This commit is contained in:
Arnaud Lheureux 2022-03-14 11:45:53 +00:00
Родитель f1a35b442d a4159c70f3
Коммит 98437b7733
311 изменённых файлов: 6676 добавлений и 9024 удалений


@ -3,7 +3,7 @@ module "dynamic_keyvault_secrets" {
source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=patch.5.5.4"
for_each = try(var.dynamic_keyvault_secrets, {})


@ -2,8 +2,8 @@ module "launchpad" {
source = "aztfmod/caf/azurerm"
version = "5.5.4"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network"
# during dev cycles for the module, you can pick dev branches from GitHub, or from a local fork
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4"
# source = "../../aztfmod"
providers = {


@ -2,9 +2,9 @@
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "1.1.1"
version = "1.1.3"
# source = "/tf/caf/eslz"
# source = "/tf/caf/alz"
providers = {
azurerm = azurerm


@ -2,7 +2,7 @@ module "dynamic_keyvault_secrets" {
source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=patch.5.5.4"
for_each = {
for keyvault_key, secrets in try(var.dynamic_keyvault_secrets, {}) : keyvault_key => {


@ -2,7 +2,8 @@ module "solution" {
source = "aztfmod/caf/azurerm"
version = "5.5.4"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=aci_network"
# during dev cycles for the module, you can pick dev branches from GitHub, or from a local fork
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4"
# source = "../../aztfmod"
providers = {


@ -0,0 +1,137 @@
- name: Process deployment based on ignite.yaml
hosts: localhost
tasks:
- name: "Set variables"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
destination_base_path: '{{ platform_configuration_folder }}'
resource_template_folder: "{{ public_templates_folder }}/resources"
platform_service_folder: "{{ public_templates_folder }}/platform/services"
- name: "load {{ template_folder | default(platform_definition_folder)}}/ignite.yaml"
include_vars:
name: bootstrap
dir: "{{ template_folder | default(platform_definition_folder)}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "ignite.yaml"
- name: "load _variables files"
include_vars:
name: variables
dir: "{{ template_folder | default(platform_service_folder)}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "_variables"
- name: "Load variable for {{deployment_mode}} config from {{definition_folder}}"
include_vars:
name: asvm_resource__to_merge
dir: "{{definition_folder | default(platform_definition_folder)}}"
depth: 0
# ignore_unknown_extensions: true
files_matching: ".yaml"
when: deployment_mode == 'asvm'
- name: "Load variable for ignite.yaml config from {{platform_definition_folder}}"
include_vars:
name: ignite_resource__to_merge
dir: "{{platform_definition_folder}}"
depth: 0
files_matching: "ignite.yaml"
when: deployment_mode == 'asvm'
- name: "Load variable for tfstates.yaml config from {{platform_definition_folder}}"
include_vars:
name: tfstates_resource__to_merge
dir: "{{platform_definition_folder}}"
depth: 0
files_matching: "tfstates.yaml"
when: deployment_mode == 'asvm'
- name: "Load variable for platform config from {{platform_definition_folder}}"
include_vars:
name: platform_resource__to_merge
dir: "{{platform_definition_folder | default(template_folder)}}"
depth: 0
ignore_unknown_extensions: true
files_matching: ".yaml"
when: deployment_mode == 'platform'
- name: Merge resources variables
merge_vars:
suffix_to_merge: _resource__to_merge
merged_var_name: merged_resources
expected_type: 'dict'
recursive_dict_merge: True
- set_fact:
resources: "{{ merged_resources }}"
- name: "Creates destination directory - {{destination_base_path}}"
file:
path: "{{destination_base_path}}"
state: directory
- debug:
msg:
- "bootstrap: {{bootstrap}}"
- "resources: {{resources}}"
#
# Generate the foundation services
#
- name: Process core deployments
include_tasks: "process_regions.yaml"
loop: "{{bootstrap.deployments[deployment_mode].root.keys()}}"
loop_control:
loop_var: region
vars:
lz_type: "{{deployment_mode}}"
stage: root
- name: Process alz deployments
include_tasks: "process_regions.yaml"
loop: "{{bootstrap.deployments[deployment_mode].alz.keys()}}"
loop_control:
loop_var: region
when:
- bootstrap.deployments[deployment_mode].alz is defined and launchpad_tfstate_exists.rc == 0
vars:
lz_type: "{{deployment_mode}}"
stage: alz
#
# Process the deployments folders
#
- find:
paths: "{{definition_folder | default(platform_definition_folder)}}/scale_out_domains"
recurse: yes
patterns: "*.yaml"
file_type: file
register: files_to_process
- name: "Process deployments"
include_tasks: "process_regions.yaml"
loop: "{{bootstrap.deployments[deployment_mode].scale_out_domains.keys()}}"
loop_control:
loop_var: region
when:
- bootstrap.deployments[deployment_mode].scale_out_domains is defined
- (launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0) or (storage_account_level3 is defined and storage_account_level3.rc == 0)
vars:
lz_type: "{{deployment_mode}}"
stage: scale_out_domains
#
# Formatting & Linters
#
- name: Terraform Formatting
shell: |
terraform fmt -recursive {{ destination_base_path }}
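Review bot: The `when` of the 'Process alz deployments' task dereferences `launchpad_tfstate_exists.rc` without first testing `launchpad_tfstate_exists is defined`, unlike the 'Process deployments' task a few lines below, so when the alz key exists but that fact was never registered the task fails on an undefined variable instead of being skipped. Guard it the same way as its sibling: `- bootstrap.deployments[deployment_mode].alz is defined` / `- launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0`. The closing 'Terraform Formatting' task passes `{{ destination_base_path }}` unquoted into a `shell` step although the path comes from an extra-var; `ansible.builtin.command` with `argv: ["terraform", "fmt", "-recursive", "{{ destination_base_path }}"]` avoids word-splitting and shell interpretation entirely. The unconditional `debug` of `bootstrap` and `resources` (and the similar dumps at the top of the other new task files in this commit) prints the whole merged configuration, subscription ids included, on every run; adding `verbosity: 2` as the sibling debug tasks already do keeps it out of default logs. The rendered section shows fewer lines than the 137 the hunk header announces, so the tail of the playbook may not be visible here.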


@ -0,0 +1,70 @@
- name: Process deployment based on ignite.yaml
hosts: localhost
tasks:
- debug:
msg: "{{landingzone_definition}}"
- set_fact:
scale_out_domains: "{{scale_out_domains_input.split(',') }}"
- name: Load templates
set_fact:
subscriptions_asvm: "{{ lookup('template', '{{ template_folder }}/subscriptions.asvm.yaml') }}"
tfstates: "{{ lookup('template', '{{ template_folder }}/tfstates.asvm.yaml') }}"
- name: Load resources template
set_fact:
resources_{{env}}: "{{ lookup('template', '{{ template_folder }}/resources.asvm.yaml') }}"
loop: "{{scale_out_domains}}"
loop_control:
loop_var: env
- debug:
msg:
- "subscriptions_asvm: {{subscriptions_asvm}}"
- "tfstates: {{tfstates}}"
- debug:
msg:
- "{{'resources_' + env}}: {{lookup('vars', 'resources_' + env)}}"
loop: "{{scale_out_domains}}"
loop_control:
loop_var: env
#
# Create definition folder structure
#
- name: "Creates definition directory - {{definition_folder}}"
file:
path: "{{definition_folder}}"
state: directory
- name: "definition - tfstates"
copy:
content: "{{ tfstates }}"
dest: "{{ definition_folder }}/tfstates.asvm.yaml"
- name: "definition - subscriptions_asvm"
copy:
content: "{{ subscriptions_asvm }}"
dest: "{{ definition_folder }}/subscriptions.asvm.yaml"
- name: "definition - resources"
copy:
content: "{{lookup('vars', 'resources_' + env)}}"
dest: "{{ definition_folder }}/{{landingzone_definition}}_{{env}}.asvm.yaml"
loop: "{{scale_out_domains}}"
loop_control:
loop_var: env
- name: "definition - readme"
ansible.builtin.template:
src: "{{ topology_folder }}/readme_definition.md"
dest: "{{ definition_folder }}/readme.md"
- debug:
msg:
- "next steps: {{definition_folder}}/readme.md"
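Review bot: The `set_fact` that builds `scale_out_domains` splits `scale_out_domains_input` on ',' with no trimming, so an input such as `dev, prod` yields an entry ` prod` that then flows into the fact name `resources_{{env}}` and into the destination filename `{{landingzone_definition}}_{{env}}.asvm.yaml`. Normalising at the source is a one-liner: `scale_out_domains: "{{ scale_out_domains_input.split(',') | map('trim') | reject('equalto', '') | list }}"`. The templated fact name `resources_{{env}}` only works together with the `lookup('vars', 'resources_' + env)` indirection used three times below; collecting the rendered templates into one dict keyed by `env` would make the copy task a plain `item`-based loop and is easier to follow.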


@ -0,0 +1,7 @@
- include_tasks: "load_deployments_alz.yaml"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: service
when: stage == 'alz'


@ -0,0 +1,50 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{region}}"
- "topology: {{topology}}"
- name: "Process 1 deployment file {{stage}}/{{region}}"
set_fact:
"{{stage}}_{{region}}_{{item}}_deployment__to_merge": "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][item]}}') | from_yaml }}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
when:
- stage == 'root' or stage == 'alz'
- topologies is not defined
- name: "Copy file {{stage}} from {{platform_service_folder}}"
ansible.builtin.template:
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
dest: "{{destination_path}}/{{topologies[item].tfstate.config_file}}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
when:
- stage == 'root'
- topologies is defined
- name: "Copy file {{stage}} from {{platform_service_folder}}"
ansible.builtin.template:
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
when:
- stage == 'alz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_alz.yaml"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'alz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_env.yaml"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'scale_out_domains'
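Review bot: Two pairs of tasks share a name — 'Copy file {{stage}} from {{platform_service_folder}}' appears twice and 'Process 2 deployment file {{stage}}' twice — distinguished only by their `when` lists, so the run log cannot show which branch (root vs alz, alz vs scale_out_domains) ran or was skipped; the same applies to the two 'Process core deployments' tasks in the new process_regions file. Fold the discriminator into the name, e.g. `- name: "Copy root file {{stage}} from {{platform_service_folder}}"` and `- name: "Copy alz file {{stage}} from {{platform_service_folder}}"`. A short header comment stating the contract of this file — that it expects `stage`, `region`, `deployment_mode` and `topology` from the including loop and behaves differently depending on whether `topologies` is already merged — would spare the reader reconstructing it from the five `when` lists.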


@ -0,0 +1,77 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{region}}"
- "{{service}}"
- name: "{{destination_alz_path}} - Set tfstate_object"
set_fact:
tfstate_object: "{{topologies['alz_' + service].tfstate}}"
- name: "{{destination_path}}/{{stage}} - Set landingzone file_path"
set_fact:
destination_alz_path: "{{destination_path}}/{{stage}}/{{service}}"
alz_template_folder: "{{public_templates_folder}}/{{ tfstate_object.template_lib_folder}}"
- name: "{{destination_alz_path}} - Set landingzone file_path"
set_fact:
template_lib_folder: "{{alz_template_folder}}/lib/{{ tfstate_object.alz_version }}"
- name: "{{destination_alz_path}} - Set landingzone file_path"
set_fact:
mg: "{{ lookup('template', '{{ template_lib_folder }}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
mg_custom: "{{ lookup('template', '{{ template_lib_folder }}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
- debug:
msg: "{{destination_alz_path}}"
- name: "Clean-up destination directory"
shell: |
rm -rf "{{ destination_alz_path }}"
when:
- topology.management_groups[region][service].clean_up_destination_folder | default(True)
- name: "Creates directory structure - {{template_lib_folder}}"
shell: mkdir -p "{{ destination_alz_path }}/lib/{{ item.path }}"
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'directory'
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_alz_path }}/lib/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is not search(".j2")
- item.path is not search(".yaml") or item.path is search(".json") or item.path is search(".md")
- topology.management_groups[region][service].update_lib_folder | default(False)
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_alz_path }}/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is search(".yaml")
- topology.management_groups[region][service].update_lib_folder | default(False)
# - name: "{{deployment_mode}}/{{stage}}/{{region}}/{{service}} to {{destination_path}}/{{'alz_' + service}}.yaml"
# ansible.builtin.template:
# src: "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][service]}}') | from_yaml }}"
# dest: "{{destination_path}}/{{'alz_' + service}}.yaml"
# force: yes
# vars:
# item: "{{service}}"
- name: "{{deployment_mode}}/{{stage}}/{{region}}/{{service}} to {{destination_path}}/{{'alz_' + service}}.yaml"
ansible.builtin.template:
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
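Review bot: The 'Clean-up destination directory' task deletes with `shell: rm -rf "{{ destination_alz_path }}"`; that path is assembled from `destination_path`, `stage` and `service`, and if any of them renders empty the command removes a parent tree. `ansible.builtin.file` with `state: absent` does the same job without a shell, as the 'landingzone - Clean-up directory' task in another new file of this commit already does: `ansible.builtin.file:` / `path: "{{ destination_alz_path }}"` / `state: absent`; the `mkdir -p` task that follows can likewise become `file` with `state: directory`. The first task's name references `{{destination_alz_path}}` before that fact is set two tasks later, so the name renders unresolved in the log. The 'Lib' conditions use `search(".yaml")`, `search(".json")` and `search(".md")` with an unescaped `.`, which also matches names such as `myyaml`; `search('\.yaml$')` pins the extension.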


@ -0,0 +1,38 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{region}}"
- "{{service}}"
- name: "Process 3 deployment file {{stage}}/{{service}}"
set_fact:
"{{service}}_{{env}}_deployment__to_merge": "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][service][env]}}') | from_yaml }}"
loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}"
loop_control:
loop_var: env
when:
- topologies is not defined
- name: "Creates directory"
file:
path: "{{destination_path}}/{{stage}}/{{env}}"
state: directory
loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}"
loop_control:
loop_var: env
when:
- topologies is defined
- name: "Copy file {{stage}}/{{service}}"
ansible.builtin.template:
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][service][env]}}"
dest: "{{destination_path}}/{{stage}}/{{env}}/{{topologies[service + '_' + env].tfstate.config_file}}"
loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}"
loop_control:
loop_var: env
when:
- topologies is defined


@ -0,0 +1,22 @@
- include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
loop_control:
loop_var: region
when: stage != 'alz'
- include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
loop_control:
loop_var: region
when:
- stage == 'alz'
- topologies is not defined
- include_tasks: "load_alz.yaml"
loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
loop_control:
loop_var: region
when:
- stage == 'alz'
- topologies is defined


@ -0,0 +1,13 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{region}}"
- "{{tfstate}}"
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: "{{bootstrap.deployments[deployment_mode].scale_out_domains[region][tfstate].keys()}}"
loop_control:
loop_var: env


@ -0,0 +1,19 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{lz_type}}"
- "{{stage}}"
- name: Process core deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: tfstate
when: stage != 'scale_out_domains'
- name: Process core deployments
include_tasks: "process_deployments.yaml"
loop: "{{bootstrap.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: tfstate
when: stage == 'scale_out_domains'


@ -1,4 +1,4 @@
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}} - check file to process"
- name: "resources - {{resource_type}} - check file to process"
stat:
path: "{{ansible_to_process}}/{{resource_type}}.tfvars.j2"
register: override_file
@ -20,7 +20,7 @@
#
# resources
#
- name: "[{{deployment}} - {{resources.relative_destination_folder}}] - resources - {{resource_type}}"
- name: "resources - {{resource_type}}"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"


@ -0,0 +1,34 @@
- debug:
msg:
- "tfstate {{tfstate}}"
- "{{lz_type}}"
- "{{stage}}"
- "{{region}}"
- "{{tfstate}}"
- name: "Set tfstate_object"
set_fact:
tfstate_object: "{{resources.tfstates[lz_type]['alz_' + tfstate] if stage == 'alz' else resources.tfstates[lz_type][tfstate] }}"
env: ''
- name: "Set config_folder"
set_fact:
config_folder: '{{ tfstate_object.sub_template_folder | default() }}'
- debug:
msg:
- "{{lz_type}}"
- "{{tfstate}}"
- "{{tfstate_object}}"
- "{{config_folder}}"
verbosity: 2
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: ["{{tfstate}}"]
loop_control:
loop_var: deployment
vars:
config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
when: stage != 'scale_out_domains'


@ -0,0 +1,86 @@
- debug:
msg:
- "subscription_key {{subscription_key}}"
- "{{deployment_mode}}"
- "{{tfstate}}"
- "{{env}}"
- name: "{{deployment_mode}} - Set ansible_to_process"
set_fact:
ansible_to_process: "{{public_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else public_templates_folder + '/platform/generic'}}"
tfstate_resource: "{{ 'alz_' + tfstate if stage == 'alz' else tfstate if env == '' else tfstate + '_' + env }}"
verbosity: 2
- debug:
msg:
- "{{env}}"
- "{{tfstate_resource}}"
- name: "{{tfstate_resource}} - Set landingzone file_path"
set_fact:
landingzone_template: "{{resource_template_folder}}/landingzone.tfvars.j2"
landingzone_override: "{{ansible_to_process}}/landingzone.tfvars.j2"
destination_path: "{{destination_base_path}}/{{resources['alz_' + tfstate].relative_destination_folder if stage == 'alz' else resources[tfstate_resource].relative_destination_folder}}"
level: "{{tfstate_object.level}}"
verbosity: 2
- name: "[{{tfstate_resource}}] - landingzone - check overrides to process in {{ansible_to_process}}"
stat:
path: "{{landingzone_override}}"
register: landingzone_override_file
- name: "[{{tfstate_resource}}] - landingzone - Clean-up directory"
file:
path: "{{destination_path}}"
state: absent
when: resources.configuration_folders[deployment_mode].cleanup_destination | default(true)
- name: "[{{tfstate_resource}}] - landingzone - Creates directory"
file:
path: "{{destination_path}}"
state: directory
- name: "{{tfstate_resource}} - process custom yaml process"
include_tasks: "{{public_templates_folder}}/{{tfstate_object.yaml}}"
when: tfstate_object.yaml is defined
#
# landingzone.tfvars
#
- name: "{{tfstate_resource}} - landingzone"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{landingzone_override if landingzone_override_file.stat.exists else landingzone_template}}"
#
# Resources
#
- name: "{{tfstate_resource}} - process resources"
include_tasks: "process_resources.yaml"
loop: "{{resources[tfstate_resource].resources[subscription_key] | list if resources[tfstate_resource].resources[subscription_key] is mapping else [] }}"
loop_control:
loop_var: resource_type
#
# overrides
#
- name: "[{{tfstate_resource}} - {{resources[tfstate_resource].relative_destination_folder}}] - resources - overrides from path {{ ansible_to_process }} to {{ destination_path }}"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
with_fileglob:
- "{{ ansible_to_process }}/*.j2"
- "{{ ansible_to_process }}/*.md"
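Review bot: The 'landingzone - Clean-up directory' task removes `destination_path` recursively whenever `cleanup_destination` is unset or true, and `destination_path` is built from `relative_destination_folder` read out of the loaded resources yaml; a blank value or one containing `..` makes the delete land on `destination_base_path` or above it. An `ansible.builtin.assert` placed before the delete, with `that: "(destination_path | realpath).startswith((destination_base_path | realpath) ~ '/')"`, keeps the delete inside the intended tree. The same consideration applies to the 'process custom yaml process' task, which includes `{{public_templates_folder}}/{{tfstate_object.yaml}}` straight from configuration without checking that the rendered path stays under `public_templates_folder`. `force: yes` on the two template tasks is the YAML 1.1 boolean spelling; `force: true` is unambiguous.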


@ -0,0 +1,31 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{tfstate}}"
- "{{env}}"
- name: "Set tfstate_object"
set_fact:
tfstate_object: "{{resources.tfstates[deployment_mode]['alz_' + tfstate] if stage == 'alz' else resources.tfstates[deployment_mode][tfstate] if env == '' else resources.tfstates[deployment_mode][tfstate][env]}}"
- name: "Verify {{deployment_mode}}/{{stage}}/{{tfstate}}/{{env | default('')}} is defined under tfstates/{{deployment_mode}} in {{platform_definition_folder}}/tfstates.yaml :"
debug:
msg:
- "{{tfstate_object}}"
- name: "{{deployment_mode}} - tfstate_object sub_template_folder- {{env | default('')}}"
debug:
msg:
- 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
- 'tfstate_object - {{tfstate_object}}'
# - "{{resources}}"
- name: "{{deployment_mode}}/{{stage}}/{{tfstate}} - process subscription resources"
include_tasks: "process_subscription_resources.yaml"
loop: "{{resources['alz_' + tfstate].resources.keys() if stage == 'alz' else resources[tfstate].resources.keys() if env == '' else resources[tfstate + '_' + env].resources.keys() }}"
loop_control:
loop_var: subscription_key
vars:
level: "{{tfstate_object.level}}"
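Review bot: The task named 'Verify … is defined under tfstates/…' is a `debug` that runs after the `set_fact` which would already have failed on a missing key, so it verifies nothing; either turn it into an `ansible.builtin.assert` ahead of the `set_fact` (e.g. `that: resources.tfstates[deployment_mode] is defined`) with the same message, or rename it so it does not promise a check. The three-way key selection in the `loop` of the include (`'alz_' + tfstate` / `tfstate` / `tfstate + '_' + env`) is the same expression the included process_subscription_resources file recomputes as `tfstate_resource`; computing it once here as `tfstate_resource: "{{ 'alz_' + tfstate if stage == 'alz' else tfstate if env == '' else tfstate + '_' + env }}"` lets the loop read `resources[tfstate_resource].resources.keys()`. Note that `resources.tfstates` is nested as `[tfstate][env]` while `resources` itself is keyed `tfstate_env`, which is why the `tfstate_object` expression cannot share that key — a one-line comment stating the two layouts would save the next reader from "simplifying" it.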


@ -0,0 +1,61 @@
#
# Initial script to select a topology and create the base templates for the definitions folder
#
# ansible-playbook /tf/caf/landingzones/templates/platform/walk-through-single.yaml \
# -e topology_file=/tf/caf/landingzones/templates/platform/alz_single_subscription.yaml \
# -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \
# -e landingzones_folder=/tf/caf/landingzones \
# -e destination_base_path=/tf/caf \
# -e definitions_relative_path=definitions/v1 \
# -e configuration_relative_path=configuration/demo
#
- name: Setup platform template repository
hosts: localhost
vars_prompt:
- name: customer_name
prompt: Set the short version of your customer name with no spaces
private: no
default: contoso
- name: caf_environment
prompt: Set the CAF Environment value
private: no
default: contoso
- name: prefix
prompt: Set the prefix to add to all resource.
private: no
default: caf
- name: alz_mg_prefix
prompt: Management group prefix (value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens).
private: no
default: es
- name: alz_mg_name
prompt: Management group name
private: no
default: Contoso
- name: default_email_address
prompt: Email address to send all notifications
private: no
default: email@address.com
- name: azure_regions
prompt: Azure regions (lowercase, short version)
private: no
default:
region1: southeastasia
region2: eastasia
- name: default_region_key
prompt: Default CAF Azure region key
private: no
default: region1
tasks:
- include_tasks: "walk-through.yaml"
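Review bot: The usage comment at the top lists extra-vars `config_folder_platform_templates`, `destination_base_path`, `definitions_relative_path` and `configuration_relative_path`, while the included walk-through tasks in this commit read `topology_file`, `public_templates_folder` and `definition_folder`/`platform_definition_folder`; unless those are mapped in variable files not shown here, the documented invocation would not run, so the comment should list the variables the tasks actually consume. Under `vars_prompt`, `azure_regions` is given a mapping as `default:` whereas any typed answer arrives as a string, so `regions` downstream has a different type depending on whether the user pressed Enter — state the expected input format in the prompt, or use a string default that is parsed afterwards. `private: no` on every prompt is the YAML 1.1 boolean spelling; `private: false` is unambiguous. The `prefix` prompt text reads "to add to all resource." and should read "resources".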


@ -0,0 +1,147 @@
#
# Get launchpad subscription details
#
- name: Get deployment user object_id (make sure you are logged-in to the launchpad Azure subscription first.)
shell: az ad signed-in-user show --query objectId -o tsv
register: object_id
- name: Get deployment user UPN
shell: az ad signed-in-user show --query userPrincipalName -o tsv
register: upn
- name: Get default user's tenant name
shell: az rest --method get --url "https://graph.microsoft.com/v1.0/organization" --query "value[0].verifiedDomains[?isDefault].name" -o tsv
register: tenant_name
- name: Get default user's tenant guid
shell: az account show --query tenantId -o tsv
register: tenant_id
- name: Get default subscription id
shell: az account show --query id -o tsv
register: subscription_id
- name: Get default subscription name
shell: az account show --query name -o tsv
register: subscription_name
- set_fact:
regions: "{{ azure_regions }}"
deployment_mode: "platform"
topology: "{{bootstrap | default()}}"
- set_fact:
topology: "{{ lookup('template', '{{ topology_file }}') | from_yaml }}"
destination_path: "{{definition_folder | default(platform_definition_folder)}}"
resource_template_folder: "{{ public_templates_folder }}/resources"
platform_service_folder: "{{ public_templates_folder }}/platform/services"
public_templates_variables_folder: "{{ public_templates_folder }}/variables"
- name: "Creates directory - {{destination_path}}"
file:
path: "{{destination_path}}"
state: directory
#
# Load the files into variables
#
- name: "load _variables files"
include_vars:
name: variables
dir: "{{ public_templates_variables_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "_variables"
- debug:
msg:
- "variables: {{variables}}"
- "{{topology}}"
- include_tasks: "load_regions.yaml"
loop: "{{topology.deployments[deployment_mode].keys()}}"
loop_control:
loop_var: stage
- name: Merge deployment files into topologies variable
merge_vars:
suffix_to_merge: _deployment__to_merge
merged_var_name: merged_topologies
expected_type: 'dict'
recursive_dict_merge: True
- name: "Topologies merged"
set_fact:
topologies: "{{ merged_topologies }}"
# Need topologies to render the following templates
- name: "load tfstates"
set_fact:
"tfstates_deployment__to_merge": "{{ lookup('template', '{{platform_service_folder}}/tfstates.yaml') | from_yaml }}"
- name: Merge deployment files into topologies variable
merge_vars:
suffix_to_merge: _deployment__to_merge
merged_var_name: merged_topologies
expected_type: 'dict'
recursive_dict_merge: True
- set_fact:
topologies: "{{ merged_topologies }}"
- debug:
msg: "topologies: {{topologies}}"
#
# Generate target folder structure and files
#
- name: Copy files
include_tasks: "load_regions.yaml"
loop: "{{topology.deployments[deployment_mode].keys()}}"
loop_control:
loop_var: stage
- find:
paths: "{{public_templates_variables_folder}}"
recurse: no
patterns: "_variables*.yaml"
file_type: file
register: variable_files_to_process
- name: copy variables files
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{destination_path}}/{{ item.path | basename }}"
loop: "{{variable_files_to_process.files}}"
- name: tfstates.yaml
ansible.builtin.template:
src: "{{platform_service_folder}}/tfstates.yaml"
dest: "{{destination_path}}/tfstates.yaml"
- name: ignite.yaml
ansible.builtin.template:
src: "{{public_templates_folder}}/platform/single_subscription.yaml"
dest: "{{destination_path}}/ignite.yaml"
# - name: template.caf.platform.yaml
# ansible.builtin.template:
# src: "{{platform_service_folder}}/template.caf.platform.yaml"
# dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml"
- name: readme.md
ansible.builtin.template:
src: "{{platform_service_folder}}/README.md"
dest: "{{destination_path}}/GETTING-STARTED.md"
- debug:
msg:
- "You have now initialized the definition of the platform"
- "You can review and adjust the yaml files."
- "configuration folder: - {{destination_path}}"
- "readme: {{destination_path}}/GETTING-STARTED.md"
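Review bot: The first `set_fact` assigns `topology: "{{bootstrap | default()}}"` and the very next `set_fact` unconditionally overwrites `topology` with the rendered `topology_file`, so the first assignment is dead and misleading; drop it, or document why `bootstrap` was intended as a fallback. The six `shell: az …` queries at the top are read-only but carry no `changed_when: false`, so every run reports them as changes; they also use no shell features and can be `ansible.builtin.command` with `changed_when: false`. The `--query objectId` on `az ad signed-in-user show` depends on the CLI's older output shape — later Azure CLI releases expose that property as `id` — so the registered value should be checked before use, e.g. `failed_when: object_id.stdout | length == 0` on that task, rather than propagating an empty object id into the generated files. The hunk header announces 147 lines but fewer are rendered here, so the file's tail is not visible.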


@ -0,0 +1,17 @@
#! /bin/bash
echo -n "Name of the landingzone group definition (no spaces) to create: "
read -r landingzone_definition
export ANSIBLE_DISPLAY_SKIPPED_HOSTS=False
ansible-playbook /tf/caf/landingzones/templates/asvm/orion/walk-through.yaml \
-e topology_folder=/tf/caf/landingzones/templates/asvm/orion \
-e public_templates_folder=/tf/caf/landingzones/templates \
-e landingzones_folder=/tf/caf/landingzones \
-e template_folder=/tf/caf/asvm/${landingzone_definition} \
-e definition_folder=/tf/caf/asvm/${landingzone_definition}/definition \
-e platform_configuration_folder=/tf/caf/configuration \
-e platform_definition_folder=/tf/caf/platform/definition \
-e deployment_mode=asvm \
--extra-vars landingzone_definition=${landingzone_definition}
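Review bot: `landingzone_definition` is read from the terminal and spliced unquoted into several `-e` path arguments (`/tf/caf/asvm/${landingzone_definition}/definition`), yet nothing enforces the "no spaces" rule the prompt states, and a value containing `/` or `..` points the playbook at a folder outside `/tf/caf/asvm`. Validate before use: `[[ "$landingzone_definition" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid name: letters, digits, '-' and '_' only" >&2; exit 1; }`, and quote the expansions, e.g. `-e template_folder=/tf/caf/asvm/"${landingzone_definition}"`. Adding `set -euo pipefail` after the shebang also stops the script instead of continuing with an empty name when `read` fails on a closed stdin.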


@ -0,0 +1,66 @@
landingzone_definition: {{landingzone_definition}}
subscriptions:
{% for env in scale_out_domains %}
{{landingzone_definition}}_{{env}}:
name: {{landingzone_definition}}-{{env}}
# Set to false if you do not have permissions to create an alias
create_alias: false
subscription_id: {{subscription_id}}
{% endfor %}
#
# deployments
#
deployments:
asvm:
root:
region1:
asvm_subscriptions: subscriptions.asvm.yaml
{% for env in scale_out_domains %}
{{landingzone_definition}}_{{env}}: subscriptions.asvm.yaml
{% endfor %}
platform_mappings:
{%for key, value in platform_domain_mapping.items() %}
{{key}}: {{value}}
{% endfor %}
#
# If platform folder and config not accessible to the asvm repo you need to add the following variables
#
# caf_terraform:
# launchpad:
# caf_environment: cont0226
# subscription_id:
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
asvm:
cleanup_destination: true
#
# paths
#
topology_folder: {{topology_folder}}
public_templates_folder: {{public_templates_folder}}
landingzones_folder: {{landingzones_folder}}
template_folder: {{template_folder}}
definition_folder: {{definition_folder}}
platform_configuration_folder: {{platform_configuration_folder}}
platform_definition_folder: {{platform_definition_folder}}
deployment_mode: {{deployment_mode}}
#
# Ansible input responses
#
# don't change the structure of the values for ansible to process them properly.
# you can update the values following the structure.
scale_out_domains_input: {{scale_out_domains_input}}
platform_domain_mapping_input: {{platform_domain_mapping_input}}
generate_new_subscriptions: {{generate_new_subscriptions}}
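Review bot: Every templated scalar in this file is emitted unquoted — `landingzone_definition: {{landingzone_definition}}`, the whole `paths` block, `subscription_id`, `scale_out_domains_input`, `platform_domain_mapping_input` and `generate_new_subscriptions` — and YAML types the rendered text, so an empty expansion becomes `null`, a value such as `no` or `on` becomes a boolean, and a digits-only value becomes an integer, which the consuming playbooks then fail on or silently miscompare. Quote them in the template, e.g. `landingzone_definition: "{{ landingzone_definition }}"` and `subscription_id: "{{ subscription_id }}"`. The same applies to `{{key}}: {{value}}` in the `platform_mappings` loop, whose value is later used as a lookup key, and to the `name:` lines in the `subscriptions` loop. The hunk header announces 66 lines but fewer are rendered here, so the file's tail is not visible.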


@ -0,0 +1,20 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
## Generate the definition files
```bash
ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```
### Regenerate the template
Note: This playbook will override the customization you have performed in your {{platform_configuration_folder}} folder.
```bash
ansible-playbook {{public_templates_folder}}/asvm/orion/walk-through.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```


@ -0,0 +1,17 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
## Generate the configuration files
```bash
ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```
## Regenerate the definition folder
```bash
ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```


@ -0,0 +1,526 @@
{{landingzone_definition}}_{{env}}:
gitops:
caf_landingzone_branch: 2203.0
relative_destination_folder: level3/{{landingzone_definition}}/{{env}}
deployments:
landingzone:
global_settings_key:
platform:
virtual_hubs: {{platform_mappings[env]}}
remote_tfstates:
asvm:
asvm_subscriptions:
platform:
virtual_hubs: {{platform_mappings[env]}}
virtual_hubs_route_tables: {{platform_mappings[env]}}
secure_firewalls: {{platform_mappings[env]}}
identity_level2: {{platform_mappings[env]}}
asvm:
resources:
{{landingzone_definition}}_{{env}}:
resource_groups:
rg:
name: {{landingzone_definition}}-{{env}}
backup:
name: {{landingzone_definition}}-{{env}}-backup
networking:
name: {{landingzone_definition}}-{{env}}-networking
preparation:
name: {{landingzone_definition}}-{{env}}-preparation
modeling:
name: {{landingzone_definition}}-{{env}}-modeling
consumption:
name: {{landingzone_definition}}-{{env}}-consumption
analytics:
name: {{landingzone_definition}}-{{env}}-analytics
virtual_networks:
vnet:
name: {{landingzone_definition}}-{{env}}
resource_group_key: networking
region_key: region1
dns_servers_keys:
fw_secure_{{platform_mappings[env]}}:
resource_type: azurerm_firewall
lz_key: connectivity_secure_firewalls_{{platform_mappings[env]}}
key: fw_secure_{{platform_mappings[env]}}
address_space:
- 10.101.8.0/23
subnets:
databricks_preparation_egress:
name: databricks-preparation-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.0/26
databricks_preparation_private:
name: databricks-preparation-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.64/26
databricks_modeling_egress:
name: databricks-modeling-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.0/26
databricks_modeling_private:
name: databricks-modeling-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.64/26
consumption:
name: consumption
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.8.128/25
databricks_notebooks:
name: databricks-notebooks
service_endpoints:
- Microsoft.Storage
- Microsoft.KeyVault
nsg_key: databricks_notebooks
cidr:
- 10.101.9.128/27
private_endpoints:
name: private-endpoints
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.9.192/27
network_security_group_definition:
databricks_egress:
version: 1
resource_group_key: networking
name: databricks-egress
nsg:
Inbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 5557
destination_address_prefix: "*"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 22
destination_address_prefix: "*"
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
405:
name: ICMP
access: Allow
protocol: icmp
source_port_range: "*"
source_address_prefix: "*"
destination_port_range: "*"
destination_address_prefix: "*"
databricks_private:
version: 1
resource_group_key: networking
name: databricks-private
nsg:
Inbound:
400:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
401:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
consumption:
version: 1
resource_group_key: networking
name: consumption
databricks_notebooks:
version: 1
resource_group_key: networking
name: databricks-notebooks
nsg:
Inbound:
500:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
501:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
500:
name: AzureActiveDirectory
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectory"
destination_port_ranges:
- 80
- 443
501:
name: AzureMachineLearning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureMachineLearning"
destination_port_ranges:
- 443
502:
name: AzureResourceManager
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureResourceManager"
destination_port_ranges:
- 443
503:
name: Storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "Storage"
destination_port_ranges:
- 443
504:
name: AzureFrontDoor Frontend
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.Frontend"
destination_port_ranges:
- 443
505:
name: Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureContainerRegistry"
destination_port_ranges:
- 443
506:
name: Microsoft Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "MicrosoftContainerRegistry"
destination_port_ranges:
- 443
507:
name: Keyvault
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureKeyVault"
destination_port_ranges:
- 443
508:
name: AzureFrontDoor FirstParty
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.FirstParty"
destination_port_range: "*"
virtual_hub_connections:
vnet_to_{{platform_mappings[env]}}:
name: vnet-{{landingzone_definition}}-{{env}}-TO-{{platform_mappings[env]}}
virtual_hub:
lz_key: connectivity_virtual_hubs_{{platform_mappings[env]}}
key: {{platform_mappings[env]}}
vnet:
vnet_key: vnet
routing:
egress:
lz_key: virtual_hubs_route_tables_{{platform_mappings[env]}}
recovery_vaults:
asr:
name: vault-{{landingzone_definition}}-{{env}}
resource_group_key: backup
backup_policies:
vms:
default:
name: vm-default-policy
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
keyvaults:
kv_delegated_sp:
name: {{landingzone_definition}}{{env}}001
resource_group_key: rg
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
landingzone_maintainers_{{platform_mappings[env]}}:
lz_key: asvm
azuread_group_key: caf_ac_landingzone_maintainers_{{platform_mappings[env]}}
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
kv_delegated_sp:
app_LZContributors:
azuread_service_principal_key: sp_LZContributors
secret_permissions:
- Get
azuread_applications:
app_LZContributors:
application_name: app-asvm-{{landingzone_definition}}-{{env}}-Contributors
azuread_service_principals:
sp_LZContributors:
azuread_application:
key: app_LZContributors
azuread_credentials:
app_LZContributors:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
key: app_LZContributors
keyvaults:
kv_delegated_sp:
secret_prefix: sp
azuread_credential_policies:
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 70
rotation_key0:
days: 33
rotation_key1:
days: 58
azuread_groups_membership:
caf_{{platform_mappings[env]}}_landingzones_dns_contributors:
azuread_service_principals:
sp_LZContributors:
group_lz_key: identity_level2_{{platform_mappings[env]}}
keys:
- sp_LZContributors
caf_ac_landingzone_maintainers_{{platform_mappings[env]}}:
azuread_service_principals:
sp_LZContributors:
group_lz_key: asvm
keys:
- sp_LZContributors
custom_role_definitions:
contributors_extended:
name: lz-{{landingzone_definition}}-{{env}}-contributors-extended
useprefix: true
description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/virtualNetworks/join/action
role_mapping:
custom_role_mapping:
networking:
vnet:
contributors_extended:
azuread_service_principals:
keys:
- sp_LZContributors
built_in_role_mapping:
resource_groups:
preparation:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
modeling:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
consumption:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
analytics:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
storage_containers:
{{landingzone_definition}}_{{env}}_level3:
lz_key: {{landingzone_definition}}_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
{{landingzone_definition}}_{{env}}_level4:
lz_key: {{landingzone_definition}}_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
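Review bot: `caf_landingzone_branch: 2203.0` under `gitops:` is an unquoted scalar that a YAML loader reads as the float 2203.0 rather than as a branch name, so it should be quoted, `caf_landingzone_branch: "2203.0"`; the same value appears in the `asvm_subscriptions` template that follows. The Key Vault name built as `{{landingzone_definition}}{{env}}001` is only as constrained as the `landingzone_definition` prompt (no spaces), while Azure vault names are limited to 3–24 alphanumeric/hyphen characters, so a long or underscored definition name would presumably fail at apply time — worth validating the input or documenting the limit next to the prompt. The `logged_in_user` and `landingzone_maintainers_*` creation policies on `kv_delegated_sp` both grant `Purge`, which lets any member of that group permanently destroy soft-deleted secrets; if that is not intended for day-to-day maintainers, drop `Purge` from the group policy and keep it on the break-glass identity only.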


@ -0,0 +1,28 @@
asvm_subscriptions:
gitops:
caf_landingzone_branch: 2203.0
relative_destination_folder: level3/{{landingzone_definition}}/subscriptions
deployments:
landingzone:
global_settings_key:
platform:
asvm:
remote_tfstates:
platform:
asvm:
resources:
asvm_subscriptions:
subscriptions:
{% for region, value in deployments.asvm['root'].items() %}
{% for env, env_value in value.items() %}
{% if env != "asvm_subscriptions" %}
{{env}}:
{% for key, kv in subscriptions[env].items() %}
{{key}}: {{kv}}
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
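Review bot: The nested loops over `deployments.asvm['root']` regions and their environments emit one `{{env}}:` mapping per (region, env) pair, so an environment name that appears under more than one region would be rendered twice under `subscriptions:` and the YAML loader would silently keep only the last copy; the `tfstates` template that follows has the same loop shape. If the intent is one block per environment, collect the environment names into a unique list before looping (`{% for env in envs | unique %}`) or fail the playbook on a duplicate. `{{key}}: {{kv}}` also splices `kv` in with Jinja's default string conversion, which is only safe if `kv` is a scalar; if a subscription entry can be a mapping, render it with `to_nice_yaml` and an indent filter so the output is valid block YAML rather than a Python repr.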


@ -0,0 +1,23 @@
tfstates:
asvm:
asvm_subscriptions:
lz_key_name: {{landingzone_definition}}_subscriptions
tfstate: {{landingzone_definition}}_subscriptions.tfstate
workspace: tfstate
level: level3
sub_template_folder: platform/level3/subscriptions
yaml: platform/level3/ansible.yaml
{% for region, value in deployments.asvm['root'].items() %}
{% for env in value.keys() %}
{% if env != "asvm_subscriptions" %}
{{env}}:
lz_key_name: {{env}}_level3
tfstate: {{env}}_level3.tfstate
workspace: {{env | replace('_', '-')}}
level: level3
{% endif %}
{% endfor %}
{% endfor %}


@ -0,0 +1,81 @@
#
# Initial script to select a topology and create the base templates for the definition folder
#
- name: Deploy template to definition's folder
hosts: localhost
vars_prompt:
- name: landingzone_definition
prompt: Name of the landingzone group definition (no spaces)
private: no
- name: scale_out_domains_input
prompt: List of the scale-out domains. Will create one landingzone per domain.
private: no
default: dev,prod
- name: platform_domain_mapping_input
prompt: Mapping between the landingzones and platform scale-out domains.
private: no
default:
dev: non_prod
prod: prod
- name: generate_new_subscriptions
prompt: Do you want to deploy in the current logged_in subscription (True) or create new one (False)?
private: no
default: True
tasks:
- name: Get default subscription id
shell: az account show --query id -o tsv
register: subscription_id_cmd
when: generate_new_subscriptions
- set_fact:
scale_out_domains: "{{scale_out_domains_input.split(',') }}"
platform_domain_mapping: "{{platform_domain_mapping_input}}"
subscription_id: "{{subscription_id_cmd.stdout}}"
- name: Get template files
register: asvm_files
find:
paths: "{{topology_folder}}"
file_type: file
excludes:
- "readme_definition.md"
- "deploy_template.sh"
- debug:
msg:
- "{{asvm_files}}"
- "{{playbook_dir}}"
verbosity: 1
- name: "Creates template_folder directory - {{template_folder}}"
file:
path: "{{template_folder}}"
state: directory
- name: Deploy files
ansible.builtin.copy:
src: "{{item.path}}"
dest: "{{template_folder}}/{{ item.path | basename }}"
loop: "{{asvm_files.files}}"
- name: Save parameters
ansible.builtin.template:
src: "{{topology_folder}}/ignite.yaml"
dest: "{{template_folder}}/ignite.yaml"
- name: readme
ansible.builtin.template:
src: "{{topology_folder}}/readme.md"
dest: "{{template_folder}}/readme.md"
- debug:
msg:
- "next steps: {{template_folder}}/readme.md"
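Review bot: The `set_fact` task reads `subscription_id_cmd.stdout` unconditionally, but the task that registers it only runs `when: generate_new_subscriptions`; when the operator answers False the registered result is a skipped dict with no `stdout` and the play fails, so use `subscription_id: "{{ subscription_id_cmd.stdout | default('') }}"` or guard the fact with the same condition. The prompt text says True means "deploy in the current logged_in subscription", which is the opposite of what a variable named `generate_new_subscriptions` suggests; rename the variable or invert the prompt so the `when:` reads correctly. Prompt answers arrive as strings, so confirm that a typed `False` is actually treated as false — `when: generate_new_subscriptions | bool` makes that explicit. `private: no` and `default: True` are YAML 1.1 truthy spellings; prefer `private: false` / `default: true`, and since `az account show --query id -o tsv` needs no shell features, `command:` avoids an unnecessary shell layer.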

7
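--- /dev/null
+++ b/templates/asvm/readme.md
+## Template to generate the defitions for the Orion data and ai landingzones
+```bash
+/tf/caf/landingzones/templates/asvm/orion/deploy_template.sh
+```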


@ -1,4 +0,0 @@
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
asvm:
cleanup_destination: true


@ -1,511 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level3/asvm/orion/dev
deployments:
landingzone:
tfstate:
asvm:
orion_dev:
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
asvm:
subscriptions:
platform:
virtual_hubs: non_prod
azurerm_firewalls: non_prod
identity_level2: non_prod
asvm:
subscriptions:
orion_dev:
resource_groups:
rg:
name: orion-dev
backup:
name: orion-dev-backup
networking:
name: orion-dev-networking
preparation:
name: orion-dev-preparation
modeling:
name: orion-dev-modeling
consumption:
name: orion-dev-consumption
analytics:
name: orion-dev-analytics
virtual_networks:
vnet:
name: orion-dev
resource_group_key: networking
region_key: region1
dns_servers_keys:
fw_prod_plinks_01:
resource_type: azurerm_firewall
lz_key: connectivity_firewalls_non_prod
key: fw_non_prod_plinks_01
address_space:
- 10.101.200.0/23
subnets:
databricks_preparation_egress:
name: databricks-preparation-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.200.0/26
databricks_preparation_private:
name: databricks-preparation-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.200.64/26
databricks_modeling_egress:
name: databricks-modeling-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.201.0/26
databricks_modeling_private:
name: databricks-modeling-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.201.64/26
consumption:
name: consumption
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.200.128/25
databricks_notebooks:
name: databricks-notebooks
service_endpoints:
- Microsoft.Storage
- Microsoft.KeyVault
nsg_key: databricks_notebooks
cidr:
- 10.101.201.128/27
private_endpoints:
name: private-endpoints
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.201.192/27
network_security_group_definition:
databricks_egress:
version: 1
resource_group_key: networking
name: databricks-egress
nsg:
Inbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 5557
destination_address_prefix: "*"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 22
destination_address_prefix: "*"
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
405:
name: ICMP
access: Allow
protocol: icmp
source_port_range: "*"
source_address_prefix: "*"
destination_port_range: "*"
destination_address_prefix: "*"
databricks_private:
version: 1
resource_group_key: networking
name: databricks-private
nsg:
Inbound:
400:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
401:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
consumption:
version: 1
resource_group_key: networking
name: consumption
databricks_notebooks:
version: 1
resource_group_key: networking
name: databricks-notebook
nsg:
Inbound:
500:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
501:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
500:
name: AzureActiveDirectory
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectory"
destination_port_ranges:
- 80
- 443
501:
name: AzureMachineLearning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureMachineLearning"
destination_port_ranges:
- 443
502:
name: AzureResourceManager
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureResourceManager"
destination_port_ranges:
- 443
503:
name: Storage SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "Storage.SoutheastAsia"
destination_port_ranges:
- 443
504:
name: AzureFrontDoor Frontend
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.Frontend"
destination_port_ranges:
- 443
505:
name: Container Registry SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureContainerRegistry.SoutheastAsia"
destination_port_ranges:
- 443
506:
name: Microsoft Container Registry SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia"
destination_port_ranges:
- 443
507:
name: Keyvault SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureKeyVault.SoutheastAsia"
destination_port_ranges:
- 443
508:
name: AzureFrontDoor FirstParty
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.FirstParty"
destination_port_range: "*"
virtual_hub_connections:
vnet_to_dev:
name: vnet-orion-dev-TO-non-prod
virtual_hub:
lz_key: connectivity_virtual_hub_non_prod
key: non_prod
vnet:
vnet_key: vnet
recovery_vaults:
asr:
name: vault-orion-dev
resource_group_key: backup
backup_policies:
vms:
default:
name: vm-default-policy
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
keyvaults:
kv_delegated_sp:
name: oriondev0001
resource_group_key: rg
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
landingzone_maintainers_non_prod:
lz_key: asvm
azuread_group_key: caf_ac_landingzone_maintainers_non_prod
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
kv_delegated_sp:
app_LZContributors:
azuread_service_principal_key: sp_LZContributors
secret_permissions:
- Get
azuread_applications:
app_LZContributors:
application_name: app-asvm-orion-dev-Contributors
azuread_service_principals:
sp_LZContributors:
azuread_application:
key: app_LZContributors
azuread_credentials:
app_LZContributors:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
key: app_LZContributors
keyvaults:
kv_delegated_sp:
secret_prefix: sp
azuread_credential_policies:
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 70
rotation_key0:
days: 33
rotation_key1:
days: 58
custom_role_definitions:
contributors_extended:
name: lz-orion-dev-contributors-extended
useprefix: true
description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/virtualNetworks/join/action
role_mapping:
custom_role_mapping:
networking:
vnet:
contributors_extended:
azuread_service_principals:
keys:
- sp_LZContributors
built_in_role_mapping:
resource_groups:
preparation:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
modeling:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
consumption:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
analytics:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
storage_containers:
orion_prod_level3:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
orion_dev_level4:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors


@ -1,524 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level3/asvm/orion/prod
deployments:
landingzone:
tfstate:
asvm:
orion_prod:
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
asvm:
subscriptions:
platform:
virtual_hubs: prod
azurerm_firewalls: prod
identity_level2: prod
asvm:
subscriptions:
orion_prod:
resource_groups:
rg:
name: orion-prod
backup:
name: orion-prod-backup
networking:
name: orion-prod-networking
preparation:
name: orion-prod-preparation
modeling:
name: orion-prod-modeling
consumption:
name: orion-prod-consumption
analytics:
name: orion-prod-analytics
virtual_networks:
vnet:
name: orion-prod
resource_group_key: networking
region_key: region1
dns_servers_keys:
fw_prod_plinks_01:
resource_type: azurerm_firewall
lz_key: connectivity_firewalls_prod
key: fw_prod_plinks_01
address_space:
- 10.101.8.0/23
subnets:
databricks_preparation_egress:
name: databricks-preparation-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.0/26
databricks_preparation_private:
name: databricks-preparation-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.64/26
databricks_modeling_egress:
name: databricks-modeling-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.0/26
databricks_modeling_private:
name: databricks-modeling-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.64/26
consumption:
name: consumption
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.8.128/25
databricks_notebooks:
name: databricks-notebooks
service_endpoints:
- Microsoft.Storage
- Microsoft.KeyVault
nsg_key: databricks_notebooks
cidr:
- 10.101.9.128/27
private_endpoints:
name: private-endpoints
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.9.192/27
network_security_group_definition:
databricks_egress:
version: 1
resource_group_key: networking
name: databricks-egress
nsg:
Inbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 5557
destination_address_prefix: "*"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 22
destination_address_prefix: "*"
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
405:
name: ICMP
access: Allow
protocol: icmp
source_port_range: "*"
source_address_prefix: "*"
destination_port_range: "*"
destination_address_prefix: "*"
databricks_private:
version: 1
resource_group_key: networking
name: databricks-private
nsg:
Inbound:
400:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
401:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
consumption:
version: 1
resource_group_key: networking
name: consumption
databricks_notebooks:
version: 1
resource_group_key: networking
name: databricks-notebooks
nsg:
Inbound:
500:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
501:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
500:
name: AzureActiveDirectory
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectory"
destination_port_ranges:
- 80
- 443
501:
name: AzureMachineLearning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureMachineLearning"
destination_port_ranges:
- 443
502:
name: AzureResourceManager
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureResourceManager"
destination_port_ranges:
- 443
503:
name: Storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "Storage"
destination_port_ranges:
- 443
504:
name: AzureFrontDoor Frontend
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.Frontend"
destination_port_ranges:
- 443
505:
name: Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureContainerRegistry"
destination_port_ranges:
- 443
506:
name: Microsoft Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "MicrosoftContainerRegistry"
destination_port_ranges:
- 443
507:
name: Keyvault
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureKeyVault"
destination_port_ranges:
- 443
508:
name: AzureFrontDoor FirstParty
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.FirstParty"
destination_port_range: "*"
virtual_hub_connections:
vnet_to_prod:
name: vnet-orion-prod-TO-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet
recovery_vaults:
asr:
name: vault-orion-prod
resource_group_key: backup
backup_policies:
vms:
default:
name: vm-default-policy
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
keyvaults:
kv_delegated_sp:
name: orionprod001
resource_group_key: rg
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
landingzone_maintainers_prod:
lz_key: asvm
azuread_group_key: caf_ac_landingzone_maintainers_prod
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
kv_delegated_sp:
app_LZContributors:
azuread_service_principal_key: sp_LZContributors
secret_permissions:
- Get
azuread_applications:
app_LZContributors:
application_name: app-asvm-orion-prod-Contributors
azuread_service_principals:
sp_LZContributors:
azuread_application:
key: app_LZContributors
azuread_credentials:
app_LZContributors:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
key: app_LZContributors
keyvaults:
kv_delegated_sp:
secret_prefix: sp
azuread_credential_policies:
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 70
rotation_key0:
days: 33
rotation_key1:
days: 58
azuread_groups_membership:
caf_prod_landingzones_dns_contributors:
azuread_service_principals:
sp_LZContributors:
group_lz_key: identity_level2
keys:
- sp_LZContributors
caf_ac_landingzone_maintainers_prod:
azuread_service_principals:
sp_LZContributors:
group_lz_key: asvm
keys:
- sp_LZContributors
custom_role_definitions:
contributors_extended:
name: lz-orion-prod-contributors-extended
useprefix: true
description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/virtualNetworks/join/action
role_mapping:
custom_role_mapping:
networking:
vnet:
contributors_extended:
azuread_service_principals:
keys:
- sp_LZContributors
built_in_role_mapping:
resource_groups:
preparation:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
modeling:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
consumption:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
analytics:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
storage_containers:
orion_prod_level3:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
orion_prod_level4:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors


@ -1,31 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level3/asvm/orion/subscriptions
deployments:
landingzone:
tfstate:
asvm:
subscriptions:
global_settings_key:
platform:
asvm:
remote_tfstates:
platform:
asvm:
subscriptions:
launchpad:
subscriptions:
orion_dev:
name: orion-dev
create_alias: false
subscription_id: <replace>
orion_prod:
name: orion-prod
create_alias: false
subscription_id: <replace>


@ -1,16 +0,0 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
## Generate the configuration files
```bash
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/platform \
-e resource_template_folder=/tf/caf/landingzones/templates/resources \
-e config_folder=/tf/caf/definitions/asvm/orion-landingzone \
-e config_folder_platform=/tf/caf/definitions \
-e landingzones_folder=/tf/caf/landingzones
```


@ -1,28 +0,0 @@
# ### orion ###
tfstates:
asvm:
subscriptions:
lz_key_name: orion_subscriptions
tfstate: orion_subscriptions.tfstate
workspace: tfstate
level: level3
sub_template_folder: level3
yaml: level3/ansible.yaml
orion_dev:
lz_key_name: orion_dev_level3
tfstate: orion_dev_level3.tfstate
workspace: orion-dev
level: level3
sub_template_folder: level3
yaml: level3/ansible.yaml
orion_prod:
lz_key_name: orion_prod_level3
tfstate: orion_prod_level3.tfstate
workspace: orion-prod
level: level3
sub_template_folder: level3
yaml: level3/ansible.yaml


@ -1,31 +0,0 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform
## Commands
### clone the landingzone project (Terraform base code)
```bash
cd /tf/caf/landingzones
git pull
git checkout aci_network
```
### Rover ignite the platform
Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps.
Rover ignite creates the tfvars and also the documentation.
```bash
rover login -t tenantname<replace> -s <management subscription guid><replace>
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/platform \
-e resource_template_folder=/tf/caf/landingzones/templates/resources \
-e config_folder=/tf/caf/orgs/contoso/platform
```
### Next step
Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created.


@ -1,38 +0,0 @@
gitops:
landingzones: aci_network
subscriptions:
asvm:
resource_groups:
level3:
name: caf-level3
tags:
level: level3
level4:
name: caf-level4
tags:
level: level4
storage_accounts:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
keyvaults:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
azuread_groups:
caf_ac_landingzone_maintainers_non_prod:
name: caf_ac_landingzone_maintainers_non_prod
caf_ac_landingzone_maintainers_prod:
name: caf_ac_landingzone_maintainers_prod


@ -1,39 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
express_route_circuits:
prod:
name: er-1-prod
resource_group_key: prod
service_provider_name: XL Axiata
peering_location: Jakarta
tier: Standard
family: MeteredData
bandwidth_in_mbps: 50
non_prod:
name: er-1-nonprod
resource_group_key: non_prod
service_provider_name: XL Axiata
peering_location: Jakarta
tier: Standard
family: MeteredData
bandwidth_in_mbps: 50
express_route_circuit_authorizations:
prod:
vhub-prod:
name: er-auth-vhub-prod
resource_group_key: prod
non_prod:
vhub-non-prod:
name: er-auth-vhub-non-prod
resource_group_key: dev
resource_groups:
prod:
name: connectivity-express-route-prod
region_key: region1
non_prod:
name: connectivity-express-route-non-prod
region_key: region1


@ -1,67 +0,0 @@
custom_variables:
prod:
virtual_hub_lz_key: connectivity_virtual_hub_prod
# ddos_protection_plan_id: put ddos plan resource id
non_prod:
virtual_hub_lz_key: connectivity_virtual_hub_non_prod
# ddos_protection_plan_id: put ddos plan resource id
virtual_hubs:
prod:
name: Production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: <replace>
deploy_s2s: false
s2s_config:
name: prod
scale_unit: 1
deploy_er: false
enable_er_connections: false
er_config:
name: prod
scale_units: 1
non_prod:
name: Non Production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: <replace>
deploy_s2s: false
s2s_config:
name: non-prod
scale_unit: 1
deploy_er: false
enable_er_connections: false
er_config:
name: non-prod
scale_units: 1
express_route_connections:
prod:
name: erc-er-1-prod
virtual_hub:
key: prod
circuit_peering:
tfstate_key: prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: prod
key: vhub-prod
non_prod:
name: er-1-non-prod
virtual_hub:
key: non_prod
circuit_peering:
tfstate_key: non_prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: non_prod
key: vhub-non-prod


@ -1,19 +0,0 @@
virtual_wans:
global_wan:
name: vwan
resource_group_key: global_wan
region_key: region1
resource_groups:
global_wan:
name: connectivity-global-wan
region_key: region1
ddos_services:
name: connectivity-ddos
region_key: region1
ddos_services:
region1:
name: ddos-re1
region_key: region1
resource_group_key: ddos_services


@ -1,132 +0,0 @@
caf_terraform:
naming_convention:
# When set to false use the CAF provider to generate names aligned to CAF guidance
# true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace.
passthrough: false
inherit_tags: false
# set: define the prefix to add to all resource names
# unset: if passthrough is set to false, generate a random prefix
prefix: cont
# if passthrough is set to false, add random suffix to name, up to the random_lenght value.
random_length: 5
launchpad:
caf_environment: contoso
account_replication_type: GRS
regions:
region1:
# set the short form of the Azure region
name: southeastasia<replace> # Use the lower-case region's name, short version with no space
slug: sea
region2:
name: eastasia<replace> # Use the lower-case region's name, short version with no space
slug: ea
default_region_key: region1
# Define the number of CAF levels to use. Recommeded is 3 for the platform.
number_of_levels: 3
blob_versioning_enabled: true
container_delete_retention_policy: 7
delete_retention_policy: 7
# Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd.
subscription_id: <replace>
subscription_name: contoso-caf-launchpad
tenant_id: <replace>
# Global tags
tags:
application_owner: sre
billing_subscription_role_delegations:
# true: enable this deployment. The remaining attributes are required.
# false: disable this deployment.
# azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform
# azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running:
# az ad signed-in-user show --query objectId -o tsv
# The remaining attributes are ignored: [billing_account_name, enrollment_account_name]
enable: false
# Azure Active Directory User (UPN) that is Account Owner in the EA portal
# if enable=false, set the upn of the user doing the manual deployment
azuread_user_ea_account_owner: <replace>
# see comments above to get the object_id
azuread_user_ea_account_owner_object_id: <replace>
# Only set the following two attributes when enable=true
billing_account_name: <replace>
enrollment_account_name: <replace>
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
platform:
# true: force the destination folder to be deleted and re-created before the files are created.
# false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is.
cleanup_destination: true
# base destination folder where rover ignite will store the tfvars files. No / at the end
destination_base_path: /tf/caf
# destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end
destination_relative_path: configuration/contoso/platform
platform_core_setup:
sku:
keyvault: standard
enterprise_scale:
enable: true
scenario: contoso
model: demo
management_group_name: "Contoso Industries"
management_group_prefix: contoso
deploy_core_landing_zones: true
enable_azure_subscription_vending_machine: true
clean_up_destination_folder: false
update_lib_folder: true
subscription_deployment_mode: dedicated_new
private_lib:
version_to_deploy: v1.1.1
v0.1.x:
caf_landingzone_branch: "2107.1"
v0.3.3:
caf_landingzone_branch: "patch.5.4.4"
v1.1.1:
caf_landingzone_branch: "aci_network"
# subscription_id_overrides:
# decommissioned:
# - guid1
# connectivity:
# - guid2
# - guid3
# management:
# - guid4
# identity:
# -
platform_management:
enable: true
networking_topology:
deployment_option: virtual_wan
platform_identity:
# Set the Azure Active Directory tenant name (primary domain name)
# has to be the default domain name (custom dns name or tenantname.onmicrosoft.com)
# check the AAD property
tenant_name: <replace>
# Supported values
# - service_principal
# - logged_in_user
azuread_identity_mode: service_principal
# UPNs you want to add in the caf_platform_maintainers Azure AD group
# Can use user or guest accounts
# Those users will have full permissions on platform.
# Once setup, you can remove them from here or add them from
# Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts.
caf_platform_maintainers:
- <replace>
notifications:
service_health_alerts:
emails:
support1:
name: <replace>
email_address: <replace>
security_center_email_contact: <replace>
gitops:
caf_landingzone_branch: "aci_network"
deployment_mode: interactive
rover_log_error: ERROR


@ -1,34 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
landingzone:
key:
platform:
private_dns: non_prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
asvm:
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "non-prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,77 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
landingzone:
key:
platform:
azurerm_firewalls: non_prod
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
platform:
virtual_hubs: non_prod
azurerm_firewall_policies: non_prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-non-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.201.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.201.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-non-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_non_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-non-prod-fw-plinks-TO-vhub-non_prod
virtual_hub:
lz_key: connectivity_virtual_hub_non_prod
key: non_prod
vnet:
vnet_key: vnet


@ -1,189 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
landingzone:
key:
platform:
private_dns: non_prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
asvm:
subscriptions:
connectivity:
resource_groups:
dns_connectivity_non_prod:
name: dns-connectivity-non-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia<replace>.azmk8s.io:
name: privatelink.southeastasia<replace>.azmk8s.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia<replace>.backup.windowsazure.com:
name: privatelink.southeastasia<replace>.backup.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.oms.opinsights.non_prod.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-non-prod-private-dns-extended
useprefix: true
description: "(non-prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
role_mapping:
custom_role_mapping:
resource_groups:
dns_connectivity_prod:
landgingzone_extended:
azuread_groups:
lz_key: identity_level2
keys:
- caf_non_prod_landingzones_dns_contributors
built_in_role_mapping:
resource_groups:
dns_connectivity_non_prod:
Private DNS Zone Contributor:
azuread_groups:
lz_key: identity_level2
keys:
- caf_non_prod_landingzones_dns_contributors


@ -1,34 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
private_dns: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
asvm:
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
azurerm_firewalls: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
azurerm_firewall_policies: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_prod_plinks_01:
name: fw-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet


@ -1,191 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
private_dns: prod
global_settings_key:
platform:
virtual_wan:
remote_tfstates:
platform:
virtual_wan:
azurerm_firewalls: prod
identity_level2: prod
subscriptions:
connectivity:
resource_groups:
dns_connectivity_prod:
name: dns-connectivity-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia<replace>.azmk8s.io:
name: privatelink.southeastasia<replace>.azmk8s.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia<replace>.backup.windowsazure.com:
name: privatelink.southeastasia<replace>.backup.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.oms.opinsights.azure.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-private-dns-extended
useprefix: true
description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
role_mapping:
custom_role_mapping:
resource_groups:
dns_connectivity_prod:
landgingzone_extended:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors
built_in_role_mapping:
resource_groups:
dns_connectivity_prod:
Private DNS Zone Contributor:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors


@ -1,64 +0,0 @@
gitops:
landingzones: aci_network
deployments:
identity:
prod:
landingzone:
key:
platform:
identity_level2: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
identity:
resource_groups:
management:
name: management
azuread_groups:
caf_non_prod_landingzones_dns_contributors:
name: caf ac non_prod landingzones dns contributors
caf_prod_landingzones_dns_contributors:
name: caf ac prod landingzones dns contributors
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,171 +0,0 @@
gitops:
landingzones: aci_network
deployments:
identity:
prod:
landingzone:
key:
platform:
identity_aadds: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
management:
virtual_hubs: prod
identity_level2: prod
subscriptions:
identity:
resource_groups:
rg:
name: identity-prod-aadds
region_key: region1
virtual_networks:
vnet:
name: vnet-identity-prod-aadds
resource_group_key: rg
region_key: region1
address_space:
- 10.10.100.0/27
dns_servers:
- 10.10.100.4
- 10.10.100.5
subnets:
aadds:
name: snet-aadds
cidr:
- 10.10.100.0/28
nsg_key: aadds_re1
management:
name: snet-aadds-management
cidr:
- 10.10.100.16/28
virtual_hub_connections:
vnet_to_hub:
name: vnet-identity-prod-aadds-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet
active_directory_domain_service:
aadds:
name: aadds
region: region1
resource_group:
key: rg
domain_name: aadds-contoso.net
sku: Standard
filtered_sync_enabled: false
initial_replica_set:
region: region1
subnet:
vnet_key: vnet
key: aadds
notifications:
additional_recipients:
- notifyA@example.net
- notifyB@example.net
notify_dc_admins: true
notify_global_admins: false
security:
ntlm_v1_enabled: false
sync_kerberos_passwords: true
sync_ntlm_passwords: false
sync_on_prem_passwords: true
tls_v1_enabled: false
azuread_groups:
aad_dc_administrators:
name: AAD DC Administrators
prevent_duplicate_name: true
network_security_group_definition:
aadds_re1:
version: 1
resource_group_key: rg
region: region1
name: nsg-aadds-re1
nsg:
Inbound:
400:
name: Debugging for support.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "3389"
source_address_prefix: CorpNetSaw
destination_address_prefix: "*"
401:
name: Powershell remoting.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "5986"
source_address_prefix: AzureActiveDirectoryDomainServices
destination_address_prefix: "*"
Outbound:
400:
name: Communication with the Azure AD Domain Services management service.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "443"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectoryDomainServices"
401:
name: Monitoring of the virtual machines.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "443"
source_address_prefix: "*"
destination_address_prefix: "AzureMonitor"
402:
name: Communication with Azure Storage.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "443"
source_address_prefix: "*"
destination_address_prefix: "Storage"
403:
name: Communication with Azure Active Directory.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "443"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectory"
404:
name: Communication with Windows Update.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "443"
source_address_prefix: "*"
destination_address_prefix: "AzureUpdateDelivery"
405:
name: Download of patches from Windows Update.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "443"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.FirstParty"
406:
name: Automated management of security patches.
access: Allow
protocol: tcp
source_port_range: "*"
destination_port_range: "443"
source_address_prefix: "*"
destination_address_prefix: "GuestAndHybridManagement"


@ -1,398 +0,0 @@
gitops:
landingzones: aci_network
deployments:
identity:
prod:
landingzone:
key:
platform:
identity_level2_adds: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
management:
virtual_hubs: prod
identity_level2: prod
subscriptions:
identity:
resource_groups:
rg:
name: identity-prod-adds
region_key: region1
virtual_networks:
vnet:
name: vnet-identity-prod-adds
resource_group_key: rg
region_key: region1
address_space:
- 10.10.100.0/27
dns_servers:
- 10.10.100.4
- 10.10.100.5
subnets:
adds:
name: snet-adds
cidr:
- 10.10.100.0/28
nsg_key: adds_re1
management:
name: snet-adds-management
cidr:
- 10.10.100.16/28
keyvaults:
adds_credentials:
name: addskv
resource_group_key: rg
sku_name: premium
purge_protection_enabled: false
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
dynamic_keyvault_secrets:
adds_credentials:
vmadmin-username:
secret_name: vmadmin-username
value: vmadmin
vmadmin-password:
secret_name: vmadmin-password
value: Very@Str5ngP!44w0rdToChaNge#
virtual_machines:
adds1:
resource_group:
key: rg
region: region1
os_type: windows
keyvault_key: adds_credentials
backup:
vault_key: asr
policy_key: default
lz_key: identity_level2
virtual_machine_settings:
windows:
computer_name: adds1
name: adds1
admin_password_key: vmadmin-password
admin_username_key: vmadmin-username
network_interface_keys:
- nic0
provision_vm_agent: true
size: Standard_F2
zone: 1
os_disk:
name: adds1-os
caching: ReadWrite
storage_account_type: Standard_LRS
disk_size_gb: 128
# identity:
# type: SystemAssigned, UserAssigned
# managed_identity_keys:
# - id1
# remote:
# lz_key_name1:
# managed_identity_keys:
# - id2
# - id3
# lz_key_name2:
# managed_identity_keys:
# - id4
# - id5
# custom_image_id:
source_image_reference:
publisher: MicrosoftWindowsServer
offer: WindowsServer
sku: 2019-Datacenter
version: latest
data_disks:
lun1:
name: adds1-data1
lun: "1"
caching: None
storage_account_type: Standard_LRS
create_option: Empty
disk_size_gb: 10
zones:
- "1"
networking_interfaces:
nic0:
name: 0
vnet_key: vnet
subnet_key: adds
enable_ip_forwarding: false
internal_dns_name_label: adds1-nic0
private_ip_address_allocation: Static
private_ip_address: 10.10.100.4
primary: true
tags:
adds: "ok"
dns_servers:
# - Set on-prem dns
- 10.10.100.5
network_security_group:
key: adds_re1
# ip_configurations:
# conf2:
# name: 0-conf
# vnet_key: vnet
# subnet_key: management
# enable_ip_forwarding: false
# private_ip_address_allocation: Static
# private_ip_address: 10.10.100.20
adds2:
resource_group:
key: rg
region: region1
os_type: windows
keyvault_key: adds_credentials
backup:
vault_key: asr
policy_key: default
lz_key: identity_level2
virtual_machine_settings:
windows:
computer_name: adds2
name: adds2
admin_password_key: vmadmin-password
admin_username_key: vmadmin-username
network_interface_keys:
- nic0
provision_vm_agent: true
size: Standard_F2
zone: 2
os_disk:
name: adds2-os
caching: ReadWrite
storage_account_type: Standard_LRS
disk_size_gb: 128
# identity:
# type: SystemAssigned, UserAssigned
# managed_identity_keys:
# - id1
# remote:
# lz_key_name1:
# managed_identity_keys:
# - id2
# - id3
# lz_key_name2:
# managed_identity_keys:
# - id4
# - id5
source_image_reference:
publisher: MicrosoftWindowsServer
offer: WindowsServer
sku: 2019-Datacenter
version: latest
data_disks:
lun1:
name: adds2-data1
lun: "1"
storage_account_type: Standard_LRS
create_option: Empty
disk_size_gb: 10
zones:
- "2"
networking_interfaces:
nic0:
name: 0
vnet_key: vnet
subnet_key: adds
enable_ip_forwarding: false
internal_dns_name_label: adds2-nic0
private_ip_address_allocation: Static
private_ip_address: 10.10.100.5
primary: true
tags:
adds: "ok"
dns_servers:
# - Set on-prem ADDS dns
- 10.10.100.4
network_security_group:
key: adds_re1
# ip_configurations:
# conf2:
# name: 0-conf
# vnet_key: vnet
# subnet_key: management
# enable_ip_forwarding: false
# private_ip_address_allocation: Static
# private_ip_address: 10.10.100.21
virtual_hub_connections:
vnet_to_hub:
name: vnet-identity-prod-adds-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet
network_security_group_definition:
adds_re1:
version: 1
resource_group_key: rg
region: region1
name: nsg-adds-re1
# Reference - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts
# following is for Windows Server 2008 and later
nsg:
Inbound:
400:
name: W32Time.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
# source_address_prefixes:
# - on-prem CIDR for ADDS
source_port_range: "49152-65535"
destination_port_range: "123"
destination_address_prefix: "*"
401:
name: RPC Endpoint Mapper.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "135"
destination_address_prefix: "*"
402:
name: Kerberos password change tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "464"
destination_address_prefix: "*"
403:
name: Kerberos password change udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "464"
destination_address_prefix: "*"
404:
name: RPC for LSA, SAM, NetLogon.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "49152-65535"
destination_address_prefix: "*"
405:
name: LDAP-tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "389"
destination_address_prefix: "*"
406:
name: LDAP-udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "389"
destination_address_prefix: "*"
407:
name: LDAP SSL.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "636"
destination_address_prefix: "*"
408:
name: LDAP GC.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "3268"
destination_address_prefix: "*"
409:
name: LDAP GC SSL.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "3269"
destination_address_prefix: "*"
410:
name: DNS tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_ranges:
- "53"
- "49152-65535"
destination_port_range: "53"
destination_address_prefix: "*"
411:
name: DNS udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_ranges:
- "53"
- "49152-65535"
destination_port_range: "53"
destination_address_prefix: "*"
412:
name: Kerberos tcp.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "88"
destination_address_prefix: "*"
413:
name: Kerberos udp.
access: Allow
protocol: udp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "88"
destination_address_prefix: "*"
414:
name: SMB.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "445"
destination_address_prefix: "*"
# Adjust the following based on your RPC custom ports configuration
415:
name: FRS RPC.
access: Allow
protocol: tcp
source_address_prefix: "VirtualNetwork"
source_port_range: "49152-65535"
destination_port_range: "49152-65535"
destination_address_prefix: "*"


@ -1,310 +0,0 @@
archetype_definitions:
root:
archetype_id: root
policy_assignments:
Allowed-Locations:
listOfAllowedLocations:
- southeastasia<replace> # Use the lower-case region's name, short version with no space
- eastasia<replace>
Deny-RSG-Locations:
listOfAllowedLocations:
- southeastasia<replace>
- eastasia<replace>
# Set to Audit as Terraform cannot combine both in one operation yet.
Deny-Subnet-Without-Nsg:
effect: Audit
# Set to Audit as Terraform cannot combine both in one operation yet.
Deny-Subnet-Without-Udr:
effect: Audit
# More details on in the parameters in the Azure Policy definition (Azure Security Benchmark) 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
# Change the attributes values as they are not the same. Some are DeployIfNotExist, Some Disabled, Enabled...
Deploy-ASC-Monitoring:
aadAuthenticationInSqlServerMonitoringEffect: Disabled
diskEncryptionMonitoringEffect: Disabled
encryptionOfAutomationAccountMonitoringEffect: Disabled
identityDesignateLessThanOwnersMonitoringEffect: Disabled
identityDesignateMoreThanOneOwnerMonitoringEffect: Disabled
identityEnableMFAForWritePermissionsMonitoringEffect: Disabled
identityRemoveDeprecatedAccountMonitoringEffect: Disabled
identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithReadPermissionsMonitoringEffect: Disabled
identityRemoveExternalAccountWithWritePermissionsMonitoringEffect: Disabled
jitNetworkAccessMonitoringEffect: Disabled
networkSecurityGroupsOnSubnetsMonitoringEffect: Disabled
sqlDbEncryptionMonitoringEffect: Disabled
sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect: Disabled
sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect: Disabled
sqlServerAdvancedDataSecurityMonitoringEffect: Disabled
systemUpdatesMonitoringEffect: Disabled
useRbacRulesMonitoringEffect: Disabled
vmssSystemUpdatesMonitoringEffect: Disabled
windowsDefenderExploitGuardMonitoringEffect: Disabled
Deploy-ASCDF-Config:
emailSecurityContact: <replace>
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
enableAscForKubernetes: DeployIfNotExists
enableAscForSql: DeployIfNotExists
enableAscForSqlOnVm: DeployIfNotExists
enableAscForDns: DeployIfNotExists
enableAscForArm: DeployIfNotExists
enableAscForOssDb: DeployIfNotExists
enableAscForAppServices: DeployIfNotExists
enableAscForRegistries: DeployIfNotExists
enableAscForKeyVault: DeployIfNotExists
enableAscForStorage: DeployIfNotExists
enableAscForServers: DeployIfNotExists
Deploy-AzActivity-Log:
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-LX-Arc-Monitoring:
Deploy-Resource-Diag:
profileName: eslz-diagnostic-log
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-WS-Arc-Monitoring:
logAnalytics:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-VM-Monitoring:
logAnalytics_1:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
Deploy-VMSS-Monitoring:
logAnalytics_1:
lz_key: management
output_key: diagnostics
resource_type: log_analytics
resource_key: region1
attribute_key: id
policy_definitions:
Append-AppService-httpsonly:
Append-AppService-latestTLS:
Append-KV-SoftDelete:
Append-Redis-disableNonSslPort:
Append-Redis-sslEnforcement:
Audit-MachineLearning-PrivateEndpointId:
Deny-AA-child-resources:
Deny-AppGW-Without-WAF:
Deny-AppServiceApiApp-http:
Deny-AppServiceFunctionApp-http:
Deny-AppServiceWebApp-http:
Deny-Databricks-NoPublicIp:
Deny-Databricks-Sku:
Deny-Databricks-VirtualNetwork:
Deny-MachineLearning-Aks:
Deny-MachineLearning-Compute-SubnetId:
Deny-MachineLearning-Compute-VmSize:
Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess:
Deny-MachineLearning-ComputeCluster-Scale:
Deny-MachineLearning-HbiWorkspace:
Deny-MachineLearning-PublicAccessWhenBehindVnet:
Deny-MachineLearning-PublicNetworkAccess:
Deny-MySql-http:
Deny-PostgreSql-http:
Deny-Private-DNS-Zones:
Deny-PublicEndpoint-MariaDB:
Deny-PublicIP:
Deny-RDP-From-Internet:
Deny-Redis-http:
Deny-Sql-minTLS:
Deny-SqlMi-minTLS:
Deny-Storage-minTLS:
Deny-Subnet-Without-Nsg:
Deny-Subnet-Without-Udr:
Deny-VNET-Peer-Cross-Sub:
Deny-VNet-Peering:
Deploy-ASC-SecurityContacts:
Deploy-Budget:
Deploy-Custom-Route-Table:
Deploy-DDoSProtection:
Deploy-Diagnostics-AA:
Deploy-Diagnostics-ACI:
Deploy-Diagnostics-ACR:
Deploy-Diagnostics-AnalysisService:
Deploy-Diagnostics-ApiForFHIR:
Deploy-Diagnostics-APIMgmt:
Deploy-Diagnostics-ApplicationGateway:
Deploy-Diagnostics-CDNEndpoints:
Deploy-Diagnostics-CognitiveServices:
Deploy-Diagnostics-CosmosDB:
Deploy-Diagnostics-Databricks:
Deploy-Diagnostics-DataExplorerCluster:
Deploy-Diagnostics-DataFactory:
Deploy-Diagnostics-DLAnalytics:
Deploy-Diagnostics-EventGridSub:
Deploy-Diagnostics-EventGridSystemTopic:
Deploy-Diagnostics-EventGridTopic:
Deploy-Diagnostics-ExpressRoute:
Deploy-Diagnostics-Firewall:
Deploy-Diagnostics-FrontDoor:
Deploy-Diagnostics-Function:
Deploy-Diagnostics-HDInsight:
Deploy-Diagnostics-iotHub:
Deploy-Diagnostics-LoadBalancer:
Deploy-Diagnostics-LogicAppsISE:
Deploy-Diagnostics-MariaDB:
Deploy-Diagnostics-MediaService:
Deploy-Diagnostics-MlWorkspace:
Deploy-Diagnostics-MySQL:
Deploy-Diagnostics-NetworkSecurityGroups:
Deploy-Diagnostics-NIC:
Deploy-Diagnostics-PostgreSQL:
Deploy-Diagnostics-PowerBIEmbedded:
Deploy-Diagnostics-RedisCache:
Deploy-Diagnostics-Relay:
Deploy-Diagnostics-SignalR:
Deploy-Diagnostics-SQLElasticPools:
Deploy-Diagnostics-SQLMI:
Deploy-Diagnostics-TimeSeriesInsights:
Deploy-Diagnostics-TrafficManager:
Deploy-Diagnostics-VirtualNetwork:
Deploy-Diagnostics-VM:
Deploy-Diagnostics-VMSS:
Deploy-Diagnostics-VNetGW:
Deploy-Diagnostics-WebServerFarm:
Deploy-Diagnostics-Website:
Deploy-Diagnostics-WVDAppGroup:
Deploy-Diagnostics-WVDHostPools:
Deploy-Diagnostics-WVDWorkspace:
Deploy-FirewallPolicy:
Deploy-MySQL-sslEnforcement:
Deploy-Nsg-FlowLogs-to-LA:
Deploy-Nsg-FlowLogs:
Deploy-PostgreSQL-sslEnforcement:
Deploy-Sql-AuditingSettings:
Deploy-SQL-minTLS:
Deploy-Sql-SecurityAlertPolicies:
Deploy-Sql-Tde:
Deploy-Sql-vulnerabilityAssessments:
Deploy-SqlMi-minTLS:
Deploy-Storage-sslEnforcement:
Deploy-Windows-DomainJoin:
policy_set_definitions:
Deny-PublicPaaSEndpoints:
Deploy-ASCDF-Config:
Deploy-Diagnostics-LogAnalytics:
Deploy-Sql-Security:
Enforce-Encryption-CMK:
Enforce-EncryptTransit:
remediation:
policy:
policy_set_definitions:
# policyDefinitionReferenceId = https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/c7958266bd227e52dc1a3468e8c881633bc1b373/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json#L766
# /providers/microsoft.management/managementgroups/contlle/providers/microsoft.authorization/policyassignments/deploy-resource-diag
Deploy-Diagnostics-LogAnalytics:
- ExpressRouteDeployDiagnosticLogDeployLogAnalytics
- FirewallDeployDiagnosticLogDeployLogAnalytics
- KeyVaultDeployDiagnosticLogDeployLogAnalytics
- LoadBalancerDeployDiagnosticLogDeployLogAnalytics
- NetworkNICDeployDiagnosticLogDeployLogAnalytics
- NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics
- NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics
- RecoveryVaultDeployDiagnosticLogDeployLogAnalytics
- storageaccountdeploydiagnosticlogdeployloganalytics
- VirtualNetworkDeployDiagnosticLogDeployLogAnalytics
- VNetGWDeployDiagnosticLogDeployLogAnalytics
Deploy-ASCDF-Config:
- defenderForOssDb
- defenderForVM
- defenderForSqlServerVirtualMachines
- defenderForAppServices
- defenderForStorageAccounts
- defenderForKubernetesService
- defenderForContainerRegistry
- defenderForKeyVaults
- defenderForDns
- defenderForArm
- defenderForSqlPaas
- securityEmailContact
- ascExport
landing-zones:
archetype_id: landing-zones
policy_assignments:
Deny-IP-Forwarding:
Deny-Priv-Containers-AKS:
Deny-Priv-Escalation-AKS:
Deny-RDP-From-Internet:
Deny-Storage-http:
Deploy-AKS-Policy:
Deploy-SQL-DB-Auditing:
Deploy-SQL-Threat:
Enable-DDoS-VNET:
Enforce-AKS-HTTPS:
Enforce-TLS-SSL:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- subscription_creation_landingzones
connectivity:
archetype_id: platform_connectivity
policy_assignments:
Enable-DDoS-VNET:
role_definitions:
CAF-network-vhub-peering:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- connectivity
'[<replace_with_management_group_prefix_in_UPPER_CASE>-CONNECTIVITY] CAF-network-vhub-peering':
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- subscription_creation_landingzones
management:
archetype_id: platform_management
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- management
identity:
archetype_id: platform_identity
policy_assignments:
Deny-RDP-From-Internet:
archetype_config:
access_control:
Owner:
azuread_groups:
lz_key: launchpad
attribute_key: id
resource_keys:
- identity
decommissioned:
archetype_id: platform_decommissioned
platform:
archetype_id: platform
sandboxes:
archetype_id: platform_sandboxes


@ -1,31 +0,0 @@
archetype_definitions:
corp:
display_name: Corp
archetype_id: landingzone_corp
parent_management_group_id: landing-zones
# subscription_ids:
# policy_assignments:
online:
display_name: Online
archetype_id: landingzone_online
parent_management_group_id: landing-zones
# subscription_ids:
# policy_assignments:
corp-prod:
display_name: Production
archetype_id: landingzone_prod
parent_management_group_id: corp
# subscription_ids:
# policy_assignments:
corp-non-prod:
display_name: Non Production
archetype_id: landingzone_non_prod
parent_management_group_id: corp
# subscription_ids:
# policy_assignments:
online-web:
display_name: Non Production
archetype_id: landingzone_online_web
parent_management_group_id: online
# subscription_ids:
# policy_assignments:


@ -1,2 +0,0 @@
# Custom ESLZ library
In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.


@ -1,69 +0,0 @@
subscriptions:
identity:
resource_groups:
management:
name: management
alerts:
name: alerts
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: lalesle@microsoft.com
use_common_alert_schema: false
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday
# Bring here you existing active directory security groups.
# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
# Note Terraform will create a new Azure AD group and add the existing as a member
#
# level1:
# azuread_groups:
# network_ops_team:
# name: netops
# members:
# # Set the list of the existing groups
# objects_ids:
# - existing_azure_ad_group_object_id


@ -1,37 +0,0 @@
subscriptions:
launchpad:
resource_groups:
level0:
name: caf-level0
tags:
level: level0
level1:
name: caf-level1
tags:
level: level1
level2:
name: caf-level2
tags:
level: level2
storage_accounts:
level0:
name: l0
resource_group_key: level0
level1:
name: l1
resource_group_key: level1
level2:
name: l2
resource_group_key: level2
keyvaults:
level0:
name: l0
resource_group_key: level0
level1:
name: l1
resource_group_key: level1
level2:
name: l2
resource_group_key: level2


@ -1,415 +0,0 @@
subscriptions:
launchpad_credentials:
resource_groups:
sp_credentials:
name: credentials
keyvaults:
cred_ea_account_owner:
name: eaowner
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_level0:
name: idl0
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
level0:
lz_key: launchpad
azuread_group_key: level0
secret_permissions:
- Get
cred_identity:
name: id
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_management:
name: mg
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
management_azuread_group:
lz_key: launchpad
azuread_group_key: management
secret_permissions:
- Get
cred_eslz:
name: es
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
eslz_azuread_group:
lz_key: launchpad
azuread_group_key: eslz
secret_permissions:
- Get
cred_connectivity:
name: co
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
connectivity_azuread_group:
lz_key: launchpad
azuread_group_key: connectivity
secret_permissions:
- Get
cred_subscription_creation_platform:
name: scp
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
cred_subscription_creation_landingzones:
name: scl
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_landingzones
secret_permissions:
- Get
cred_gitops:
name: gitops
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
cred_ea_account_owner:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_level0:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_identity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_management:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_eslz:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_connectivity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_platform:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_landingzones:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_gitops:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
azuread_applications:
gitops:
application_name: app-azure-platform-credentials-for-gitops
azuread_service_principals:
gitops:
azuread_application:
key: gitops
azuread_credentials:
gitops:
type: password
azuread_credential_policy_key: gitops
azuread_application:
key: gitops
keyvaults:
cred_gitops:
secret_prefix: sp
level0:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: level0
keyvaults:
cred_level0:
secret_prefix: sp
identity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: identity
keyvaults:
cred_identity:
secret_prefix: sp
management:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: management
keyvaults:
cred_management:
secret_prefix: sp
eslz:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: eslz
keyvaults:
cred_eslz:
secret_prefix: sp
connectivity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: connectivity
keyvaults:
cred_connectivity:
secret_prefix: sp
subscription_creation_platform:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_platform
keyvaults:
cred_subscription_creation_platform:
secret_prefix: sp
subscription_creation_landingzones:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_landingzones
keyvaults:
cred_subscription_creation_landingzones:
secret_prefix: sp
azuread_credential_policies:
gitops:
length: 250
special: false
upper: true
number: true
expire_in_days: 360
rotation_key0:
days: 181
rotation_key1:
days: 300
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 65
rotation_key0:
days: 33
rotation_key1:
days: 58


@ -1,84 +0,0 @@
subscriptions:
management:
resource_groups:
management:
name: management
alerts:
name: alerts
diagnostic_log_analytics:
# if you change this key you also need to change it in the ESLZ deployment
# eslz/archetype_config_overrides.caf.platform.yaml
# eslz/custom_landing_zones.caf.platform.yaml
region1:
name: logre1
resource_group_key: management
monitor_action_groups:
networking_operations:
resource_group_key: management
action_group_name: Networking Operations
shortname: netops
arm_role_alert:
contributors:
name: Monitoring Contributor
role_name: Monitoring Contributor
use_common_alert_schema: false
email_receiver:
noc:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
automation_accounts:
account1:
name: automationAccount1
resource_group_key: management
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,16 +0,0 @@
platform_subscriptions:
management:
alias: "management"
name: "<replace>-management"
# Do not set the subscription_id when using the automated subscripiton creation
# In that case delete the following attribute.
# When re-using an existing subscripiton, set the GUID of the subscripiton.
subscription_id: <replace>
identity:
alias: "identity"
name: "<replace>-identity"
subscription_id: <replace>
connectivity:
alias: "connectivity"
name: "<replace>-connectivity"
subscription_id: <replace>


@ -1,148 +0,0 @@
tfstates:
platform:
### Level0 ###
launchpad:
lz_key_name: launchpad
tfstate: caf_launchpad.tfstate
workspace: tfstate
base_config_path: launchpad
level: level0
billing_subscription_role_delegations:
lz_key_name: billing_subscription_role_delegations
tfstate: billing_subscription_role_delegations.tfstate
base_config_path: billing_subscription_role_delegations
level: level0
launchpad_credentials:
lz_key_name: launchpad_credentials_rotation
tfstate: launchpad_credentials_rotation.tfstate
base_config_path: credentials
level: level0
### Level1 ###
management:
lz_key_name: management
tfstate: management.tfstate
base_config_path: management
level: level1
identity:
lz_key_name: identity
tfstate: identity.tfstate
base_config_path: identity
level: level1
eslz:
lz_key_name: eslz
tfstate: eslz.tfstate
base_config_path: eslz
level: level1
platform_subscriptions:
lz_key_name: platform_subscriptions
tfstate: platform_subscriptions.tfstate
base_config_path: subscriptions
level: level1
## Level2 ##
identity_level2:
prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
non_prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
identity_level2_aadds:
prod:
lz_key_name: identity_level2_aadds
tfstate: identity_level2_aadds.tfstate
level: level2
virtual_wan:
lz_key_name: connectivity_virtual_wan
tfstate: connectivity_virtual_wan.tfstate
base_config_path: connectivity/virtual_wan
level: level2
virtual_hubs:
prod:
lz_key_name: connectivity_virtual_hub_prod
tfstate: connectivity_virtual_hub_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
non_prod:
lz_key_name: connectivity_virtual_hub_non_prod
tfstate: connectivity_virtual_hub_non_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
vpn_sites:
prod:
lz_key_name: connectivity_vpn_sites_prod
tfstate: connectivity_vpn_sites_prod.tfstate
base_config_path: connectivity/vpn_sites
level: level2
non_prod:
lz_key_name: connectivity_vpn_sites_non_prod
tfstate: connectivity_vpn_sites_non_prod.tfstate
base_config_path: connectivity/vpn_sites
level: level2
express_route_circuits:
prod:
lz_key_name: connectivity_express_route_prod
tfstate: connectivity_express_route_prod.tfstate
base_config_path: connectivity/express_route
level: level2
non_prod:
lz_key_name: connectivity_express_route_non_prod
tfstate: connectivity_express_route_non_prod.tfstate
base_config_path: connectivity/express_route
level: level2
express_route_circuit_peerings:
prod:
lz_key_name: connectivity_express_route_peerings_prod
tfstate: connectivity_express_route_peerings_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_express_route_peerings_non_prod
tfstate: connectivity_express_route_peerings_non_prod.tfstate
level: level2
azurerm_firewalls:
prod:
lz_key_name: connectivity_firewalls_prod
tfstate: connectivity_firewalls_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewalls_non_prod
tfstate: connectivity_firewalls_non_prod.tfstate
level: level2
azurerm_firewall_policies:
prod:
lz_key_name: connectivity_firewall_policies_prod
tfstate: connectivity_firewall_policies_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewall_policies_non_prod
tfstate: connectivity_firewall_policies_non_prod.tfstate
level: level2
private_dns:
prod:
lz_key_name: connectivity_private_dns_prod
tfstate: connectivity_private_dns_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_private_dns_non_prod
tfstate: connectivity_private_dns_non_prod.tfstate
level: level2
asvm:
lz_key_name: asvm
tfstate: asvm_subscription_vending_machine.tfstate
level: level2


@ -1,38 +0,0 @@
gitops:
landingzones: aci_network
subscriptions:
asvm:
resource_groups:
level3:
name: caf-level3
tags:
level: level3
level4:
name: caf-level4
tags:
level: level4
storage_accounts:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
keyvaults:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
# azuread_groups:
# caf_ac_landingzone_maintainers_non_prod:
# name: caf_ac_landingzone_maintainers_non_prod
# caf_ac_landingzone_maintainers_prod:
# name: caf_ac_landingzone_maintainers_prod


@ -1,132 +0,0 @@
caf_terraform:
naming_convention:
# When set to false use the CAF provider to generate names aligned to CAF guidance
# true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace.
passthrough: false
inherit_tags: false
# set: define the prefix to add to all resource names
# unset: if passthrough is set to false, generate a random prefix
prefix: cont
# if passthrough is set to false, add random suffix to name, up to the random_lenght value.
random_length: 5
launchpad:
caf_environment: <replace>
account_replication_type: GRS
regions:
region1:
# set the short form of the Azure region
name: southeastasia # Use the lower-case region's name, short version with no space
slug: sea
region2:
name: eastasia # Use the lower-case region's name, short version with no space
slug: ea
default_region_key: region1
# Define the number of CAF levels to use. Recommeded is 3 for the platform.
number_of_levels: 3
blob_versioning_enabled: true
container_delete_retention_policy: 7
delete_retention_policy: 7
# Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd.
subscription_id: <replace>
subscription_name: <replace>
tenant_id: <replace>
global_tags_propagated: yes
tags:
test: <replace>
date: <replace>
billing_subscription_role_delegations:
# true: enable this deployment. The remaining attributes are required.
# false: disable this deployment.
# azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform
# azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running:
# az ad signed-in-user show --query objectId -o tsv
# The remaining attributes are ignored: [billing_account_name, enrollment_account_name]
enable: false
# Azure Active Directory User (UPN) that is Account Owner in the EA portal
# if enable=false, set the upn of the user doing the manual deployment
azuread_user_ea_account_owner: <replace>
# see comments above to get the object_id
azuread_user_ea_account_owner_object_id: <replace>
# Only set the following two attributes when enable=true
billing_account_name: <replace>
enrollment_account_name: <replace>
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
platform:
# true: force the destination folder to be deleted and re-created before the files are created.
# false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is.
cleanup_destination: true
# base destination folder where rover ignite will store the tfvars files. No / at the end
destination_base_path: /tf/caf
# destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end
destination_relative_path: configuration/contoso/platform
platform_core_setup:
enterprise_scale:
enable: true
management_group_name: <replace>
management_group_prefix: <replace>
deploy_core_landing_zones: true
enable_azure_subscription_vending_machine: true
clean_up_destination_folder: false
update_lib_folder: true
# resuse_subscriptions - do not create subscriptions through API automation. Requires the following subscription_id_overrides to be set with 4 subscriptions
subscription_deployment_mode: reuse_subscriptions
# Option only set if you've be given a delegated management group ID.
# Comment to deploy to deploy at the tenant root level
root_parent_id: lab
private_lib:
version_to_deploy: v1.1.1
v0.1.x:
caf_landingzone_branch: "2107.1"
v0.3.3:
caf_landingzone_branch: "patch.5.4.4"
v1.1.1:
caf_landingzone_branch: "aci_network"
subscription_id_overrides:
connectivity:
- <replace>
management:
- <replace> # launchpad
- <replace>
identity:
- <replace>
platform_management:
enable: true
networking_topology:
deployment_option: virtual_wan
platform_identity:
# Set the Azure Active Directory tenant name (primary domain name)
# has to be the default domain name (custom dns name or tenantname.onmicrosoft.com)
# check the AAD property
tenant_name: terraformdev.onmicrosoft.com
# only service_principal supported with rover ignite at the moment
azuread_identity_mode: logged_in_user
# UPNs you want to add in the caf_platform_maintainers Azure AD group
# Can use user or guest accounts
# Those users will have full permissions on platform.
# Once setup, you can remove them from here or add them from
# Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts.
caf_platform_maintainers:
- <replace>
caf_platform_contributors:
- <replace>
notifications:
service_health_alerts:
emails:
support1:
name: <replace>
email_address: <replace>
security_center_email_contact: <replace>
gitops:
caf_landingzone_branch: "aci_network"
deployment_mode: interactive
rover_log_error: ERROR


@ -1,34 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
azurerm_firewall_policies: non_prod
global_settings_key:
platform:
azurerm_firewalls: non_prod
remote_tfstates:
platform:
azurerm_firewalls: non_prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "non-prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
azurerm_firewalls: non_prod
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
platform:
virtual_hubs: non_prod
azurerm_firewall_policies: non_prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-non-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-non-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-non-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_non_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-non-prod-fw-plinks-TO-vhub-non_prod
virtual_hub:
lz_key: connectivity_virtual_hub_non_prod
key: non_prod
vnet:
vnet_key: vnet


@ -1,189 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
private_dns: non_prod
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
platform:
virtual_hubs: non_prod
subscriptions:
connectivity:
resource_groups:
dns_connectivity_non_prod:
name: dns-connectivity-non-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia.azmk8s.io:
name: privatelink.southeastasia.azmk8s.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.southeastasia.backup.windowsazure.com:
name: privatelink.southeastasia.backup.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.oms.opinsights.non_prod.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_non_prod
vnet_links:
fw_non_prod_plinks_01:
name: fw-non-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_non_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-non-prod-private-dns-extended
useprefix: true
description: "(non-prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
# role_mapping:
# custom_role_mapping:
# resource_groups:
# dns_connectivity_prod:
# landgingzone_extended:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_non_prod_landingzones_dns_contributors
# built_in_role_mapping:
# resource_groups:
# dns_connectivity_non_prod:
# Private DNS Zone Contributor:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_non_prod_landingzones_dns_contributors


@ -1,54 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
non_prod:
landingzone:
key:
platform:
virtual_hubs: non_prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
custom_variables:
virtual_hub_lz_key: connectivity_virtual_hub_non_prod
# ddos_protection_plan_id:
subscriptions:
connectivity:
virtual_hubs:
non_prod:
name: non_production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: 10.201.51.0/24
deploy_s2s: false
s2s_config:
name: non_prod
scale_unit: 1
deploy_er: false
er_config:
name: non_prod
scale_units: 1
express_route_connections:
non_prod:
enable_er_connections: true
name: er-1-non_prod
virtual_hub:
key: non_prod
circuit_peering:
tfstate_key: non_prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: non_prod
key: vhub-non_prod


@ -1,33 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
azurerm_firewall_policies: prod
global_settings_key:
platform:
azurerm_firewalls: prod
remote_tfstates:
platform:
azurerm_firewalls: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
azurerm_firewalls: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
azurerm_firewall_policies: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_prod_plinks_01:
name: fw-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet


@ -1,191 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
private_dns: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
subscriptions:
connectivity:
# role_mapping:
# custom_role_mapping:
# resource_groups:
# dns_connectivity_prod:
# landgingzone_extended:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_prod_landingzones_dns_contributors
# built_in_role_mapping:
# resource_groups:
# dns_connectivity_prod:
# Private DNS Zone Contributor:
# azuread_groups:
# lz_key: identity_level2
# keys:
# - caf_prod_landingzones_dns_contributors
resource_groups:
dns_connectivity_prod:
name: dns-connectivity-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.azmk8s.io:
name: privatelink.southeastasia.azmk8s.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.backup.windowsazure.com:
name: privatelink.southeastasia.backup.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.oms.opinsights.azure.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-private-dns-extended
useprefix: true
description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write


@ -1,53 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
virtual_hubs: prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
custom_variables:
virtual_hub_lz_key: connectivity_virtual_hub_prod
# ddos_protection_plan_id:
subscriptions:
connectivity:
virtual_hubs:
prod:
name: Production
virtual_wan:
lz_key: virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: 10.101.51.0/24
deploy_s2s: false
s2s_config:
name: prod
scale_unit: 1
deploy_er: false
er_config:
name: prod
scale_units: 1
express_route_connections:
prod:
enable_er_connections: false
name: erc-er-1-prod
virtual_hub:
key: prod
circuit_peering:
tfstate_key: prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: prod
key: vhub-prod


@ -1,29 +0,0 @@
gitops:
landingzones: aci_network
deployments:
connectivity:
prod:
landingzone:
key:
platform:
virtual_wans: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
connectivity:
virtual_wans:
global_wan:
name: vwan
resource_group_key: global_wan
region_key: region1
resource_groups:
global_wan:
name: connectivity-global-wan
region_key: region1


@ -1,13 +0,0 @@
gitops:
landingzones: aci_network
deployments:
identity:
subscriptions:
identity:
azuread_groups:
caf_non_prod_landingzones_dns_contributors:
name: caf ac non_prod landingzones dns contributors
caf_prod_landingzones_dns_contributors:
name: caf ac prod landingzones dns contributors


@ -1,2 +0,0 @@
# Custom ESLZ library
In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.


@ -1,27 +0,0 @@
{
"name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "CAF-network-vhub-peering",
"description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
"Microsoft.Network/virtualHubs/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"${current_scope_resource_id}"
]
}
}


@ -1,69 +0,0 @@
subscriptions:
identity:
resource_groups:
management:
name: management
alerts:
name: alerts
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: lalesle@microsoft.com
use_common_alert_schema: false
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday
# Bring here you existing active directory security groups.
# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
# Note Terraform will create a new Azure AD group and add the existing as a member
#
# level1:
# azuread_groups:
# network_ops_team:
# name: netops
# members:
# # Set the list of the existing groups
# objects_ids:
# - existing_azure_ad_group_object_id


@ -1,40 +0,0 @@
subscriptions:
launchpad:
resource_groups:
level0:
name: caf-level0
tags:
level: level0
level1:
name: caf-level1
tags:
level: level1
level2:
name: caf-level2
tags:
level: level2
storage_accounts:
level0:
name: l0
resource_group_key: level0
level1:
name: l1
resource_group_key: level1
level2:
name: l2
resource_group_key: level2
keyvaults:
level0:
name: l0
sku_name: premium
resource_group_key: level0
level1:
name: l1
sku_name: premium
resource_group_key: level1
level2:
name: l2
sku_name: premium
resource_group_key: level2


@ -1,415 +0,0 @@
subscriptions:
launchpad_credentials:
resource_groups:
sp_credentials:
name: credentials
keyvaults:
cred_ea_account_owner:
name: eaowner
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_level0:
name: idl0
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
level0:
lz_key: launchpad
azuread_group_key: level0
secret_permissions:
- Get
cred_identity:
name: id
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_management:
name: mg
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
management_azuread_group:
lz_key: launchpad
azuread_group_key: management
secret_permissions:
- Get
cred_eslz:
name: es
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
eslz_azuread_group:
lz_key: launchpad
azuread_group_key: eslz
secret_permissions:
- Get
cred_connectivity:
name: co
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
connectivity_azuread_group:
lz_key: launchpad
azuread_group_key: connectivity
secret_permissions:
- Get
cred_subscription_creation_platform:
name: scp
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
cred_subscription_creation_landingzones:
name: scl
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_landingzones
secret_permissions:
- Get
cred_gitops:
name: gitops
resource_group_key: sp_credentials
purge_protection_enabled: false
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
cred_ea_account_owner:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_level0:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_identity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_management:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_eslz:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_connectivity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_platform:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_landingzones:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_gitops:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
azuread_applications:
gitops:
application_name: app-azure-platform-credentials-for-gitops
azuread_service_principals:
gitops:
azuread_application:
key: gitops
azuread_credentials:
gitops:
type: password
azuread_credential_policy_key: gitops
azuread_application:
key: gitops
keyvaults:
cred_gitops:
secret_prefix: sp
level0:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: level0
keyvaults:
cred_level0:
secret_prefix: sp
identity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: identity
keyvaults:
cred_identity:
secret_prefix: sp
management:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: management
keyvaults:
cred_management:
secret_prefix: sp
eslz:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: eslz
keyvaults:
cred_eslz:
secret_prefix: sp
connectivity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: connectivity
keyvaults:
cred_connectivity:
secret_prefix: sp
subscription_creation_platform:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_platform
keyvaults:
cred_subscription_creation_platform:
secret_prefix: sp
subscription_creation_landingzones:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_landingzones
keyvaults:
cred_subscription_creation_landingzones:
secret_prefix: sp
azuread_credential_policies:
gitops:
length: 250
special: false
upper: true
number: true
expire_in_days: 360
rotation_key0:
days: 181
rotation_key1:
days: 300
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 65
rotation_key0:
days: 33
rotation_key1:
days: 58


@ -1,84 +0,0 @@
subscriptions:
management:
resource_groups:
management:
name: management
alerts:
name: alerts
diagnostic_log_analytics:
# if you change this key you also need to change it in the ESLZ deployment
# eslz/archetype_config_overrides.caf.platform.yaml
# eslz/custom_landing_zones.caf.platform.yaml
region1:
name: logre1
resource_group_key: management
monitor_action_groups:
networking_operations:
action_group_name: Networking Operations
resource_group_key: alerts
shortname: netops
arm_role_alert:
contributors:
name: Monitoring Contributor
role_name: Monitoring Contributor
use_common_alert_schema: false
email_receiver:
noc:
name: email_alert_support1
email_address: arnaul@microsoft.com
use_common_alert_schema: false
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: arnaul@microsoft.com
use_common_alert_schema: false
automation_accounts:
account1:
name: automationAccount1
resource_group_key: management
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,105 +0,0 @@
tfstates:
platform:
### Level0 ###
launchpad:
lz_key_name: launchpad
tfstate: caf_launchpad.tfstate
workspace: tfstate
base_config_path: launchpad
level: level0
launchpad_credentials:
lz_key_name: launchpad_credentials_rotation
tfstate: launchpad_credentials_rotation.tfstate
base_config_path: credentials
level: level0
### Level1 ###
management:
lz_key_name: management
tfstate: management.tfstate
base_config_path: management
level: level1
identity:
lz_key_name: identity
tfstate: identity.tfstate
base_config_path: identity
level: level1
eslz:
lz_key_name: eslz
tfstate: eslz.tfstate
base_config_path: eslz
level: level1
## Level2 ##
identity_level2:
prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
non_prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
identity_level2_aadds:
prod:
lz_key_name: identity_level2_aadds
tfstate: identity_level2_aadds.tfstate
level: level2
virtual_wans:
prod:
lz_key_name: connectivity_virtual_wan
tfstate: connectivity_virtual_wan.tfstate
base_config_path: connectivity/virtual_wan
level: level2
virtual_hubs:
prod:
lz_key_name: connectivity_virtual_hub_prod
tfstate: connectivity_virtual_hub_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
non_prod:
lz_key_name: connectivity_virtual_hub_non_prod
tfstate: connectivity_virtual_hub_non_prod.tfstate
workspace: tfstate
base_config_path: connectivity/virtual_hub
level: level2
azurerm_firewalls:
prod:
lz_key_name: connectivity_firewalls_prod
tfstate: connectivity_firewalls_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewalls_non_prod
tfstate: connectivity_firewalls_non_prod.tfstate
level: level2
azurerm_firewall_policies:
prod:
lz_key_name: connectivity_firewall_policies_prod
tfstate: connectivity_firewall_policies_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_firewall_policies_non_prod
tfstate: connectivity_firewall_policies_non_prod.tfstate
level: level2
private_dns:
prod:
lz_key_name: connectivity_private_dns_prod
tfstate: connectivity_private_dns_prod.tfstate
level: level2
non_prod:
lz_key_name: connectivity_private_dns_non_prod
tfstate: connectivity_private_dns_non_prod.tfstate
level: level2
asvm:
lz_key_name: asvm
tfstate: asvm_subscription_vending_machine.tfstate
level: level2


@ -1,40 +0,0 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Platform
:rocket: START HERE: [Follow the onboarding guide from](https://aztfmod.github.io/documentation/docs/enterprise-scale/landingzones/platform/org-setup)
For further executions or command, you can refer to the following sections
## Commands
### Clone the landingzone project (Terraform base code)
```bash
# Git Urls or from a fork
# https://github.com/Azure/caf-terraform-landingzones.git
git clone <replace> /tf/caf/landingzones
cd /tf/caf/landingzones
git pull
git checkout aci_network
```
### Rover ignite the platform
Rover ignite will now process the yaml files and start building the configuration structure of the tfvars. Note during the creation of the platform landingones you will have to run rover ignite many times as some deployments are required to be completed before you can perform the next steps.
Rover ignite creates the tfvars and also the documentation.
```bash
rover login -t <replace> -s <replace>
rover ignite \
--playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
-e base_templates_folder=/tf/caf/landingzones/templates/platform \
-e resource_template_folder=/tf/caf/landingzones/templates/resources \
-e config_folder=/tf/caf/definitions/single_subscription \
-e landingzones_folder=/tf/caf/landingzones
```
### Next step
Once the rover ignite command has been executed, go to your configuration folder when the platform launchpad configuration has been created.


@ -1,18 +0,0 @@
#
# Set the workflow to bootstrap the Azure platform landing zones
#
deployments:
0:
0:
launchpad:
1:
launchpad_credentials:
# 2:
# subscriptions:
3:
identity:
4:
management:
5:
eslz:


@ -1,131 +0,0 @@
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
platform:
# true: force the destination folder to be deleted and re-created before the files are created.
# false: create the target folder structure if it does not exist. On sub-sequent executions, the folder structure is reused as is.
cleanup_destination: true
# base destination folder where rover ignite will store the tfvars files. No / at the end
destination_base_path: /tf/caf
# destination relative path to destination_base_path folder where rover ignite will store the tfvars files. No / at begining and end
destination_relative_path: platform/<replace>
caf_terraform:
naming_convention:
# When set to false use the CAF provider to generate names aligned to CAF guidance
# true: use the name as defined in the configuration files. You may have to iterate multiple times to prevent conflicts with Azure unique names with servides like storage account, keyvault or log analytics workspace.
passthrough: false
inherit_tags: false
# set: define the prefix to add to all resource names
# unset: if passthrough is set to false, generate a random prefix
prefix: cont
# if passthrough is set to false, add random suffix to name, up to the random_lenght value.
random_length: 3
launchpad:
caf_environment: <replace>
regions:
region1:
# set the short form of the Azure region
name: southeastasia # Use the lower-case region's name, short version with no space
slug: sea
region2:
name: eastasia # Use the lower-case region's name, short version with no space
slug: ea
default_region_key: region1
# Define the number of CAF levels to use. Recommended is 3 for the platform.
# number_of_levels: 3
# blob_versioning_enabled: true
# container_delete_retention_policy: 7
# delete_retention_policy: 7
# Subscription_id to deploy the launchpad. Note 1 existing manual subscription is required to deploy the launhchapd.
subscription_id: <replace>
subscription_name: <replace>
tenant_id: <replace>
global_tags_propagated: yes
tags:
test: <replace>
billing_subscription_role_delegations:
# true: enable this deployment. The remaining attributes are required.
# false: disable this deployment.
# azuread_user_ea_account_owner: set the upn of the user doing the manual deployment of the platform
# azuread_user_ea_account_owner_object_id: if that user is already loged-in to an azure cli session you can get the object_id by running:
# az ad signed-in-user show --query objectId -o tsv
# The remaining attributes are ignored: [billing_account_name, enrollment_account_name]
enable: false
# Azure Active Directory User (UPN) that is Account Owner in the EA portal
# if enable=false, set the upn of the user doing the manual deployment
azuread_user_ea_account_owner: <replace>
# see comments above to get the object_id
#
# Also set this GUID to the owner of the launchpad azuread_groups
#
azuread_user_ea_account_owner_object_id: <replace>
# Only set the following two attributes when enable=true
billing_account_name: <replace>
enrollment_account_name: <replace>
platform_core_setup:
enterprise_scale:
enable: true
management_group_name: <replace>
management_group_prefix: <replace>
deploy_core_landing_zones: true
enable_azure_subscription_vending_machine: true
clean_up_destination_folder: true
update_lib_folder: true
# resuse_subscriptions - do not create subscriptions through API automation. Requires the following subscription_id_overrides to be set with 4 subscriptions
# single_reuse - Deploy on a single subscription
subscription_deployment_mode: single_reuse
# Option only set if you've be given a delegated management group ID.
# Comment to deploy to deploy at the tenant root level
# root_parent_id: lab
private_lib:
version_to_deploy: v1.1.1
v0.1.x:
caf_landingzone_branch: "2107.1"
v0.3.3:
caf_landingzone_branch: "patch.5.4.4"
v1.1.1:
caf_landingzone_branch: "aci_network"
platform_management:
enable: true
networking_topology:
deployment_option: virtual_wan
platform_identity:
# Set the Azure Active Directory tenant name (primary domain name)
# has to be the default domain name (custom dns name or tenantname.onmicrosoft.com)
# check the AAD property
tenant_name: <replace>
# only service_principal supported with rover ignite at the moment
azuread_identity_mode: service_principal
enable_azuread_groups: true
enable_azuread_applications: true
# UPNs you want to add in the caf_platform_maintainers Azure AD group
# Can use user or guest accounts
# Those users will have full permissions on platform.
# Once setup, you can remove them from here or add them from
# Check in Azure AD the User Principal Name attribute value. Note there is a special convention for guest accounts.
caf_platform_maintainers:
user_principal_names:
# -
caf_platform_contributors:
user_principal_names:
# -
notifications:
service_health_alerts:
emails:
support1:
name: Support
email_address: <replace>
security_center_email_contact: <replace>
gitops:
caf_landingzone_branch: "aci_network"
deployment_mode: interactive
rover_log_error: ERROR


@ -1,460 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level0/credentials
deployments:
landingzone:
tfstate:
platform:
launchpad_credentials:
global_settings_key:
platform:
launchpad:
remote_tfstates:
platform:
launchpad:
subscriptions:
launchpad_credentials:
resource_groups:
sp_credentials:
name: credentials
keyvaults:
cred_ea_account_owner:
name: eaowner
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_ea_account_owner
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_level0:
name: idl0
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_level0
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
level0:
lz_key: launchpad
azuread_group_key: level0
secret_permissions:
- Get
cred_identity:
name: id
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_identity
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
cred_management:
name: mg
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_management
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
management_azuread_group:
lz_key: launchpad
azuread_group_key: management
secret_permissions:
- Get
cred_eslz:
name: es
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_eslz
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
eslz_azuread_group:
lz_key: launchpad
azuread_group_key: eslz
secret_permissions:
- Get
cred_connectivity:
name: co
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_connectivity
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
connectivity_azuread_group:
lz_key: launchpad
azuread_group_key: connectivity
secret_permissions:
- Get
cred_subscription_creation_platform:
name: scp
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_subscription_creation_platform
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
cred_subscription_creation_landingzones:
name: scl
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_subscription_creation_landingzones
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
subscription_creation_platform_azuread_group:
lz_key: launchpad
azuread_group_key: subscription_creation_landingzones
secret_permissions:
- Get
cred_gitops:
name: gitops
resource_group_key: sp_credentials
purge_protection_enabled: false
tags:
caf_environment: <replace>
caf_identity_aad_key: cred_gitops
creation_policies:
caf_platform_maintainers:
lz_key: launchpad
azuread_group_key: caf_platform_maintainers
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity_azuread_group:
lz_key: launchpad
azuread_group_key: identity
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
cred_ea_account_owner:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_level0:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_identity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_management:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_eslz:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_connectivity:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_platform:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_subscription_creation_landingzones:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
cred_gitops:
gitops:
azuread_service_principal_key: gitops
secret_permissions:
- Get
azuread_applications:
gitops:
application_name: app-azure-platform-credentials-for-gitops
azuread_service_principals:
gitops:
azuread_application:
key: gitops
azuread_credentials:
gitops:
type: password
azuread_credential_policy_key: gitops
azuread_application:
key: gitops
keyvaults:
cred_gitops:
secret_prefix: sp
level0:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: level0
keyvaults:
cred_level0:
secret_prefix: sp
identity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: identity
keyvaults:
cred_identity:
secret_prefix: sp
management:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: management
keyvaults:
cred_management:
secret_prefix: sp
eslz:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: eslz
keyvaults:
cred_eslz:
secret_prefix: sp
connectivity:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: connectivity
keyvaults:
cred_connectivity:
secret_prefix: sp
subscription_creation_platform:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_platform
keyvaults:
cred_subscription_creation_platform:
secret_prefix: sp
subscription_creation_landingzones:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
lz_key: launchpad
key: subscription_creation_landingzones
keyvaults:
cred_subscription_creation_landingzones:
secret_prefix: sp
azuread_credential_policies:
gitops:
length: 250
special: false
upper: true
number: true
expire_in_days: 360
rotation_key0:
days: 181
rotation_key1:
days: 300
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 65
rotation_key0:
days: 33
rotation_key1:
days: 58


@ -1,89 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/asvm
deployments:
landingzone:
tfstate:
platform:
asvm:
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
launchpad:
resource_groups:
level3:
name: caf-level3
tags:
level: level3
level4:
name: caf-level4
tags:
level: level4
storage_accounts:
level3:
name: l3
resource_group_key: level3
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level3
level4:
name: l4
resource_group_key: level4
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level4
keyvaults:
level3:
name: l3
resource_group_key: level3
level4:
name: l4
resource_group_key: level4
azuread_groups:
caf_ac_landingzone_maintainers_non_prod:
name: caf_ac_landingzone_maintainers_non_prod
caf_ac_landingzone_maintainers_prod:
name: caf_ac_landingzone_maintainers_prod


@ -1,34 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/azurerm_firewall_policies/prod
deployments:
landingzone:
tfstate:
platform:
azurerm_firewall_policies: prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall-policies
region_key: region1
azurerm_firewall_policies:
root:
name: "prod-root-policy"
region_key: region1
resource_group:
key: firewall_policies
dns:
proxy_enabled: true
threat_intelligence_mode: "Alert"


@ -1,78 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2//connectivity/azurerm_firewalls/prod
deployments:
landingzone:
tfstate:
platform:
azurerm_firewalls: prod
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
platform:
virtual_hubs: prod
azurerm_firewall_policies: prod
subscriptions:
connectivity:
resource_groups:
firewall_policies:
name: connectivity-prod-firewall
region_key: region1
virtual_networks:
vnet:
name: vnet-connectivity-prod-fw-plinks
resource_group_key: firewall_policies
region_key: region1
address_space:
- 10.101.61.0/24
specialsubnets:
AzureFirewallSubnet:
name: AzureFirewallSubnet
cidr:
- 10.101.61.0/26
public_ip_addresses:
fw_pip1:
name: pip-prod-fw-01
resource_group_key: firewall_policies
sku: Standard
allocation_method: Static
ip_version: IPv4
idle_timeout_in_minutes: 4
azurerm_firewalls:
fw_prod_plinks_01:
name: fw-prod-plinks-01
resource_group_key: firewall_policies
vnet_key: vnet
sku_tier: Standard
firewall_policy:
key: root
lz_key: connectivity_firewall_policies_prod
zones:
- 1
- 2
- 3
public_ips:
ip1:
name: pip1
public_ip_key: fw_pip1
vnet_key: vnet
subnet_key: AzureFirewallSubnet
virtual_hub_connections:
vnet_to_hub:
name: vnet-connectivity-prod-fw-plinks-TO-vhub-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet


@ -1,192 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/private_dns/prod
deployments:
landingzone:
tfstate:
platform:
private_dns: prod
global_settings_key:
platform:
azurerm_firewalls: prod
remote_tfstates:
platform:
azurerm_firewalls: prod
identity_level2: prod
subscriptions:
connectivity:
role_mapping:
custom_role_mapping:
resource_groups:
dns_connectivity_prod:
landgingzone_extended:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors
built_in_role_mapping:
resource_groups:
dns_connectivity_prod:
Private DNS Zone Contributor:
azuread_groups:
lz_key: identity_level2
keys:
- caf_prod_landingzones_dns_contributors
resource_groups:
dns_connectivity_prod:
name: dns-connectivity-prod
private_dns:
privatelink.adf.azure.com:
name: privatelink.adf.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.datafactory.azure.net:
name: privatelink.datafactory.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.blob.core.windows.net:
name: privatelink.blob.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.file.core.windows.net:
name: privatelink.file.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.notebooks.azure.net:
name: privatelink.notebooks.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.dfs.core.windows.net:
name: privatelink.dfs.core.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.vaultcore.azure.net:
name: privatelink.vaultcore.azure.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.azmk8s.io:
name: privatelink.southeastasia.azmk8s.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.azurecr.io:
name: privatelink.azurecr.io
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.southeastasia.backup.windowsazure.com:
name: privatelink.southeastasia.backup.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.siterecovery.windowsazure.com:
name: privatelink.siterecovery.windowsazure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.servicebus.windows.net:
name: privatelink.servicebus.windows.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.api.azureml.ms:
name: privatelink.api.azureml.ms
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.monitor.azure.com:
name: privatelink.monitor.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.oms.opinsights.azure.com:
name: privatelink.oms.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.ods.opinsights.azure.com:
name: privatelink.ods.opinsights.azure.com
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
privatelink.agentsvc.azure-automation.net:
name: privatelink.agentsvc.azure-automation.net
resource_group_key: dns_connectivity_prod
vnet_links:
fw_prod_plinks_01:
name: fw-prod-plinks-01
vnet_key: vnet
lz_key: connectivity_firewalls_prod
custom_role_definitions:
landgingzone_extended:
name: landingzone-networking-private-dns-extended
useprefix: true
description: "(prod) Provides additional permissions for the level4 principal to perform activies on the level2 private dns zones for private links."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
- Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write


@ -1,52 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/virtual_hubs/prod
deployments:
landingzone:
tfstate:
platform:
virtual_hubs: prod
global_settings_key:
platform:
virtual_wans: prod
remote_tfstates:
platform:
virtual_wans: prod
custom_variables:
virtual_hub_lz_key: connectivity_virtual_hub_prod
# ddos_protection_plan_id:
subscriptions:
connectivity:
virtual_hubs:
prod:
name: Production
virtual_wan:
lz_key: connectivity_virtual_wan
key: global_wan
region_key: region1
hub_address_prefix: 10.101.51.0/24
deploy_s2s: false
s2s_config:
name: prod
scale_unit: 1
deploy_er: false
er_config:
name: prod
scale_units: 1
express_route_connections:
prod:
enable_er_connections: false
name: er-1-prod
virtual_hub:
key: prod
circuit_peering:
tfstate_key: prod
key: private_peering
express_route_circuit_authorization:
tfstate_key: prod
key: vhub-prod


@ -1,29 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/connectivity/virtual_wans
deployments:
landingzone:
tfstate:
platform:
virtual_wans: prod
global_settings_key:
platform:
management:
remote_tfstates:
platform:
management:
subscriptions:
connectivity:
virtual_wans:
global_wan:
name: vwan
resource_group_key: global_wan
region_key: region1
resource_groups:
global_wan:
name: connectivity-global-wan
region_key: region1


@ -1,22 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level2/identity/prod
deployments:
landingzone:
tfstate:
platform:
identity_level2: prod
global_settings_key:
platform:
identity:
remote_tfstates:
platform:
identity:
subscriptions:
identity:
azuread_groups:
caf_prod_landingzones_dns_contributors:
name: caf ac prod landingzones dns contributors


@ -1,8 +0,0 @@
gitops:
landingzones: aci_network
relative_destination_folder: level1/eslz
# Keep the following to allow rover ignite to process the deployment.
subscriptions:
launchpad:


@ -1,2 +0,0 @@
# Custom ESLZ library
In this folder you can store the custom definition and assignment objects you need to add to augment your custom governance.


@ -1,27 +0,0 @@
{
"name": "48ec94a9-9a14-488d-928d-5e73f96b335c",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "CAF-network-vhub-peering",
"description": "Authorize vnet peerings to the vhub and DDOS to be deployed by policy.",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/*",
"Microsoft.Network/virtualHubs/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"${current_scope_resource_id}"
]
}
}


@ -1,86 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level1/identity
deployments:
landingzone:
tfstate:
platform:
identity:
global_settings_key:
platform:
launchpad:
remote_tfstates:
platform:
launchpad:
subscriptions:
identity:
resource_groups:
management:
name: management
alerts:
name: alerts
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday
# Bring here you existing active directory security groups.
# Those are the groups you will inject to RBAC in the Enterprise Scale deployment.
# Note Terraform will create a new Azure AD group and add the existing as a member
#
# level1:
# azuread_groups:
# network_ops_team:
# name: netops
# members:
# # Set the list of the existing groups
# objects_ids:
# - existing_azure_ad_group_object_id


@ -1,510 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level0/launchpad
deployments:
landingzone:
tfstate:
platform:
launchpad:
subscriptions:
launchpad:
resource_groups:
level0:
name: caf-level0
level1:
name: caf-level1
level2:
name: caf-level2
storage_accounts:
level0:
name: l0
resource_group_key: level0
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level0
level1:
name: l1
resource_group_key: level1
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level1
level2:
name: l2
resource_group_key: level2
account_kind: BlobStorage
account_tier: Standard
shared_access_key_enabled: false
account_replication_type: GRS
blob_properties:
versioning_enabled: true
last_access_time_enabled: true
container_delete_retention_policy:
days: 7
delete_retention_policy:
days: 7
containers:
tfstate:
name: tfstate
tags:
## Those tags must never be changed after being set as they are used by the rover to locate the launchpad and the tfstates.
# Only adjust the environment value at creation time
caf_environment: <replace>
caf_launchpad: launchpad
caf_tfstate: level2
role_mapping:
built_in_role_mapping:
management_group:
# if you are using a root_parent_id, replace the following root by the root_parent_id value
root:
User Access Administrator:
azuread_groups:
keys:
- level0
Management Group Contributor:
azuread_groups:
keys:
- eslz
- caf_platform_maintainers
Owner:
azuread_groups:
keys:
- eslz
- caf_platform_maintainers
- connectivity # only when deploying in single subscription
- identity # only when deploying in single subscription
- management # only when deploying in single subscription
- subscription_creation_landingzones # # only when deploying in single subscription
Reader:
azuread_groups:
keys:
- caf_platform_contributors
subscriptions:
logged_in_subscription:
Owner:
azuread_groups:
keys:
- level0
- subscription_creation_platform
- caf_platform_maintainers
Reader:
azuread_groups:
keys:
- identity
resource_groups:
level0:
Reader:
azuread_groups:
keys:
- identity
- subscription_creation_platform
- caf_platform_contributors
level1:
Reader:
azuread_groups:
keys:
- identity
- management
- eslz
- subscription_creation_platform
- caf_platform_contributors
level2:
Reader:
azuread_groups:
keys:
- identity
- management
- connectivity
- subscription_creation_platform
- caf_platform_contributors
storage_accounts:
level0:
Storage Blob Data Contributor:
azuread_groups:
keys:
- level0
- identity
- caf_platform_maintainers
Storage Blob Data Reader:
azuread_groups:
keys:
- management
- eslz
- subscription_creation_platform
- caf_platform_contributors
level1:
Storage Blob Data Contributor:
azuread_groups:
keys:
- caf_platform_maintainers
- identity
- management
- eslz
- subscription_creation_platform
Storage Blob Data Reader:
azuread_groups:
keys:
- connectivity
- caf_platform_contributors
- level0
level2:
Storage Blob Data Contributor:
azuread_groups:
keys:
- identity
- connectivity
- management
- caf_platform_maintainers
- level0
Storage Blob Data Reader:
azuread_groups:
keys:
- subscription_creation_landingzones
- caf_platform_contributors
keyvaults:
level0:
name: l0
sku_name: premium
resource_group_key: level0
level1:
name: l1
sku_name: premium
resource_group_key: level1
level2:
name: l2
sku_name: premium
resource_group_key: level2
keyvault_access_policies:
level0:
sp_level0:
azuread_group_key: level0
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity:
azuread_group_key: identity
secret_permissions:
- Get
level1:
sp_level0:
azuread_group_key: level0
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity:
azuread_group_key: identity
secret_permissions:
- Get
management:
azuread_group_key: management
secret_permissions:
- Get
eslz:
azuread_group_key: eslz
secret_permissions:
- Get
subscription_creation_platform:
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
level2:
sp_level0:
azuread_group_key: level0
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
identity:
azuread_group_key: identity
secret_permissions:
- Get
management:
azuread_group_key: management
secret_permissions:
- Get
connectivity:
azuread_group_key: connectivity
secret_permissions:
- Get
subscription_creation_platform:
azuread_group_key: subscription_creation_platform
secret_permissions:
- Get
azuread_applications:
level0:
application_name: sp-caf-level0
identity:
application_name: sp-caf-identity
management:
application_name: sp-caf-management
eslz:
application_name: sp-caf-eslz
connectivity:
application_name: sp-caf-connectivity
subscription_creation_platform:
application_name: sp-caf-subscription_creation_platform
subscription_creation_landingzones:
application_name: sp-caf-subscription_creation_landingzones
azuread_service_principals:
# Manage the deployment of the level0
level0:
azuread_application:
key: level0
# Manage the deployment of Enterprise Scale
eslz:
azuread_application:
key: eslz
# Manage the deployment of the connectivity services
connectivity:
azuread_application:
key: connectivity
# Manage the deployment of the shared services
management:
azuread_application:
key: management
# Manage the deployment of the identity services
identity:
azuread_application:
key: identity
# Has delegation to create platform subscriptions
subscription_creation_platform:
azuread_application:
key: subscription_creation_platform
# Has delegation to create landingzone subscriptions
subscription_creation_landingzones:
azuread_application:
key: subscription_creation_landingzones
azuread_api_permissions:
level0:
microsoft_graph:
resource_app_id: 00000003-0000-0000-c000-000000000000
resource_access:
AppRoleAssignment_ReadWrite_All:
id: 06b708a9-e830-4db3-a914-8e69da51d44f
type: Role
DelegatedPermissionGrant_ReadWrite_All:
id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a
type: Role
DelegatedPermissionGrant_ReadWrite_All:
id: 18a4783c-866b-4cc7-a460-3d5e5662c884
type: Role
identity:
active_directory_graph:
resource_app_id: 00000002-0000-0000-c000-000000000000
resource_access:
Application_ReadWrite_OwnedBy:
id: 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7
type: Role
Directory_ReadWrite_All:
id: 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175
type: Role
microsoft_graph:
resource_app_id: 00000003-0000-0000-c000-000000000000
resource_access:
AppRoleAssignment_ReadWrite_All:
id: 06b708a9-e830-4db3-a914-8e69da51d44f
type: Role
DelegatedPermissionGrant_ReadWrite_All:
id: 8e8e4742-1d95-4f68-9d56-6ee75648c72a
type: Role
GroupReadWriteAll:
id: 62a82d76-70ea-41e2-9197-370581804d09
type: Role
RoleManagement_ReadWrite_Directory:
id: 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8
type: Role
azuread_roles:
azuread_service_principals:
level0:
roles:
- Privileged Role Administrator
- Application Administrator
- Groups Administrator
identity:
roles:
- User Administrator
- Application Administrator
- Groups Administrator
subscription_creation_landingzones:
roles:
- Application Administrator
- Groups Administrator
dynamic_keyvault_secrets:
level0:
subscription_id:
output_key: client_config
attribute_key: subscription_id
secret_name: subscription-id
tenant_id:
output_key: client_config
attribute_key: tenant_id
secret_name: tenant-id
level1:
lower_stg:
output_key: storage_accounts
resource_key: level0
attribute_key: name
secret_name: lower-storage-account-name
lower_rg:
output_key: resource_groups
resource_key: level0
attribute_key: name
secret_name: lower-resource-group-name
subscription_id:
output_key: client_config
attribute_key: subscription_id
secret_name: subscription-id
tenant_id:
output_key: client_config
attribute_key: tenant_id
secret_name: tenant-id
level2:
lower_stg:
output_key: storage_accounts
resource_key: level1
attribute_key: name
secret_name: lower-storage-account-name
lower_rg:
output_key: resource_groups
resource_key: level1
attribute_key: name
secret_name: lower-resource-group-name
subscription_id:
output_key: client_config
attribute_key: subscription_id
secret_name: subscription-id
tenant_id:
output_key: client_config
attribute_key: tenant_id
secret_name: tenant-id
azuread_groups:
caf_platform_maintainers:
name: caf-platform-maintainers
description: High privileged group to run all CAF deployments from vscode. Can be used to bootstrap or troubleshoot deployments.
prevent_duplicate_name: true
owners:
- <replace>
caf_platform_contributors:
name: caf-platform-contributors
description: Can only execute terraform plans for level1 and level2. They can test platform improvements and propose PR.
prevent_duplicate_name: true
owners:
- <replace>
level0:
name: caf-level0
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- level0
eslz:
name: caf-eslz
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- eslz
identity:
name: caf-identity
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- identity
management:
name: caf-management
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- management
connectivity:
name: caf-connectivity
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- connectivity
subscription_creation_platform:
name: caf-subscription_creation_platform
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- subscription_creation_platform
subscription_creation_landingzones:
name: caf-subscription_creation_landingzones
prevent_duplicate_name: true
owners:
- <replace>
members:
azuread_service_principal_keys:
- subscription_creation_landingzones
# object_ids:
# - 746f54dc-285b-454b-8c55-3d499be91e1f


@ -1,101 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level1/management
deployments:
landingzone:
tfstate:
platform:
management:
global_settings_key:
platform:
launchpad:
remote_tfstates:
platform:
launchpad:
subscriptions:
management:
resource_groups:
management:
name: management
alerts:
name: alerts
diagnostic_log_analytics:
# if you change this key you also need to change it in the ESLZ deployment
# eslz/archetype_config_overrides.caf.platform.yaml
# eslz/custom_landing_zones.caf.platform.yaml
region1:
name: logre1
resource_group_key: management
monitor_action_groups:
networking_operations:
action_group_name: Networking Operations
resource_group_key: alerts
shortname: netops
arm_role_alert:
contributors:
name: Monitoring Contributor
role_name: Monitoring Contributor
use_common_alert_schema: false
email_receiver:
noc:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
service_health_alerts:
enable_service_health_alerts: true
name: alerts
shortname: HealthAlerts
resource_group_key: alerts
action_group_name: actiongrp
email_alert_settings:
support1:
name: email_alert_support1
email_address: <replace>
use_common_alert_schema: false
automation_accounts:
account1:
name: automationAccount1
resource_group_key: management
recovery_vaults:
asr:
name: asr
resource_group_key: management
soft_delete_enabled: true
backup_policies:
vms:
default:
name: vm-default-policy
# Default to UTC
# possible values - https://jackstromberg.com/2017/01/list-of-time-zones-consumed-by-azure/
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
retention_weekly:
count: 2
weekdays:
- Sunday
retention_monthly:
count: 2
weeks:
- First
weekdays:
- Sunday
retention_yearly:
count: 1
weeks:
- First
months:
- January
weekdays:
- Sunday


@ -1,22 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level1/subscriptions
deployments:
landingzone:
tfstate:
platform:
subscriptions:
subscriptions:
launchpad:
subscriptions:
launchpad:
subscription_id: <replace>
identity:
subscription_id: <replace>
connectivity:
subscription_id: <replace>
management:
subscription_id: <replace>


@ -1,144 +0,0 @@
tfstates:
platform:
### Level0 ###
launchpad:
lz_key_name: launchpad
tfstate: caf_launchpad.tfstate
workspace: tfstate
level: level0
identity_aad_key: cred_level0
config_file: launchpad.yaml
sub_template_folder: level0/launchpad
yaml: level0/launchpad/ansible.yaml
launchpad_credentials:
lz_key_name: launchpad_credentials_rotation
tfstate: launchpad_credentials_rotation.tfstate
level: level0
identity_aad_key: cred_identity
config_file: credentials.yaml
sub_template_folder: level0/credentials
### Level1 ###
management:
lz_key_name: management
tfstate: management.tfstate
level: level1
identity_aad_key: cred_management
config_file: management.yaml
identity:
lz_key_name: identity
tfstate: identity.tfstate
level: level1
identity_aad_key: cred_identity
config_file: identity.yaml
sub_template_folder: level1/identity
eslz:
lz_key_name: eslz
tfstate: eslz.tfstate
level: level1
identity_aad_key: cred_eslz
config_file: eslz/eslz.yaml
sub_template_folder: level1/eslz
yaml: level1/eslz/ansible.yaml
platform_subscriptions:
lz_key_name: platform_subscriptions
tfstate: platform_subscriptions.tfstate
level: level1
identity_aad_key: cred_subscription_creation_platform
config_file: subscriptions.yaml
sub_template_folder: level1/subscriptions
## Level2 ##
identity_level2:
prod:
lz_key_name: identity_level2
tfstate: identity_level2.tfstate
level: level2
identity_aad_key: cred_identity
non_prod:
lz_key_name: identity_level2
tfstate: identity_level2_non_prod.tfstate
level: level2
identity_aad_key: cred_identity
identity_level2_aadds:
prod:
lz_key_name: identity_level2_aadds
tfstate: identity_level2_aadds.tfstate
level:
identity_aad_key: cred_identity
virtual_wans:
prod:
lz_key_name: connectivity_virtual_wan
tfstate: connectivity_virtual_wan.tfstate
level: level2
identity_aad_key: cred_connectivity
virtual_hubs:
prod:
lz_key_name: connectivity_virtual_hub_prod
tfstate: connectivity_virtual_hub_prod.tfstate
workspace: tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_virtual_hub_non_prod
tfstate: connectivity_virtual_hub_non_prod.tfstate
workspace: tfstate
level: level2
identity_aad_key: cred_connectivity
azurerm_firewalls:
prod:
lz_key_name: connectivity_firewalls_prod
tfstate: connectivity_firewalls_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_firewalls_non_prod
tfstate: connectivity_firewalls_non_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
azurerm_firewall_policies:
prod:
lz_key_name: connectivity_firewall_policies_prod
tfstate: connectivity_firewall_policies_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_firewall_policies_non_prod
tfstate: connectivity_firewall_policies_non_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
private_dns:
prod:
lz_key_name: connectivity_private_dns_prod
tfstate: connectivity_private_dns_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
non_prod:
lz_key_name: connectivity_private_dns_non_prod
tfstate: connectivity_private_dns_non_prod.tfstate
level: level2
identity_aad_key: cred_connectivity
vpn_sites:
prod:
lz_key_name: connectivity_vpn_sites_prod
tfstate: connectivity_vpn_sites_prod.tfstate
sub_template_folder: level2/connectivity
level: level2
identity_aad_key: cred_connectivity
asvm:
lz_key_name: asvm
tfstate: asvm_subscription_vending_machine.tfstate
level: level2
identity_aad_key: cred_level0
sub_template_folder: level2/asvm
yaml: level2/asvm/ansible.yaml
rover_ignite_dependencies:
- launchpad
