes [#44](https://github.com/Azure/caf-terraform-landingzones/issues/44)
* **feature:** Added support for [Visual Studio Codespaces](https://online.visualstudio.com/environments/new?name=caf%20landing%20zones&repo=azure/caf-terraform-landingzones)
* **workspace:** Increased command history, tab size set to 2 and eol settings.
* **rover :** upgrade to rover 2006 - support for Terraform 0.28 - added toolset for development and bootstrap process, decoupling launchpad and rover.
* **added support for azurerm 2.16 :** On all sample landing zones [azurerm provider](https://github.com/terraform-providers/terraform-provider-azurerm/releases/tag/v2.16.0)
* **documentation :** Iterating on documentation, adding clarifications on component roles, modules engineering criteria, architecture and delivery techniques.
DEPRECATED:
* launchpad command has been merged into the rover command. See getting started.
## v5.1.2005 (May 2020)
FEATURES:
* **rover :** upgrade to rover 2005.1510 - improved support for Azure DevOps and GitHub Actions
* **added support for azurerm 2.11 :** On all sample landing zones [azurerm provider](https://github.com/terraform-providers/terraform-provider-azurerm/releases/tag/v2.11.0)
* **added support for azurerm 2.11 :** On all sample landing zones [azurerm provider](https://github.com/terraform-providers/terraform-provider-azurerm/releases/tag/v2.11.0)
* **documentation :** revamp doc and added guidance on Azure DevOps and GitHub actions pipelines [#28](https://github.com/Azure/caf-terraform-landingzones/issues/28)
## v5.0.2005 (May 2020)
@ -11,7 +31,7 @@ FEATURES:
FEATURES:
* **rover :** upgrade to rover 2005.1314 - improved support for Azure DevOps and GitHub Actions
* **added support for azurerm 2.9 :** On all sample landing zones [azurerm provider](https://github.com/terraform-providers/terraform-provider-azurerm/releases/tag/v2.9.0)
* **added support for azurerm 2.9 :** On all sample landing zones [azurerm provider](https://github.com/terraform-providers/terraform-provider-azurerm/releases/tag/v2.9.0)
* **documentation :** added guidance and documentation on LZ hierarchy and delivery [#32](https://github.com/Azure/caf-terraform-landingzones/pull/32)
* **devops :** added GitHub actions workflows to implement integration tests on public repository [25](https://github.com/Azure/caf-terraform-landingzones/issues/25)


@ -1,4 +1,6 @@
![landingzones](https://github.com/Azure/caf-terraform-landingzones/workflows/landingzones/badge.svg)
![landingzones](https://github.com/Azure/caf-terraform-landingzones/workflows/landingzones-vnext/badge.svg)
[![VScodespaces](https://img.shields.io/endpoint?url=https%3A%2F%2Faka.ms%2Fvso-badge)](https://online.visualstudio.com/environments/new?name=caf%20landing%20zones&repo=azure/caf-terraform-landingzones)
# Azure Cloud Adoption Framework landing zones for Terraform
@ -23,7 +25,9 @@ Cloud Adoption Framework for Azure Terraform landing zones is an Open Source pro
## Getting started
See our [Getting Started](./documentation/getting_started/getting_started.md)
See our [Getting Started](./documentation/getting_started/getting_started.md) on your laptop, or on the web with [Getting Started on VSCodespaces](./documentation/getting_started/getting_started_codespaces.md).
See our [Getting Started Video](https://www.youtube.com/watch?v=t1exCkWft60)
## Documentation
@ -33,24 +37,24 @@ More details on how to develop, deploy and operate with landing zones can be fou
Currently we provide you with the following sample landing zones:
| Name | Purpose | Depends on | Tested with launchpad
| -------------------------------------------------------------------------- | ---------------- | -- | -- |
| [landingzone_caf_foundations](./landingzones/landingzone_caf_foundations) | setup all the fundamentals for a subscription (logging, accounting, security.). You can find all details of the caf_foundations landing zone [Here](./landingzones/landingzone_caf_foundations/readme.md) | N/A | launchpad_opensource_light, launchpad_opensource |
| [landingzone_hub_spoke](./landingzones/landingzone_hub_spoke) | example of [hub and spoke environment](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) documentation [here](./landingzones/landingzone_hub_spoke/readme.md) | landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| [landingzone_vdc_demo](./landingzones/landingzone_vdc_demo) | setup a demo environment of a hub-spoke topology including shared services, as well as various DMZ (ingress, egress, transit). You can find all details of the vdc_demo landing zone [Here](./landingzones/landingzone_vdc_demo/readme.md)| landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| [landingzone_secure_vnet_dmz](./landingzones/landingzone_secure_vnet_dmz) | (preview) this is an early implementation of the reference architecture [secure_vnet_dmz](https://docs.microsoft.com/en-gb/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). This is a work in progress used to illustrate landing zone creation process as described [here](./documentation/code_architecture/how_to_code_a_landingzone.md) . You can find all details of the secure vnet dmz landing zone [Here](./landingzones/landingzone_secure_vnet_dmz/readme.md)| landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| [landingzone_starter](./landingzones/landingzone_starter) | this is an empty landing zones to use as a template to develop a level 2 landing zone. You can find all details of the starter landing zone [Here](./landingzones/landingzone_starter/readme.md)| landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| Name | Purpose | Depends on | Tested with launchpad |
|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|--------------------------------------------------|
| [landingzone_caf_foundations](./landingzones/landingzone_caf_foundations) | setup all the fundamentals for a subscription (logging, accounting, security.). You can find all details of the caf_foundations landing zone [Here](./landingzones/landingzone_caf_foundations/readme.md) | N/A | launchpad_opensource_light, launchpad_opensource |
| [landingzone_hub_spoke](./landingzones/landingzone_hub_spoke) | example of [hub and spoke environment](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) documentation [here](./landingzones/landingzone_hub_spoke/readme.md) | landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| [landingzone_hub_mesh](./landingzones/landingzone_hub_mesh) | example of [hub and mesh environment with Azure Virtual WAN](https://docs.microsoft.com/en-us/azure/virtual-wan) documentation [here](./landingzones/landingzone_hub_mesh/readme.md) | landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| [landingzone_vdc_demo](./landingzones/landingzone_vdc_demo) | setup a demo environment of a hub-spoke topology including shared services, as well as various DMZ (ingress, egress, transit). You can find all details of the vdc_demo landing zone [Here](./landingzones/landingzone_vdc_demo/readme.md) | landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| [landingzone_secure_vnet_dmz](./landingzones/landingzone_secure_vnet_dmz) | (preview) this is an early implementation of the reference architecture [secure_vnet_dmz](https://docs.microsoft.com/en-gb/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). This is a work in progress used to illustrate landing zone creation process as described [here](./documentation/code_architecture/how_to_code_a_landingzone.md) . You can find all details of the secure vnet dmz landing zone [Here](./landingzones/landingzone_secure_vnet_dmz/readme.md) | landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
| [landingzone_starter](./landingzones/landingzone_starter) | this is an empty landing zones to use as a template to develop a level 2 landing zone. You can find all details of the starter landing zone [Here](./landingzones/landingzone_starter/readme.md) | landingzone_caf_foundations | launchpad_opensource_light, launchpad_opensource |
## Repositories
| Repo | Description |
| -----| ------------|
| [caf-terraform-landingzones](https://github.com/azure/caf-terraform-landingzones) (You are here!) | landing zones repo with sample and core documentations |
| [rover](https://github.com/aztfmod/rover) | devops toolset for operating landing zones |
| [launchpads](https://github.com/aztfmod/level0) | launchpads to support landing zones deployments |
| [azure_caf_provider](https://github.com/aztfmod/terraform-provider-azurecaf) | custom provider for naming conventions |
| [modules](https://registry.terraform.io/modules/aztfmod) | set of curated modules available in the Terraform registry |
| Repo | Description |
|---------------------------------------------------------------------------------------------------|------------------------------------------------------------|
| [caf-terraform-landingzones](https://github.com/azure/caf-terraform-landingzones) (You are here!) | landing zones repo with sample and core documentations |
| [rover](https://github.com/aztfmod/rover) | devops toolset for operating landing zones |
| [launchpads](https://github.com/aztfmod/level0) | launchpads to support landing zones deployments |
| [azure_caf_provider](https://github.com/aztfmod/terraform-provider-azurecaf) | custom provider for naming conventions |
| [modules](https://registry.terraform.io/modules/aztfmod) | set of curated modules available in the Terraform registry |
## Community

Двоичные данные
_pictures/code_architecture/components.png


Двоичные данные
_pictures/code_architecture/landingzone_composition.png Normal file


Двоичные данные
_pictures/code_architecture/landingzone_state.png Normal file


Двоичные данные
_pictures/delivery/code_repo.png Normal file


Двоичные данные
_pictures/delivery/config_repo.png Normal file


Двоичные данные
_pictures/getting_started/vs_codespaces_create.png Normal file


Двоичные данные
_pictures/getting_started/vs_codespaces_create2.png Normal file


Двоичные данные
_pictures/getting_started/vs_codespaces_create3.png Normal file


Двоичные данные
_pictures/getting_started/vs_codespaces_create4.png Normal file


Двоичные данные
_pictures/getting_started/vs_codespaces_docker.png Normal file


Двоичные данные
_pictures/getting_started/vs_codespaces_getting_started.png Normal file


Двоичные данные
_pictures/getting_started/vs_codespaces_rover.png Normal file


Двоичные данные
_pictures/hub_spoke/virtual_wan_lz.png Normal file



@ -2,23 +2,17 @@
In this series of articles, we describe the development, code architecture, the delivery mechanisms and operations guide for enterprise adoption of landing zones.
## Development and code architecture
## Getting started
[Getting started on your laptop](./getting_started/getting_started.md)
[Getting started on Visual Studio CodeSpaces](./getting_started/getting_started_codespaces.md)
## Landing zones architecture
[Introduction to Azure landing zones architecture](./code_architecture/intro_architecture.md)
[Introduction to service composition inside landing zones](./code_architecture/service_composition.md)
[Create your first landing zone in 10 easy steps - part 1](./code_architecture/how_to_code_a_landingzone.md)
[Unit and integration testing modules](./test/unit_test.md)
[CAF landing zones hierarchy model](./code_architecture/hierarchy.md)
[CAF module development conventions](./code_architecture/module_conventions.md)
Soon - [Create your first landing zone in 10 easy steps - part 2]()
Soon - [Developing landing zones, modules, blueprints]()
[Entreprise landing zones hierarchy model](./code_architecture/hierarchy.md)
## Delivery of landing zones
@ -30,10 +24,23 @@ Soon - [Developing landing zones, modules, blueprints]()
Soon - [Deployment guide for Azure CAF landing zones]()
## Operating an environment with landing zones
## Development and code
[Modules development conventions](./code_architecture/module_conventions.md)
[Modules Unit and integration testing](./test/unit_test.md)
Soon - [Landing zones development conventions]()
[Introduction to service composition inside landing zones](./code_architecture/service_composition.md)
[Create your first landing zone in 10 easy steps - part 1](./code_architecture/how_to_code_a_landingzone.md)
Soon - [Create your first landing zone in 10 easy steps - part 2]()
Soon - [Developing landing zones, modules, blueprints]()
Soon - [Deep-dive on launchpad]()
Soon - [Introduction to GitOps for landing zones]()
Soon - [The people, procedures and policies]()


@ -1,10 +1,10 @@
# Understanding landing zones hierarchy
Isolation of different Terraform state files is an important factor of reliability in an enterprise deployment.
To address enterprise complexity, we recommend isolating different landing zones and therefore the separation of different Terraform state files.
## Layered approach
Separating the Terraform states enables:
Separating the Terraform states enables us to:
- **Control blast radius**: if one configuration is deficient, its only impact the landing zone in scope and does not compromise the whole environment.
- **Enforce standard configuration**: by using different Terraform state, you can compose a complex environment very fast.
@ -17,30 +17,32 @@ Cloud Adoption Framework for Azure proposes a hierarchy of landing zones based o
### Level 0: Transition from manual to automation
Create the subscriptions (for levels 0 to level 4), creates the Terraform state repository for the different environments (sandpit, production, dev), created the privileged access workstation, and service principals.
Level 0 also enables the connection to the Azure DevOps environment as well as the creation of the DevOps private agents and the needed Azure AD groups for collaboration between the developers of the environment.
Level 0 creates and onboards the desired subscriptions, creates the Terraform state repository for the different environments (sandpit, production, dev), creates the privileged access workstation, and service principals. Level 0 also enables the connection to the Azure DevOps environment as well as the creation of the DevOps private agents as well as the necessary Azure AD groups for collaboration between the developers of the environment.
### Level 1: Core security, Governance and Accounting
Level 1 is responsible for RBAC enforcement on the subscriptions, subscription behavior configuration using Azure Management groups and Azure Policies ensures deployment of preventive and reactive controls.
This level is also in charge of deploying the fundamental configuration for Azure Monitor and Log analytics, shared security services, including Azure Event Hub namespace for integration with third parties SIEM solutions.
Level 1 is responsible for Role Based Access Control (RBAC) enforcement of the subscriptions, subscription behavior configuration using Azure Management groups. Azure Policies ensures deployment of preventive and reactive controls. This level is also in charge of deploying the fundamental configuration for Azure Monitor and Log analytics, shared security services, including Azure Event Hub namespace for integration with third parties SIEM solutions.
### Level 2: Shared services
Shared services include each environments the core networking components (using hub and spoke or any other network topology). Level 2 also includes services like Azure Site Recovery Vault for Backup and Disaster Recovery, Azure monitor settings for the monitoring of the environment alongside with Azure Automation for patch management of the resources.
Other resources could be image management for virtual machines in the environment.
Shared services include each environment's core networking components (using hub and spoke or any other network topology). Level 2 also includes services like Azure Site Recovery Vault for Backup and Disaster Recovery, Azure Monitor settings for the monitoring of the environment alongside with Azure Automation for patch management of the resources. Other resources could be image management for virtual machines in the environment.
### Level 3: Application infrastructure
This layer is responsible for enforcing the application environment overall configuration for instance the Azure AppService environment, the Azure Kubernetes Services Cluster, the API Management services and all its dependency to deliver a service: deploying the Azure Application Gateway, Web Application Firewall.
This layer is responsible for enforcing the application's environment overall configuration for instance the Azure AppService environment, the Azure Kubernetes Services Cluster, the API Management services and all its dependency to deliver a service: deploying the Azure Application Gateway, Web Application Firewall.
### Level 4: Application layer
This level contains the application configuration and links to the source repository and frameworks. It describes which framework is used (for instance Springboot microservices, dotnet core, etc.) and described the configuration of the application (how many instances, how to link to the database, etc.).
This level contains the application configuration and links to the source repository and frameworks. It describes which framework is used (for instance Springboot microservices, dotnet core, etc.) and describes the configuration of the application (how many instances, how to link to the database, etc.).
## Operate with landing zones hierarchy
A deployment will typically contain little "level 0" landing zones, a few "level 1" and "2", couple of "level 3" and as many "level 4" as applications will exist in an environment.
A deployment will typically contain:
* one \"level 0\" landing zones
* a few \"level 1\" and \"2\"
* a couple of \"level 3\"
* many \"level 4\" applications will exist in an environment.
It is important to keep in mind that each landing zone will be enforced by a pipeline as showing below:
@ -50,6 +52,21 @@ For a given "level" in the environment, each Agent VM will be assigned a managed
- The target Azure Subscription
- The Terraform state file: will be Read and Write permissions for the current level, will be Read only permissions for a "lower" level type of landing zone, avoiding alterations on more privileged environments.
In the example above, each pipeline will have its lifecycle management (typically, level 0 and 1 will be initiated at every new subscription creation, while level 4 could be initiated as many times a day you deploy code in your application environment).
In the example above, each pipeline will have its lifecycle management:
* Level 0 and 1 will be called at every new subscription creation
* Level 2 will be triggered when you are opening a new regional hub
* Level 3 will be triggered when you deploy a new service (Application Gateway, App Service Environment, Azure Kubernetes Services, etc.)
* Level 4 can be initiated as many times a day as you deploy code in your application environment).
### Service composition across layers
To deliver a complete environment, just as for any other software project, we want to avoid a monolithic configuration and instead compose an environment calling multiple landing zones.
With Terraform, you can read a state file's output and use it as input variables for another landing zone. We use this feature to compose complex architectures as illustrated below:
![Composition](../../_pictures/code_architecture/landingzone_composition.png)
For more details, you can refer to: [Introduction to service composition inside landing zones](./code_architecture/service_composition.md)
[Back to summary](../README.md)


@ -1,6 +1,7 @@
# Introduction to Azure landing zones components
Azure landing zones help you deploy a complete environment. The solution as published on this repository is composed of the following components:
Azure landing zones help you deploy a complete environment leveraging
the following elements:
![Overview](../../_pictures/code_architecture/components.png)
@ -12,41 +13,22 @@ In order to bootstrap an environment, we provide the following minimal DevOps co
[Source here](https://github.com/aztfmod/rover)
The "rover" is part of the fundamental tool set of the Azure Cloud Adoption Framework landing zones, it will allow you to deploy all the landing zones in a consistent and automated way.
The \"rover\" is part of the fundamental toolset of the Azure CAF landing zone model. The rover allows you to deploy all landing zones in a consistent and automated way:
+ It is Docker container running on all platforms transparently: Windows, Linux, Mac.
+ Allows validated **versioned** tool set
+ Helps you preserving stability across components versions
+ Helps you testing different versions of binaries (new version of Terraform, Azure CLI, etc.)
+ Facilitates the transition to CI/CD
+ Simplifies setup across DevOps teams: everyone works with the same versions of the tools
+ Integrates standard Cloud Adoption Framework and demo landing zones
* It is a Docker **container** running on all platforms transparently: Windows, Linux, Mac.
* Allows a validated **versioned** tool set.
Advantages of using the rover compared to running Terraform directly on your machine:
* Simplifies setup and configuration across DevOps teams: everyone works with the same versions of the tools.
* Abstracts and helps with the Terraform state management.
* Helps preserve stability across components versions.
* Helps testing different versions of binaries (new version of Terraform, Azure CLI, jq, tflint etc.)
* Facilitates the identity transition to any CI/CD.
* Allows easy transition from one DevOps environment to another (GitHub Actions, Azure DevOps, Jenkins, CircleCI etc.)
![Rover](../../_pictures/code_architecture/rover.png)
### launchpad
[Source here](https://github.com/aztfmod/level0)
Launchpad acts as a your toolbox to deploy and manage the fundamentals of a deployment:
+ It will help you manage the Terraform states
+ Manage different environments (subscriptions, accounts, etc.)
+ Bootstraps the initial blueprints
![Launchpad](../../_pictures/code_architecture/launchpad.png)
In order to manage different subscriptions and environment, the launchpad can rely on **level0 blueprints**
A level0 blueprint is the foundation of account and subscription management, as such it is in charge of:
+ Defining how to store and retrieve the Terraform state
+ Defining the core of secrets protection for the Terraform state
+ Defining the management of the principals or identities for a complex environnement
+ Defining how to access/partition the different subscriptions
Currently we support an open source version of [level0 blueprints](https://github.com/aztfmod/level0). We are currently working on a [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html) edition of level0 blueprint, feel free to join the corresponding working Channel on Teams.
## Modules
[Source here](https://github.com/aztfmod/)
@ -57,24 +39,47 @@ Modules must have a strong versioning, in the CAF modules, we use semantic versi
![Modules](../../_pictures/code_architecture/modules.png)
## Blueprints, or services
[Source here](https://github.com/aztfmod/blueprints)
A blueprint is a reusable set of infrastructure components put together to deliver a service. In its structure, it calls a set of modules, and may call directly resources in order to stich components together.
![Blueprints](../../_pictures/code_architecture/blueprints.png)
## Landing zone
[Source here](https://github.com/aztfmod/landginzones)
A landing zone is a composition of multiple blueprints and resources to deliver a full application environment.
The landing zone is **responsible** for the **Terraform state**, and will export outputs that may be reused by other landing zones.
The delivery of a full landing zone might be decomposed in multiples levels in other to manage different personas and contain the blast radius that a mistake could incur in one landing zone.
A landing zone is a composition of multiple resources (modules, blueprints/services) that deliver a full application environment.
![Landingzone](../../_pictures/code_architecture/landingzone.png)
The landing zone is **responsible** for the **Terraform state** and will produce outputs that may be reused by other landing zones as follow:
![Landingzone](../../_pictures/code_architecture/landingzone_state.png)
A landing zone can contain subparts called blueprints, also called services, which are reusable sets of infrastructure components that have been assembled to deliver a service, for instance, an egress DMZ or a solution like Network Virtual Appliance from a third party vendor.
Blueprints/Services can be stored either inside the landing zones (as a subdirectory for instance) or re-used across landing zones while stored in another directory.
The delivery of a full landing zone might be decomposed in multiples levels in order to manage different personas and contain the blast radius that a mistake might incur in one landing zone.
### Launchpad
[Source here](https://github.com/aztfmod/level0)
A special landing zone is called launchpad and it acts as your toolbox to deploy the resources that in turn helps manage the fundamentals of a full landing zone deployment:
* Manage the Terraform states of the deployed landing zones
* Manage different setup (subscriptions, accounts, etc.) and environment (DEV, UAT, PROD)
* Bootstraps the initial blueprints
![Launchpad](../../_pictures/code_architecture/launchpad.png)
To manage different subscriptions and environment, the launchpad relies
on a **level0 landing zone:**
A level0 landing zone is the foundation of account and subscription management. As such it defines:
* Defining how to store and retrieve the Terraform state.
* Defining the core of secrets protection for the Terraform state.
* Defining the management of the principals or identities for a complex environment.
* Defining how to access/partition the different subscriptions.
Currently we support an open source version of [level0 blueprints](https://github.com/aztfmod/level0).
We are currently working on a [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html) edition of level0 blueprint.
[Back to summary](../README.md)


@ -1,46 +1,152 @@
# Conventions for module creation
# Conventions for module development
All modules shall be stored inside a different repository, and must use the convention as described [here](https://www.terraform.io/docs/registry/modules/publish.html).Module must use semantic versioning.
This document summarizes our coding practices for modules, they are liberally based on https://www.terraform.io/docs/modules/index.html.
## Structure for the module directory
All modules must be stored inside a different repository, since module will be published on the Terraform Registry they must use the naming convention as described [here](https://www.terraform.io/docs/registry/modules/publish.html).
| Filename| Content |
|--|--|
| main.tf | Contains the entry point data, data sources, etc.|
| module.tf | Contains the main coding for the module logic. |
| variables.tf | Contains the input variables.|
| diagnostics.tf | Contains the call to the diagnostics and operations logs features for the resources created in the module. This will be called via the external diagnostics module using the arguments passed in tfvars. |
| versions.tf | Terraform modules versions constraints if any. Avoid as possible to put version constraints in module and try to manage that in the blueprints. |
| output.tf | Output variables to export. |
| README.MD | Short description of the features the module is achieving, the input and output variables. |
| CHANGELOG.MD | Version history, new features, improvements and bugs with version number aligned with GitHub releases. |
Checklist for module publication:
## Examples
1. Coding conventions described below.
2. Provide example including the main scenario the module is supposed to achieve.
3. Use naming convention.
4. Follow the common engineering criteria.
5. Include code validation hooks.
6. Include unit and integration testing.
## Modules structure convention
### Root file structure
The main module directory will contain at least the following files:
| Filename | Content |
|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main.tf | Contains the entry point data, data sources, etc. |
| module.tf | Contains the main coding for the module logic. |
| variables.tf | Contains the input variables. |
| diagnostics.tf | Contains the call to the diagnostics and operations logs features for the resources created in the module. This will be called via the external diagnostics module using the arguments passed in tfvars. |
| versions.tf | Terraform modules versions constraints if any. Avoid as possible to put version constraints in module and try to manage that in the blueprints. |
| output.tf | Output variables to export. |
| README.MD | Short description of the features the module is achieving, the input and output variables. |
| CHANGELOG.MD | Version history, new features, improvements and bugs with version number aligned with GitHub releases. |
### Mandatory examples
Each module must have at least an example that must be easy to trigger, you shall use the following structure for examples:
| Filename| Content |
|--|--|
| README.MD | Short description of the example, the input and output variables. |
| locals.tf | Contains the local variable that are necessary to make the module example working. |
| outputs.tf | Output variables to export.|
| test.tf | Contains the logic of the test that will call the module locally and will include dependencies to make the example working |
| Filename | Content |
|------------|----------------------------------------------------------------------------------------------------------------------------|
| README.MD | Short description of the example, the input and output variables. |
| locals.tf | Contains the local variable that are necessary to make the module example working. |
| outputs.tf | Output variables to export. |
| test.tf | Contains the logic of the test that will call the module locally and will include dependencies to make the example working |
In examples, please use *caf_random* or *random* naming convention in order to avoid naming collisions.
In examples, you must use *caf_random* or *random* naming convention in order to avoid naming collisions.
## Unit and Integration testing
### Module Output conventions
Each module must implement integration and unit testing using GitHub Actions following the example here:https://github.com/aztfmod/terraform-azurerm-caf-resource-group
As a convention we will use the following minimal module outputs:
Please refer to the unit and integration testing reference article: https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/test/unit_test.md
| Output variable name | Content |
|----------------------|----------------------------------|
| id | returns the object identifiers |
| name | returns the object name |
| object | returns the full resource object |
## Module Diagnostics
Any other resource specific outputs.
In order to allow flexibility, the diagnostics settings for each module will be passed as variable with the following object:
## Common engineering criteria
### CEC1: Naming convention provider
Every resource created must use the naming convention provider as published here: https://github.com/aztfmod/terraform-provider-azurecaf
If you are developing a module for which there is no current support for naming convention method, please submit an issue: https://github.com/aztfmod/terraform-provider-azurecaf/issues
Example of naming convention provider usage to create a virtual network:
```hcl
resource "azurecaf_naming_convention" "caf_name_vnet" {
name = var.networking_object.vnet.name
prefix = var.prefix != "" ? var.prefix : null
postfix = var.postfix != "" ? var.postfix : null
max_length = var.max_length != "" ? var.max_length : null
resource_type = "azurerm_virtual_network"
convention = var.convention
}
```
At the resource creation, you use the ```result``` output of the ```azurecaf_naming_convention``` provider:
```hcl
resource "azurerm_virtual_network" "vnet" {
name = azurecaf_naming_convention.caf_name_vnet.result
location = var.location
resource_group_name = var.resource_group_name
address_space = var.networking_object.vnet.address_space
tags
```
In order to support naming convention, the following variables are leveraged for each module:
```hcl
diag_object = {
variable "convention" {
description = "(Required) Naming convention method to use"
}
variable "prefix" {
description = "(Optional) You can use a prefix to the name of the resource"
type = string
default = ""
}
variable "postfix" {
description = "(Optional) You can use a postfix to the name of the resource"
type = string
default = ""
}
variable "max_length" {
description = "(Optional) You can specify a maximum length to the name of the resource"
type = string
default = "60"
}
```
### CEC2: Mandate usage of diagnostics for all components deployed
#### Log repositories
All resources deployed within a module must have diagnostics logging enabled, those diagnostics capabilities are not the module responsibilities and must be implemented outside via the appropriate fundamental modules:
1. [Diagnostics logging](https://github.com/aztfmod/terraform-azurerm-caf-log-analytics)
2. [Log Analytics](https://github.com/aztfmod/terraform-azurerm-caf-diagnostics-logging)
Please refer to the two modules documentation for the output format.
For each module deploying resources with diagnostics capabilities, the output of those two modules will be mandatory input variables as follow:
```hcl
variable "diagnostics_map" {
description = "(Required) contains the SA and EH details for operations diagnostics"
}
variable "log_analytics_workspace" {
description = "(Required) contains the log analytics workspace details for operations diagnostics"
}
```
#### Log parameters
To enable diagnostics for a module, you must use input variable ```diagnostics_settings``` as follows:
```hcl
variable "diagnostics_settings" {
description = "(Required) configuration object describing the diagnostics"
}
```
A diagnostic_settings object is structured as follow:
```hcl
diagnostics_settings = {
log = [
["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureBackupReport", true, true, 20],
]
metric = [
@ -49,16 +155,101 @@ diag_object = {
}
```
## Module Output conventions
For readability we don't generally recommend too deep module nesting, but in order to abstract the setting of the diagnostics with the diagnostic structure described above, you can leverage the: [Diagnostics settings module](https://github.com/aztfmod/terraform-azurerm-caf-diagnostics) for Cloud Adoption Framework for Azure landing zones:
As a convention we will use the following minimal module outputs:
### CEC3: Avoid count iterators
| Output variable name | Content |
|--|--|
| id | returns the object identifiers|
| name | returns the object name |
| object | returns the full resource object |
In order to allow reliable iterations within the modules, we recommend using ```for_each``` iteration and decomission usage of count for iterations as much as possible.
Any other resource specific outputs.
```hcl
resource "azurerm_log_analytics_solution" "la_solution" {
for_each = var.solution_plan_map
solution_name = each.key
location = var.location
resource_group_name = var.resource_group_name
workspace_resource_id = azurerm_log_analytics_workspace.log_analytics.id
workspace_name = azurerm_log_analytics_workspace.log_analytics.name
plan {
product = each.value.product
publisher = each.value.publisher
}
}
```
This will allow:
1. More reliable lifecycles for resources your create iteratively.
2. Using ```key`` that can be leveraged in other modules or resources iterations.
3. Better visibility in the log files.
### CEC4: Unicity of deployment
Starting on Terraform 0.13, modules shall not internally iterate on complex structure and this shall the done by the calling landing zone using ```for_each``` capabilities. This shall be slowly adapted and refactored and shall be revised depending on our findings.
### CEC5: Variables custom validation
Starting in Terraform 0.13, you can leverage custom variables validation. As documented [here](https://www.terraform.io/docs/configuration/variables.html) we recommend roll-out of this feature in module, alongside with default variables values including in complex objects.
Example: Custom validation
```hcl
variable convention {
description = "(Required) Naming convention to use"
type = string
default = "cafrandom"
validation {
condition = contains(["cafrandom", "random", "passthrough", "cafclassic"], var.convention)
error_message = "Allowed values are cafrandom, random, passthrough or cafclassic."
}
}
```
Example: Complex objects defaults:
```hcl
variable keyvaults {
description = "(Required) Key Vault objects to create"
default = {
launchpad = {
name = "launchpad"
resource_group_name = "caf-foundations"
region = "southeastasia"
convention = "cafrandom"
sku_name = "standard"
}
}
}
```
## Tooling
Modules must be developed using rover version > 2006.x as it comes with required tools:
* pre-commit: adds Git hooks before commits.
* tfsec: security static code analysis.
* tflint: linting for Terraform code.
* terraform_docs: automated generation of documentation.
Pre-commit minimum set of checks:
```yaml
- id: terraform_fmt
- id: terraform_docs
- id: terraform_tflint
- id: terraform_tfsec
```
## Unit and integration testing
Each module must implement integration and unit testing using GitHub Actions following the example here: https://github.com/aztfmod/terraform-azurerm-caf-resource-group
Please refer to the unit and integration testing reference article: https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/test/unit_test.md
### GitHub Actions for Testing
New modules must implement the automation of integration testing using GitHub actions and deploying the examples in an Azure test subscription.
This testing must also include static security analysis as https://github.com/triat/terraform-security-scan
[Back to summary](../README.md)


@ -1,10 +1,13 @@
# Delivery model for landing zones
Cloud Adoption Framework for Azure landing zones for Terraform are to be delivered mainly by DevOps, this includes providing guidances and toolset for deploying and operating an environment.
Cloud Adoption Framework for Azure landing zones for Terraform are to be delivered mainly by DevOps pipelines. The example below shows what could be an execution environment for DevOps using a combination of GitHub and Azure DevOps.
## DevOps components
For DevOps and innovation to happen, we will have the following components to enforce configuration and applications inside Microsoft Azure:
The above model illustrates using both GitHub and Azure DevOps, but precisely because we are using the rover, it is relatively easy to pick your favorite enterprise toolset: Terraform Cloud/Enterprise, Jenkins, CircleCI, etc.
In greater detail we see the DevOps pipelines enforcing the landing
zones as below:
- **A inner feedback loop**:
Meant to provide very quick feedback to developers and DevOps engineers, offers the possibility to develop code, test it fast and iterate at fast pace.
@ -15,42 +18,21 @@ A whole execution environment composed of pipelines executed in a customer envir
- **Rover** is the DevOps toolchain that enables deployments as described [here](../code_architecture/intro_architecture.md).
We can distinguish two repositories for the environment:
- **Terraform scripts repositories**: will be used to store and describe logic of Terraform deployments (the script and core code that will be executed)
- **Terraform configuration repositories**: will be used to store and describe the configuration of the environment and of the applications.
Different environments like PROD, DEV, UAT, etc. will be implemented using different configuration files inside the configuration repository.
The Azure pipelines will be using Azure DevOps hosted agents will be authenticated by Azure Active Directory using Managed Identities. In order to control privileges and reduce attack surface, we propose a hierarchy of pipelines that is described [here](../code_architecture/hierarchy.md).
The Azure pipelines will use Azure DevOps hosted agents to run the rover. We will be authenticated by Azure Active Directory with [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) of the DevOps self-hosted agents.
## Repositories topology
During the lifecycle of the landing zones deployment you will find that it is easier to work with mono-repository environment (mixing Terraform and code variable). This is absolutely fine and will mature over time, as you add more modules, more complex environments and you want to move towards a full cycle of release.
Multiple approaches are valid depending on the size of your organization:
- By environment types:
```bash
tfvars
├── uat
| uat_landingzone_caf_foundations.tfvars
| uat_landingzone_networking.tfvars
├── prod
├── sandpit
├── ...
```
- By "classic" team structures
``` bash
tfvars
├── networking
| uat_landingzone_networking.tfvars
| test_landingzone_networking.tfvars
| prod_landingzone_networking.tfvars
├── audit
├── governance
├── etc.
```
The deployment of the self-hosted DevOps agent is completed by the
launchpad\_opensource which will setup the agents and managed identities
as described in the previous chapter (landing zones hierarchy). One
Virtual Machine will be deployed per level and each Virtual Machine will
manage a few self-hosted agents depending on concurrent deployments
needs, in order to control privileges and reduce attack surface, we propose a hierarchy of pipelines that is described [here](../code_architecture/hierarchy.md).
## GitOps for Azure landing zones
@ -61,4 +43,43 @@ Changes in the different environments introduced and promoted following GitOps c
- Changes are promoted only once they have reached quality gates (provided by automation, CI mechanisms and test suites executions) to promote higher quality changes.
- Changes are promoted only once they also have been validated by service owners in the environment (that can be declared in the DevOps configuration of the platform).
## Code and configuration repositories
GitOps leverages Git as a single source of truth for declarative
infrastructure and applications. Having a common code structure and
naming convention is critical to maintain code quality and enhance the
developer experience (especially for new team members).
When we deal with Infra as Code and landing zone deployments, we must
also make sure that the structure of our repository will support the
workflow of the different teams involved and enforce the segregation of
concerns with the multiple environments. *Should the code / variables be
organized by environments or by teams involved in the deployment
process*? Is a legitimate question. Code structure and organization is
always a hot topic, and while one size fits all is rarely the norm, we
tend to recommend starting with either of the following extending's on
Terraform (unclear) documentation.
![config](../../_pictures/delivery/code_repo.png)
For a given environment, ideally the code should remain identical and
only the variables should evolve. The following example illustrates the
two repository we recommend: one for the configuration and one for the code of deployment.
![config](../../_pictures/delivery/config_repo.png)
Looking closer at the configuration repository, we can see that each
environment is represented in a folder and each environment enforces the
following structure:
| **directory name** | **purpose and content** |
| -------------------| ------------------------|
| devops | Contains the DevOps environment variables to configure the Azure DevOps variable groups, and pipeline definitions |
| landingzones | Contains a directory for each landing zone. Each directory will include its own pipeline definition for apply, destroy, etc. Each directory must also contain the landing zones variable definitions files.
| launchpad | Contains the configuration files for the launchpad environment. |
An enterprise environment will consist of a series of pipelines
enforcing the different types of environments in different
subscriptions.
[Back to summary](../README.md)


@ -2,7 +2,7 @@
## Prerequisites
In order to start deploying your with CAF landing zones, you need the following components installed on your machine:
In order to start deploying your with CAF landing zones, you need an Azure subscription (Trial, MSDN, etc.) and you need to install the following components on your machine:
- [Visual Studio Code](https://code.visualstudio.com/)
- [Docker Desktop](https://docs.docker.com/docker-for-windows/install/)
@ -49,24 +49,22 @@ For that we will rely on Azure authentication as completed by Azure Cli, via bro
rover login
```
We recommend that you verify the output of the login and make sure the subscription selected by default is the one you want to work on. If not, you can use the following switch:
We recommend that you verify the output of the login and make sure the subscription selected by default is the one you want to work on. If not, you can use the following switch:
```bash
az account set --subscription <subscription_GUID>
```
On the first run, you need to use the launchpad to create the foundations for Terraform environment, the launchpad_opensource is the current way to set those foundations.
Running the following command:
On the first run, you need to use the launchpad to create the foundations for Terraform environment:
```bash
launchpad /tf/launchpads/launchpad_opensource_light apply
rover /tf/caf/landingzones/launchpad apply -launchpad
```
This command will interactively prompt you for *var.location*, asking for the name of a supported Azure region **where you want to deploy the Terraform state and dependencies**. You can specify that in the argument as in the following example:
```bash
launchpad /tf/launchpads/launchpad_opensource_light apply -var 'location=westus'
rover /tf/caf/landingzones/launchpad apply -launchpad -var 'location=westus'
```
You can then launch your first landing zone!


@ -0,0 +1,89 @@
# Getting stated with Azure Cloud Adoption Framework landing zones on Visual Studio Codespaces
## Introduction
Visual Studio Codespaces is a browser-based editor with support for Git repos, extensions, and a built-in command line interface so you canedit, run, and debugyour applications from any device. For more details on Visual Studio Codespace, you can visit the product page [here](https://visualstudio.microsoft.com/services/visual-studio-codespaces/)
## Prerequisites
In order to start deploying your with CAF landing zones on VS Codespaces, you need:
* an Azure subscription (Trial, MSDN, etc.)
## Create your account
Let's authenticate first:
[https://aka.ms/vso-login](https://aka.ms/vso-login)
![Signin](../../_pictures/getting_started/vs_codespaces_getting_started.png)
## Create the repository in Visual Studio Code
Create the landing zones Codespaces clicking here: [![VScodespaces](https://img.shields.io/endpoint?url=https%3A%2F%2Faka.ms%2Fvso-badge)](https://online.visualstudio.com/environments/new?name=caf%20landing%20zones&repo=azure/caf-terraform-landingzones)
![Create](../../_pictures/getting_started/vs_codespaces_create.png)
The create process will look something like that:
![Create](../../_pictures/getting_started/vs_codespaces_create2.png)
Once ready, you should have your Visual Studio Interface as follow:
![Create](../../_pictures/getting_started/vs_codespaces_create3.png)
Open a Terminal using ```CTRL``` + ```J``` or ```Command``` + ```J```
![Create](../../_pictures/getting_started/vs_codespaces_create4.png)
You are ready to use landing zones by launching the rover as below:
```bash
/tf/rover/rover.sh
```
![Create](../../_pictures/getting_started/vs_codespaces_rover.png)
## Deploying your first landing zone
You must be authenticated first:
For that we will rely on Azure authentication as completed by Azure Cli, via browser method:
```bash
/tf/rover/rover.sh login
```
We recommend that you verify the output of the login and make sure the subscription selected by default is the one you want to work on. If not, you can use the following switch:
```bash
az account set --subscription <subscription_GUID>
```
On the first run, you need to apply the launchpad as the first landing zone:
```bash
/tf/rover/rover.sh /tf/caf/landingzones/launchpad apply -launchpad
```
You can specify a location for the launchpad using the following command:
```bash
/tf/rover/rover.sh /tf/caf/landingzones/launchpad apply -launchpad -var location=westus
```
You can then launch your first landing zone!
Please note that each landing zone come with its own deployment settings, which may deploy resources in different region than where you set the foundations.
You are ready to start:
```bash
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations plan
```
```bash
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations apply
```
```bash
/tf/rover/rover.sh /tf/caf/landingzones/landingzone_caf_foundations destroy
```
Happy deployment with Azure landing zones, let us know your feedback and how you need it to evolve.


@ -2,111 +2,123 @@
## globalsettings
global_settings = {
#specifies the set of locations you are going to use in this landing zone
location_map = {
region1 = "westus2"
region2 = "eastasia"
}
#specifies the set of locations you are going to use in this landing zone
location_map = {
region1 = "westus2"
region2 = "eastasia"
}
#naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough
convention = "cafrandom"
#naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough
convention = "cafrandom"
#Set of tags for core operations
tags_hub = {
environment = "DEV"
owner = "CAF"
deploymentType = "Terraform"
costCenter = "1664"
BusinessUnit = "SHARED"
DR = "NON-DR-ENABLED"
}
#Set of tags for core operations
tags_hub = {
owner = "CAF"
deploymentType = "Terraform"
costCenter = "1664"
BusinessUnit = "SHARED"
DR = "NON-DR-ENABLED"
}
# Set of resource groups to land the blueprint
resource_groups_hub = {
HUB-CORE-SEC = {
name = "hub-core-sec"
location = "westus2"
}
HUB-OPERATIONS = {
name = "hub-operations"
location = "westus2"
}
# Set of resource groups to land the blueprint
resource_groups_hub = {
HUB-CORE-SEC = {
name = "hub-core-sec"
location = "westus2"
}
HUB-OPERATIONS = {
name = "hub-operations"
location = "westus2"
}
}
}
## accounting settings
accounting_settings = {
# Azure Subscription activity logs retention period
azure_activity_logs_name = "actlogs"
azure_activity_logs_event_hub = false
azure_activity_logs_retention = 365
# Azure Subscription activity logs retention period
azure_activity_logs_name = "actlogs"
azure_activity_logs_event_hub = false
azure_activity_logs_retention = 365
azure_activity_audit = {
log = [
# ["Audit category name", "Audit enabled)"]
["Administrative", true],
["Security", true],
["ServiceHealth", true],
["Alert", true],
["Recommendation", true],
["Policy", true],
["Autoscale", true],
["ResourceHealth", true],
]
}
# Azure diagnostics logs retention period
azure_diagnostics_logs_name = "diaglogs"
azure_diagnostics_logs_event_hub = false
# Azure diagnostics logs retention period
azure_diagnostics_logs_name = "diaglogs"
azure_diagnostics_logs_event_hub = false
#Logging and monitoring
analytics_workspace_name = "caflalogs"
#Logging and monitoring
analytics_workspace_name = "caflalogs"
##Log analytics solutions to be deployed
solution_plan_map = {
NetworkMonitoring = {
"publisher" = "Microsoft"
"product" = "OMSGallery/NetworkMonitoring"
}
##Log analytics solutions to be deployed
solution_plan_map = {
NetworkMonitoring = {
"publisher" = "Microsoft"
"product" = "OMSGallery/NetworkMonitoring"
}
}
}
## governance
governance_settings = {
#current code supports only two levels of managemenr groups and one root
deploy_mgmt_groups = false
management_groups = {
root = {
name = "caf-rootmgmtgroup"
subscriptions = []
#list your subscriptions ID in this field as ["GUID1", "GUID2"]
children = {
child1 = {
name = "tree1child1"
subscriptions = []
}
child2 = {
name = "tree1child2"
subscriptions = []
}
child3 = {
name = "tree1child3"
subscriptions = []
}
}
#current code supports only two levels of managemenr groups and one root
deploy_mgmt_groups = false
management_groups = {
root = {
name = "caf-rootmgmtgroup"
subscriptions = []
#list your subscriptions ID in this field as ["GUID1", "GUID2"]
children = {
child1 = {
name = "tree1child1"
subscriptions = []
}
child2 = {
name = "tree1child2"
subscriptions = []
}
child3 = {
name = "tree1child3"
subscriptions = []
}
}
}
policy_matrix = {
#autoenroll_asc = true - to be implemented via builtin policies
autoenroll_monitor_vm = false
autoenroll_netwatcher = false
}
no_public_ip_spoke = false
cant_create_ip_spoke = false
managed_disks_only = false
restrict_locations = false
list_of_allowed_locs = ["southeastasia", "eastasia"]
restrict_supported_svc = false
list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"]
msi_location = "southeastasia"
}
policy_matrix = {
#autoenroll_asc = true - to be implemented via builtin policies
autoenroll_monitor_vm = false
autoenroll_netwatcher = false
no_public_ip_spoke = false
cant_create_ip_spoke = false
managed_disks_only = false
restrict_locations = false
list_of_allowed_locs = ["southeastasia", "eastasia"]
restrict_supported_svc = false
list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"]
msi_location = "southeastasia"
}
}
## security
security_settings = {
#Azure Security Center Configuration
enable_security_center = false
security_center = {
contact_email = "email@email.com"
contact_phone = "9293829328"
}
#Enables Azure Sentinel on the Log Analaytics repo
enable_sentinel = true
#Azure Security Center Configuration
enable_security_center = false
security_center = {
contact_email = "email@email.com"
contact_phone = "9293829328"
}
#Enables Azure Sentinel on the Log Analaytics repo
enable_sentinel = true
}
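Review bot: On the new side the governance toggles `no_public_ip_spoke` through `msi_location` appear to sit inside `policy_matrix` (the `policy_matrix = {` block is not closed until after `msi_location`, followed by a second `}`), whereas the old side closed `policy_matrix` right after `autoenroll_netwatcher` and kept those keys directly under `governance_settings`. If that nesting is intended, whatever reads `governance_settings.no_public_ip_spoke` and the other moved keys needs the matching change, because an unread key in a tfvars object raises no Terraform error and the policies would just stop being applied; if it is only an artifact of the re-indentation, a short comment marking where `policy_matrix` ends would remove the ambiguity. The same structure appears in the second tfvars sample below, which differs from this one only in `convention = "random"` and the `KeyVaultAnalytics` solution. Both samples also drop `environment = "DEV"` from `tags_hub`, so the environment tag presumably has to come from the launchpad or CI variables now; a one-line comment above `tags_hub` saying so would save the next reader from re-adding it. Finally, the Security Center contact values `email@email.com` and `9293829328` are placeholders behind `enable_security_center = false`, so a comment such as `# replace contact_email/contact_phone before enabling - alerts are routed here` would stop them from shipping into a real tenant when the flag is flipped.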


@ -2,111 +2,123 @@
## globalsettings
global_settings = {
#specifies the set of locations you are going to use in this landing zone
location_map = {
region1 = "westus2"
region2 = "eastasia"
}
#specifies the set of locations you are going to use in this landing zone
location_map = {
region1 = "westus2"
region2 = "eastasia"
}
#naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough
convention = "random"
#naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough
convention = "random"
#Set of tags for core operations
tags_hub = {
environment = "DEV"
owner = "CAF"
deploymentType = "Terraform"
costCenter = "1664"
BusinessUnit = "SHARED"
DR = "NON-DR-ENABLED"
}
#Set of tags for core operations
tags_hub = {
owner = "CAF"
deploymentType = "Terraform"
costCenter = "1664"
BusinessUnit = "SHARED"
DR = "NON-DR-ENABLED"
}
# Set of resource groups to land the blueprint
resource_groups_hub = {
HUB-CORE-SEC = {
name = "hub-core-sec"
location = "westus2"
}
HUB-OPERATIONS = {
name = "hub-operations"
location = "westus2"
}
# Set of resource groups to land the blueprint
resource_groups_hub = {
HUB-CORE-SEC = {
name = "hub-core-sec"
location = "westus2"
}
HUB-OPERATIONS = {
name = "hub-operations"
location = "westus2"
}
}
}
## accounting settings
accounting_settings = {
# Azure Subscription activity logs retention period
azure_activity_logs_name = "actlogs"
azure_activity_logs_event_hub = false
azure_activity_logs_retention = 365
# Azure Subscription activity logs retention period
azure_activity_logs_name = "actlogs"
azure_activity_logs_event_hub = false
azure_activity_logs_retention = 365
azure_activity_audit = {
log = [
# ["Audit category name", "Audit enabled)"]
["Administrative", true],
["Security", true],
["ServiceHealth", true],
["Alert", true],
["Recommendation", true],
["Policy", true],
["Autoscale", true],
["ResourceHealth", true],
]
}
# Azure diagnostics logs retention period
azure_diagnostics_logs_name = "diaglogs"
azure_diagnostics_logs_event_hub = false
# Azure diagnostics logs retention period
azure_diagnostics_logs_name = "diaglogs"
azure_diagnostics_logs_event_hub = false
#Logging and monitoring
analytics_workspace_name = "caflalogs"
#Logging and monitoring
analytics_workspace_name = "caflalogs"
##Log analytics solutions to be deployed
solution_plan_map = {
KeyVaultAnalytics = {
"publisher" = "Microsoft"
"product" = "OMSGallery/KeyVaultAnalytics"
}
##Log analytics solutions to be deployed
solution_plan_map = {
KeyVaultAnalytics = {
"publisher" = "Microsoft"
"product" = "OMSGallery/KeyVaultAnalytics"
}
}
}
## governance
governance_settings = {
#current code supports only two levels of managemenr groups and one root
deploy_mgmt_groups = false
management_groups = {
root = {
name = "caf-rootmgmtgroup"
subscriptions = []
#list your subscriptions ID in this field as ["GUID1", "GUID2"]
children = {
child1 = {
name = "tree1child1"
subscriptions = []
}
child2 = {
name = "tree1child2"
subscriptions = []
}
child3 = {
name = "tree1child3"
subscriptions = []
}
}
#current code supports only two levels of managemenr groups and one root
deploy_mgmt_groups = false
management_groups = {
root = {
name = "caf-rootmgmtgroup"
subscriptions = []
#list your subscriptions ID in this field as ["GUID1", "GUID2"]
children = {
child1 = {
name = "tree1child1"
subscriptions = []
}
child2 = {
name = "tree1child2"
subscriptions = []
}
child3 = {
name = "tree1child3"
subscriptions = []
}
}
}
policy_matrix = {
#autoenroll_asc = true - to be implemented via builtin policies
autoenroll_monitor_vm = false
autoenroll_netwatcher = false
}
no_public_ip_spoke = false
cant_create_ip_spoke = false
managed_disks_only = false
restrict_locations = false
list_of_allowed_locs = ["southeastasia", "eastasia"]
restrict_supported_svc = false
list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"]
msi_location = "southeastasia"
}
policy_matrix = {
#autoenroll_asc = true - to be implemented via builtin policies
autoenroll_monitor_vm = false
autoenroll_netwatcher = false
no_public_ip_spoke = false
cant_create_ip_spoke = false
managed_disks_only = false
restrict_locations = false
list_of_allowed_locs = ["southeastasia", "eastasia"]
restrict_supported_svc = false
list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"]
msi_location = "southeastasia"
}
}
## security
security_settings = {
#Azure Security Center Configuration
enable_security_center = false
security_center = {
contact_email = "email@email.com"
contact_phone = "9293829328"
}
#Enables Azure Sentinel on the Log Analaytics repo
enable_sentinel = true
#Azure Security Center Configuration
enable_security_center = false
security_center = {
contact_email = "email@email.com"
contact_phone = "9293829328"
}
#Enables Azure Sentinel on the Log Analaytics repo
enable_sentinel = true
}


@ -0,0 +1,172 @@
# Configuration sample for Azure Virtual WAN hub and spoke
virtual_hub_config = {
virtual_wan = {
resource_group_name = "virtualwan"
name = "ContosovWAN"
dns_name = "private.contoso.com"
hubs = {
hub1 = {
hub_name = "SEA-HUB"
region = "southeastasia"
hub_address_prefix = "10.0.3.0/24"
deploy_firewall = true
peerings = {}
firewall_name = "azfwsg"
firewall_resource_groupe_name = "azfwsg"
deploy_p2s = false
p2s_config = {
name = "caf-sea-vpn-p2s"
scale_unit = 2
connection_configuration = {
name = "client-connections"
vpn_client_address_pool = {
address_prefixes = ["192.168.0.0/24"]
}
}
server_config = {
vpn_authentication_types = ["Certificate"]
client_root_certificate = {
name = "DigiCert-Federated-ID-Root-CA"
public_cert_data = <<EOF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=
EOF
}
}
}
deploy_s2s = false
s2s_config = {
name = "caf-sea-vpn-s2s"
scale_unit = 1
}
deploy_er = false
er_config = {
name = "caf-sea-er"
scale_units = 1
}
}
hub2 = {
hub_name = "HK-HUB"
region = "eastasia"
hub_address_prefix = "10.0.4.0/24"
deploy_firewall = true
firewall_name = "azfhk"
firewall_resource_groupe_name = "azfhk"
peerings = {
## this key must match with the key of the virtual network declared in the var.spokes structure
spoke1 = {
# TODO: add support for remote_virtual_network_id = <ID of the virtual network>
# optional if the virtual network has been provisionned outside.
hub_to_vitual_network_traffic_allowed = true
vitual_network_to_hub_gateways_traffic_allowed = true
internet_security_enabled = false
}
}
deploy_p2s = false
p2s_config = {}
deploy_s2s = false
s2s_config = {}
deploy_er = false
er_config = {}
}
}
}
}
spokes = {
spoke1 = {
rg = {
name = "virtualhub-spoke-test"
location = "eastasia"
}
peering_name = "spoke1-hub-hk-link"
network = {
vnet = {
name = "Core-Network"
address_space = ["10.0.10.0/24"]
}
specialsubnets = {}
subnets = {
subnet0 = {
name = "Web_tier"
cidr = ["10.0.10.0/26"]
nsg_name = "Web_tier_nsg"
nsg = [
{
name = "HTTP-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "HTTPS-In",
priority = "101"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
]
}
subnet2 = {
name = "Data_tier"
cidr = ["10.0.10.128/26"]
nsg_name = "Data_tier_nsg"
nsg = [
{
name = "TDS-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "1433"
source_address_prefix = "*"
destination_address_prefix = "*"
}
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
}
}
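Review bot: The `Data_tier` rule `TDS-In` (the `nsg` entry under `Data_tier_nsg`) sets `protocol = "UDP"` with `destination_port_range = "1433"`, but SQL Server TDS traffic is TCP, so as written the rule admits UDP/1433 while the flow it is meant to allow stays blocked; change it to `protocol = "tcp"`. It also accepts any source (`source_address_prefix = "*"`); in a web/data tier split the data tier should only be reachable from the web subnet, e.g. `source_address_prefix = "10.0.10.0/26"`, the `Web_tier` cidr declared a few lines above. The misspelled keys `firewall_resource_groupe_name` and `hub_to_vitual_network_traffic_allowed` presumably mirror the module's variable definitions; worth confirming before this sample is copied further.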


@ -1,265 +1,435 @@
# Configuration sample for a hub and spoke environment
# definition of variables for the virtual network
rg_network = {
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
}
# settings for the core network blueprint
core_networking = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = "10.0.4.0/24"
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "10.0.255.224/27"
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = "10.0.1.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"],
["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"],
["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"],
["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"],
["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"],
["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"],
["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"],
["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"],
["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"],
["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = "10.0.0.128/25"
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
}
diagnostics = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = ["10.0.4.0/24"]
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = ["10.0.255.224/27"]
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = ["10.0.1.0/24"]
nsg_name = "Active_Directory_nsg"
nsg = [
{
name = "W32Time",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "123"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "RPC-Endpoint-Mapper",
priority = "101"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "135"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "Kerberos-password-change",
priority = "102"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "464"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "RPC-Dynamic-range",
priority = "103"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "49152-65535"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP",
priority = "104"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "389"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-SSL",
priority = "105"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "636"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-GC",
priority = "106"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3268"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-GC-SSL",
priority = "107"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3269"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "DNS",
priority = "108"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "53"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "Kerberos",
priority = "109"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "88"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "SMB",
priority = "110"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "445"
source_address_prefix = "*"
destination_address_prefix = "*"
}
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = ["10.0.0.128/25"]
nsg_name = "AzureBastionSubnet_nsg"
nsg = [
{
name = "bastion-in-allow",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "bastion-control-in-allow-443",
priority = "120"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "135"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "Kerberos-password-change",
priority = "121"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "4443"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "bastion-vnet-out-allow-22",
priority = "103"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-vnet-out-allow-3389",
priority = "101"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3389"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-azure-out-allow",
priority = "120"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "AzureCloud"
}
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = false
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
["AllMetrics", true, true, 30],
]
}
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = true
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
}
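Review bot: The `AzureBastionSubnet` rules in the `nsg` object form this hunk introduces no longer match the `nsg_inbound`/`nsg_outbound` rows they replace: `bastion-control-in-allow-443` now carries `destination_port_range = "135"` where the old row had `"443"`, the priority-121 rule on port 4443 is named `Kerberos-password-change` instead of `bastion-control-in-allow-4443`, and `bastion-vnet-out-allow-22` moved from priority `"100"` to `"103"`. Azure Bastion needs 443 and 4443 inbound from `GatewayManager`, so the 135 rule both breaks the control-plane path and opens a port nothing in that subnet should be listening on; restore `destination_port_range = "443"` and `name = "bastion-control-in-allow-4443",`. In the `Active_Directory` subnet, `RPC-Endpoint-Mapper` changed from `tcp` to `protocol = "UDP"`; the endpoint mapper on 135 is TCP, so that rule should read `protocol = "tcp"` as well. Separately, `enable_bastion = true` now sits directly under the comment `## not enabled, uncomment the code in the networking shared services blueprint.`, so one of the two should be updated to match the other.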


@ -1,265 +1,265 @@
# Configuration sample for a hub and spoke environment
# definition of variables for the virtual network
rg_network = {
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
}
# settings for the core network blueprint
core_networking = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = "10.0.4.0/24"
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "10.0.255.224/27"
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = "10.0.1.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"],
["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"],
["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"],
["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"],
["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"],
["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"],
["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"],
["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"],
["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"],
["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = "10.0.0.128/25"
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
}
diagnostics = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = "10.0.4.0/24"
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "10.0.255.224/27"
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = "10.0.1.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"],
["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"],
["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"],
["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"],
["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"],
["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"],
["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"],
["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"],
["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"],
["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = "10.0.0.128/25"
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = true
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
["AllMetrics", true, true, 30],
]
}
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = true
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
}


@ -1,265 +1,265 @@
# Configuration sample for a hub and spoke environment
# definition of variables for the virtual network
rg_network = {
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
}
# settings for the core network blueprint
core_networking = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = "10.0.4.0/24"
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "10.0.255.224/27"
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = "10.0.1.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"],
["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"],
["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"],
["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"],
["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"],
["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"],
["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"],
["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"],
["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"],
["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = "10.0.0.128/25"
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
}
diagnostics = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = "10.0.4.0/24"
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "10.0.255.224/27"
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = "10.0.1.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"],
["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"],
["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"],
["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"],
["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"],
["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"],
["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"],
["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"],
["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"],
["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = "10.0.0.128/25"
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = false
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
["AllMetrics", true, true, 30],
]
}
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = false
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
}


@ -1,337 +1,420 @@
# definition of variables for the virtual network
rg_network = {
CORE-NET = {
name = "-network-core"
}
TRANSIT-NET = {
name = "-network-transit"
}
EDGE-NET = {
name = "-network-edge"
}
CORE-NET = {
name = "-network-core"
}
TRANSIT-NET = {
name = "-network-transit"
}
EDGE-NET = {
name = "-network-edge"
}
}
# settings for the core network blueprint
core_networking = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = "10.0.4.0/24"
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "10.0.255.224/27"
}
}
subnets = {
subnet0 = {
name = "Web_tier"
cidr = "10.0.1.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["HTTP-In", "100", "Inbound", "Allow", "tcp", "*", "80", "*", "*"],
["HTTPS-In", "101", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
]
}
subnet1 = {
name = "Business_tier"
cidr = "10.0.2.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["HTTP-In", "100", "Inbound", "Allow", "tcp", "*", "80", "*", "*"],
["HTTPS-In", "101", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
]
nsg_outbound = [
["HTTP-Out", "100", "Outbound", "Allow", "tcp", "*", "80", "*", "*"],
["HTTPS-Out", "101", "Outbound", "Allow", "tcp", "*", "443", "*", "*"],
]
}
subnet2 = {
name = "Data_tier"
cidr = "10.0.3.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["TDS-In", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"],
]
}
subnet3 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = "10.0.0.128/25"
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
}
diagnostics = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = ["10.0.4.0/24"]
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = ["10.0.255.224/27"]
}
}
subnets = {
subnet0 = {
name = "Web_tier"
cidr = ["10.0.1.0/24"]
nsg_name = "Web_tier_nsg"
nsg = [
{
name = "HTTP-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "HTTPS-In",
priority = "101"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
]
}
subnet1 = {
name = "Business_tier"
cidr = ["10.0.2.0/24"]
nsg_name = "Business_tier_nsg"
nsg = [
{
name = "HTTP-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "HTTPS-In",
priority = "101"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "HTTP-Out",
priority = "100"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "HTTPS-Out",
priority = "101"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
]
}
subnet2 = {
name = "Data_tier"
cidr = ["10.0.3.0/24"]
nsg_name = "Data_tier_nsg"
nsg = [
{
name = "TDS-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "1433"
source_address_prefix = "*"
destination_address_prefix = "*"
}
]
}
subnet3 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = ["10.0.0.128/25"]
nsg_name = "AzureBastionSubnet_nsg"
nsg = [
{
name = "bastion-in-allow",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "bastion-control-in-allow-443",
priority = "120"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "135"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "Kerberos-password-change",
priority = "121"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "4443"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "bastion-vnet-out-allow-22",
priority = "103"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-vnet-out-allow-3389",
priority = "101"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3389"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-azure-out-allow",
priority = "120"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "AzureCloud"
}
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
# netwatcher = {
# create = true
# #create the network watcher for a subscription and for the location of the vnet
# name = "arnaud-nw-test"
# #name of the network watcher to be created
# flow_logs_settings = {
# enabled = true
# retention = true
# period = 7
# }
# traffic_analytics_settings = {
# enabled = true
# }
# }
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = true
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastionalz"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
["AllMetrics", true, true, 30],
]
}
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = false
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
}
# configuration for application sets
rg_app = {
web_tier = {
name = "-app-frontend"
}
app_tier = {
name = "-app-application"
}
db_tier = {
name = "-app-database"
}
}
web_tier = {
as = {
name = "as-web"
tags = {
tier = "web"
}
}
lb = {
name = "ilb-web"
frontend_name = "PrivateIPAddress-ilb-web"
tags = {
tier = "web"
}
}
}
app_tier = {
as = {
name = "as-app"
tags = {
tier = "app"
}
}
lb = {
name = "ilb-app"
frontend_name = "PrivateIPAddress-ilb-app"
tags = {
tier = "app"
}
}
}
db_tier = {
as = {
name = "as-db"
tags = {
tier = "db"
}
}
lb = {
name = "ilb-app"
frontend_name = "PrivateIPAddress-ilb-db"
tags = {
tier = "db"
}
}
}
}


@ -1,400 +1,577 @@
# settings for the shared network blueprint
resource_groups_shared_services = {
HUB-CORE-NET = {
name = "-hub-network-shared"
location = "southeastasia"
}
HUB-CORE-NET = {
name = "-hub-network-shared"
location = "southeastasia"
}
}
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
shared_services_vnet = {
vnet = {
name = "Shared-Services"
address_space = ["10.101.4.0/22"]
dns = []
vnet = {
name = "Shared-Services"
address_space = ["10.101.4.0/22"]
dns = []
}
specialsubnets = {
}
subnets = {
subnet0 = {
name = "Critical_Applications"
cidr = ["10.101.4.0/25"]
nsg_name = "Critical_Applications_nsg"
service_endpoints = []
}
subnet1 = {
name = "Active_Directory"
cidr = ["10.101.4.128/27"]
service_endpoints = []
nsg_name = "Active_Directory_nsg"
nsg = [
{
name = "W32Time",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "123"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "RPC-Endpoint-Mapper",
priority = "101"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "135"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "Kerberos-password-change",
priority = "102"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "464"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "RPC-Dynamic-range",
priority = "103"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "49152-65535"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP",
priority = "104"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "389"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-SSL",
priority = "105"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "636"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-GC",
priority = "106"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3268"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-GC-SSL",
priority = "107"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3269"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "DNS",
priority = "108"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "53"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "Kerberos",
priority = "109"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "88"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "SMB",
priority = "110"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "445"
source_address_prefix = "*"
destination_address_prefix = "*"
}
specialsubnets = {
}
subnets = {
subnet0 = {
name = "Critical_Applications"
cidr = "10.101.4.0/25"
service_endpoints = []
nsg_inbound = []
nsg_outbound = []
}
subnet1 = {
name = "Active_Directory"
cidr = "10.101.4.128/27"
service_endpoints = []
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["LDAP", "100", "Inbound", "Allow", "*", "*", "389", "*", "*"],
["RPC-EPM", "102", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
["SMB-In", "103", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
]
nsg_outbound = [
["o-LDAP-t", "100", "Outbound", "Allow", "*", "*", "389", "*", "*"],
["o-SMB-In", "103", "Outbound", "Allow", "tcp", "*", "445", "*", "*"],
]
}
subnet2 = {
name = "SQL_Servers"
cidr = "10.101.4.160/27"
service_endpoints = []
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["TDS-In", "100", "Inbound", "Allow", "tcp", "*", "1433", "*", "*"],
]
nsg_outbound = []
}
subnet4 = {
name = "AzureBastionSubnet"
cidr = "10.101.4.192/27"
service_endpoints = []
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
]
}
subnet2 = {
name = "SQL_Servers"
cidr = ["10.101.4.160/27"]
service_endpoints = []
nsg_name = "Data_tier_nsg"
nsg = [
{
name = "TDS-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "1433"
source_address_prefix = "*"
destination_address_prefix = "*"
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
]
}
subnet4 = {
name = "AzureBastionSubnet"
cidr = ["10.101.4.192/27"]
nsg_name = "AzureBastionSubnet_nsg"
nsg = [
{
name = "bastion-in-allow",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "bastion-control-in-allow-443",
priority = "120"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "135"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "Kerberos-password-change",
priority = "121"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "4443"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "bastion-vnet-out-allow-22",
priority = "103"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-vnet-out-allow-3389",
priority = "101"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3389"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-azure-out-allow",
priority = "120"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "AzureCloud"
}
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = true
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
ip_name = "caf-pip-bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
ip_diags = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# settings for the shared egress blueprint
resource_groups_shared_egress = {
HUB-EGRESS-NET = {
name = "-hub-network-egress"
location = "southeastasia"
}
}
# Settings for the shared services egress vnet - note that Azure Firewall subnet must be at least /26
networking_egress = {
vnet = {
name = "Shared-Egress"
address_space = ["10.0.0.0/25"]
dns = ["192.168.0.16", "192.168.0.64"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet"
cidr = "10.0.0.0/26"
service_endpoints = []
}
}
subnets = {
subnet1 = {
name = "Network_Monitoring"
cidr = "10.0.0.64/26"
service_endpoints = []
nsg_inbound = []
nsg_outbound = []
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for egress
# Must be standard and static for Azure Firewall
ip_addr_config = {
ip_name = "caf-pip-egress"
allocation_method = "Static"
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
ip_name = "caf-pip-bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
ip_diags = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# settings for the shared egress blueprint
resource_groups_shared_egress = {
HUB-EGRESS-NET = {
name = "-hub-network-egress"
location = "southeastasia"
}
}
# Settings for the shared services egress vnet - note that Azure Firewall subnet must be at least /26
networking_egress = {
vnet = {
name = "Shared-Egress"
address_space = ["10.0.0.0/25"]
dns = ["192.168.0.16", "192.168.0.64"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet"
cidr = ["10.0.0.0/26"]
service_endpoints = []
}
}
subnets = {
subnet1 = {
name = "Network_Monitoring"
cidr = ["10.0.0.64/26"]
nsg_name = "Network_Monitoring_nsg"
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for egress
# Must be standard and static for Azure Firewall
ip_addr_config = {
ip_name = "caf-pip-egress"
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "az-fw-caf"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
name = "az-fw-caf"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the UDR object
udr_object = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "myWay"
subnets_to_udr = ""
nexthop_ip = ""
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "myWay"
subnets_to_udr = ""
nexthop_ip = ""
}
# settings for the transit network blueprint
#resource group creation
resource_groups_shared_transit = {
HUB-NET-TRANSIT = {
name = "-hub-network-transit"
location = "southeastasia"
}
HUB-NET-TRANSIT = {
name = "-hub-network-transit"
location = "southeastasia"
}
}
# Settings for the shared services egress vnet
networking_transit = {
vnet = {
name = "Shared-Transit"
address_space = ["172.16.0.0/23"]
dns = ["192.168.0.16", "192.168.0.64"]
}
specialsubnets = {
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "172.16.0.0/24"
service_endpoints = []
}
}
subnets = {
subnet1 = {
name = "NetworkMonitoring"
cidr = "172.16.1.0/24"
service_endpoints = []
nsg_inbound = []
nsg_outbound = []
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
vnet = {
name = "Shared-Transit"
address_space = ["172.16.0.0/23"]
dns = ["192.168.0.16", "192.168.0.64"]
}
specialsubnets = {
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = ["172.16.0.0/24"]
service_endpoints = []
}
}
subnets = {
subnet1 = {
name = "NetworkMonitoring"
cidr = ["172.16.1.0/24"]
nsg_name = "NetworkMonitoring_msg"
service_endpoints = []
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# Settings for the public IP address to be used for egress
public_ip_addr = {
name = "caf-pip-vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
name = "caf-pip-vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "mygateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "mygateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
}
##Settings for the Azure Key Vault
akv_config = {
name = "techakv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
sku_name = "premium"
# network_acls = {
# bypass = "AzureServices"
# default_action = "Deny"
# }
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
name = "techakv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
sku_name = "premium"
# network_acls = {
# bypass = "AzureServices"
# default_action = "Deny"
# }
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
# settings for the operations blueprint
# #Azure Site Recovery Configuration
asr_config = {
asr_vault_name = "asr"
asr_diags = {
log_analytics_destination_type = "Dedicated"
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureBackupReport", true, true, 30],
["CoreAzureBackup", true, true, 30],
["AddonAzureBackupAlerts", true, true, 30],
["AddonAzureBackupJobs", true, true, 30],
["AddonAzureBackupPolicy", true, true, 30],
["AddonAzureBackupProtectedInstance", true, true, 30],
["AddonAzureBackupStorage", true, true, 30],
["AzureSiteRecoveryJobs", true, true, 30],
["AzureSiteRecoveryEvents", true, true, 30],
["AzureSiteRecoveryReplicatedItems", true, true, 30],
["AzureSiteRecoveryReplicationStats", true, true, 30],
["AzureSiteRecoveryRecoveryPoints", true, true, 30],
["AzureSiteRecoveryReplicationDataUploadRate", true, true, 30],
["AzureSiteRecoveryProtectedDiskDataChurn", true, true, 30],
]
metric = [
#["AllMetrics", 60, True],
]
}
asr_vault_name = "asr"
asr_diags = {
log_analytics_destination_type = "Dedicated"
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureBackupReport", true, true, 30],
["CoreAzureBackup", true, true, 30],
["AddonAzureBackupAlerts", true, true, 30],
["AddonAzureBackupJobs", true, true, 30],
["AddonAzureBackupPolicy", true, true, 30],
["AddonAzureBackupProtectedInstance", true, true, 30],
["AddonAzureBackupStorage", true, true, 30],
["AzureSiteRecoveryJobs", true, true, 30],
["AzureSiteRecoveryEvents", true, true, 30],
["AzureSiteRecoveryReplicatedItems", true, true, 30],
["AzureSiteRecoveryReplicationStats", true, true, 30],
["AzureSiteRecoveryRecoveryPoints", true, true, 30],
["AzureSiteRecoveryReplicationDataUploadRate", true, true, 30],
["AzureSiteRecoveryProtectedDiskDataChurn", true, true, 30],
]
metric = [
#["AllMetrics", 60, True],
]
}
}
#Azure Automation account name
auto_config = {
auto_account = "azauto"
auto_diags = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["JobLogs", true, true, 30],
["JobStreams", true, true, 30],
["DscNodeStatus", true, true, 30],
]
metric = [
# ["Category name", "Metric Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 30],
]
}
auto_account = "azauto"
auto_diags = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["JobLogs", true, true, 30],
["JobStreams", true, true, 30],
["DscNodeStatus", true, true, 30],
]
metric = [
# ["Category name", "Metric Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 30],
]
}
}


@ -2,135 +2,147 @@
## globalsettings
global_settings = {
#specifies the set of locations you are going to use in this landing zone
location_map = {
region1 = "southeastasia"
region2 = "eastasia"
}
#specifies the set of locations you are going to use in this landing zone
location_map = {
region1 = "southeastasia"
region2 = "eastasia"
}
#naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough
convention = "cafrandom"
#naming convention to be used as defined in naming convention module, accepted values are cafclassic, cafrandom, random, passthrough
convention = "cafrandom"
#Set of tags for core operations
tags_hub = {
environment = "DEV"
owner = "CAF"
deploymentType = "Terraform"
costCenter = "1664"
BusinessUnit = "SHARED"
DR = "NON-DR-ENABLED"
}
#Set of tags for core operations
tags_hub = {
owner = "CAF"
deploymentType = "Terraform"
costCenter = "1664"
BusinessUnit = "SHARED"
DR = "NON-DR-ENABLED"
}
# Set of resource groups to land the blueprint
resource_groups_hub = {
HUB-CORE-SEC = {
name = "hub-core-sec"
location = "southeastasia"
}
HUB-OPERATIONS = {
name = "hub-operations"
location = "southeastasia"
}
# Set of resource groups to land the blueprint
resource_groups_hub = {
HUB-CORE-SEC = {
name = "hub-core-sec"
location = "southeastasia"
}
HUB-OPERATIONS = {
name = "hub-operations"
location = "southeastasia"
}
}
}
## accounting settings
accounting_settings = {
# Azure Subscription activity logs retention period
azure_activity_logs_name = "actlogs"
azure_activity_logs_event_hub = false
azure_activity_logs_retention = 365
# Azure Subscription activity logs retention period
azure_activity_logs_name = "actlogs"
azure_activity_logs_event_hub = false
azure_activity_logs_retention = 365
azure_activity_audit = {
log = [
# ["Audit category name", "Audit enabled)"]
["Administrative", true],
["Security", true],
["ServiceHealth", true],
["Alert", true],
["Recommendation", true],
["Policy", true],
["Autoscale", true],
["ResourceHealth", true],
]
}
# Azure diagnostics logs retention period
azure_diagnostics_logs_name = "diaglogs"
azure_diagnostics_logs_event_hub = false
# Azure diagnostics logs retention period
azure_diagnostics_logs_name = "diaglogs"
azure_diagnostics_logs_event_hub = false
#Logging and monitoring
analytics_workspace_name = "caflalogs"
#Logging and monitoring
analytics_workspace_name = "caflalogs"
##Log analytics solutions to be deployed
solution_plan_map = {
NetworkMonitoring = {
"publisher" = "Microsoft"
"product" = "OMSGallery/NetworkMonitoring"
},
ADAssessment = {
"publisher" = "Microsoft"
"product" = "OMSGallery/ADAssessment"
},
ADReplication = {
"publisher" = "Microsoft"
"product" = "OMSGallery/ADReplication"
},
AgentHealthAssessment = {
"publisher" = "Microsoft"
"product" = "OMSGallery/AgentHealthAssessment"
},
DnsAnalytics = {
"publisher" = "Microsoft"
"product" = "OMSGallery/DnsAnalytics"
},
ContainerInsights = {
"publisher" = "Microsoft"
"product" = "OMSGallery/ContainerInsights"
},
KeyVaultAnalytics = {
"publisher" = "Microsoft"
"product" = "OMSGallery/KeyVaultAnalytics"
}
##Log analytics solutions to be deployed
solution_plan_map = {
NetworkMonitoring = {
"publisher" = "Microsoft"
"product" = "OMSGallery/NetworkMonitoring"
},
ADAssessment = {
"publisher" = "Microsoft"
"product" = "OMSGallery/ADAssessment"
},
ADReplication = {
"publisher" = "Microsoft"
"product" = "OMSGallery/ADReplication"
},
AgentHealthAssessment = {
"publisher" = "Microsoft"
"product" = "OMSGallery/AgentHealthAssessment"
},
DnsAnalytics = {
"publisher" = "Microsoft"
"product" = "OMSGallery/DnsAnalytics"
},
ContainerInsights = {
"publisher" = "Microsoft"
"product" = "OMSGallery/ContainerInsights"
},
KeyVaultAnalytics = {
"publisher" = "Microsoft"
"product" = "OMSGallery/KeyVaultAnalytics"
}
}
}
## governance
governance_settings = {
#current code supports only two levels of managemenr groups and one root
deploy_mgmt_groups = false
management_groups = {
root = {
name = "caf-rootmgmtgroup"
subscriptions = []
#list your subscriptions ID in this field as ["GUID1", "GUID2"]
children = {
child1 = {
name = "tree1child1"
subscriptions = []
}
child2 = {
name = "tree1child2"
subscriptions = []
}
child3 = {
name = "tree1child3"
subscriptions = []
}
}
#current code supports only two levels of managemenr groups and one root
deploy_mgmt_groups = false
management_groups = {
root = {
name = "caf-rootmgmtgroup"
subscriptions = []
#list your subscriptions ID in this field as ["GUID1", "GUID2"]
children = {
child1 = {
name = "tree1child1"
subscriptions = []
}
child2 = {
name = "tree1child2"
subscriptions = []
}
child3 = {
name = "tree1child3"
subscriptions = []
}
}
}
policy_matrix = {
#autoenroll_asc = true - to be implemented via builtin policies
autoenroll_monitor_vm = true
autoenroll_netwatcher = false
}
no_public_ip_spoke = false
cant_create_ip_spoke = false
managed_disks_only = true
restrict_locations = false
list_of_allowed_locs = ["southeastasia", "eastasia"]
restrict_supported_svc = false
list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"]
msi_location = "southeastasia"
}
policy_matrix = {
#autoenroll_asc = true - to be implemented via builtin policies
autoenroll_monitor_vm = true
autoenroll_netwatcher = false
no_public_ip_spoke = false
cant_create_ip_spoke = false
managed_disks_only = true
restrict_locations = false
list_of_allowed_locs = ["southeastasia", "eastasia"]
restrict_supported_svc = false
list_of_supported_svc = ["Microsoft.Network/publicIPAddresses", "Microsoft.Compute/disks"]
msi_location = "southeastasia"
}
}
## security
security_settings = {
#Azure Security Center Configuration
enable_security_center = false
security_center = {
contact_email = "email@email.com"
contact_phone = "9293829328"
}
#Enables Azure Sentinel on the Log Analaytics repo
enable_sentinel = true
#Azure Security Center Configuration
enable_security_center = false
security_center = {
contact_email = "email@email.com"
contact_phone = "9293829328"
}
#Enables Azure Sentinel on the Log Analaytics repo
enable_sentinel = true
}
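Review bot: The new-side comment `#current code supports only two levels of managemenr groups and one root` inside `governance_settings` carries a typo; write it `#current code supports only two levels of management groups and one root`. The rewritten `tags_hub` no longer carries an `environment` key and nothing in this sample says where that tag now comes from; if the landing zone now injects it from the launchpad output, a line such as `# the environment tag is added by the landing zone from the launchpad output, do not set it here` would stop readers from re-adding a value that shadows it. Both points apply to the new side of the `@ -2,135 +2,147 @@` hunk.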


@ -1,18 +1,18 @@
#Create the resource groups to host the blueprint
resource "azurecaf_naming_convention" "rg_coresec_name" {
name = var.resource_groups_hub.HUB-CORE-SEC.name
prefix = var.prefix
resource_type = "rg"
max_length = 50
convention = var.convention
resource "azurecaf_naming_convention" "rg_coresec_name" {
name = var.resource_groups_hub.HUB-CORE-SEC.name
prefix = var.prefix
resource_type = "rg"
max_length = 50
convention = var.convention
}
resource "azurecaf_naming_convention" "rg_operations_name" {
name = var.resource_groups_hub.HUB-OPERATIONS.name
prefix = var.prefix
resource_type = "rg"
max_length = 50
convention = var.convention
resource "azurecaf_naming_convention" "rg_operations_name" {
name = var.resource_groups_hub.HUB-OPERATIONS.name
prefix = var.prefix
resource_type = "rg"
max_length = 50
convention = var.convention
}
resource "azurerm_resource_group" "rg_coresec" {
@ -30,16 +30,18 @@ resource "azurerm_resource_group" "rg_operations" {
#Specify the subscription logging repositories
module "activity_logs" {
source = "aztfmod/caf-activity-logs/azurerm"
version = "2.0.0"
convention = var.convention
name = var.accounting_settings.azure_activity_logs_name
logs_rentention = var.accounting_settings.azure_activity_logs_retention
enable_event_hub = var.accounting_settings.azure_activity_logs_event_hub
prefix = var.prefix
resource_group_name = azurerm_resource_group.rg_coresec.name
location = var.location
tags = local.tags
version = "3.0.0"
convention = var.convention
enable_event_hub = var.accounting_settings.azure_activity_logs_event_hub
prefix = var.prefix
resource_group_name = azurerm_resource_group.rg_coresec.name
location = var.location
tags = local.tags
log_analytics_workspace_id = module.log_analytics.id
diagnostic_name = var.accounting_settings.azure_activity_logs_name
name = var.accounting_settings.azure_activity_logs_name
audit_settings_object = var.accounting_settings.azure_activity_audit
}
#Specify the operations diagnostic logging repositories
@ -47,19 +49,19 @@ module "diagnostics_logging" {
source = "aztfmod/caf-diagnostics-logging/azurerm"
version = "2.0.1"
convention = var.convention
name = var.accounting_settings.azure_diagnostics_logs_name
enable_event_hub = var.accounting_settings.azure_diagnostics_logs_event_hub
prefix = var.prefix
resource_group_name = azurerm_resource_group.rg_operations.name
location = var.location
tags = local.tags
convention = var.convention
name = var.accounting_settings.azure_diagnostics_logs_name
enable_event_hub = var.accounting_settings.azure_diagnostics_logs_event_hub
prefix = var.prefix
resource_group_name = azurerm_resource_group.rg_operations.name
location = var.location
tags = local.tags
}
#Create the Azure Monitor - Log Analytics workspace
module "log_analytics" {
source = "aztfmod/caf-log-analytics/azurerm"
version = "2.0.1"
version = "2.2.0"
convention = var.convention
prefix = var.prefix
@ -68,4 +70,5 @@ module "log_analytics" {
resource_group_name = azurerm_resource_group.rg_operations.name
location = var.location
tags = local.tags
retention_in_days = var.accounting_settings.azure_activity_logs_retention
}
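Review bot: `retention_in_days = var.accounting_settings.azure_activity_logs_retention` in the last hunk now sets the retention of the whole Log Analytics workspace, while the tfvars comment still describes that value as the subscription activity-log retention period and, on the new side of the `activity_logs` hunk, that module no longer receives any retention argument after `logs_rentention` was dropped. If workspace-wide retention is the intent, say so where the value is consumed, e.g. `# workspace retention: applies to activity logs and every other log ingested into this workspace`; otherwise introduce a dedicated accounting setting. In the `activity_logs` hunk both `diagnostic_name` and `name` are assigned the same `azure_activity_logs_name`, which looks deliberate but deserves a comment stating which resource each one names. The `module "log_analytics"` block begins in the previous hunk of this section.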


@ -1,22 +1,14 @@
data "azurerm_client_config" "current" {
}
# provider "azurerm" {
# version = "<= 1.44"
# }
provider "azuread" {
version = "<=0.7.0"
}
terraform {
backend "azurerm" {
}
backend "azurerm" {
}
}
locals {
blueprint_tag = {
blueprint_tag = {
"blueprint" = basename(abspath(path.module))
}
tags = merge(var.tags, var.tags_hub,local.blueprint_tag)
tags = merge(var.tags, var.tags_hub, local.blueprint_tag)
}
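Review bot: Dropping `provider "azuread" { version = "<=0.7.0" }` from this blueprint leaves no visible version constraint for azuread, and the new root `versions.tf` in this commit declares only `azurecaf`, `azurerm` and `terraform` under `required_providers`. If any of the foundations blueprints still use azuread resources or data sources, add `azuread = { version = "<PIN-CONSTRAINT>" }` (placeholder for the constraint you choose) to that `required_providers` block so `terraform init` cannot silently resolve an incompatible major release. The same removal appears in the governance (`@ -4,22 +4,14 @@`) and security (`@ -1,22 +1,14 @@`) provider files further down this page.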


@ -1,12 +1,12 @@
#outputs the ops log repositories
output "diagnostics_map" {
value = module.diagnostics_logging.diagnostics_map
value = module.diagnostics_logging.diagnostics_map
description = "outputs diagnostics map as desribed in the diagnostics logging module doc"
}
#outputs the sec log repositories
output "activity_logs_map" {
value = module.activity_logs.seclogs_map
value = module.activity_logs.seclogs_map
description = "outputs subscription activity logs map as desribed in the activity logging module doc"
}
@ -23,26 +23,26 @@ output "activity_logs_map" {
#log analytics workspace
output "log_analytics_workspace" {
value = module.log_analytics
value = module.log_analytics
description = "outputs the log analytics configuration settings as documented in log analytics module"
}
output "location" {
value = var.location
value = var.location
description = "exports the location where objects from foundation have been created"
}
output "tags" {
value = var.tags_hub
value = var.tags_hub
description = "exports the tags created in this blueprint"
}
output "prefix" {
value = var.prefix
value = var.prefix
description = "exports the prefix as generated in level0"
}
output "resource_group_operations" {
value = azurerm_resource_group.rg_operations
value = azurerm_resource_group.rg_operations
description = "rg_group_operations"
}


@ -1,6 +1,6 @@
variable "prefix" {
description = "(Optional) Prefix to uniquely identify the deployment"
description = "(Optional) Prefix to uniquely identify the deployment"
}
variable "resource_groups_hub" {
@ -37,7 +37,7 @@ variable "location" {
variable "tags_hub" {
description = "map of the tags to be applied"
type = map(string)
type = map(string)
}
variable "tags" {}


@ -2,9 +2,9 @@
module "management_groups" {
source = "./management_group"
management_groups = var.governance_settings.management_groups
deploy_mgmt_groups = var.governance_settings.deploy_mgmt_groups
tags = var.tags_hub
management_groups = var.governance_settings.management_groups
deploy_mgmt_groups = var.governance_settings.deploy_mgmt_groups
tags = var.tags_hub
}
@ -13,16 +13,16 @@ module "custom_policies" {
source = "./policies/custom"
policies_matrix = var.governance_settings.policy_matrix
log_analytics = var.log_analytics.name
scope = data.azurerm_subscription.current.id
policies_matrix = var.governance_settings.policy_matrix
log_analytics = var.log_analytics.name
scope = data.azurerm_subscription.current.id
}
module "builtin_policies" {
source = "./policies/builtin"
policies_matrix = var.governance_settings.policy_matrix
log_analytics = var.log_analytics.name
policies_matrix = var.governance_settings.policy_matrix
log_analytics = var.log_analytics.name
//log_analytics needed for policies with auto-remediation
scope = data.azurerm_subscription.current.id
scope = data.azurerm_subscription.current.id
}


@ -4,22 +4,14 @@ data "azurerm_client_config" "current" {
data "azurerm_subscription" "current" {}
# provider "azurerm" {
# version = "<= 1.44"
# }
provider "azuread" {
version = "<=0.7.0"
}
terraform {
backend "azurerm" {
}
backend "azurerm" {
}
}
locals {
blueprint_tag = {
blueprint_tag = {
"blueprint" = basename(abspath(path.module))
}
tags = merge(var.tags, var.tags_hub,local.blueprint_tag)
tags = merge(var.tags, var.tags_hub, local.blueprint_tag)
}


@ -1,8 +1,8 @@
data "azurerm_client_config" "current" {}
locals {
module_tag = {
module_tag = {
"module" = basename(abspath(path.module))
}
tags = merge(var.tags,local.module_tag)
tags = merge(var.tags, local.module_tag)
}


@ -1,14 +1,14 @@
resource "azurerm_management_group" "parent_management_group" {
count = var.deploy_mgmt_groups ? 1 : 0
display_name = var.management_groups.root.name
display_name = var.management_groups.root.name
}
resource "azurerm_management_group" "l1children" {
for_each = var.deploy_mgmt_groups ? var.management_groups.root.children : {}
parent_management_group_id = azurerm_management_group.parent_management_group[0].id
display_name = each.value.name
subscription_ids = each.value.subscriptions
for_each = var.deploy_mgmt_groups ? var.management_groups.root.children : {}
parent_management_group_id = azurerm_management_group.parent_management_group[0].id
display_name = each.value.name
subscription_ids = each.value.subscriptions
}


@ -1,15 +1,15 @@
#outputs the management group objects
output "management_groups" {
value = module.management_groups
value = module.management_groups
description = "management groups output"
}
output "custom_policies" {
value = module.custom_policies
value = module.custom_policies
description = "management groups output"
}
output "builtin_policies" {
value = module.builtin_policies
value = module.builtin_policies
description = "management groups output"
}


@ -6,9 +6,9 @@ locals {
}
resource "azurerm_policy_assignment" "res_location" {
count = var.policies_matrix.restrict_locations ? 1 : 0
count = var.policies_matrix.restrict_locations ? 1 : 0
name = "res_location"
scope = var.scope
scope = var.scope
policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
description = "Policy Assignment with Terraform"
display_name = "TF Restrict Deployment of Azure Resources in specific location"


@ -2,9 +2,9 @@
#Name: Allowed resource types
resource "azurerm_policy_assignment" "res_type" {
count = var.policies_matrix.restrict_supported_svc ? 1 : 0
count = var.policies_matrix.restrict_supported_svc ? 1 : 0
name = "res_svc"
scope = var.scope
scope = var.scope
policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"
description = "Policy Assignment with Terraform"
display_name = "TF Restrict Deployment of specified Azure Resources"


@ -2,7 +2,7 @@
#Name: Enable Azure Monitor for VMs
resource "azurerm_policy_assignment" "vm_auto_monitor" {
count = var.policies_matrix.autoenroll_monitor_vm ? 1 : 0
count = var.policies_matrix.autoenroll_monitor_vm ? 1 : 0
name = "vm_auto_monitor"
scope = var.scope
policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
@ -10,7 +10,7 @@ resource "azurerm_policy_assignment" "vm_auto_monitor" {
display_name = "TF Enable Azure Monitor for VMs"
location = var.policies_matrix.msi_location
identity {
type = "SystemAssigned"
type = "SystemAssigned"
}
parameters = <<PARAMETERS
{


@ -2,7 +2,7 @@
#Name : Audit VMs that do not use managed disks
resource "azurerm_policy_assignment" "pol_managed_disks_assignment" {
count = var.policies_matrix.managed_disks_only ? 1 : 0
count = var.policies_matrix.managed_disks_only ? 1 : 0
name = "vm_no_managed_disks"
scope = var.scope
policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"


@ -3,7 +3,7 @@
resource "azurerm_policy_assignment" "pol_net_watcher" {
count = var.policies_matrix.autoenroll_netwatcher ? 1 : 0
count = var.policies_matrix.autoenroll_netwatcher ? 1 : 0
name = "nets_network_watcher"
scope = var.scope
policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9"
@ -11,7 +11,7 @@ resource "azurerm_policy_assignment" "pol_net_watcher" {
display_name = "Deploy network watcher when virtual networks are created"
location = var.policies_matrix.msi_location
identity {
type = "SystemAssigned"
type = "SystemAssigned"
}
}


@ -21,8 +21,8 @@ POLICY_RULE
}
resource "azurerm_policy_assignment" "deny-publicip-spoke" {
count = var.policies_matrix.cant_create_ip_spoke ? 1 : 0
name = "deny-publicip-spoke"
count = var.policies_matrix.cant_create_ip_spoke ? 1 : 0
name = "deny-publicip-spoke"
scope = var.scope
policy_definition_id = azurerm_policy_definition.deny_publicip_spoke[0].id
description = "Policy Assignment for deny public IP creatin in spokes"


@ -1,6 +1,6 @@
resource "azurerm_policy_definition" "deny_publicips_on_nics" {
count = var.policies_matrix.no_public_ip_spoke ? 1 : 0
count = var.policies_matrix.no_public_ip_spoke ? 1 : 0
name = "pol-deny-publicips-on-nics"
policy_type = "Custom"
mode = "Indexed"
@ -29,8 +29,8 @@ POLICY_RULE
}
resource "azurerm_policy_assignment" "publicIP-deny-on-nics" {
count = var.policies_matrix.no_public_ip_spoke ? 1 : 0
name = "deny-publicip-on-nics"
count = var.policies_matrix.no_public_ip_spoke ? 1 : 0
name = "deny-publicip-on-nics"
scope = var.scope
policy_definition_id = azurerm_policy_definition.deny_publicips_on_nics[0].id
description = "Policy Assignment for deny public IP on NICs"


@ -8,7 +8,7 @@ variable "location" {
}
variable "log_analytics" {
}
variable "tags_hub" {}


@ -2,20 +2,20 @@
module "security_center" {
source = "aztfmod/caf-security-center/azurerm"
version = "1.0.0"
enable_security_center = var.security_settings.enable_security_center
contact_email = var.security_settings.security_center.contact_email
contact_phone = var.security_settings.security_center.contact_phone
scope_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
workspace_id = var.log_analytics.id
enable_security_center = var.security_settings.enable_security_center
contact_email = var.security_settings.security_center.contact_email
contact_phone = var.security_settings.security_center.contact_phone
scope_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
workspace_id = var.log_analytics.id
}
#Create the Azure Sentinel Configuration
module "sentinel" {
source = "./sentinel"
enable_sentinel = var.security_settings.enable_sentinel
log_analytics = var.log_analytics
rg = var.resource_groups_hub.name
location = var.location
enable_sentinel = var.security_settings.enable_sentinel
log_analytics = var.log_analytics
rg = var.resource_groups_hub.name
location = var.location
}


@ -1,22 +1,14 @@
data "azurerm_client_config" "current" {
}
# provider "azurerm" {
# version = "<= 1.44"
# }
provider "azuread" {
version = "<=0.7.0"
}
terraform {
backend "azurerm" {
}
backend "azurerm" {
}
}
locals {
blueprint_tag = {
blueprint_tag = {
"blueprint" = basename(abspath(path.module))
}
tags = merge(var.tags, var.tags_hub,local.blueprint_tag)
tags = merge(var.tags, var.tags_hub, local.blueprint_tag)
}


@ -1,17 +1,17 @@
resource "azurerm_log_analytics_solution" "sentinel" {
count = var.enable_sentinel ? 1 : 0
count = var.enable_sentinel ? 1 : 0
solution_name = "SecurityInsights"
location = var.location
resource_group_name = var.rg
workspace_resource_id = var.log_analytics.id
workspace_name = var.log_analytics.name
solution_name = "SecurityInsights"
location = var.location
resource_group_name = var.rg
workspace_resource_id = var.log_analytics.id
workspace_name = var.log_analytics.name
// tags = var.tags
// Tags not implemented in TF for azurerm_log_analytics_solution
// tags = var.tags
// Tags not implemented in TF for azurerm_log_analytics_solution
plan {
product = "OMSGallery/SecurityInsights"
publisher = "Microsoft"
}
}
plan {
product = "OMSGallery/SecurityInsights"
publisher = "Microsoft"
}
}


@ -6,13 +6,13 @@ variable "location" {
}
variable "tags_hub" {
}
variable "tags" {}
variable "log_analytics" {
}
variable "resource_groups_hub" {


@ -1,36 +1,36 @@
## calling the blueprints
module "blueprint_foundations_accounting" {
source = "./blueprint_foundations_accounting/"
source = "./blueprint_foundations_accounting/"
prefix = local.prefix
tags = var.tags
location = var.global_settings.location_map.region1
tags_hub = var.global_settings.tags_hub
resource_groups_hub = var.global_settings.resource_groups_hub
convention = var.global_settings.convention
accounting_settings = var.accounting_settings
prefix = local.prefix
tags = local.tags
location = var.global_settings.location_map.region1
tags_hub = local.tags_hub
resource_groups_hub = var.global_settings.resource_groups_hub
convention = var.global_settings.convention
accounting_settings = var.accounting_settings
}
module "blueprint_foundations_security" {
source = "./blueprint_foundations_security/"
source = "./blueprint_foundations_security/"
tags = var.tags
location = var.global_settings.location_map.region1
tags_hub = var.global_settings.tags_hub
resource_groups_hub = module.blueprint_foundations_accounting.resource_group_operations
log_analytics = module.blueprint_foundations_accounting.log_analytics_workspace
tags = local.tags
location = var.global_settings.location_map.region1
tags_hub = local.tags_hub
resource_groups_hub = module.blueprint_foundations_accounting.resource_group_operations
log_analytics = module.blueprint_foundations_accounting.log_analytics_workspace
security_settings = var.security_settings
security_settings = var.security_settings
}
module "blueprint_foundations_governance" {
source = "./blueprint_foundations_governance/"
source = "./blueprint_foundations_governance/"
tags = var.tags
tags_hub = var.global_settings.tags_hub
location = var.global_settings.location_map.region1
log_analytics = module.blueprint_foundations_accounting.log_analytics_workspace
governance_settings = var.governance_settings
tags = local.tags
tags_hub = local.tags_hub
location = var.global_settings.location_map.region1
log_analytics = module.blueprint_foundations_accounting.log_analytics_workspace
governance_settings = var.governance_settings
}


@ -1,34 +1,31 @@
provider "azurerm" {
version = "~>2.11.0"
features {}
}
provider "azurecaf" {
}
terraform {
backend "azurerm" {
}
backend "azurerm" {
}
}
locals {
landingzone_tag = {
"landingzone" = basename(abspath(path.module))
}
tags = merge(var.tags, local.landingzone_tag)
tags = merge(var.tags, local.landingzone_tag)
}
data "terraform_remote_state" "level0_launchpad" {
backend = "azurerm"
config = {
storage_account_name = var.lowerlevel_storage_account_name
container_name = var.lowerlevel_container_name
key = var.lowerlevel_key
resource_group_name = var.lowerlevel_resource_group_name
storage_account_name = var.lowerlevel_storage_account_name
container_name = var.lowerlevel_container_name
key = var.lowerlevel_key
resource_group_name = var.lowerlevel_resource_group_name
}
}
locals {
prefix = data.terraform_remote_state.level0_launchpad.outputs.prefix
prefix = var.prefix == null ? data.terraform_remote_state.level0_launchpad.outputs.prefix : var.prefix
environment = lookup(data.terraform_remote_state.level0_launchpad.outputs, "environment", "sandpit")
tags_hub = merge({ "environment" = local.environment }, var.global_settings.tags_hub)
}
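Review bot: `tags_hub = merge({ "environment" = local.environment }, var.global_settings.tags_hub)` gives the caller-supplied `tags_hub` the last word, so an `environment` key left in a tfvars file silently overrides the value read from the launchpad state and any tag-based governance would see the wrong environment; if the launchpad is meant to be authoritative, reverse the order, `tags_hub = merge(var.global_settings.tags_hub, { "environment" = local.environment })`, otherwise add a comment stating that the override is intentional. `lookup(data.terraform_remote_state.level0_launchpad.outputs, "environment", "sandpit")` also substitutes a literal environment name when the launchpad exports none, which deserves a comment such as `# launchpads deployed before the environment output existed are treated as sandpit`. The `prefix` line follows the same pattern and could note that a caller-supplied prefix bypasses the launchpad value. The `provider "azurerm"` block at the top of this hunk still carries `version = "~>2.11.0"`, which cannot be satisfied together with the `~>2.16.0` constraint in the new `versions.tf` if both files belong to the same root module; worth confirming.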


@ -1,38 +1,44 @@
output "blueprint_foundations_accounting" {
depends_on = [module.blueprint_foundations_accounting]
depends_on = [module.blueprint_foundations_accounting]
sensitive = true # to hide content from logs
sensitive = true # to hide content from logs
value = module.blueprint_foundations_accounting
description = "Full output of the foundations logging blueprint"
}
output "blueprint_foundations_security" {
depends_on = [module.blueprint_foundations_security]
depends_on = [module.blueprint_foundations_security]
sensitive = true # to hide content from logs
sensitive = true # to hide content from logs
value = module.blueprint_foundations_security
description = "Full output of the foundations logging blueprint"
}
output "blueprint_foundations_governance" {
depends_on = [module.blueprint_foundations_governance]
depends_on = [module.blueprint_foundations_governance]
sensitive = false # to hide content from logs
sensitive = false # to hide content from logs
value = module.blueprint_foundations_governance
description = "Full output of the foundations logging blueprint"
}
output "prefix" {
value = local.prefix
value = local.prefix
description = "prefix from level0"
}
output "environment" {
value = local.environment
description = "environment from level0"
}
# output "tags" {
# value = var.global_settings.tags_hub
# description = "default tags for the objects in foundations blueprint"
# }
output "global_settings" {
value = var.global_settings
value = var.global_settings
description = "global settings of the landing zone"
}
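Review bot: `sensitive = false # to hide content from logs` on `output "blueprint_foundations_governance"` contradicts itself: with `false` the value is printed, so the comment copied from the two sensitive outputs above is misleading. Replace it with a comment stating the actual intent, e.g. `sensitive = false # governance output holds no secrets and is kept visible`, or set it to `true` if this value should be hidden like the accounting and security outputs. The new `output "environment"` could mention in its description that the value may be a default rather than a launchpad export, if it keeps the fallback used in `locals`.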


@ -1,26 +1,31 @@
# Map of the remote data state filled by the rover at runtime
variable "lowerlevel_storage_account_name" {}
variable "lowerlevel_container_name" {}
variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
variable "lowerlevel_resource_group_name" {}
# Set of variables for the CAF foundations landing zone
variable "tags" {
type = map
default = {}
type = map
default = {}
}
variable "global_settings" {
description = "(Required) object describing global settings for landing zone configuration (region, naming convention etc.)"
description = "(Required) object describing global settings for landing zone configuration (region, naming convention etc.)"
}
variable "accounting_settings" {
description = "(Required) object describing accounting settings for landing zone configuration (azure monitor log analytics, storage accounts, etc.)"
description = "(Required) object describing accounting settings for landing zone configuration (azure monitor log analytics, storage accounts, etc.)"
}
variable "security_settings" {
description = "(Required) object describing security settings for landing zone configuration (azure security center standard, azure sentinel enablement.)"
description = "(Required) object describing security settings for landing zone configuration (azure security center standard, azure sentinel enablement.)"
}
variable "governance_settings" {
description = "(Required) object describing governance settings for landing zone configuration (azure policies and azure management groups)"
description = "(Required) object describing governance settings for landing zone configuration (azure policies and azure management groups)"
}
variable prefix {
description = "(Optional) By default CAF Foundation gets the prefix from the launchpad. You can overwride it by setting a value."
default = null
}
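Review bot: `variable prefix {` is the only declaration in this file with an unquoted label; write it `variable "prefix" {` to match the other variables and avoid the unquoted-label form Terraform has deprecated. The description also has a typo: `description = "(Optional) By default CAF Foundation gets the prefix from the launchpad. You can override it by setting a value."`. Since the value feeds resource naming, the description would be more useful if it stated any character or length rules the downstream naming expects, where those are known.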


@ -0,0 +1,17 @@
terraform {
required_providers {
azurecaf = {
# source = "aztfmod/azurecaf"
# source supported only on Terraform > 0.13
# version = "0.4.3"
}
azurerm = {
# source = "hashicorp/azurerm"
version = "~>2.16.0"
}
terraform = {
# source = "hashicorp/terraform"
}
}
}
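Review bot: The `azurecaf` entry leaves that provider unpinned, because `version = "0.4.3"` was commented out together with `source`, yet only `source` needs Terraform 0.13 — a `version` constraint inside `required_providers` is accepted on 0.12. Restoring `version = "0.4.3"` pins the naming provider every resource name in these landing zones passes through, which matters for a provider that is not published by HashiCorp and is otherwise taken from whatever is on disk. The `terraform = { ... }` entry is worth dropping as well: `terraform_remote_state` comes from a built-in provider and, as far as I recall, listing it under `required_providers` with a registry `source` fails on 0.13.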


@ -0,0 +1,172 @@
# Configuration sample for Azure Virtual WAN hub and spoke
virtual_hub_config = {
virtual_wan = {
resource_group_name = "virtualwan"
name = "ContosovWAN"
dns_name = "private.contoso.com"
hubs = {
hub1 = {
hub_name = "SEA-HUB"
region = "southeastasia"
hub_address_prefix = "10.0.3.0/24"
deploy_firewall = true
peerings = {}
firewall_name = "azfwsg"
firewall_resource_groupe_name = "azfwsg"
deploy_p2s = false
p2s_config = {
name = "caf-sea-vpn-p2s"
scale_unit = 2
connection_configuration = {
name = "client-connections"
vpn_client_address_pool = {
address_prefixes = ["192.168.0.0/24"]
}
}
server_config = {
vpn_authentication_types = ["Certificate"]
client_root_certificate = {
name = "DigiCert-Federated-ID-Root-CA"
public_cert_data = <<EOF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=
EOF
}
}
}
deploy_s2s = false
s2s_config = {
name = "caf-sea-vpn-s2s"
scale_unit = 1
}
deploy_er = false
er_config = {
name = "caf-sea-er"
scale_units = 1
}
}
hub2 = {
hub_name = "HK-HUB"
region = "eastasia"
hub_address_prefix = "10.0.4.0/24"
deploy_firewall = true
firewall_name = "azfhk"
firewall_resource_groupe_name = "azfhk"
peerings = {
## this key must match with the key of the virtual network declared in the var.spokes structure
spoke1 = {
# TODO: add support for remote_virtual_network_id = <ID of the virtual network>
# optional if the virtual network has been provisionned outside.
hub_to_vitual_network_traffic_allowed = true
vitual_network_to_hub_gateways_traffic_allowed = true
internet_security_enabled = false
}
}
deploy_p2s = false
p2s_config = {}
deploy_s2s = false
s2s_config = {}
deploy_er = false
er_config = {}
}
}
}
}
spokes = {
spoke1 = {
rg = {
name = "virtualhub-spoke-test"
location = "eastasia"
}
peering_name = "spoke1-hub-hk-link"
network = {
vnet = {
name = "Core-Network"
address_space = ["10.0.10.0/24"]
}
specialsubnets = {}
subnets = {
subnet0 = {
name = "Web_tier"
cidr = ["10.0.10.0/26"]
nsg_name = "Web_tier_nsg"
nsg = [
{
name = "HTTP-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "HTTPS-In",
priority = "101"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
]
}
subnet2 = {
name = "Data_tier"
cidr = ["10.0.10.128/26"]
nsg_name = "Data_tier_nsg"
nsg = [
{
name = "TDS-In",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "1433"
source_address_prefix = "*"
destination_address_prefix = "*"
}
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
}
}
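Review bot: The `TDS-In` rule on the `Data_tier` subnet allows port 1433 over `UDP` from `source_address_prefix = "*"`, which both misses SQL Server's TDS listener (TCP 1433) and exposes the data tier to any source instead of the web tier in front of it. For a sample that will be copied, I would set `protocol = "tcp"` and `source_address_prefix = "10.0.10.0/26"` (the `Web_tier` subnet declared a few lines above) so the data subnet is reachable only from the tier that should talk to it. The `HTTP-In`/`HTTPS-In` rules also take `*` as source, which is plausible for a public web tier but deserves a one-line comment saying it is intentional. Separately, the `client_root_certificate` under `p2s_config` is a sample root named `DigiCert-Federated-ID-Root-CA`; if `deploy_p2s` is flipped to true with that value left in place, every client certificate chaining to that root is accepted by the P2S gateway, so the sample should state that it must be replaced with an organisation-controlled root before use.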


@ -0,0 +1,32 @@
provider "azurerm" {
features {}
}
terraform {
backend "azurerm" {
}
}
locals {
landingzone_tag = {
"landingzone" = basename(abspath(path.module))
}
tags = merge(var.tags, local.landingzone_tag)
}
data "terraform_remote_state" "landingzone_caf_foundations" {
backend = "azurerm"
config = {
storage_account_name = var.lowerlevel_storage_account_name
container_name = var.workspace
key = "landingzone_caf_foundations.tfstate"
resource_group_name = var.lowerlevel_resource_group_name
}
}
locals {
prefix = data.terraform_remote_state.landingzone_caf_foundations.outputs.prefix
caf_foundations_accounting = data.terraform_remote_state.landingzone_caf_foundations.outputs.blueprint_foundations_accounting
caf_foundations_security = data.terraform_remote_state.landingzone_caf_foundations.outputs.blueprint_foundations_security
global_settings = data.terraform_remote_state.landingzone_caf_foundations.outputs.global_settings
}
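Review bot: The `terraform_remote_state` block reads the foundations state from `container_name = var.workspace` with a hard-coded `key = "landingzone_caf_foundations.tfstate"`, while `lowerlevel_container_name` and `lowerlevel_key` are declared as inputs of this landing zone and never read, so the rover-supplied values are silently ignored. Either wire them in (`container_name = var.lowerlevel_container_name`, `key = var.lowerlevel_key`) or remove the unused variables so the interface says what is actually consulted. A comment is also warranted here: this data source pulls the whole lower-level state file, not just the four outputs used in the `locals` below, so the identity running this landing zone needs (and gets) read access to everything in that state, including outputs the foundations marked sensitive.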


@ -0,0 +1,32 @@
output "virtual_wan" {
description = "Output the full Virtual WAN object"
sensitive = false # to hide content from logs
value = azurerm_virtual_wan.vwan
}
output "hub1" {
description = "Output the full object for Virtual Hub 1"
sensitive = false # to hide content from logs
value = module.virtual_hub_region1
}
output "hub2" {
description = "Output the full object for Virtual Hub 2"
sensitive = false # to hide content from logs
value = module.virtual_hub_region2
}
## re-exporting level1 settings (caf_foundations) for level 3 consumption
output "prefix" {
value = local.prefix
}
output "landingzone_caf_foundations_accounting" {
sensitive = true # to hide content from logs
value = local.caf_foundations_accounting
}
output "landingzone_caf_foundations_global_settings" {
sensitive = true # to hide content from logs
value = local.global_settings
}
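Review bot: The comment `# to hide content from logs` on `sensitive = false` for `virtual_wan`, `hub1` and `hub2` says the opposite of what the setting does: with `false` the full objects are printed in plan/apply output, and only the two `sensitive = true` outputs below are redacted. Either switch them to `sensitive = true` like the re-exported foundations settings, or reword the comment to `# full object is printed in plan/apply output; set sensitive = true to redact`. I cannot tell from here whether the gateway objects the hub modules export contain anything secret, but the comment should at least not claim a redaction that does not happen.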


@ -0,0 +1,54 @@
# Introduction to hub and spoke mesh landing zone
Welcome to Azure Terraform hub and spoke topology architecture series.
This landing zone demo is a quick hub and spoke setup in order to setup a hub-spoke architecture for you to use in demo/POC.
**WARNING! This is demo-quality and code should have major refactoring at Terraform 0.13 using iterative structure to make it more reusable.**
For more reference on the Hub and Spoke topology using Azure Virtual WAN, please refer to the [Architecture Center](https://docs.microsoft.com/en-us/azure/virtual-wan)
## Capabilities
This landing zone allows you to easily create a Virtual WAN (Standard SKU) environment as well as flexible structure to onboard new HUB iteratively with its associated features:
- [Azure Firewall](https://docs.microsoft.com/en-us/azure/virtual-wan/howto-firewall)
- [Site to Site Gateway](https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal)
- [Point to Site Gateway](https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-point-to-site-portal)
- [Express Route Gateway](https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-expressroute-portal)
- [Peering Virtual Network to the region hub](https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about)
- [Inter-hub and VNet-to-VNet transiting through the virtual hub](https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-global-transit-network-architecture)
## Prerequisites
This landing zone is a "level 2" type of landing zone, which **requires** you have deployed the foundations. The supported lower level landing zone is **landingzone_caf_foundations** which can be found in the same release and must have been applied successfully **before** applying this one.
## Overall architecture
The following diagram shows the environment we are deploying for this POC:
![Overall hub spoke demo diagram](../../_pictures/hub_spoke/virtual_wan_lz.png)
## Getting Started
To deploy a landing zone, use the execution environnement as described at the root of the landing zone repository.
## Deploying this landing zone
```
rover /tf/caf/landingzones/landingzone_hub_mesh plan
```
Review the configuration and if you are ok with it, deploy it by running:
```
rover /tf/caf/landingzones/landingzone_hub_mesh apply
```
Have fun playing with the landing zone an once you are done, you can simply delete the deployment using:
```
rover /tf/caf/landingzones/landingzone_hub_mesh destroy
```
More details about this landing zone can also be found in the landing zone folder and its blueprints subfolders.
## Contribute
Pull requests are welcome to evolve the framework and integrate new features.


@ -0,0 +1,46 @@
## Create the RG for the spoke
resource "azurecaf_naming_convention" "rg_virtualwan_spoke" {
name = var.spokes.spoke1.rg.name
prefix = local.prefix != "" ? local.prefix : null
resource_type = "azurerm_resource_group"
convention = local.global_settings.convention
max_length = 25
}
resource "azurerm_resource_group" "rg_virtualwan_spoke" {
name = azurecaf_naming_convention.rg_virtualwan_spoke.result
location = var.spokes.spoke1.rg.location
tags = local.tags
}
## Create a spoke VNET
module "virtual_network" {
# source = "github.com/aztfmod/terraform-azurerm-caf-virtual-network?ref=vnext"
source = "aztfmod/caf-virtual-network/azurerm"
version = "3.0.0"
convention = local.global_settings.convention
resource_group_name = azurerm_resource_group.rg_virtualwan_spoke.name
prefix = local.prefix
location = local.global_settings.location_map.region1
networking_object = var.spokes.spoke1.network
tags = local.tags
diagnostics_map = local.caf_foundations_accounting.diagnostics_map
log_analytics_workspace = local.caf_foundations_accounting.log_analytics_workspace
diagnostics_settings = var.spokes.spoke1.network.diagnostics
max_length = 25
}
# TODO TF13: iterate on hubs and spokes
# Create the peering between spoke vnet and hub
# resource "azurerm_virtual_hub_connection" "hub_to_spoke" {
# name = var.spokes.spoke1.peering_name
# virtual_hub_id = module.virtual_hub_region2.id
# remote_virtual_network_id = module.virtual_network.vnet.vnet_id
# hub_to_vitual_network_traffic_allowed = var.virtual_hub_config.virtual_wan.hubs.hub2.peerings.spoke1.hub_to_vitual_network_traffic_allowed
# vitual_network_to_hub_gateways_traffic_allowed = var.virtual_hub_config.virtual_wan.hubs.hub2.peerings.spoke1.vitual_network_to_hub_gateways_traffic_allowed
# # optional fields:
# internet_security_enabled = lookup(var.virtual_hub_config.virtual_wan.hubs.hub2.peerings.spoke1,"internet_security_enabled", null)
# }
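Review bot: `module "virtual_network"` places the spoke VNet in `local.global_settings.location_map.region1` while its resource group `rg_virtualwan_spoke` is created in `var.spokes.spoke1.rg.location` (eastasia in the sample), so the two can land in different regions; `location = azurerm_resource_group.rg_virtualwan_spoke.location` keeps them aligned. With the `azurerm_virtual_hub_connection` left commented out, the spoke is not attached to any hub, so the `internet_security_enabled` and hub-firewall settings in the sample have no effect on this VNet yet — a comment such as `# spoke is NOT connected to the hub until the connection below is enabled; hub firewall does not cover it` would stop a reader from assuming otherwise. Pinning the registry module to an exact `version = "3.0.0"` is the right call.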


@ -0,0 +1,40 @@
# Map of the remote data state for lower level
variable "lowerlevel_storage_account_name" {}
variable "lowerlevel_container_name" {}
variable "lowerlevel_key" {} # Keeping the key for the lower level0 access
variable "lowerlevel_resource_group_name" {}
variable "workspace" {}
variable "tags" {
type = map
default = {}
}
variable "virtual_hub_config" {
description = "(Required) Configuration object for the hub"
}
variable "spokes" {
description = "(Optional) Set of configuration objects for spoke virtual networks"
# default = {
# spoke1 = { "test"
# rg = {
# name = "test"
# location = "southeastasia"
# }
# peering_name = "test"
# network = {}
# }
# }
# type = list(object({
# rg = object(
# {name = string
# location = string}
# )
# peering_name = string
# network = object # networking object as defined in the Virtual Network module
# })
# )
}
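Review bot: The commented-out `type` for `spokes` describes a `list(object(...))`, but every consumer indexes it as a map (`var.spokes.spoke1...`) and the commented default is a map, so enabling that type as written would reject the sample configuration. If the type is revived it should read `type = map(object({ rg = object({ name = string, location = string }), peering_name = string, network = any }))`. `lowerlevel_container_name` and `lowerlevel_key` are declared here but, in the visible files, nothing reads them; they look like leftovers from the foundations variable set.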


@ -0,0 +1,17 @@
terraform {
required_providers {
azurecaf = {
# source = "aztfmod/azurecaf"
# source supported only on Terraform >= 0.13, should raise a warning on TF 0.12
#version = "0.4.3"
}
azurerm = {
# source = "hashicorp/azurerm"
version = "~>2.15.0"
}
terraform = {
#source = "hashicorp/terraform"
}
}
}
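Review bot: This root module pins `azurerm` to `~>2.15.0` while the foundations `versions.tf` in the same commit pins `~>2.16.0` and the hub child module leaves its constraint commented out, so the three files do not agree on which provider series they were tested against; I would align them on a single constraint. As in the foundations file, `version = "0.4.3"` for `azurecaf` can be uncommented on 0.12 (only `source` needs 0.13), which pins the third-party naming provider instead of taking whatever is installed locally.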


@ -0,0 +1,58 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vwan_id": {
"type": "string",
"metadata": {
"displayName": "ID of the virtual WAN object",
"description": "ID of the virtual WAN object"
}
},
"name": {
"type": "string",
"metadata": {
"displayName": "Name of the Azure Firewall",
"description": "Name of the Azure Firewall"
}
},
"location": {
"type": "string",
"metadata": {
"displayName": "Location of the Azure Firewall",
"description": "Location of the Azure Firewall"
}
},
"Tier": {
"type": "string",
"metadata": {
"displayName": "Tier of the Azure Firewall",
"description": "Tier of the Azure Firewall"
}
}
},
"variables": {},
"resources": [
{
"apiVersion": "2019-09-01",
"type": "Microsoft.Network/azureFirewalls",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"virtualHub": {
"id": "[parameters('vwan_id')]"
},
"sku": {
"Name": "AZFW_Hub",
"Tier": "Standard"
}
}
}
],
"outputs": {
"resourceID": {
"type": "string",
"value": "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]"
}
}
}
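Review bot: The `Tier` parameter is declared (and passed in from Terraform) but never referenced — `sku.Tier` is hard-coded to `"Standard"` — so the template should use `"Tier": "[parameters('Tier')]"` or drop the parameter. More importantly, the firewall is created with no `firewallPolicy` reference and, in the visible Terraform, no diagnostic settings, so the hub firewall comes up with no rules and no logging; as far as I recall an Azure Firewall without a policy or rule collections denies everything through it, which is fail-safe but probably not what the sample's "secured hub" intends. A `metadata.description` on the template, or a comment on the Terraform side, should state where the policy and diagnostics are expected to be attached.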


@ -0,0 +1,41 @@
# While the Azure Firewall object is using ARM template snippet, we store each object in a different RG to simplify lifecycles
resource "azurecaf_naming_convention" "rg_virtualhub_fw" {
count = var.virtual_hub_config.deploy_firewall ? 1 : 0
name = var.virtual_hub_config.firewall_resource_groupe_name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_resource_group"
convention = var.global_settings.convention
}
resource "azurerm_resource_group" "rg_virtualhub_fw" {
depends_on = [azurerm_virtual_hub.vwan_hub] #adding explicit dependency for destroy time since we use ARM template.
count = var.virtual_hub_config.deploy_firewall ? 1 : 0
name = azurecaf_naming_convention.rg_virtualhub_fw.0.result
location = var.global_settings.location_map.region1
tags = local.tags
}
resource "azurecaf_naming_convention" "virtualhub_fw" {
count = var.virtual_hub_config.deploy_firewall ? 1 : 0
name = var.virtual_hub_config.firewall_name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_virtual_network"
convention = var.global_settings.convention
}
# As per https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-09-01/azurefirewalls
resource "azurerm_template_deployment" "arm_template_vhub_firewall" {
count = var.virtual_hub_config.deploy_firewall ? 1 : 0
name = var.virtual_hub_config.firewall_name
resource_group_name = azurerm_resource_group.rg_virtualhub_fw.0.name
template_body = file("${path.module}/arm_template_vhub_firewall.json")
parameters = {
"vwan_id" = azurerm_virtual_hub.vwan_hub.id,
"name" = var.virtual_hub_config.firewall_name,
"location" = var.location,
"Tier" = "Standard",
}
deployment_mode = "Incremental"
}
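Review bot: `azurecaf_naming_convention.virtualhub_fw` is created but its `.result` is never used — both the `azurerm_template_deployment` name and the `"name"` parameter take `var.virtual_hub_config.firewall_name` raw, so the firewall bypasses the prefix/convention every other resource follows and the naming resource is dead state. Use `name = azurecaf_naming_convention.virtualhub_fw.0.result` in both places, or delete the naming resource. The firewall resource group is also placed in `var.global_settings.location_map.region1` while the firewall itself goes to `var.location`, so for a hub outside region1 the RG and the firewall sit in different regions; `location = var.location` keeps the lifecycle in one place. `"Tier" = "Standard"` is passed but, in the visible template, not consumed, so the parameter does not actually control the SKU.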


@ -0,0 +1,17 @@
## create the ER Gateway
resource "azurerm_express_route_gateway" "er_gateway" {
depends_on = [azurerm_virtual_hub.vwan_hub]
count = var.virtual_hub_config.deploy_er ? 1 : 0
name = azurecaf_naming_convention.er_gateway.0.result
location = var.location
resource_group_name = var.resource_group_name
tags = local.tags
virtual_hub_id = azurerm_virtual_hub.vwan_hub.id
scale_units = var.virtual_hub_config.er_config.scale_units
timeouts {
create = "60m"
delete = "120m"
}
}


@ -0,0 +1,31 @@
terraform {
backend "azurerm" {
}
}
data "azurerm_subscription" "current" {
}
locals {
blueprint_tag = {
"blueprint" = basename(abspath(path.module))
}
tags = merge(var.global_settings.tags_hub, local.blueprint_tag)
}
terraform {
required_providers {
azurecaf = {
# source = "aztfmod/azurecaf"
# source supported only on Terraform >= 0.13, should raise a warning on TF 0.12
# version = "0.4.3"
}
azurerm = {
#source = "hashicorp/azurerm"
#version = "~>2.14.0"
}
terraform = {
#source = "hashicorp/terraform"
}
}
}
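Review bot: `local.tags` merges only `var.global_settings.tags_hub` with the blueprint tag, so the `tags` input the root module passes to each hub (including its landingzone tag) is dropped on every hub, gateway and firewall resource group created by this module; `tags = merge(var.tags, var.global_settings.tags_hub, local.blueprint_tag)` would keep them. The empty `backend "azurerm" {}` block is not what selects the state here — the backend is configured by the root module — and `data "azurerm_subscription" "current"` is not referenced by any visible file, so both look like leftovers that should be removed or commented as intentional.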


@ -0,0 +1,35 @@
output "id" {
description = "Resource ID of the Virtual Hub"
value = azurerm_virtual_hub.vwan_hub.id
}
output "object" {
description = "Full Virtual Hub Object"
value = azurerm_virtual_hub.vwan_hub
}
output "name" {
description = "Name of the Virtual Hub"
value = azurerm_virtual_hub.vwan_hub.name
}
output "firewall_id" {
description = "Resource ID of the Azure Firewall for Virtual Hub"
value = var.virtual_hub_config.deploy_firewall ? azurerm_template_deployment.arm_template_vhub_firewall.*.outputs.resourceID : null
}
# output virtual network gateway objects: p2s, s2s, er objects
output "er_gateway" {
description = "Full Object for Virtual Network Gateway - Express Route"
value = var.virtual_hub_config.deploy_er ? azurerm_express_route_gateway.er_gateway.0 : null
}
output "s2s_gateway" {
description = "Full Object for Virtual Network Gateway - Site 2 Site"
value = var.virtual_hub_config.deploy_s2s ? azurerm_vpn_gateway.s2s_gateway.0 : null
}
output "p2s_gateway" {
description = "Full Object for Virtual Network Gateway - Point to Site"
value = var.virtual_hub_config.deploy_p2s ? azurerm_point_to_site_vpn_gateway.p2s_gateway.0 : null
}
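Review bot: `firewall_id` uses the splat `azurerm_template_deployment.arm_template_vhub_firewall.*.outputs.resourceID`, which yields a one-element list, while every other conditional output in this file returns `.0` — a caller reading `module.virtual_hub_region1.firewall_id` as a string gets a list instead. Use `azurerm_template_deployment.arm_template_vhub_firewall.0.outputs.resourceID` for consistency with `er_gateway`, `s2s_gateway` and `p2s_gateway`.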


@ -0,0 +1,57 @@
## create the VPN P2S if var.vwan.p2s_gateway is set to true
resource "azurerm_point_to_site_vpn_gateway" "p2s_gateway" {
depends_on = [azurerm_virtual_hub.vwan_hub, azurerm_vpn_server_configuration.p2s_configuration]
count = var.virtual_hub_config.deploy_p2s ? 1 : 0
name = azurecaf_naming_convention.p2s_gateway.0.result
location = var.location
resource_group_name = var.resource_group_name
tags = local.tags
virtual_hub_id = azurerm_virtual_hub.vwan_hub.id
vpn_server_configuration_id = azurerm_vpn_server_configuration.p2s_configuration[0].id
scale_unit = var.virtual_hub_config.p2s_config.scale_unit
dynamic "connection_configuration" {
for_each = lookup(var.virtual_hub_config.p2s_config, "connection_configuration", {}) != {} ? [1] : []
content {
name = var.virtual_hub_config.p2s_config.connection_configuration.name
dynamic "vpn_client_address_pool" {
for_each = var.virtual_hub_config.p2s_config.connection_configuration.vpn_client_address_pool
content {
address_prefixes = var.virtual_hub_config.p2s_config.connection_configuration.vpn_client_address_pool.address_prefixes
}
}
}
}
timeouts {
create = "60m"
delete = "120m"
}
}
# ## creates the VPN P2S server configuration, this is required for P2S site.
# ## TBD: https://www.terraform.io/docs/providers/azurerm/r/vpn_server_configuration.html
resource "azurerm_vpn_server_configuration" "p2s_configuration" {
depends_on = [azurerm_virtual_hub.vwan_hub]
count = var.virtual_hub_config.deploy_p2s ? 1 : 0
name = azurecaf_naming_convention.p2s_gateway.0.result
resource_group_name = var.resource_group_name
location = var.location
tags = local.tags
vpn_authentication_types = var.virtual_hub_config.p2s_config.server_config.vpn_authentication_types
client_root_certificate {
name = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.name
public_cert_data = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.public_cert_data
}
}
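Review bot: `azurerm_vpn_server_configuration.p2s_configuration` accepts a `client_root_certificate` but exposes no way to revoke a client certificate, so a lost or leaked client cert stays valid until the root itself is rotated; the provider supports a `client_revoked_certificate { name, thumbprint }` block, and a `dynamic` block driven by an optional `client_revoked_certificates` list in `server_config` would let operators revoke without a redeploy (sketched below). The `dynamic "vpn_client_address_pool"` loop is also fragile: its `for_each` iterates the keys of the `vpn_client_address_pool` map (currently just `address_prefixes`), so exactly one block is emitted by coincidence and a second key would produce a duplicate; `for_each = [var.virtual_hub_config.p2s_config.connection_configuration.vpn_client_address_pool]` states the intent. The `depends_on` entries repeat dependencies already expressed by the `virtual_hub_id` and `vpn_server_configuration_id` references.

```hcl
resource "azurerm_vpn_server_configuration" "p2s_configuration" {
  # … unchanged: count, name, resource_group_name, location, tags, vpn_authentication_types, client_root_certificate …
  dynamic "client_revoked_certificate" {
    for_each = lookup(var.virtual_hub_config.p2s_config.server_config, "client_revoked_certificates", [])
    content {
      name       = client_revoked_certificate.value.name
      thumbprint = client_revoked_certificate.value.thumbprint
    }
  }
}
```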


@ -0,0 +1,27 @@
## create the VPN S2S if var.vwan.s2s_gateway is set to true
resource "azurerm_vpn_gateway" "s2s_gateway" {
depends_on = [azurerm_virtual_hub.vwan_hub]
count = var.virtual_hub_config.deploy_s2s ? 1 : 0
name = azurecaf_naming_convention.s2s_gateway.0.result
location = var.location
resource_group_name = var.resource_group_name
tags = local.tags
virtual_hub_id = azurerm_virtual_hub.vwan_hub.id
scale_unit = var.virtual_hub_config.s2s_config.scale_unit
dynamic "bgp_settings" {
for_each = lookup(var.virtual_hub_config.s2s_config, "bgp_settings", {}) != {} ? [1] : []
content {
asn = var.virtual_hub_config.s2s_config.bgp_settings.asn
peer_weight = var.virtual_hub_config.s2s_config.bgp_settings.peer_weight
}
}
timeouts {
create = "60m"
delete = "120m"
}
}


@ -0,0 +1,43 @@
variable "prefix" {
description = "(Optional) Prefix to uniquely identify the deployment"
type = string
}
variable "global_settings" {
description = "global settings"
}
variable "caf_foundations_accounting" {
description = "caf_foundations_accounting"
}
variable "virtual_hub_config" {
description = "core_networking"
}
variable "location" {
description = "(Required) Location where to create the hub resources"
type = string
}
variable "resource_group_name" {
description = "(Required) Name of the resource group to create the hub resources"
type = string
}
variable "firewall_resource_groupe_name" {
description = "(Required) Name of the resource group for Azure Firewall"
type = string
}
variable "vwan_id" {
description = "(Required) Resource ID for the Virtual WAN object"
type = string
}
variable "tags" {
type = map
default = {}
}
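Review bot: Three of this module's inputs are declared but not read by any visible module file: `caf_foundations_accounting`, `firewall_resource_groupe_name` (the firewall RG name is taken from `var.virtual_hub_config.firewall_resource_groupe_name` instead) and `tags` (the module builds its tags from `var.global_settings.tags_hub`). Dead inputs make callers believe they control something they do not; either consume them or remove them from the interface. `virtual_hub_config` also deserves a real description — `"core_networking"` reads like a copy-paste, e.g. `description = "(Required) Configuration object for one virtual hub (name, region, address prefix, firewall and gateway switches)"`.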


@ -0,0 +1,50 @@
## naming conventions
resource "azurecaf_naming_convention" "vwan_hub" {
name = var.virtual_hub_config.hub_name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_virtual_network"
convention = var.global_settings.convention
max_length = 20
}
resource "azurecaf_naming_convention" "s2s_gateway" {
count = var.virtual_hub_config.deploy_s2s ? 1 : 0
name = lookup(var.virtual_hub_config.s2s_config, "name", null)
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_virtual_network"
convention = var.global_settings.convention
}
resource "azurecaf_naming_convention" "p2s_gateway" {
count = var.virtual_hub_config.deploy_p2s ? 1 : 0
name = lookup(var.virtual_hub_config.p2s_config, "name", null)
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_virtual_network"
convention = var.global_settings.convention
}
resource "azurecaf_naming_convention" "er_gateway" {
count = var.virtual_hub_config.deploy_er ? 1 : 0
name = lookup(var.virtual_hub_config.er_config, "name", null)
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_virtual_network"
convention = var.global_settings.convention
}
## creates a virtual hub in the region
resource "azurerm_virtual_hub" "vwan_hub" {
name = azurecaf_naming_convention.vwan_hub.result
resource_group_name = var.resource_group_name
location = var.location
virtual_wan_id = var.vwan_id
address_prefix = var.virtual_hub_config.hub_address_prefix
tags = local.tags
timeouts {
create = "60m"
delete = "180m"
}
}
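Review bot: All four `azurecaf_naming_convention` resources in this file use `resource_type = "azurerm_virtual_network"` for a virtual hub and three gateways, so VNet naming rules are applied to resources of other types, and only the hub gets `max_length = 20`. A comment such as `# no azurecaf resource_type exists for virtual hubs/gateways; VNet rules are used as a stand-in` would make this read as deliberate rather than as a mistake — the vwan.tf in the same commit already carries a similar remark.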


@ -0,0 +1,34 @@
## TODO TF13: loop iterate on the module
## create a virtual hub with settings for a region
module "virtual_hub_region1" {
source = "./virtual_hub"
global_settings = local.global_settings
prefix = local.prefix
caf_foundations_accounting = local.caf_foundations_accounting
location = var.virtual_hub_config.virtual_wan.hubs.hub1.region
virtual_hub_config = var.virtual_hub_config.virtual_wan.hubs.hub1
resource_group_name = azurerm_resource_group.rg_virtualwan.name
firewall_resource_groupe_name = var.virtual_hub_config.virtual_wan.hubs.hub1.firewall_resource_groupe_name
vwan_id = azurerm_virtual_wan.vwan.id
tags = local.tags
}
module "virtual_hub_region2" {
source = "./virtual_hub"
global_settings = local.global_settings
prefix = local.prefix
caf_foundations_accounting = local.caf_foundations_accounting
location = var.virtual_hub_config.virtual_wan.hubs.hub2.region
virtual_hub_config = var.virtual_hub_config.virtual_wan.hubs.hub2
resource_group_name = azurerm_resource_group.rg_virtualwan.name
firewall_resource_groupe_name = var.virtual_hub_config.virtual_wan.hubs.hub2.firewall_resource_groupe_name
vwan_id = azurerm_virtual_wan.vwan.id
tags = local.tags
}


@ -0,0 +1,44 @@
##create the RG for the virtual WAN
resource "azurecaf_naming_convention" "rg_virtualwan" {
name = var.virtual_hub_config.virtual_wan.resource_group_name
prefix = local.prefix != "" ? local.prefix : null
resource_type = "azurerm_resource_group"
convention = local.global_settings.convention
max_length = 25
}
resource "azurecaf_naming_convention" "virtualwan" {
name = var.virtual_hub_config.virtual_wan.name
prefix = local.prefix != "" ? local.prefix : null
resource_type = "azurerm_virtual_network"
# need to create a naming convention method for it
convention = local.global_settings.convention
max_length = 25
}
resource "azurerm_resource_group" "rg_virtualwan" {
name = azurecaf_naming_convention.rg_virtualwan.result
location = local.global_settings.location_map.region1
tags = local.tags
}
## Create the global private DNS zone
resource "azurerm_dns_zone" "connectivity_dns" {
name = var.virtual_hub_config.virtual_wan.dns_name
resource_group_name = azurerm_resource_group.rg_virtualwan.name
tags = local.tags
}
## Create the global virtual WAN
resource "azurerm_virtual_wan" "vwan" {
name = azurecaf_naming_convention.virtualwan.result
resource_group_name = azurerm_resource_group.rg_virtualwan.name
location = local.global_settings.location_map.region1
tags = local.tags
type = lookup(var.virtual_hub_config.virtual_wan, "type", null)
disable_vpn_encryption = lookup(var.virtual_hub_config.virtual_wan, "disable_vpn_encryption", null)
allow_branch_to_branch_traffic = lookup(var.virtual_hub_config.virtual_wan, "allow_branch_to_branch_traffic", null)
allow_vnet_to_vnet_traffic = lookup(var.virtual_hub_config.virtual_wan, "allow_vnet_to_vnet_traffic", null)
office365_local_breakout_category = lookup(var.virtual_hub_config.virtual_wan, "office365_local_breakout_category", null)
}
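Review bot: `azurerm_dns_zone.connectivity_dns` creates a public DNS zone, although the comment above it says "Create the global private DNS zone" and the sample name is `private.contoso.com`; a public zone for an internal name publishes the zone, and whatever records later land in it, to the Internet rather than to the Virtual WAN. If a private zone is intended, use `resource "azurerm_private_dns_zone" "connectivity_dns"` with the same `name`, `resource_group_name` and `tags` arguments and link it to the spoke VNets; if a public zone really is wanted, the comment should say so. `disable_vpn_encryption` is also passed straight through from the configuration with a `null` default, so a single tfvars key set to `true` turns off encryption for VPN traffic on the whole WAN — worth a comment, e.g. `# disable_vpn_encryption = true removes encryption for all VPN connections on this WAN; leave unset unless you know why`.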


@ -1,281 +1,450 @@
# Configuration sample for a hub and spoke environment
# definition of variables for the virtual network
rg_network = {
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
CORE-NET = {
name = "network-core"
}
TRANSIT-NET = {
name = "network-transit"
}
EDGE-NET = {
name = "network-edge"
}
}
# settings for the core network blueprint
core_networking = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = "10.0.4.0/24"
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = "10.0.255.224/27"
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = "10.0.1.0/24"
nsg_inbound = [
# {"Name", "Priority", "Direction", "Action", "Protocol", "source_port_range", "destination_port_range", "source_address_prefix", "destination_address_prefix" },
["W32Time", "100", "Inbound", "Allow", "udp", "*", "123", "*", "*"],
["RPC-Endpoint-Mapper", "101", "Inbound", "Allow", "tcp", "*", "135", "*", "*"],
["Kerberos-password-change", "102", "Inbound", "Allow", "*", "*", "464", "*", "*"],
["RPC-Dynamic-range", "103", "Inbound", "Allow", "tcp", "*", "49152-65535", "*", "*"],
["LDAP", "104", "Inbound", "Allow", "*", "*", "389", "*", "*"],
["LDAP-SSL", "105", "Inbound", "Allow", "tcp", "*", "636", "*", "*"],
["LDAP-GC", "106", "Inbound", "Allow", "tcp", "*", "3268", "*", "*"],
["LDAP-GC-SSL", "107", "Inbound", "Allow", "tcp", "*", "3269", "*", "*"],
["DNS", "108", "Inbound", "Allow", "*", "*", "53", "*", "*"],
["Kerberos", "109", "Inbound", "Allow", "*", "*", "88", "*", "*"],
["SMB", "110", "Inbound", "Allow", "tcp", "*", "445", "*", "*"],
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = "10.0.0.128/25"
nsg_inbound = [
["bastion-in-allow", "100", "Inbound", "Allow", "tcp", "*", "443", "*", "*"],
["bastion-control-in-allow-443", "120", "Inbound", "Allow", "tcp", "*", "443", "GatewayManager", "*"],
["bastion-control-in-allow-4443", "121", "Inbound", "Allow", "tcp", "*", "4443", "GatewayManager", "*"],
]
nsg_outbound = [
["bastion-vnet-out-allow-22", "100", "Outbound", "Allow", "tcp", "*", "22", "*", "VirtualNetwork"],
["bastion-vnet-out-allow-3389", "101", "Outbound", "Allow", "tcp", "*", "3389", "*", "VirtualNetwork"],
["bastion-azure-out-allow", "120", "Outbound", "Allow", "tcp", "*", "443", "*", "AzureCloud"],
]
}
}
diagnostics = {
shared_services_vnet = {
vnet = {
name = "Core-Network"
address_space = ["10.0.0.0/8"]
}
specialsubnets = {
AzureFirewallSubnet = {
name = "AzureFirewallSubnet" #Must be called AzureFirewallSubnet
cidr = ["10.0.4.0/24"]
}
GatewaySubnet = {
name = "GatewaySubnet" #Must be called GateWaySubnet in order to host a Virtual Network Gateway
cidr = ["10.0.255.224/27"]
}
}
subnets = {
subnet0 = {
name = "Active_Directory"
cidr = ["10.0.1.0/24"]
nsg_name = "Active_Directory_nsg"
nsg = [
{
name = "W32Time",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "123"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "RPC-Endpoint-Mapper",
priority = "101"
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "135"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "Kerberos-password-change",
priority = "102"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "464"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "RPC-Dynamic-range",
priority = "103"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "49152-65535"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP",
priority = "104"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "389"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-SSL",
priority = "105"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "636"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-GC",
priority = "106"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3268"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "LDAP-GC-SSL",
priority = "107"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3269"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "DNS",
priority = "108"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "53"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "Kerberos",
priority = "109"
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "88"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "SMB",
priority = "110"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "445"
source_address_prefix = "*"
destination_address_prefix = "*"
}
]
}
subnet1 = {
name = "AzureBastionSubnet" #Must be called AzureBastionSubnet
cidr = ["10.0.0.128/25"]
nsg_name = "AzureBastionSubnet_nsg"
nsg = [
{
name = "bastion-in-allow",
priority = "100"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
},
{
name = "bastion-control-in-allow-443",
priority = "120"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "135"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "Kerberos-password-change",
priority = "121"
direction = "Inbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "4443"
source_address_prefix = "GatewayManager"
destination_address_prefix = "*"
},
{
name = "bastion-vnet-out-allow-22",
priority = "103"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-vnet-out-allow-3389",
priority = "101"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "3389"
source_address_prefix = "*"
destination_address_prefix = "VirtualNetwork"
},
{
name = "bastion-azure-out-allow",
priority = "120"
direction = "Outbound"
access = "Allow"
protocol = "tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "AzureCloud"
}
]
}
}
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
netwatcher = {
create = true
#create the network watcher for a subscription and for the location of the vnet
name = "arnaud-nw-test"
#name of the network watcher to be created
flow_logs_settings = {
enabled = true
retention = true
period = 7
}
traffic_analytics_settings = {
enabled = true
}
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = false
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["VMProtectionAlerts", true, true, 60],
]
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
netwatcher = {
create = true
#create the network watcher for a subscription and for the location of the vnet
name = "arnaud-nw-test"
#name of the network watcher to be created
flow_logs_settings = {
enabled = true
retention = true
period = 7
}
traffic_analytics_settings = {
enabled = true
}
}
}
# Settings for the public IP address to be used for Azure Firewall
# Must be standard and static for
firewall_ip_addr_config = {
ip_name = "firewall"
allocation_method = "Static"
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
["AllMetrics", true, true, 30],
]
}
}
}
# Settings for the Azure Firewall settings
az_fw_config = {
name = "azfw"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AzureFirewallApplicationRule", true, true, 30],
["AzureFirewallNetworkRule", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
# Settings for the UDR object
udr_web_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "0.0.0.0/0"
route_name = "web_to_az_firewall"
subnet_to_udr = "Web_tier"
nexthop_ip = ""
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
udr_transit_to_az_firewall = {
nexthop_type = "VirtualAppliance"
prefix = "10.0.1.0/24"
route_name = "transit_to_az_firewall"
subnet_to_udr = "GatewaySubnet"
nexthop_ip = ""
}
## DDoS standard configuration
enable_ddos_standard = false
ddos_name = "ddos_protection_plan"
## settings for Azure bastion configuration
## not enabled, uncomment the code in the networking shared services blueprint.
enable_bastion = false
bastion_ip_addr_config = {
ip_name = "bastion"
ip_addr = {
allocation_method = "Static"
#Dynamic Public IP Addresses aren't allocated until they're assigned to a resource (such as a Virtual Machine or a Load Balancer) by design within Azure
#properties below are optional
sku = "Standard" #defaults to Basic
ip_version = "IPv4" #defaults to IP4, Only dynamic for IPv6, Supported arguments are IPv4 or IPv6, NOT Both
#dns_prefix = "arnaudmytest"
#timeout = 15 #TCP timeout for idle connections. The value can be set between 4 and 30 minutes.
#zones = [1] #1 zone number, IP address must be standard, ZoneRedundant argument is not supported in provider at time of writing
#reverse_fqdn = ""
#public_ip_prefix_id = "/subscriptions/00000000-00000-0000-0000-000000000000/resourceGroups/uqvh-hub-ingress-net/providers/Microsoft.Network/publicIPPrefixes/myprefix"
#refer to the prefix and check sku types are same in IP and prefix
}
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
bastion_config = {
name = "azurebastion"
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["BastionAuditLogs", true, true, 30],
]
metric = [
# ["AllMetrics", true, true, 30],
]
}
}
# Settings for the Virtual Network gateway to be created
provision_gateway = false
gateway_config = {
gateway_type = "VPN"
# Possible values are "VPN" or "ExpressRoute"
vpn_gateway_name = "vpngateway"
active_active = false
#An active-active gateway requires a HighPerformance or an UltraPerformance sku. If false, an active-standby gateway will be created. Defaults to false.
enable_bgp = false
#If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.
vpn_gateway_sku = "Basic"
#Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, and VpnGw3AZ
#and depend on the gateway_type (ER or VPN) and vpn_type arguments, ie: PolicyBased gateway only supports the Basic sku.
vpn_gateway_type = "RouteBased"
#The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["GatewayDiagnosticLog", true, true, 30],
["TunnelDiagnosticLog", true, true, 30],
["RouteDiagnosticLog", true, true, 30],
["IKEDiagnosticLog", true, true, 30],
["P2SDiagnosticLog", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
pip = {
name = "vpn"
allocation_method = "Dynamic"
sku = "Basic"
#For basic SKU, you can pick the zone to be deployed - if you want multi zone - pick Standard IP and pick AZ aware VPN gateway SKU
#dns_prefix = "arnaudvpn"
#zones = ["1"]
diagnostics = {
log = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["DDoSProtectionNotifications", true, true, 30],
["DDoSMitigationFlowLogs", true, true, 30],
["DDoSMitigationReports", true, true, 30],
]
metric = [
["AllMetrics", true, true, 30],
]
}
}
}
#Settings for the connection to be established
#Settings for the local network connection
connection_name = "onpremconnection"
remote_network_connect = true
remote_network = {
gateway_name = "caf_local_network"
gateway_ip = "1.2.3.4"
gateway_adress_space = ["1.0.0.0/8"]
bgp_settings = {
# asn =
# bgp_peering_address =
# peer_weight =
}
}
##Settings for the Azure Key Vault
akv_config = {
name = "vpn-akv"
akv_features = {
enabled_for_disk_encryption = true
enabled_for_deployment = true
enabled_for_template_deployment = true
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
sku_name = "standard"
diagnostics = {
log = [
# ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AuditEvent", true, true, 60],
]
metric = [
#["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
["AllMetrics", true, true, 60],
]
}
}
}


@ -1,12 +1,12 @@
module "hub_network" {
source = "./hub_network"
tags = var.tags
global_settings = local.global_settings
prefix = local.prefix
location = local.global_settings.location_map["region1"]
caf_foundations_accounting = local.caf_foundations_accounting
core_networking = var.core_networking
rg_network = var.rg_network
logged_user_objectId = var.logged_user_objectId
source = "./hub_network"
tags = local.tags
global_settings = local.global_settings
prefix = local.prefix
location = local.global_settings.location_map["region1"]
caf_foundations_accounting = local.caf_foundations_accounting
core_networking = var.core_networking
rg_network = var.rg_network
logged_user_objectId = var.logged_user_objectId
}


@ -1,58 +1,58 @@
resource "azurecaf_naming_convention" "rg_network_name" {
name = var.rg_network.CORE-NET.name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_resource_group"
convention = var.global_settings.convention
resource "azurecaf_naming_convention" "rg_network_name" {
name = var.rg_network.CORE-NET.name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_resource_group"
convention = var.global_settings.convention
}
resource "azurecaf_naming_convention" "rg_transit_name" {
name = var.rg_network.TRANSIT-NET.name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_resource_group"
convention = var.global_settings.convention
resource "azurecaf_naming_convention" "rg_transit_name" {
name = var.rg_network.TRANSIT-NET.name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_resource_group"
convention = var.global_settings.convention
}
resource "azurecaf_naming_convention" "rg_edge_name" {
name = var.rg_network.EDGE-NET.name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_resource_group"
convention = var.global_settings.convention
resource "azurecaf_naming_convention" "rg_edge_name" {
name = var.rg_network.EDGE-NET.name
prefix = var.prefix != "" ? var.prefix : null
resource_type = "azurerm_resource_group"
convention = var.global_settings.convention
}
resource "azurerm_resource_group" "rg_network" {
name = azurecaf_naming_convention.rg_network_name.result
location = var.global_settings.location_map.region1
tags = var.global_settings.tags_hub
tags = local.tags
}
resource "azurerm_resource_group" "rg_transit" {
name = azurecaf_naming_convention.rg_transit_name.result
location = var.global_settings.location_map.region1
tags = var.global_settings.tags_hub
tags = local.tags
}
resource "azurerm_resource_group" "rg_edge" {
name = azurecaf_naming_convention.rg_edge_name.result
location = var.global_settings.location_map.region1
tags = var.global_settings.tags_hub
tags = local.tags
}
## Shared service virtual network
module "core_network" {
source = "aztfmod/caf-virtual-network/azurerm"
version = "2.0.0"
version = "3.0.0"
convention = var.global_settings.convention
resource_group_name = azurerm_resource_group.rg_network.name
prefix = var.prefix
location = var.global_settings.location_map.region1
networking_object = var.core_networking.shared_services_vnet
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
diagnostics_settings = var.core_networking.shared_services_vnet.diagnostics
ddos_id = var.core_networking.enable_ddos_standard ? module.ddos_protection_std.id : ""
convention = var.global_settings.convention
resource_group_name = azurerm_resource_group.rg_network.name
prefix = var.prefix
location = var.global_settings.location_map.region1
networking_object = var.core_networking.shared_services_vnet
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
diagnostics_settings = var.core_networking.shared_services_vnet.diagnostics
ddos_id = var.core_networking.enable_ddos_standard ? module.ddos_protection_std.id : ""
}
@ -61,59 +61,59 @@ module "az_firewall_ip" {
source = "aztfmod/caf-public-ip/azurerm"
version = "2.0.0"
convention = var.global_settings.convention
name = var.core_networking.firewall_ip_addr_config.ip_name
location = var.location
resource_group_name = azurerm_resource_group.rg_edge.name
ip_addr = var.core_networking.firewall_ip_addr_config
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.firewall_ip_addr_config.diagnostics
convention = var.global_settings.convention
name = var.core_networking.firewall_ip_addr_config.ip_name
location = var.location
resource_group_name = azurerm_resource_group.rg_edge.name
ip_addr = var.core_networking.firewall_ip_addr_config
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.firewall_ip_addr_config.diagnostics
}
module "az_firewall" {
source = "aztfmod/caf-azure-firewall/azurerm"
version = "2.0.0"
convention = var.global_settings.convention
name = var.core_networking.az_fw_config.name
resource_group_name = azurerm_resource_group.rg_network.name
subnet_id = lookup(module.core_network.vnet_subnets, "AzureFirewallSubnet", null)
public_ip_id = module.az_firewall_ip.id
location = var.global_settings.location_map.region1
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
la_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.az_fw_config.diagnostics
convention = var.global_settings.convention
name = var.core_networking.az_fw_config.name
resource_group_name = azurerm_resource_group.rg_network.name
subnet_id = lookup(module.core_network.vnet_subnets, "AzureFirewallSubnet", null)
public_ip_id = module.az_firewall_ip.id
location = var.global_settings.location_map.region1
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
la_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.az_fw_config.diagnostics
}
module "firewall_dashboard" {
source = "./firewall_dashboard"
fw_id = module.az_firewall.id
pip_id = module.az_firewall_ip.id
location = var.location
rg = azurerm_resource_group.rg_network.name
name = basename(abspath(path.module))
tags = local.tags
fw_id = module.az_firewall.id
pip_id = module.az_firewall_ip.id
location = var.location
rg = azurerm_resource_group.rg_network.name
name = basename(abspath(path.module))
tags = local.tags
}
module "firewall_rules" {
source = "./firewall_rules"
az_firewall_settings = module.az_firewall.az_firewall_config
az_firewall_settings = module.az_firewall.az_firewall_config
}
# Azure DDoS protection configuration
module "ddos_protection_std" {
source = "./ddos_protection"
enable_ddos_standard = var.core_networking.enable_ddos_standard
name = var.core_networking.ddos_name
rg = azurerm_resource_group.rg_edge.name
location = var.location
tags = local.tags
enable_ddos_standard = var.core_networking.enable_ddos_standard
name = var.core_networking.ddos_name
rg = azurerm_resource_group.rg_edge.name
location = var.location
tags = local.tags
}
# Azure Bastion Configuration
@ -122,35 +122,35 @@ module "bastion_ip" {
source = "aztfmod/caf-public-ip/azurerm"
version = "2.0.0"
convention = var.global_settings.convention
name = var.core_networking.bastion_ip_addr_config.ip_name
location = var.location
resource_group_name = azurerm_resource_group.rg_edge.name
ip_addr = var.core_networking.bastion_ip_addr_config.ip_addr
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.bastion_ip_addr_config.diagnostics
convention = var.global_settings.convention
name = var.core_networking.bastion_ip_addr_config.ip_name
location = var.location
resource_group_name = azurerm_resource_group.rg_edge.name
ip_addr = var.core_networking.bastion_ip_addr_config.ip_addr
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.bastion_ip_addr_config.diagnostics
}
module "bastion" {
source = "aztfmod/caf-azure-bastion/azurerm"
version = "0.1.0"
enable_bastion = var.core_networking.enable_bastion
bastion_config = var.core_networking.bastion_config
name = var.core_networking.bastion_config.name
resource_group_name = azurerm_resource_group.rg_edge.name
subnet_id = lookup(module.core_network.vnet_subnets, "AzureBastionSubnet", null)
public_ip_address_id = module.bastion_ip.id
location = var.global_settings.location_map.region1
tags = local.tags
convention = var.global_settings.convention
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
diagnostics_settings = var.core_networking.bastion_config.diagnostics
enable_bastion = var.core_networking.enable_bastion
bastion_config = var.core_networking.bastion_config
name = var.core_networking.bastion_config.name
resource_group_name = azurerm_resource_group.rg_edge.name
subnet_id = lookup(module.core_network.vnet_subnets, "AzureBastionSubnet", null)
public_ip_address_id = module.bastion_ip.id
location = var.global_settings.location_map.region1
tags = local.tags
convention = var.global_settings.convention
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
diagnostics_settings = var.core_networking.bastion_config.diagnostics
}
@ -160,49 +160,49 @@ module "vpn_pip" {
source = "aztfmod/caf-public-ip/azurerm"
version = "2.0.0"
convention = var.global_settings.convention
name = var.core_networking.gateway_config.pip.name
location = var.location
resource_group_name = azurerm_resource_group.rg_transit.name
ip_addr = var.core_networking.gateway_config.pip
tags = var.global_settings.tags_hub
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.gateway_config.pip.diagnostics
convention = var.global_settings.convention
name = var.core_networking.gateway_config.pip.name
location = var.location
resource_group_name = azurerm_resource_group.rg_transit.name
ip_addr = var.core_networking.gateway_config.pip
tags = local.tags
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
log_analytics_workspace_id = var.caf_foundations_accounting.log_analytics_workspace.id
diagnostics_settings = var.core_networking.gateway_config.pip.diagnostics
}
# VPN gateway is deployed only if var.core_networking.provision_gateway is set to true
module "vpn_gateway" {
source = "./vpn_gateway"
provision_gateway = var.core_networking.provision_gateway
location = var.location
resource_group_name = azurerm_resource_group.rg_transit.name
tags = local.tags
gateway_config = var.core_networking.gateway_config
remote_network = var.core_networking.remote_network
remote_network_connect = var.core_networking.remote_network_connect
connection_name = var.core_networking.connection_name
public_ip_addr = module.vpn_pip.id
gateway_subnet = lookup(module.core_network.vnet_subnets, "GatewaySubnet", null)
diagnostics_map = var.core_networking.gateway_config.diagnostics
caf_foundations_accounting = var.caf_foundations_accounting
keyvaultid = module.keyvault_vpn.id
logged_user_objectId = var.logged_user_objectId
provision_gateway = var.core_networking.provision_gateway
location = var.location
resource_group_name = azurerm_resource_group.rg_transit.name
tags = local.tags
gateway_config = var.core_networking.gateway_config
remote_network = var.core_networking.remote_network
remote_network_connect = var.core_networking.remote_network_connect
connection_name = var.core_networking.connection_name
public_ip_addr = module.vpn_pip.id
gateway_subnet = lookup(module.core_network.vnet_subnets, "GatewaySubnet", null)
diagnostics_map = var.core_networking.gateway_config.diagnostics
caf_foundations_accounting = var.caf_foundations_accounting
keyvaultid = module.keyvault_vpn.id
logged_user_objectId = var.logged_user_objectId
}
# deploying a Keyvault to store the PSK of the S2S VPN
module "keyvault_vpn" {
source = "aztfmod/caf-keyvault/azurerm"
version = "2.0.0"
convention = var.global_settings.convention
resource_group_name = azurerm_resource_group.rg_transit.name
akv_config = var.core_networking.akv_config
prefix = var.prefix
location = var.location
tags = local.tags
log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
diagnostics_settings = var.core_networking.akv_config.diagnostics
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
convention = var.global_settings.convention
resource_group_name = azurerm_resource_group.rg_transit.name
akv_config = var.core_networking.akv_config
prefix = var.prefix
location = var.location
tags = local.tags
log_analytics_workspace = var.caf_foundations_accounting.log_analytics_workspace
diagnostics_settings = var.core_networking.akv_config.diagnostics
diagnostics_map = var.caf_foundations_accounting.diagnostics_map
}
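Review bot: In `module "core_network"` the expression `ddos_id = var.core_networking.enable_ddos_standard ? module.ddos_protection_std.id : ""` maps a disabled plan to an empty string, while the `id` output of what appears to be the same `./ddos_protection` module (also in this commit) already returns `null` when `enable_ddos_standard` is false; the double guard is harmless, but the `""`/`null` mismatch is a trap for whichever side consumes it, so `ddos_id = module.ddos_protection_std.id` (or `: null`) keeps a single representation of "no plan". The caf-virtual-network source is bumped to the major version `3.0.0` while the public-ip, firewall and keyvault modules stay on `2.0.0`; a major bump presumably changed its argument contract, and every argument passed here is unchanged, so that deserves a plan check before merge. The `lookup(module.core_network.vnet_subnets, "AzureFirewallSubnet", null)` defaults (likewise for `AzureBastionSubnet` and `GatewaySubnet`) silently hand a null subnet id to the child modules when the subnet is missing from `shared_services_vnet`; if those subnets are mandatory for the hub, indexing without a default fails fast at plan time instead of at apply.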


@ -1,10 +1,10 @@
output "ddos_protection" {
depends_on = [azurerm_network_ddos_protection_plan.ddos_protection_plan]
value = var.enable_ddos_standard ? azurerm_network_ddos_protection_plan.ddos_protection_plan.0 : null
depends_on = [azurerm_network_ddos_protection_plan.ddos_protection_plan]
value = var.enable_ddos_standard ? azurerm_network_ddos_protection_plan.ddos_protection_plan.0 : null
}
output "id" {
depends_on = [azurerm_network_ddos_protection_plan.ddos_protection_plan]
value = var.enable_ddos_standard ? azurerm_network_ddos_protection_plan.ddos_protection_plan.0.id : null
depends_on = [azurerm_network_ddos_protection_plan.ddos_protection_plan]
value = var.enable_ddos_standard ? azurerm_network_ddos_protection_plan.ddos_protection_plan.0.id : null
}
#


@ -6,10 +6,10 @@ resource "azurerm_dashboard" "egress_dashboard" {
dashboard_properties = templatefile("${path.module}/egress-dashboard.tpl",
{
md_content = "CAF landing zones - Egress Dashboard"
md_content = "CAF landing zones - Egress Dashboard"
pip_id = var.pip_id
fw_id = var.fw_id
pip_id = var.pip_id
fw_id = var.fw_id
})
}


@ -3,23 +3,23 @@ variable "fw_id" {
}
variable "pip_id" {
}
variable "name" {
}
variable "rg" {
}
variable "location" {
}
variable "tags" {
}


@ -13,7 +13,7 @@ resource "azurerm_firewall_network_rule_collection" "http_https" {
]
destination_ports = [
"80","443",
"80", "443",
]
destination_addresses = [


@ -1,19 +1,16 @@
terraform {
required_version = ">= 0.12.6"
backend "azurerm" {
}
required_version = ">= 0.12.6"
backend "azurerm" {
}
}
data "azurerm_subscription" "current" {
}
data "azurerm_client_config" "current" {
}
locals {
blueprint_tag = {
"blueprint" = basename(abspath(path.module))
}
tags = merge(var.tags, var.global_settings.tags_hub,local.blueprint_tag)
tags = merge(var.tags, var.global_settings.tags_hub)
}
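Review bot: The new `tags = merge(var.tags, var.global_settings.tags_hub)` drops the `blueprint = basename(abspath(path.module))` entry that the removed `local.blueprint_tag` contributed, so every resource tagged with `local.tags` in this blueprint (resource groups, core network, firewall, bastion, VPN public IP, key vault) loses the tag recording which blueprint created it. That tag is useful for inventory and for triage of an incident on a hub resource; if the removal is deliberate because the foundation now supplies an equivalent tag, a one-line comment saying so would spare the next reader a hunt, otherwise `tags = merge(var.tags, var.global_settings.tags_hub, { blueprint = basename(abspath(path.module)) })` keeps the provenance. I cannot see from this page whether `local.blueprint_tag` was referenced anywhere else in the blueprint.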


@ -6,13 +6,13 @@ resource "azurerm_route_table" "user_route" {
resource_group_name = var.route_resource_group
disable_bgp_route_propagation = false
tags = var.tags
tags = var.tags
route {
name = var.route_name
address_prefix = var.route_prefix
next_hop_type = var.route_nexthop_type
name = var.route_name
address_prefix = var.route_prefix
next_hop_type = var.route_nexthop_type
//theoritcally should be: next_hop_in_ip_address = var.route_nexthop_type == "VirtualAppliance" ? "${var.route_nexthop_ip}" : null
next_hop_in_ip_address = var.route_nexthop_ip
next_hop_in_ip_address = var.route_nexthop_ip
}
}


@ -12,7 +12,7 @@ variable "tags" {
variable "route_resource_group" {
description = "(Required) resource group where to deploy the route table object"
}
variable "subnet_id" {
@ -21,15 +21,15 @@ variable "subnet_id" {
}
variable "route_prefix" {
description = "(Required) route prefix for the route table object"
description = "(Required) route prefix for the route table object"
}
variable "route_nexthop_type" {
description = "(Required) route nexthop type for the route table object, can be VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance and None."
description = "(Required) route nexthop type for the route table object, can be VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance and None."
}
variable "route_nexthop_ip" {
description = "(Optional) route nexthop IP for the route table object - Next hop values are only allowed in routes where the next hop type is VirtualAppliance"
default = ""
description = "(Optional) route nexthop IP for the route table object - Next hop values are only allowed in routes where the next hop type is VirtualAppliance"
default = ""
}


@ -1,5 +1,5 @@
variable "prefix" {
description = "(Optional) Prefix to uniquely identify the deployment"
description = "(Optional) Prefix to uniquely identify the deployment"
}
# variable "virtual_network_rg" {
@ -21,11 +21,11 @@ variable "global_settings" {
}
variable "caf_foundations_accounting" {
description = "caf_foundations_accounting"
description = "caf_foundations_accounting"
}
variable "core_networking" {
description = "core_networking"
description = "core_networking"
}
variable "location" {


@ -20,7 +20,7 @@ resource "azurerm_key_vault_access_policy" "vpn_akv_current_user" {
key_vault_id = var.keyvaultid
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = var.logged_user_objectId
object_id = var.logged_user_objectId
key_permissions = []


@ -2,12 +2,12 @@ resource "random_string" "psk_connection" {
length = 128
upper = true
special = true
number = true
number = true
}
resource "azurerm_virtual_network_gateway_connection" "connection_object" {
count = var.provision_gateway && var.remote_network_connect == true ? 1 : 0
depends_on = [azurerm_virtual_network_gateway.vpn_gateway, azurerm_local_network_gateway.remote_network]
count = var.provision_gateway && var.remote_network_connect == true ? 1 : 0
depends_on = [azurerm_virtual_network_gateway.vpn_gateway, azurerm_local_network_gateway.remote_network]
name = var.connection_name
location = var.location
@ -23,10 +23,10 @@ depends_on = [azurerm_virtual_network_gateway.vpn_gateway, azurerm_local_network
}
resource "azurerm_key_vault_secret" "psk" {
depends_on = [random_string.psk_connection, azurerm_key_vault_access_policy.vpn_akv_rover, azurerm_key_vault_access_policy.vpn_akv_current_user]
depends_on = [random_string.psk_connection, azurerm_key_vault_access_policy.vpn_akv_rover, azurerm_key_vault_access_policy.vpn_akv_current_user]
name = "pskconnection"
value = random_string.psk_connection.result
key_vault_id = var.keyvaultid
tags = var.tags
name = "pskconnection"
value = random_string.psk_connection.result
key_vault_id = var.keyvaultid
tags = var.tags
}


@ -1,7 +1,7 @@
# module "diagnostics_vpn" {
# source = "aztfmod/caf-diagnostics/azurerm"
# version = "1.0.0"
# #depends_on = [azurerm_virtual_network_gateway.vpn_gateway]
# #count = "${var.gateway_config.gateway_type == "VPN" && var.provision_gateway ? 1 : 0}"


@ -1,5 +1,5 @@
resource "azurerm_local_network_gateway" "remote_network" {
name = var.remote_network.gateway_name
resource_group_name = var.resource_group_name
location = var.location
@ -7,9 +7,9 @@ resource "azurerm_local_network_gateway" "remote_network" {
address_space = var.remote_network.gateway_adress_space
tags = var.tags
# bgp_settings {
# asn =
# bgp_peering_address =
# peer_weight =
# }
# bgp_settings {
# asn =
# bgp_peering_address =
# peer_weight =
# }
}


@ -1,48 +1,48 @@
variable "location" {
}
variable "resource_group_name" {
}
variable "tags" {
}
variable "remote_network" {
}
variable "remote_network_connect" {
}
variable "connection_name" {
}
variable "public_ip_addr" {
}
variable "gateway_subnet" {
}
variable "gateway_config" {
}
variable "diagnostics_map" {
}
variable "provision_gateway" {
}
variable "keyvaultid" {
}
variable "caf_foundations_accounting" {
