Update with multi-region support

This commit is contained in:
LaurentLesle 2022-03-12 10:22:50 +00:00
Родитель f122e39178
Коммит cbbf09468f
225 изменённых файлов: 3780 добавлений и 2632 удалений


@ -1,9 +1,9 @@
module "dynamic_keyvault_secrets" {
source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
version = "5.5.1"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=patch.5.5.4"
for_each = try(var.dynamic_keyvault_secrets, {})


@ -1,8 +1,8 @@
module "launchpad" {
# source = "aztfmod/caf/azurerm"
# version = "~> 5.5.1"
source = "aztfmod/caf/azurerm"
version = "~> 5.5.4"
source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4"
# source = "../../aztfmod"
providers = {
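Review bot: The launchpad module source with `ref=AL-azurerm2931` points at a branch name rather than a release, which is mutable: every `terraform init` may fetch different module code than the one reviewed, and the `version = "~> 5.5.4"` constraint is ignored for git sources. Which of the registry line and the git line is the new side is inferred, since the +/- markers are lost on this page. Pin the ref to a tag or full commit SHA, e.g. `source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=<tag-or-commit>"`, or keep the registry source with the version constraint until the branch is merged. The solution module below has the same `ref=AL-azurerm2931` source and the same remark applies.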


@ -2,9 +2,9 @@
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "1.1.1"
version = "1.1.3"
# source = "/tf/caf/eslz"
# source = "/tf/caf/alz"
providers = {
azurerm = azurerm


@ -1,8 +1,8 @@
module "dynamic_keyvault_secrets" {
source = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
version = "5.5.1"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=master"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/security/dynamic_keyvault_secrets?ref=patch.5.5.4"
for_each = {
for keyvault_key, secrets in try(var.dynamic_keyvault_secrets, {}) : keyvault_key => {


@ -1,8 +1,8 @@
module "solution" {
# source = "aztfmod/caf/azurerm"
# version = "~> 5.5.1"
source = "aztfmod/caf/azurerm"
version = "~> 5.5.4"
source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=AL-azurerm2931"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git?ref=patch.5.5.4"
# source = "../../aztfmod"
providers = {


@ -4,7 +4,7 @@
module "vm_extension_monitoring_agent" {
source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
version = "5.5.1"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@ -26,7 +26,7 @@ module "vm_extension_monitoring_agent" {
module "vm_extension_diagnostics" {
source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
version = "5.5.1"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@ -51,7 +51,7 @@ module "vm_extension_diagnostics" {
module "vm_extension_microsoft_azure_domainjoin" {
source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
version = "5.5.1"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@ -71,7 +71,7 @@ module "vm_extension_microsoft_azure_domainjoin" {
module "vm_extension_session_host_dscextension" {
source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
version = "5.5.1"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"
@ -93,7 +93,7 @@ module "vm_extension_session_host_dscextension" {
module "vm_extension_custom_scriptextension" {
source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_extensions"
version = "5.5.1"
version = "5.5.4"
#source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_extensions?ref=master"


@ -1,6 +1,6 @@
module "vmss_extension_microsoft_azure_domainjoin" {
source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions"
version = "5.5.1"
version = "5.5.4"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master"
@ -21,7 +21,7 @@ module "vmss_extension_microsoft_azure_domainjoin" {
module "vmss_extension_custom_scriptextension" {
source = "aztfmod/caf/azurerm//modules/compute/virtual_machine_scale_set_extensions"
version = "5.5.1"
version = "5.5.4"
# source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/compute/virtual_machine_scale_set_extensions?ref=master"


@ -0,0 +1,136 @@
- name: Process deployment based on ignite.yaml
hosts: localhost
tasks:
- name: "Set variables"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
destination_base_path: '{{ platform_configuration_folder }}'
resource_template_folder: "{{ public_templates_folder }}/resources"
platform_service_folder: "{{ public_templates_folder }}/platform/services"
- name: "load {{ template_folder | default(platform_definition_folder)}}/ignite.yaml"
include_vars:
name: bootstrap
dir: "{{ template_folder | default(platform_definition_folder)}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "ignite.yaml"
- name: "load _variables files"
include_vars:
name: variables
dir: "{{ template_folder | default(platform_service_folder)}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "_variables"
- name: "Load variable for {{deployment_mode}} config from {{definition_folder}}"
include_vars:
name: asvm_resource__to_merge
dir: "{{definition_folder | default(platform_definition_folder)}}"
depth: 0
# ignore_unknown_extensions: true
files_matching: ".yaml"
when: deployment_mode == 'asvm'
- name: "Load variable for ignite.yaml config from {{platform_definition_folder}}"
include_vars:
name: ignite_resource__to_merge
dir: "{{platform_definition_folder}}"
depth: 0
files_matching: "ignite.yaml"
when: deployment_mode == 'asvm'
- name: "Load variable for tfstates.yaml config from {{platform_definition_folder}}"
include_vars:
name: tfstates_resource__to_merge
dir: "{{platform_definition_folder}}"
depth: 0
files_matching: "tfstates.yaml"
when: deployment_mode == 'asvm'
- name: "Load variable for platform config from {{platform_definition_folder}}"
include_vars:
name: platform_resource__to_merge
dir: "{{platform_definition_folder | default(template_folder)}}"
depth: 0
ignore_unknown_extensions: true
files_matching: ".yaml"
when: deployment_mode == 'platform'
- name: Merge resources variables
merge_vars:
suffix_to_merge: _resource__to_merge
merged_var_name: merged_resources
expected_type: 'dict'
recursive_dict_merge: True
- set_fact:
resources: "{{ merged_resources }}"
- name: "Creates destination directory - {{destination_base_path}}"
file:
path: "{{destination_base_path}}"
state: directory
- debug:
msg:
- "bootstrap: {{bootstrap}}"
- "resources: {{resources}}"
#
# Generate the foundation services
#
- name: Process core deployments
include_tasks: "process_regions.yaml"
loop: "{{bootstrap.deployments[deployment_mode].root.keys()}}"
loop_control:
loop_var: region
vars:
lz_type: "{{deployment_mode}}"
stage: root
- name: Process alz deployments
include_tasks: "process_regions.yaml"
loop: "{{bootstrap.deployments[deployment_mode].alz.keys()}}"
loop_control:
loop_var: region
when:
- bootstrap.deployments[deployment_mode].alz is defined and launchpad_tfstate_exists.rc == 0
vars:
lz_type: "{{deployment_mode}}"
stage: alz
#
# Process the deployments folders
#
- find:
paths: "{{definition_folder | default(platform_definition_folder)}}/scale_out_domains"
recurse: yes
patterns: "*.yaml"
file_type: file
register: files_to_process
- name: "Process deployments"
include_tasks: "process_regions.yaml"
loop: "{{bootstrap.deployments[deployment_mode].scale_out_domains.keys()}}"
loop_control:
loop_var: region
when:
- (launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0) or (storage_account_level3 is defined and storage_account_level3.rc == 0)
vars:
lz_type: "{{deployment_mode}}"
stage: scale_out_domains
#
# Formatting & Linters
#
- name: Terraform Formatting
shell: |
terraform fmt -recursive {{ destination_base_path }}
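Review bot: The "Process alz deployments" condition dereferences `launchpad_tfstate_exists.rc` without an `is defined` guard, whereas the "Process deployments" task a few lines lower guards the same variable; nothing in this playbook registers `launchpad_tfstate_exists`, so when it is not supplied the alz task fails with an undefined-variable error instead of being skipped. Split the condition into two guarded items: `- bootstrap.deployments[deployment_mode].alz is defined` and `- launchpad_tfstate_exists is defined and launchpad_tfstate_exists.rc == 0`. The closing "Terraform Formatting" task passes `{{ destination_base_path }}` unquoted through `shell`; `command: terraform fmt -recursive "{{ destination_base_path }}"` avoids word splitting on a path with spaces.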


@ -0,0 +1,70 @@
- name: Process deployment based on ignite.yaml
hosts: localhost
tasks:
- debug:
msg: "{{landingzone_definition}}"
- set_fact:
scale_out_domains: "{{scale_out_domains_input.split(',') }}"
- name: Load templates
set_fact:
subscriptions_asvm: "{{ lookup('template', '{{ template_folder }}/subscriptions.asvm.yaml') }}"
tfstates: "{{ lookup('template', '{{ template_folder }}/tfstates.asvm.yaml') }}"
- name: Load resources template
set_fact:
resources_{{scod}}: "{{ lookup('template', '{{ template_folder }}/resources.asvm.yaml') }}"
loop: "{{scale_out_domains}}"
loop_control:
loop_var: scod
- debug:
msg:
- "subscriptions_asvm: {{subscriptions_asvm}}"
- "tfstates: {{tfstates}}"
- debug:
msg:
- "{{'resources_' + scod}}: {{lookup('vars', 'resources_' + scod)}}"
loop: "{{scale_out_domains}}"
loop_control:
loop_var: scod
#
# Create definition folder structure
#
- name: "Creates definition directory - {{definition_folder}}"
file:
path: "{{definition_folder}}"
state: directory
- name: "definition - tfstates"
copy:
content: "{{ tfstates }}"
dest: "{{ definition_folder }}/tfstates.asvm.yaml"
- name: "definition - subscriptions_asvm"
copy:
content: "{{ subscriptions_asvm }}"
dest: "{{ definition_folder }}/subscriptions.asvm.yaml"
- name: "definition - resources"
copy:
content: "{{lookup('vars', 'resources_' + scod)}}"
dest: "{{ definition_folder }}/{{landingzone_definition}}_{{scod}}.asvm.yaml"
loop: "{{scale_out_domains}}"
loop_control:
loop_var: scod
- name: "definition - readme"
ansible.builtin.template:
src: "{{ topology_folder }}/readme_definition.md"
dest: "{{ definition_folder }}/readme.md"
- debug:
msg:
- "next steps: {{definition_folder}}/readme.md"
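Review bot: `landingzone_definition` and each `scod` from `scale_out_domains_input.split(',')` go straight into file paths (`dest: "{{ definition_folder }}/{{landingzone_definition}}_{{scod}}.asvm.yaml"`) and into fact names (`resources_{{scod}}`) with no validation or whitespace trimming, so a value containing a space, `/` or `..` produces an invalid variable name or a file written outside `definition_folder`. Add a check right after the `scale_out_domains` set_fact: `- assert:` / `that: item is match('^[A-Za-z0-9_-]+$')` / `loop: "{{ scale_out_domains + [landingzone_definition] }}"`. Trimming the split values (`| map('trim') | list`) also avoids a stray leading space in `a, b` becoming part of the domain name.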


@ -0,0 +1,7 @@
- include_tasks: "load_deployments_alz.yaml"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: service
when: stage == 'alz'


@ -0,0 +1,50 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{region}}"
- "topology: {{topology}}"
- name: "Process 1 deployment file {{stage}}/{{region}}"
set_fact:
"{{stage}}_{{region}}_{{item}}_deployment__to_merge": "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][item]}}') | from_yaml }}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
when:
- stage == 'root' or stage == 'alz'
- topologies is not defined
- name: "Copy file {{stage}} from {{platform_service_folder}}"
ansible.builtin.template:
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
dest: "{{destination_path}}/{{topologies[item].tfstate.config_file}}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
when:
- stage == 'root'
- topologies is defined
- name: "Copy file {{stage}} from {{platform_service_folder}}"
ansible.builtin.template:
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
when:
- stage == 'alz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_alz.yaml"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'alz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_env.yaml"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'scale_out_domains'
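Review bot: Two tasks are named "Copy file {{stage}} from {{platform_service_folder}}" and two are named "Process 2 deployment file {{stage}}", each pair differing only in its `when` list, so the run log cannot show which branch actually executed or was skipped. Give each task a name that carries the discriminator, e.g. `- name: "Copy root file {{stage}} from {{platform_service_folder}}"` and `- name: "Copy alz file {{stage}} ..."`, and likewise `"Process alz deployment file"` / `"Process scale_out_domains deployment file"`. The dynamic fact key `"{{stage}}_{{region}}_{{item}}_deployment__to_merge"` in the first task deserves a one-line comment saying it is consumed by a later `merge_vars` on the `_deployment__to_merge` suffix, since that link is not visible in this file.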


@ -0,0 +1,77 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{region}}"
- "{{service}}"
- name: "{{destination_alz_path}} - Set tfstate_object"
set_fact:
tfstate_object: "{{topologies['alz_' + service].tfstate}}"
- name: "{{destination_path}}/{{stage}} - Set landingzone file_path"
set_fact:
destination_alz_path: "{{destination_path}}/{{stage}}/{{service}}"
alz_template_folder: "{{public_templates_folder}}/{{ tfstate_object.template_lib_folder}}"
- name: "{{destination_alz_path}} - Set landingzone file_path"
set_fact:
template_lib_folder: "{{alz_template_folder}}/lib/{{ tfstate_object.alz_version }}"
- name: "{{destination_alz_path}} - Set landingzone file_path"
set_fact:
mg: "{{ lookup('template', '{{ template_lib_folder }}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
mg_custom: "{{ lookup('template', '{{ template_lib_folder }}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
- debug:
msg: "{{destination_alz_path}}"
- name: "Clean-up destination directory"
shell: |
rm -rf "{{ destination_alz_path }}"
when:
- topology.management_groups[region][service].clean_up_destination_folder | default(True)
- name: "Creates directory structure - {{template_lib_folder}}"
shell: mkdir -p "{{ destination_alz_path }}/lib/{{ item.path }}"
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'directory'
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_alz_path }}/lib/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is not search(".j2")
- item.path is not search(".yaml") or item.path is search(".json") or item.path is search(".md")
- topology.management_groups[region][service].update_lib_folder | default(False)
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_alz_path }}/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is search(".yaml")
- topology.management_groups[region][service].update_lib_folder | default(False)
# - name: "{{deployment_mode}}/{{stage}}/{{region}}/{{service}} to {{destination_path}}/{{'alz_' + service}}.yaml"
# ansible.builtin.template:
# src: "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][service]}}') | from_yaml }}"
# dest: "{{destination_path}}/{{'alz_' + service}}.yaml"
# force: yes
# vars:
# item: "{{service}}"
- name: "{{deployment_mode}}/{{stage}}/{{region}}/{{service}} to {{destination_path}}/{{'alz_' + service}}.yaml"
ansible.builtin.template:
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][item]}}"
dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
loop: "{{topology.deployments[deployment_mode][stage][region].keys()}}"
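Review bot: The "Clean-up destination directory" task runs `shell: rm -rf "{{ destination_alz_path }}"` on a path assembled from three templated variables (`destination_path`, `stage`, `service`) with a condition that defaults to true; if `destination_path` resolves empty the recursive delete lands on `/{{stage}}/{{service}}` or wider, and `shell` gives no dry-run or idempotence. process_tfstate.yaml in this same commit already removes its destination with the file module; do the same here, `file: {path: "{{ destination_alz_path }}", state: absent}`, and replace the `shell: mkdir -p ...` task with `file: {path: "{{ destination_alz_path }}/lib/{{ item.path }}", state: directory}`. Note also that the first task's name references `{{destination_alz_path}}` before the second task sets it, so that name renders without the path on the first pass.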


@ -1,7 +1,14 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{region}}"
- "{{service}}"
- name: "Process 3 deployment file {{stage}}/{{service}}"
set_fact:
"{{service}}_{{env}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][service][env]}}') | from_yaml }}"
loop: "{{topology.deployments[stage][service].keys()}}"
"{{service}}_{{env}}_deployment__to_merge": "{{ lookup('template', '{{ platform_service_folder + \"/\" + topology.deployments[deployment_mode][stage][region][service][env]}}') | from_yaml }}"
loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}"
loop_control:
loop_var: env
when:
@ -12,7 +19,7 @@
file:
path: "{{destination_path}}/{{stage}}/{{env}}"
state: directory
loop: "{{topology.deployments[stage][service].keys()}}"
loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}"
loop_control:
loop_var: env
when:
@ -20,9 +27,9 @@
- name: "Copy file {{stage}}/{{service}}"
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][service][env]}}"
src: "{{platform_service_folder}}/{{topology.deployments[deployment_mode][stage][region][service][env]}}"
dest: "{{destination_path}}/{{stage}}/{{env}}/{{topologies[service + '_' + env].tfstate.config_file}}"
loop: "{{topology.deployments[stage][service].keys()}}"
loop: "{{topology.deployments[deployment_mode][stage][region][service].keys()}}"
loop_control:
loop_var: env
when:


@ -0,0 +1,22 @@
- include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
loop_control:
loop_var: region
when: stage != 'alz'
- include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
loop_control:
loop_var: region
when:
- stage == 'alz'
- topologies is not defined
- include_tasks: "load_alz.yaml"
loop: "{{topology.deployments[deployment_mode][stage].keys()}}"
loop_control:
loop_var: region
when:
- stage == 'alz'
- topologies is defined


@ -0,0 +1,13 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{region}}"
- "{{tfstate}}"
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: "{{bootstrap.deployments[deployment_mode].scale_out_domains[region][tfstate].keys()}}"
loop_control:
loop_var: env


@ -0,0 +1,19 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{lz_type}}"
- "{{stage}}"
- name: Process core deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: tfstate
when: stage != 'scale_out_domains'
- name: Process core deployments
include_tasks: "process_deployments.yaml"
loop: "{{bootstrap.deployments[deployment_mode][stage][region].keys()}}"
loop_control:
loop_var: tfstate
when: stage == 'scale_out_domains'
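Review bot: Both include tasks carry the name "Process core deployments" although the second one handles only `scale_out_domains` (via process_deployments.yaml) and the first everything else (via process_stages.yaml), so the log reads as if the same step ran or was skipped twice. Rename the second to `- name: Process scale-out-domain deployments` and the first to `- name: Process core deployments (root/alz)` so the two branches are distinguishable.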


@ -1,12 +1,15 @@
- debug:
msg:
- "tfstate {{tfstate}}}}"
- "tfstate {{tfstate}}"
- "{{lz_type}}"
- "{{stage}}"
- "{{region}}"
- "{{tfstate}}"
- name: "Set tfstate_object"
set_fact:
tfstate_object: "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][tfstate] }}"
tfstate_object: "{{resources.tfstates[lz_type]['alz_' + tfstate] if stage == 'alz' else resources.tfstates[lz_type][tfstate] }}"
env: ''
- name: "Set config_folder"
@ -29,12 +32,3 @@
vars:
config_file: "{{config_folder + '/' + tfstate_object.config_file }}"
when: stage != 'scale_out_domains'
- name: "Process deployments"
include_tasks: "process_deployments.yaml"
loop: "{{bootstrap.deployments.scale_out_domains[tfstate].keys()}}"
loop_control:
loop_var: env
vars:
deployment: deployment
when: stage == 'scale_out_domains'


@ -2,11 +2,14 @@
- debug:
msg:
- "subscription_key {{subscription_key}}"
- "{{deployment_mode}}"
- "{{tfstate}}"
- "{{env}}"
- name: "{{deployment}} - Set ansible_to_process"
- name: "{{deployment_mode}} - Set ansible_to_process"
set_fact:
ansible_to_process: "{{base_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else base_templates_folder + '/generic'}}"
tfstate_resource: "{{ 'eslz_' + deployment if stage == 'eslz' else deployment if env == '' else deployment + '_' + env }}"
ansible_to_process: "{{public_templates_folder + '/' + tfstate_object.sub_template_folder if tfstate_object.sub_template_folder is defined else public_templates_folder + '/platform/generic'}}"
tfstate_resource: "{{ 'alz_' + tfstate if stage == 'alz' else tfstate if env == '' else tfstate + '_' + env }}"
verbosity: 2
@ -20,7 +23,7 @@
set_fact:
landingzone_template: "{{resource_template_folder}}/landingzone.tfvars.j2"
landingzone_override: "{{ansible_to_process}}/landingzone.tfvars.j2"
destination_path: "{{destination_base_path}}/{{resources['eslz_' + deployment].relative_destination_folder if stage == 'eslz' else resources[tfstate_resource].relative_destination_folder}}"
destination_path: "{{destination_base_path}}/{{resources['alz_' + tfstate].relative_destination_folder if stage == 'alz' else resources[tfstate_resource].relative_destination_folder}}"
level: "{{tfstate_object.level}}"
verbosity: 2
@ -35,7 +38,7 @@
file:
path: "{{destination_path}}"
state: absent
when: resources.configuration_folders.platform.cleanup_destination | bool
when: resources.configuration_folders[deployment_mode].cleanup_destination | default(true)
- name: "[{{tfstate_resource}}] - landingzone - Creates directory"
file:
@ -45,7 +48,7 @@
- name: "{{tfstate_resource}} - process custom yaml process"
include_tasks: "{{base_templates_folder}}/{{tfstate_object.yaml}}"
include_tasks: "{{public_templates_folder}}/{{tfstate_object.yaml}}"
when: tfstate_object.yaml is defined
#
@ -65,7 +68,7 @@
- name: "{{tfstate_resource}} - process resources"
include_tasks: "process_resources.yaml"
loop: "{{resources[tfstate_resource].subscriptions[subscription_key] | list if resources[tfstate_resource].subscriptions[subscription_key] is mapping else [] }}"
loop: "{{resources[tfstate_resource].resources[subscription_key] | list if resources[tfstate_resource].resources[subscription_key] is mapping else [] }}"
loop_control:
loop_var: resource_type
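Review bot: The cleanup condition `when: resources.configuration_folders[deployment_mode].cleanup_destination | default(true)` drops the `| bool` the replaced line had, so a string value such as `"false"` (from extra-vars or a templated yaml) is truthy and the `state: absent` removal of `destination_path` still runs. Keep both the default and the coercion: `when: resources.configuration_folders[deployment_mode].cleanup_destination | default(true) | bool`. The task that owns this condition starts outside the hunk.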


@ -0,0 +1,31 @@
- debug:
msg:
- "{{deployment_mode}}"
- "{{stage}}"
- "{{tfstate}}"
- "{{env}}"
- name: "Set tfstate_object"
set_fact:
tfstate_object: "{{resources.tfstates[deployment_mode]['alz_' + tfstate] if stage == 'alz' else resources.tfstates[deployment_mode][tfstate] if env == '' else resources.tfstates[deployment_mode][tfstate][env]}}"
- name: "Verify {{deployment_mode}}/{{stage}}/{{tfstate}}/{{env | default('')}} is defined under tfstates/{{deployment_mode}} in {{platform_definition_folder}}/tfstates.yaml :"
debug:
msg:
- "{{tfstate_object}}"
- name: "{{deployment_mode}} - tfstate_object sub_template_folder- {{env | default('')}}"
debug:
msg:
- 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
- 'tfstate_object - {{tfstate_object}}'
# - "{{resources}}"
- name: "{{deployment_mode}}/{{stage}}/{{tfstate}} - process subscription resources"
include_tasks: "process_subscription_resources.yaml"
loop: "{{resources['alz_' + tfstate].resources.keys() if stage == 'alz' else resources[tfstate].resources.keys() if env == '' else resources[tfstate + '_' + env].resources.keys() }}"
loop_control:
loop_var: subscription_key
vars:
level: "{{tfstate_object.level}}"


@ -2,7 +2,7 @@
# Initial script to select a topology and create the base templates for the definitions folder
#
# ansible-playbook /tf/caf/landingzones/templates/platform/walk-through-single.yaml \
# -e topology_file=/tf/caf/landingzones/templates/platform/eslz_single_subscription.yaml \
# -e topology_file=/tf/caf/landingzones/templates/platform/alz_single_subscription.yaml \
# -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \
# -e landingzones_folder=/tf/caf/landingzones \
# -e destination_base_path=/tf/caf \
@ -23,6 +23,21 @@
private: no
default: contoso
- name: prefix
prompt: Set the prefix to add to all resource.
private: no
default: caf
- name: alz_mg_prefix
prompt: Management group prefix (value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens).
private: no
default: es
- name: alz_mg_name
prompt: Management group name
private: no
default: Contoso
- name: default_email_address
prompt: Email address to send all notifications
private: no
@ -40,16 +55,7 @@
private: no
default: region1
- name: eslz_mg_prefix
prompt: Management group prefix (value must be between 2 to 10 characters long and can only contain alphanumeric characters and hyphens).
private: no
default: es
- name: eslz_mg_name
prompt: Management group name
private: no
default: Contoso
tasks:
- include_tasks: "ansible/walk-through.yaml"
- include_tasks: "walk-through.yaml"
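Review bot: The `alz_mg_prefix` prompt tells the user the value must be 2 to 10 alphanumeric characters or hyphens, but `vars_prompt` does not enforce it and the value flows into the included tasks unchecked, so a bad prefix only surfaces later as a provider error. Add a guard before the include: `- assert:` / `that: alz_mg_prefix is match('^[A-Za-z0-9-]{2,10}$')` / `fail_msg: "alz_mg_prefix must be 2-10 alphanumeric characters or hyphens"`.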


@ -2,7 +2,7 @@
# Get launchpad subscription details
#
- name: Get deployment user object_id
- name: Get deployment user object_id (make sure you are logged-in to the launchpad Azure subscription first.)
shell: az ad signed-in-user show --query objectId -o tsv
register: object_id
@ -29,28 +29,40 @@
- set_fact:
regions: "{{ azure_regions }}"
deployment_mode: "platform"
topology: "{{bootstrap | default()}}"
- set_fact:
topology: "{{ lookup('template', '{{ topology_file }}') | from_yaml }}"
destination_path: "{{destination_folder}}"
destination_path: "{{definition_folder | default(platform_definition_folder)}}"
resource_template_folder: "{{ public_templates_folder }}/resources"
platform_service_folder: "{{ public_templates_folder }}/platform/services"
public_templates_variables_folder: "{{ public_templates_folder }}/variables"
- name: "Creates directory - {{destination_path}}"
file:
path: "{{destination_path}}"
state: directory
- name: ignite_input
ansible.builtin.template:
src: "{{platform_service_folder}}/ignite_input.yaml"
dest: "{{destination_path}}/ignite_input.yaml"
#
# Load the files into variables
#
- name: "load _variables files"
include_vars:
name: variables
dir: "{{ public_templates_variables_folder}}"
depth: 1
ignore_unknown_extensions: true
files_matching: "_variables"
- include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments.keys()}}"
- debug:
msg:
- "variables: {{variables}}"
- "{{topology}}"
- include_tasks: "load_regions.yaml"
loop: "{{topology.deployments[deployment_mode].keys()}}"
loop_control:
loop_var: stage
@ -61,19 +73,15 @@
expected_type: 'dict'
recursive_dict_merge: True
- set_fact:
- name: "Topologies merged"
set_fact:
topologies: "{{ merged_topologies }}"
# Need topologies to render the following templates
- name: "load tfstates"
set_fact:
"tfstates_deployment__to_merge": "{{ lookup('template', '{{platform_service_folder}}/tfstates.yaml') | from_yaml }}"
- name: "load template.caf.platform"
set_fact:
"caf_platform_deployment__to_merge": "{{ lookup('template', '{{platform_service_folder}}/template.caf.platform.yaml') | from_yaml }}"
- name: Merge deployment files into topologies variable
merge_vars:
suffix_to_merge: _deployment__to_merge
@ -92,11 +100,24 @@
#
- name: Copy files
include_tasks: "load_deployments.yaml"
loop: "{{topology.deployments.keys()}}"
include_tasks: "load_regions.yaml"
loop: "{{topology.deployments[deployment_mode].keys()}}"
loop_control:
loop_var: stage
- find:
paths: "{{public_templates_variables_folder}}"
recurse: no
patterns: "_variables*.yaml"
file_type: file
register: variable_files_to_process
- name: copy variables files
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{destination_path}}/{{ item.path | basename }}"
loop: "{{variable_files_to_process.files}}"
- name: tfstates.yaml
ansible.builtin.template:
src: "{{platform_service_folder}}/tfstates.yaml"
@ -104,13 +125,13 @@
- name: ignite.yaml
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/single_subscription.yaml"
src: "{{public_templates_folder}}/platform/single_subscription.yaml"
dest: "{{destination_path}}/ignite.yaml"
- name: template.caf.platform.yaml
ansible.builtin.template:
src: "{{platform_service_folder}}/template.caf.platform.yaml"
dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml"
# - name: template.caf.platform.yaml
# ansible.builtin.template:
# src: "{{platform_service_folder}}/template.caf.platform.yaml"
# dest: "{{destination_path}}/{{topology.customer_name}}.caf.platform.yaml"
- name: readme.md
ansible.builtin.template:
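Review bot: `topology: "{{bootstrap | default()}}"` in the first set_fact is immediately overwritten by `topology: "{{ lookup('template', '{{ topology_file }}') | from_yaml }}"` in the next set_fact; if both lines are on the new side (the +/- markers are lost on this page) the first assignment is dead and `bootstrap` never reaches the rest of the play. Either drop the first assignment or merge the two into one set_fact with the intended precedence, e.g. `topology: "{{ bootstrap | default(lookup('template', topology_file) | from_yaml) }}"`. The readme.md task at the end of the hunk continues outside it.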


@ -0,0 +1,71 @@
landingzone_definition: {{landingzone_definition}}
subscriptions:
{% for scod in scale_out_domains %}
{{scod}}:
name: {{landingzone_definition}}-{{scod}}
{% if generate_new_subscriptions %}
# Set to false if you do not have permissions to create an alias
create_alias: false
subscription_id: {{subscription_id}}
{% endif %}
{% endfor %}
#
# deployments
#
deployments:
asvm:
root:
region1:
asvm_subscriptions: subscriptions.asvm.yaml
scale_out_domains:
region1:
{{landingzone_definition}}:
{% for scod in scale_out_domains %}
{{scod}}: {{landingzone_definition}}_{{scod}}.asvm.yaml
{% endfor %}
platform_mappings:
{%for key, value in platform_domain_mapping.items() %}
{{key}}: {{value}}
{% endfor %}
#
# If platform folder and config not accessible to the asvm repo you need to add the following variables
#
# caf_terraform:
# launchpad:
# caf_environment: cont0226
# subscription_id:
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
asvm:
cleanup_destination: true
#
# paths
#
topology_folder: {{topology_folder}}
public_templates_folder: {{public_templates_folder}}
landingzones_folder: {{landingzones_folder}}
template_folder: {{template_folder}}
definition_folder: {{definition_folder}}
platform_configuration_folder: {{platform_configuration_folder}}
platform_definition_folder: {{platform_definition_folder}}
deployment_mode: {{deployment_mode}}
#
# Ansible input responses
#
# don't change the structure of the values for ansible to process them properly.
# you can update the values following the structure.
scale_out_domains_input: {{scale_out_domains_input}}
platform_domain_mapping_input: {{platform_domain_mapping_input}}
generate_new_subscriptions: {{generate_new_subscriptions}}
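Review bot: Inside the `{% if generate_new_subscriptions %}` block every scale-out domain renders the same `subscription_id: {{subscription_id}}`, and `subscription_id` is not among the variables the asvm launcher script in this commit passes with `-e`, so rendering fails on an undefined variable unless it is supplied from somewhere not shown on this page. A Jinja `{% if %}` on a string such as `"false"` (the form extra-vars arrive in) is also truthy, so use `{% if generate_new_subscriptions | bool %}`. If one id per domain is intended, the template needs a per-`scod` lookup rather than a single value.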


@ -0,0 +1,17 @@
#! /bin/bash
echo -n "Name of the landingzone group definition (no spaces) to create: "
read -r landingzone_definition
export ANSIBLE_DISPLAY_SKIPPED_HOSTS=False
ansible-playbook /tf/caf/landingzones/templates/asvm/walk-through.yaml \
-e topology_folder=/tf/caf/landingzones/templates/asvm/orion \
-e public_templates_folder=/tf/caf/landingzones/templates \
-e landingzones_folder=/tf/caf/landingzones \
-e template_folder=/tf/caf/asvm/${landingzone_definition} \
-e definition_folder=/tf/caf/asvm/${landingzone_definition}/definition \
-e platform_configuration_folder=/tf/caf/configuration \
-e platform_definition_folder=/tf/caf/platform/definition \
-e deployment_mode=asvm \
--extra-vars landingzone_definition=${landingzone_definition}
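Review bot: `read -r landingzone_definition` is used unvalidated to build `template_folder` and `definition_folder` under `/tf/caf/asvm/` and is passed through as an extra var; a value with a space splits the unquoted `-e` arguments, and a `/` or `..` relocates the generated folders outside the intended tree. Add after the read: `[[ "$landingzone_definition" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid definition name" >&2; exit 1; }`, and start the script with `set -euo pipefail` so an empty answer or a failed playbook stops it.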


@ -0,0 +1,20 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
## Generate the configuration files
```bash
ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```
## Regenerate the template
Note: This playbook will override the customization you have performed in your {{platform_configuration_folder}} folder.
```bash
ansible-playbook {{public_templates_folder}}/walk-through.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```


@ -0,0 +1,17 @@
# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
## Generate the configuration files
```bash
ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```
## Regenerate the definition folder
```bash
ansible-playbook {{public_templates_folder}}/ansible/asvm_definition.yaml \
--extra-vars "@{{template_folder}}/ignite.yaml"
```


@ -0,0 +1,526 @@
{{landingzone_definition}}_{{scod}}:
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level3/{{landingzone_definition}}/{{scod}}
deployments:
landingzone:
global_settings_key:
platform:
virtual_hubs: {{platform_mappings[scod]}}
remote_tfstates:
asvm:
asvm_subscriptions:
platform:
virtual_hubs: {{platform_mappings[scod]}}
virtual_hubs_route_tables: {{platform_mappings[scod]}}
secure_firewalls: {{platform_mappings[scod]}}
identity_level2: {{platform_mappings[scod]}}
asvm:
resources:
{{landingzone_definition}}_{{scod}}:
resource_groups:
rg:
name: {{landingzone_definition}}-{{scod}}
backup:
name: {{landingzone_definition}}-{{scod}}-backup
networking:
name: {{landingzone_definition}}-{{scod}}-networking
preparation:
name: {{landingzone_definition}}-{{scod}}-preparation
modeling:
name: {{landingzone_definition}}-{{scod}}-modeling
consumption:
name: {{landingzone_definition}}-{{scod}}-consumption
analytics:
name: {{landingzone_definition}}-{{scod}}-analytics
virtual_networks:
vnet:
name: {{landingzone_definition}}-{{scod}}
resource_group_key: networking
region_key: region1
dns_servers_keys:
fw_secure_{{platform_mappings[scod]}}:
resource_type: azurerm_firewall
lz_key: connectivity_secure_firewalls_{{platform_mappings[scod]}}
key: fw_secure_{{platform_mappings[scod]}}
address_space:
- 10.101.8.0/23
subnets:
databricks_preparation_egress:
name: databricks-preparation-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.0/26
databricks_preparation_private:
name: databricks-preparation-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.64/26
databricks_modeling_egress:
name: databricks-modeling-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.0/26
databricks_modeling_private:
name: databricks-modeling-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.64/26
consumption:
name: consumption
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.8.128/25
databricks_notebooks:
name: databricks-notebooks
service_endpoints:
- Microsoft.Storage
- Microsoft.KeyVault
nsg_key: databricks_notebooks
cidr:
- 10.101.9.128/27
private_endpoints:
name: private-endpoints
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.9.192/27
network_security_group_definition:
databricks_egress:
version: 1
resource_group_key: networking
name: databricks-egress
nsg:
Inbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 5557
destination_address_prefix: "*"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 22
destination_address_prefix: "*"
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
405:
name: ICMP
access: Allow
protocol: icmp
source_port_range: "*"
source_address_prefix: "*"
destination_port_range: "*"
destination_address_prefix: "*"
databricks_private:
version: 1
resource_group_key: networking
name: databricks-private
nsg:
Inbound:
400:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
401:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
consumption:
version: 1
resource_group_key: networking
name: consumption
databricks_notebooks:
version: 1
resource_group_key: networking
name: databricks-notebooks
nsg:
Inbound:
500:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
501:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
500:
name: AzureActiveDirectory
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectory"
destination_port_ranges:
- 80
- 443
501:
name: AzureMachineLearning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureMachineLearning"
destination_port_ranges:
- 443
502:
name: AzureResourceManager
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureResourceManager"
destination_port_ranges:
- 443
503:
name: Storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "Storage"
destination_port_ranges:
- 443
504:
name: AzureFrontDoor Frontend
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.Frontend"
destination_port_ranges:
- 443
505:
name: Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureContainerRegistry"
destination_port_ranges:
- 443
506:
name: Microsoft Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "MicrosoftContainerRegistry"
destination_port_ranges:
- 443
507:
name: Keyvault
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureKeyVault"
destination_port_ranges:
- 443
508:
name: AzureFrontDoor FirstParty
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.FirstParty"
destination_port_range: "*"
virtual_hub_connections:
vnet_to_{{platform_mappings[scod]}}:
name: vnet-{{landingzone_definition}}-{{scod}}-TO-{{platform_mappings[scod]}}
virtual_hub:
lz_key: connectivity_virtual_hubs_{{platform_mappings[scod]}}
key: {{platform_mappings[scod]}}
vnet:
vnet_key: vnet
routing:
egress:
lz_key: virtual_hubs_route_tables_{{platform_mappings[scod]}}
recovery_vaults:
asr:
name: vault-{{landingzone_definition}}-{{scod}}
resource_group_key: backup
backup_policies:
vms:
default:
name: vm-default-policy
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
keyvaults:
kv_delegated_sp:
name: {{landingzone_definition}}{{scod}}001
resource_group_key: rg
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
landingzone_maintainers_{{platform_mappings[scod]}}:
lz_key: asvm
azuread_group_key: caf_ac_landingzone_maintainers_{{platform_mappings[scod]}}
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
kv_delegated_sp:
app_LZContributors:
azuread_service_principal_key: sp_LZContributors
secret_permissions:
- Get
azuread_applications:
app_LZContributors:
application_name: app-asvm-{{landingzone_definition}}-{{scod}}-Contributors
azuread_service_principals:
sp_LZContributors:
azuread_application:
key: app_LZContributors
azuread_credentials:
app_LZContributors:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
key: app_LZContributors
keyvaults:
kv_delegated_sp:
secret_prefix: sp
azuread_credential_policies:
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 70
rotation_key0:
days: 33
rotation_key1:
days: 58
azuread_groups_membership:
caf_{{platform_mappings[scod]}}_landingzones_dns_contributors:
azuread_service_principals:
sp_LZContributors:
group_lz_key: identity_level2_{{platform_mappings[scod]}}
keys:
- sp_LZContributors
caf_ac_landingzone_maintainers_{{platform_mappings[scod]}}:
azuread_service_principals:
sp_LZContributors:
group_lz_key: asvm
keys:
- sp_LZContributors
custom_role_definitions:
contributors_extended:
name: lz-{{landingzone_definition}}-{{scod}}-contributors-extended
useprefix: true
description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/virtualNetworks/join/action
role_mapping:
custom_role_mapping:
networking:
vnet:
contributors_extended:
azuread_service_principals:
keys:
- sp_LZContributors
built_in_role_mapping:
resource_groups:
preparation:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
modeling:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
consumption:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
analytics:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
storage_containers:
{{landingzone_definition}}_{{scod}}_level3:
lz_key: {{landingzone_definition}}_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
{{landingzone_definition}}_{{scod}}_level4:
lz_key: {{landingzone_definition}}_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
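Review bot: `address_space` under `virtual_networks.vnet` is still the literal `10.101.8.0/23`, and the subnet `cidr` values below it are carved from that same literal range, although the rest of the file is parameterised by `{{scod}}`; every scale-out domain rendered from this template therefore gets an identical VNet range, whereas the two per-domain files this commit removes used distinct ranges (`10.101.200.0/23` for dev, `10.101.8.0/23` for prod), so connecting more than one rendered landing zone to the same hub yields overlapping address spaces. The range should be selected per domain the same way the hub is selected through `platform_mappings[scod]`, i.e. a mapping keyed by `scod` with the subnet CIDRs derived from it. Separately, the key vault name `{{landingzone_definition}}{{scod}}001` is not passed through the `replace('_', '-')` filter that the tfstates template in this commit applies to the workspace name; if `landingzone_definition` may contain underscores, as that filter suggests, the rendered vault name violates Key Vault's alphanumeric/hyphen-only, 3-24 character rule and the failure only appears at apply time.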


@ -0,0 +1,25 @@
asvm_subscriptions:
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level3/{{landingzone_definition}}/subscriptions
deployments:
landingzone:
global_settings_key:
platform:
asvm:
remote_tfstates:
platform:
asvm:
resources:
asvm_subscriptions:
subscriptions:
{{landingzone_definition}}:
{% for scod in deployments.asvm['scale_out_domains'][landingzone_definition].keys() %}
{{scod}}:
name: {{landingzone_definition}}-{{scod}}
create_alias: {{subscriptions[scod].create_alias}}
subscription_id: {{subscriptions[scod].subscription_id}}
{% endfor %}


@ -0,0 +1,20 @@
# ### {{landingzone_definition}} ###
tfstates:
asvm:
asvm_subscriptions:
lz_key_name: {{landingzone_definition}}_subscriptions
tfstate: {{landingzone_definition}}_subscriptions.tfstate
workspace: tfstate
level: level3
sub_template_folder: platform/level3/subscriptions
yaml: platform/level3/ansible.yaml
{{landingzone_definition}}:
{% for scod in scale_out_domains %}
{{scod}}:
lz_key_name: {{landingzone_definition}}_{{scod}}_level3
tfstate: {{landingzone_definition}}_{{scod}}_level3.tfstate
workspace: {{landingzone_definition | replace('_', '-')}}-{{scod}}
level: level3
{% endfor %}
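Review bot: the `{% for scod in scale_out_domains %}` loop draws the domain list from the flat `scale_out_domains` variable, while the subscriptions template in this commit iterates `deployments.asvm['scale_out_domains'][landingzone_definition].keys()` for the same set; if the two sources ever diverge, a `{{landingzone_definition}}_{{scod}}_level3` tfstate entry is generated without a matching subscription (or the reverse) and the mismatch surfaces only at deployment time. Both templates should read the domains from one variable; as far as this page shows, only `scale_out_domains` is set as a fact by the walk-through playbook, so the subscriptions template is the one to align. A one-line comment above the loop stating the variable's origin, `# scale_out_domains: list produced by walk-through.yaml from the scale_out_domains_input prompt`, would also help whoever regenerates the definition later.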

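--- a/templates/asvm/readme.md
+++ b/templates/asvm/readme.md
@@ -0,0 +1,7 @@
+## Template to generate the defitions for the Orion data and ai landingzones
+```bash
+/tf/caf/landingzones/templates/asvm/orion/deploy_template.sh
+```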


@ -0,0 +1,81 @@
#
# Initial script to select a topology and create the base templates for the definition folder
#
- name: Deploy template to definition's folder
hosts: localhost
vars_prompt:
- name: landingzone_definition
prompt: Name of the landingzone group definition (no spaces)
private: no
- name: scale_out_domains_input
prompt: List of the scale-out domains. Will create one landingzone per domain.
private: no
default: dev,prod
- name: platform_domain_mapping_input
prompt: Mapping between the landingzones and platform scale-out domains.
private: no
default:
dev: non_prod
prod: prod
- name: generate_new_subscriptions
prompt: Do you want to deploy in the current logged_in subscription (True) or create new one (False)?
private: no
default: True
tasks:
- name: Get default subscription id
shell: az account show --query id -o tsv
register: subscription_id_cmd
when: generate_new_subscriptions
- set_fact:
scale_out_domains: "{{scale_out_domains_input.split(',') }}"
platform_domain_mapping: "{{platform_domain_mapping_input}}"
subscription_id: "{{subscription_id_cmd.stdout}}"
- name: Get template files
register: asvm_files
find:
paths: "{{topology_folder}}"
file_type: file
excludes:
- "readme_definition.md"
- "deploy_template.sh"
- debug:
msg:
- "{{asvm_files}}"
- "{{playbook_dir}}"
verbosity: 1
- name: "Creates template_folder directory - {{template_folder}}"
file:
path: "{{template_folder}}"
state: directory
- name: Deploy files
ansible.builtin.copy:
src: "{{item.path}}"
dest: "{{template_folder}}/{{ item.path | basename }}"
loop: "{{asvm_files.files}}"
- name: Save parameters
ansible.builtin.template:
src: "{{playbook_dir}}/ignite.yaml"
dest: "{{template_folder}}/ignite.yaml"
- name: readme
ansible.builtin.template:
src: "{{topology_folder}}/readme.md"
dest: "{{template_folder}}/readme.md"
- debug:
msg:
- "next steps: {{template_folder}}/readme.md"
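Review bot: the `set_fact` that computes `subscription_id` reads `subscription_id_cmd.stdout` unconditionally, but the `az account show` task that registers it runs only `when: generate_new_subscriptions`; when the prompt is answered False the registered variable is the skipped-task result with no `stdout` attribute, and the play fails with an undefined-attribute error instead of going on to create new subscriptions. Use `subscription_id: "{{ subscription_id_cmd.stdout | default('') }}"`, or put the same `when` on the fact. The prompt text also reads True as "deploy in the current logged_in subscription" while the variable is named `generate_new_subscriptions`, which is the opposite meaning; a `# True => reuse the logged-in subscription; False => create new ones` comment next to the prompt, or renaming the variable, would avoid the inverted reading. Minor: `scale_out_domains_input.split(',')` keeps surrounding whitespace, so an answer of `dev, prod` yields `" prod"`; `{{ scale_out_domains_input.split(',') | map('trim') | list }}` avoids that.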


@ -1,99 +0,0 @@
- name: Process deployment based on ignite.yaml
hosts: localhost
tasks:
- name: "load {{ config_folder }}/ignite.yaml"
include_vars:
name: bootstrap
dir: "{{ config_folder }}"
depth: 1
ignore_unknown_extensions: true
files_matching: "ignite.yaml"
- name: "Load variable for platform config"
include_vars:
name: resources
dir: "{{config_folder_platform | default(config_folder)}}"
depth: 0
ignore_unknown_extensions: true
files_matching: ".yaml"
ignore_files: "ignite.yaml"
- name: "Set variables"
set_fact:
job_cache_base_path: "/home/vscode/.terraform.cache"
destination_base_path: '{{ destination_folder }}'
- name: "Creates destination directory - {{destination_base_path}}"
file:
path: "{{destination_base_path}}"
state: directory
- debug:
msg:
- "bootstrap: {{bootstrap}}"
- "resources: {{resources}}"
#
# Generate the foundation services
#
- name: Process core deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments.root.keys()}}"
loop_control:
loop_var: tfstate
vars:
lz_type: platform
stage: root
- name: Process eslz deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments.eslz.keys()}}"
loop_control:
loop_var: tfstate
when:
- launchpad_tfstate_exists.rc == 0
vars:
lz_type: platform
stage: eslz
#
# Process the deployments folders
#
- find:
paths: "{{config_folder}}/scale_out_domains"
recurse: yes
patterns: "*.yaml"
file_type: file
register: files_to_process
- name: Process scale out domaines deployments
include_tasks: "process_stages.yaml"
loop: "{{bootstrap.deployments.scale_out_domains.keys()}}"
loop_control:
loop_var: tfstate
when:
- launchpad_tfstate_exists.rc == 0
vars:
lz_type: platform
stage: scale_out_domains
## Platform readme
- name: "[{{ base_templates_folder }}] readme"
ansible.builtin.template:
src: "{{ base_templates_folder }}/readme.md"
dest: "{{ destination_base_path }}/readme.md"
force: yes
#
# Formatting & Linters
#
- name: Terraform Formatting
shell: |
terraform fmt -recursive {{ destination_base_path }}


@ -1,44 +0,0 @@
- name: "Process 1 deployment file {{stage}}"
set_fact:
"{{stage}}_{{item}}_deployment__to_merge": "{{ lookup('template', '{{ config_folder_platform_templates + \"/services/\" + topology.deployments[stage][item]}}') | from_yaml }}"
loop: "{{topology.deployments[stage].keys()}}"
when:
- stage == 'root' or stage == 'eslz'
- topologies is not defined
- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/"
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}"
dest: "{{destination_path}}/{{topologies[item].tfstate.config_file}}"
loop: "{{topology.deployments[stage].keys()}}"
when:
- stage == 'root'
- topologies is defined
- name: "Copy file {{stage}} from {{config_folder_platform_templates}}/services/"
ansible.builtin.template:
src: "{{config_folder_platform_templates}}/services/{{topology.deployments[stage][item]}}"
dest: "{{destination_path}}/{{topologies[stage + '_' + item].tfstate.config_file}}"
loop: "{{topology.deployments[stage].keys()}}"
when:
- stage == 'eslz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_eslz.yaml"
loop: "{{topology.deployments[stage].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'eslz'
- topologies is defined
- name: "Process 2 deployment file {{stage}}"
include_tasks: "load_deployments_env.yaml"
loop: "{{topology.deployments[stage].keys()}}"
loop_control:
loop_var: service
when:
- stage == 'scale_out_domains'


@ -1,57 +0,0 @@
- name: "{{destination_eslz_path}} - Set tfstate_object"
set_fact:
tfstate_object: "{{topologies['eslz_' + service].tfstate}}"
- name: "{{destination_path}}/{{stage}} - Set landingzone file_path"
set_fact:
destination_eslz_path: "{{destination_path}}/{{stage}}/{{service}}"
template_folder: "{{config_folder_platform_templates}}/{{ tfstate_object.template_lib_folder}}"
- name: "{{destination_eslz_path}} - Set landingzone file_path"
set_fact:
template_lib_folder: "{{template_folder}}/lib/{{ tfstate_object.eslz_version }}"
- name: "{{destination_eslz_path}} - Set landingzone file_path"
set_fact:
mg: "{{ lookup('template', '{{ template_lib_folder }}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
mg_custom: "{{ lookup('template', '{{ template_lib_folder }}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
- debug:
msg: "{{destination_eslz_path}}"
- name: "Clean-up destination directory"
shell: |
rm -rf "{{ destination_eslz_path }}"
when:
- topology.enterprise_scale[service].clean_up_destination_folder
- name: "Creates directory structure - {{template_lib_folder}}"
shell: mkdir -p "{{ destination_eslz_path }}/lib/{{ item.path }}"
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'directory'
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_eslz_path }}/lib/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is not search(".j2")
- item.path is not search(".yaml") or item.path is search(".json") or item.path is search(".md")
- topologies.platform_core_setup.enterprise_scale[service].update_lib_folder
- name: " Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_eslz_path }}/{{ item.path }}"
force: yes
with_filetree: "{{ template_lib_folder }}"
when:
- item.state == 'file'
- item.path is search(".yaml")
- topologies.platform_core_setup.enterprise_scale[service].update_lib_folder


@ -1,38 +0,0 @@
- debug:
msg:
- "env: {{env}}"
- "lz_type: {{lz_type}}"
- "tfstate: {{tfstate}}"
# - set_fact:
# lz_type: "{{resources.deployments.landingzone.tfstate.keys() | first}}"
# - set_fact:
# # tfstate: "{{resources.deployments.landingzone.tfstate[lz_type].keys() | first}}"
# env: "{{resources.deployments.landingzone.tfstate[lz_type].values() | first | default('')}}"
# - debug:
# msg:
# - "{{config}}"
# - "{{lz_type}}"
# - "{{tfstate}}"
# - "{{env}}"
# verbosity: 2
- name: "Set tfstate_object"
set_fact:
tfstate_object: '{{resources.tfstates[lz_type][tfstate][env] }}'
- debug:
msg:
- "{{tfstate_object}}"
- name: "Including tasks process_tfstate.yaml"
include_tasks: "process_tfstate.yaml"
loop: ["{{ tfstate }}"]
loop_control:
loop_var: deployment


@ -1,11 +0,0 @@
- debug:
msg: "stage {{stage}} - {{bootstrap[step][stage]}}"
- include_tasks: "process_stages.yaml"
loop: "{{bootstrap[step][stage].keys()}}"
loop_control:
loop_var: tfstate
vars:
tfstates: "{{bootstrap[step][stage]}}"
lz_type: platform


@ -1,24 +0,0 @@
- debug:
msg:
- "{{lz_type}}"
- "{{deployment}}"
- "{{env}}"
- name: "Verify {{deployment}} {{lz_type}} is defined under tfstates:platform in {{config_folder}}/tfstates.yaml :"
debug:
msg:
- "{{resources.tfstates[lz_type]['eslz_' + tfstate] if stage == 'eslz' else resources.tfstates[lz_type][deployment] if env == '' else resources.tfstates[lz_type][deployment][env]}}"
- name: "{{deployment}} - tfstate_object sub_template_folder- {{env}}"
debug:
msg:
- 'sub_template_folder - {{tfstate_object.sub_template_folder | default()}}'
- 'tfstate_object - {{tfstate_object}}'
- name: "{{deployment}} - process subscription resources"
include_tasks: "process_subscription_resources.yaml"
loop: "{{resources['eslz_' + tfstate].subscriptions.keys() if stage == 'eslz' else resources[tfstate].subscriptions.keys() if env == '' else resources[tfstate + '_' + env].subscriptions.keys() }}"
loop_control:
loop_var: subscription_key
vars:
level: "{{tfstate_object.level}}"


@ -1,4 +0,0 @@
# cleanup_destination - recommended to clean and recreated a clean state from template.
configuration_folders:
asvm:
cleanup_destination: true


@ -1,511 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level3/asvm/orion/dev
deployments:
landingzone:
tfstate:
asvm:
orion_dev:
global_settings_key:
platform:
virtual_hubs: non_prod
remote_tfstates:
asvm:
subscriptions:
platform:
virtual_hubs: non_prod
azurerm_firewalls: non_prod
identity_level2: non_prod
asvm:
subscriptions:
orion_dev:
resource_groups:
rg:
name: orion-dev
backup:
name: orion-dev-backup
networking:
name: orion-dev-networking
preparation:
name: orion-dev-preparation
modeling:
name: orion-dev-modeling
consumption:
name: orion-dev-consumption
analytics:
name: orion-dev-analytics
virtual_networks:
vnet:
name: orion-dev
resource_group_key: networking
region_key: region1
dns_servers_keys:
fw_prod_plinks_01:
resource_type: azurerm_firewall
lz_key: connectivity_firewalls_non_prod
key: fw_non_prod_plinks_01
address_space:
- 10.101.200.0/23
subnets:
databricks_preparation_egress:
name: databricks-preparation-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.200.0/26
databricks_preparation_private:
name: databricks-preparation-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.200.64/26
databricks_modeling_egress:
name: databricks-modeling-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.201.0/26
databricks_modeling_private:
name: databricks-modeling-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.201.64/26
consumption:
name: consumption
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.200.128/25
databricks_notebooks:
name: databricks-notebooks
service_endpoints:
- Microsoft.Storage
- Microsoft.KeyVault
nsg_key: databricks_notebooks
cidr:
- 10.101.201.128/27
private_endpoints:
name: private-endpoints
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.201.192/27
network_security_group_definition:
databricks_egress:
version: 1
resource_group_key: networking
name: databricks-egress
nsg:
Inbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 5557
destination_address_prefix: "*"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 22
destination_address_prefix: "*"
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
405:
name: ICMP
access: Allow
protocol: icmp
source_port_range: "*"
source_address_prefix: "*"
destination_port_range: "*"
destination_address_prefix: "*"
databricks_private:
version: 1
resource_group_key: networking
name: databricks-private
nsg:
Inbound:
400:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
401:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
consumption:
version: 1
resource_group_key: networking
name: consumption
databricks_notebooks:
version: 1
resource_group_key: networking
name: databricks-notebook
nsg:
Inbound:
500:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
501:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
500:
name: AzureActiveDirectory
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectory"
destination_port_ranges:
- 80
- 443
501:
name: AzureMachineLearning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureMachineLearning"
destination_port_ranges:
- 443
502:
name: AzureResourceManager
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureResourceManager"
destination_port_ranges:
- 443
503:
name: Storage SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "Storage.SoutheastAsia"
destination_port_ranges:
- 443
504:
name: AzureFrontDoor Frontend
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.Frontend"
destination_port_ranges:
- 443
505:
name: Container Registry SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureContainerRegistry.SoutheastAsia"
destination_port_ranges:
- 443
506:
name: Microsoft Container Registry SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "MicrosoftContainerRegistry.SoutheastAsia"
destination_port_ranges:
- 443
507:
name: Keyvault SoutheastAsia
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureKeyVault.SoutheastAsia"
destination_port_ranges:
- 443
508:
name: AzureFrontDoor FirstParty
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.FirstParty"
destination_port_range: "*"
virtual_hub_connections:
vnet_to_dev:
name: vnet-orion-dev-TO-non-prod
virtual_hub:
lz_key: connectivity_virtual_hub_non_prod
key: non_prod
vnet:
vnet_key: vnet
recovery_vaults:
asr:
name: vault-orion-dev
resource_group_key: backup
backup_policies:
vms:
default:
name: vm-default-policy
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
keyvaults:
kv_delegated_sp:
name: oriondev0001
resource_group_key: rg
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
landingzone_maintainers_non_prod:
lz_key: asvm
azuread_group_key: caf_ac_landingzone_maintainers_non_prod
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
kv_delegated_sp:
app_LZContributors:
azuread_service_principal_key: sp_LZContributors
secret_permissions:
- Get
azuread_applications:
app_LZContributors:
application_name: app-asvm-orion-dev-Contributors
azuread_service_principals:
sp_LZContributors:
azuread_application:
key: app_LZContributors
azuread_credentials:
app_LZContributors:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
key: app_LZContributors
keyvaults:
kv_delegated_sp:
secret_prefix: sp
azuread_credential_policies:
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 70
rotation_key0:
days: 33
rotation_key1:
days: 58
custom_role_definitions:
contributors_extended:
name: lz-orion-dev-contributors-extended
useprefix: true
description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/virtualNetworks/join/action
role_mapping:
custom_role_mapping:
networking:
vnet:
contributors_extended:
azuread_service_principals:
keys:
- sp_LZContributors
built_in_role_mapping:
resource_groups:
preparation:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
modeling:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
consumption:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
analytics:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
storage_containers:
orion_prod_level3:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
orion_dev_level4:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors


@ -1,540 +0,0 @@
gitops:
caf_landingzone_branch: aci_network
relative_destination_folder: level3/asvm/orion/prod
deployments:
landingzone:
tfstate:
asvm:
orion_prod:
global_settings_key:
platform:
virtual_hubs: prod
remote_tfstates:
asvm:
subscriptions:
platform:
virtual_hubs: prod
azurerm_firewalls: prod
identity_level2: prod
asvm:
subscriptions:
orion_prod:
resource_groups:
rg:
name: orion-prod
backup:
name: orion-prod-backup
networking:
name: orion-prod-networking
preparation:
name: orion-prod-preparation
modeling:
name: orion-prod-modeling
consumption:
name: orion-prod-consumption
analytics:
name: orion-prod-analytics
virtual_networks:
vnet:
name: orion-prod
resource_group_key: networking
region_key: region1
dns_servers_keys:
fw_prod_plinks_01:
resource_type: azurerm_firewall
lz_key: connectivity_firewalls_prod
key: fw_prod_plinks_01
address_space:
- 10.101.8.0/23
subnets:
databricks_preparation_egress:
name: databricks-preparation-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.0/26
databricks_preparation_private:
name: databricks-preparation-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.8.64/26
databricks_modeling_egress:
name: databricks-modeling-egress
nsg_key: databricks_egress
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.0/26
databricks_modeling_private:
name: databricks-modeling-private
nsg_key: databricks_private
delegation:
name: databricks
service_delegation: Microsoft.Databricks/workspaces
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
cidr:
- 10.101.9.64/26
consumption:
name: consumption
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.8.128/25
databricks_notebooks:
name: databricks-notebooks
service_endpoints:
- Microsoft.Storage
- Microsoft.KeyVault
nsg_key: databricks_notebooks
cidr:
- 10.101.9.128/27
private_endpoints:
name: private-endpoints
enforce_private_link_endpoint_network_policies: true
cidr:
- 10.101.9.192/27
network_security_group_definition:
databricks_egress:
version: 1
resource_group_key: networking
name: databricks-egress
nsg:
Inbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-proxy
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 5557
destination_address_prefix: "*"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-control-plane-to-worker-ssh
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureDatabricks"
destination_port_range: 22
destination_address_prefix: "*"
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
405:
name: ICMP
access: Allow
protocol: icmp
source_port_range: "*"
source_address_prefix: "*"
destination_port_range: "*"
destination_address_prefix: "*"
databricks_private:
version: 1
resource_group_key: networking
name: databricks-private
nsg:
Inbound:
400:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
401:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
400:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-webapp
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "AzureDatabricks"
401:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 3306
destination_address_prefix: "Sql"
402:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 443
destination_address_prefix: "Storage"
403:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: "*"
destination_address_prefix: "VirtualNetwork"
404:
name: Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "VirtualNetwork"
destination_port_range: 9093
destination_address_prefix: "EventHub"
consumption:
version: 1
resource_group_key: networking
name: consumption
databricks_notebooks:
version: 1
resource_group_key: networking
name: databricks-notebooks
nsg:
Inbound:
500:
name: Batch Node Management
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "BatchNodeManagement"
destination_address_prefix: "*"
destination_port_ranges:
- 29876
- 29877
501:
name: Azure Machine Learning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "AzureMachineLearning"
destination_address_prefix: "*"
destination_port_ranges:
- 44224
Outbound:
500:
name: AzureActiveDirectory
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureActiveDirectory"
destination_port_ranges:
- 80
- 443
501:
name: AzureMachineLearning
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureMachineLearning"
destination_port_ranges:
- 443
502:
name: AzureResourceManager
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureResourceManager"
destination_port_ranges:
- 443
503:
name: Storage
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "Storage"
destination_port_ranges:
- 443
504:
name: AzureFrontDoor Frontend
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.Frontend"
destination_port_ranges:
- 443
505:
name: Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureContainerRegistry"
destination_port_ranges:
- 443
506:
name: Microsoft Container Registry
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "MicrosoftContainerRegistry"
destination_port_ranges:
- 443
507:
name: Keyvault
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureKeyVault"
destination_port_ranges:
- 443
508:
name: AzureFrontDoor FirstParty
access: Allow
protocol: tcp
source_port_range: "*"
source_address_prefix: "*"
destination_address_prefix: "AzureFrontDoor.FirstParty"
destination_port_range: "*"
virtual_hub_connections:
vnet_to_prod:
name: vnet-orion-prod-TO-prod
virtual_hub:
lz_key: connectivity_virtual_hub_prod
key: prod
vnet:
vnet_key: vnet
routing:
egress:
lz_key: route tables
propagated_route_table:
labels:
- egress-firewall-prod
static_vnet_route:
egress_internet:
name: egress internet
address_prefix:
- 0.0.0.0/0
# netx_hop_ip_address: 10.101.61.4
next_hop:
lz_key: caf_networking_firewall
key:
interface_index: 0
recovery_vaults:
asr:
name: vault-orion-prod
resource_group_key: backup
backup_policies:
vms:
default:
name: vm-default-policy
timezone: "SE Asia Standard Time"
backup:
frequency: Daily
time: "23:00"
retention_daily:
count: 7
keyvaults:
kv_delegated_sp:
name: orionprod001
resource_group_key: rg
creation_policies:
logged_in_user:
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
landingzone_maintainers_prod:
lz_key: asvm
azuread_group_key: caf_ac_landingzone_maintainers_prod
secret_permissions:
- Set
- Get
- List
- Delete
- Purge
- Recover
keyvault_access_policies:
kv_delegated_sp:
app_LZContributors:
azuread_service_principal_key: sp_LZContributors
secret_permissions:
- Get
azuread_applications:
app_LZContributors:
application_name: app-asvm-orion-prod-Contributors
azuread_service_principals:
sp_LZContributors:
azuread_application:
key: app_LZContributors
azuread_credentials:
app_LZContributors:
type: password
azuread_credential_policy_key: default_policy
azuread_application:
key: app_LZContributors
keyvaults:
kv_delegated_sp:
secret_prefix: sp
azuread_credential_policies:
default_policy:
length: 250
special: false
upper: true
number: true
expire_in_days: 70
rotation_key0:
days: 33
rotation_key1:
days: 58
azuread_groups_membership:
caf_prod_landingzones_dns_contributors:
azuread_service_principals:
sp_LZContributors:
group_lz_key: identity_level2
keys:
- sp_LZContributors
caf_ac_landingzone_maintainers_prod:
azuread_service_principals:
sp_LZContributors:
group_lz_key: asvm
keys:
- sp_LZContributors
custom_role_definitions:
contributors_extended:
name: lz-orion-prod-contributors-extended
useprefix: true
description: "Provides additional permissions for the level4 principal to perform activies on the level3 landingzone services."
permissions:
actions:
- Microsoft.Network/privateDnsZones/join/action
- Microsoft.Network/virtualNetworks/join/action
role_mapping:
custom_role_mapping:
networking:
vnet:
contributors_extended:
azuread_service_principals:
keys:
- sp_LZContributors
built_in_role_mapping:
resource_groups:
preparation:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
modeling:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
consumption:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
analytics:
Owner:
azuread_service_principals:
keys:
- sp_LZContributors
storage_containers:
orion_prod_level3:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors
orion_prod_level4:
lz_key: orion_subscriptions
Storage Blob Data Contributor:
azuread_service_principals:
keys:
- sp_LZContributors

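--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,31 +0,0 @@
-gitops:
-caf_landingzone_branch: aci_network
-relative_destination_folder: level3/asvm/orion/subscriptions
-deployments:
-landingzone:
-tfstate:
-asvm:
-subscriptions:
-global_settings_key:
-platform:
-asvm:
-remote_tfstates:
-platform:
-asvm:
-subscriptions:
-launchpad:
-subscriptions:
-orion_dev:
-name: orion-dev
-create_alias: false
-subscription_id: <replace>
-orion_prod:
-name: orion-prod
-create_alias: false
-subscription_id: <replace>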
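--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,16 +0,0 @@
-# Cloud Adoption Framework landing zones for Terraform - Starter template for Azure Subscription Vending Machine (ASVM)
-## Generate the configuration files
-```bash
-rover ignite \
---playbook /tf/caf/landingzones/templates/platform/ansible.yaml \
--e base_templates_folder=/tf/caf/landingzones/templates/platform \
--e resource_template_folder=/tf/caf/landingzones/templates/resources \
--e config_folder=/tf/caf/definitions/asvm/orion-landingzone \
--e config_folder_platform=/tf/caf/definitions \
--e landingzones_folder=/tf/caf/landingzones
-```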

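--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,28 +0,0 @@
-# ### orion ###
-tfstates:
-asvm:
-subscriptions:
-lz_key_name: orion_subscriptions
-tfstate: orion_subscriptions.tfstate
-workspace: tfstate
-level: level3
-sub_template_folder: level3
-yaml: level3/ansible.yaml
-orion_dev:
-lz_key_name: orion_dev_level3
-tfstate: orion_dev_level3.tfstate
-workspace: orion-dev
-level: level3
-sub_template_folder: level3
-yaml: level3/ansible.yaml
-orion_prod:
-lz_key_name: orion_prod_level3
-tfstate: orion_prod_level3.tfstate
-workspace: orion-prod
-level: level3
-sub_template_folder: level3
-yaml: level3/ansible.yaml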

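--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Initial script to select a topology and create the base templates for the definitions folder
-#
-# ansible-playbook /tf/caf/landingzones/templates/platform/asvm/walk-through.yaml \
-# -e topology_folder=/tf/caf/landingzones/templates/platform/asvm/orion \
-# -e config_folder_platform_templates=/tf/caf/landingzones/templates/platform \
-# -e landingzones_folder=/tf/caf/landingzones \
-# -e destination_folder=/tf/caf/definitions/asvm/orion
-- name: Deploy template to definition's folder
-hosts: localhost
-tasks:
-- name: Get template files
-register: asvm_files
-find:
-paths: {{topology_file}}
-file_type: file
-- debug:
-- msg: "{{asvm_files}}"
-- name: Deploy files
-ansible.builtin.template:
-src: "{{topology_folder}}/{{item}}"
-dest: "{{destination_folder}}/{{item}}"
-loop: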

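--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,12 @@
+#! /bin/bash
+export ANSIBLE_DISPLAY_SKIPPED_HOSTS=False
+ansible-playbook /tf/caf/landingzones/templates/ansible/walk-through-single.yaml \
+-e topology_file=/tf/caf/landingzones/templates/platform/single_subscription.yaml \
+-e public_templates_folder=/tf/caf/landingzones/templates \
+-e landingzones_folder=/tf/caf/landingzones \
+-e platform_configuration_folder=/tf/caf/configuration \
+-e platform_definition_folder=/tf/caf/platform/definition \
+-e platform_template_folder=/tf/caf/platform/template \
+--extra-vars "@/tf/caf/landingzones/templates/platform/template_topology.yaml"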


@ -4,24 +4,24 @@
rover logout
# login a with a user member of the caf-maintainers group
rover login -t {{ resources.platform_identity.tenant_name }}
rover login -t {{ resources.azure_landing_zones.identity.tenant_name }}
rover \
{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
--impersonate-sp-from-keyvault-url {{ keyvaults[ tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz /tf/caf/landingzones/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
-tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \
{% if platform_subscriptions_details is defined %}
-target_subscription {{ platform_subscriptions_details[resources.subscriptions.keys() | first].subscription_id }} \
{% elif subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id is defined %}
-target_subscription {{ subscriptions.platform_subscriptions[resources.subscriptions.keys() | first].subscription_id }} \
{% else %}
-target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ resources.caf_launchpad.subscription_id }} \
{% endif %}
-tfstate {{ tfstate_object.tfstate }} \
-env {{ resources.caf_terraform.launchpad.caf_environment }} \
-env {{ resources.caf_environment }} \
-level {{ level }} \
-w {{ tfstate_object.workspace | default('tfstate') }} \
-p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \


@ -15,7 +15,7 @@ Platform- Subscriptions | Deploys platform subscriptions such as managemen
management | Foundation resources to management subscription such as service health alerts, log analytics
gitops | This directory hosts the Azure DevOps configurations such as Azure DevOps projects, pipelines variable groups
Identity | This hosts the identities for the pipelines and identies are pushed to vault after created
Enterprise scale - Platform | Deploys eslz resources suych as management groups, custom roles, policies, and map that to management groups
Enterprise scale - Platform | Deploys alz resources suych as management groups, custom roles, policies, and map that to management groups
### Level 2


@ -5,14 +5,14 @@
when: resources.configuration_folders.platform.cleanup_destination | bool
- name: "[{{ level }}-{{ base_folder }}] Creates directory"
when: resources.caf_terraform.billing_subscription_role_delegations.enable == true
when: resources.billing_subscription_role_delegations.enable == true
register: level0_billing_subscription_role_delegations
file:
path: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}"
state: directory
- name: "[{{ level }}-{{ base_folder }}] subscription role delegation"
when: resources.caf_terraform.billing_subscription_role_delegations.enable == true
when: resources.billing_subscription_role_delegations.enable == true
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/{{ level }}/{{ base_folder }}/{{ item | basename | regex_replace('.j2$', '') }}"
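Review bot: The two renamed `when:` conditions compare the flag with `== true`, while the condition just above them in the same hunk uses `| bool`; a value supplied as the string `"true"` (for example via `-e` on the command line) satisfies the second form but not the first, and a missing key makes the `==` form fail the conditional check outright. Writing both as `when: resources.billing_subscription_role_delegations.enable | default(false) | bool` keeps the three conditions consistent and tolerates the key being absent. The tasks that own these conditions start and end outside the hunk.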


@ -3,17 +3,17 @@
Set-up the subscription delegations for platform and landingzone subscriptions
```bash
# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
rover login -t {{ resources.platform_identity.tenant_name }}
# Login to the subscription {{ resources.caf_launchpad.subscription_name }} with the user {{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
rover login -t {{ resources.azure_landing_zones.identity.tenant_name }}
rover \
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_base }}/{{ resources.configuration_folders.platform.destination_relative_path }}/level0/billing_subscription_role_delegations \
-tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
-tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \
-tfstate {{ resources.tfstates.platform.billing_subscription_role_delegations.tfstate }} \
-target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ resources.caf_launchpad.subscription_id }} \
-launchpad \
-env {{ resources.caf_terraform.launchpad.caf_environment }} \
-env {{ resources.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ resources.tfstates.platform.billing_subscription_role_delegations.tfstate }}.tfplan \
-a plan
@ -25,13 +25,13 @@ rover logout
# Run rover ignite to generate the next level configuration files
To execute this step you need to login with on of the CAF maintainers:
{% for maintainer in resources.platform_identity.caf_platform_maintainers %}
{% for maintainer in resources.azure_landing_zones.identity.caf_platform_maintainers %}
- {{ maintainer }}
{% endfor %}
```bash
rover login -t {{ resources.platform_identity.tenant_name }}
rover login -t {{ resources.azure_landing_zones.identity.tenant_name }}
rover ignite \
--playbook {{ landingzones_folder }}/ansible.yaml \


@ -2,8 +2,8 @@ subscription_billing_role_assignments = {
# Delegated accounts who can create subscriptions.
# Used by Gitops pipelines
subscription_creators = {
billing_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.billing_account_name }}"
enrollment_account_name = "{{ resources.caf_terraform.billing_subscription_role_delegations.enrollment_account_name }}"
billing_account_name = "{{ resources.billing_subscription_role_delegations.billing_account_name }}"
enrollment_account_name = "{{ resources.billing_subscription_role_delegations.enrollment_account_name }}"
billing_role_definition_name = "Enrollment account subscription creator"
principals = {


@ -14,7 +14,7 @@ dynamic_keyvault_secrets = {
}
tenant_id = {
secret_name = "tenant-id"
value = "{{ resources.caf_terraform.launchpad.tenant_id }}" # {{ resources.platform_identity.tenant_name }} Tenant
value = "{{ resources.caf_launchpad.tenant_id }}" # {{ resources.azure_landing_zones.identity.tenant_name }} Tenant
}
}


@ -3,43 +3,43 @@
```bash
# For manual bootstrap:
# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
rover login -t {{ resources.platform_identity.tenant_name }}
# Login to the subscription {{ resources.caf_launchpad.subscription_name }} with the user {{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
rover login -t {{ resources.azure_landing_zones.identity.tenant_name }}
rover \
{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
-tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \
-target_subscription {{ resources.caf_launchpad.subscription_id }} \
-tfstate {{ resources.tfstates.platform.launchpad_credentials.tfstate }} \
-launchpad \
-env {{ resources.caf_terraform.launchpad.caf_environment }} \
-env {{ resources.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \
-a plan
```
If the plan is not successfull you need to come back to the yaml {{resources.customer_name}}.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan.
If the plan is not successfull you need to come back to the yaml {{customer_name}}.caf.platform.yaml, fix the values, re-execute the rover ignite and then rover plan.
```bash
# On success plan, execute
rover \
{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and keyvaults is defined %}
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz {{ landingzones_folder }}/caf_solution \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
-tfstate_subscription_id {{ resources.caf_launchpad.subscription_id }} \
-target_subscription {{ resources.caf_launchpad.subscription_id }} \
-tfstate {{ resources.tfstates.platform.launchpad_credentials.tfstate }} \
-launchpad \
-env {{ resources.caf_terraform.launchpad.caf_environment }} \
-env {{ resources.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad_credentials.tfstate }}.tfplan \
-a apply
@ -49,13 +49,8 @@ rover \
```bash
# On success, re-execute the rover ignite
rover ignite \
--playbook {{ base_templates_folder }}/ansible/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{resource_template_folder}} \
-e config_folder={{ config_folder }} \
-e landingzones_folder={{ landingzones_folder }} \
-e destination_folder={{destination_folder}}
ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \
--extra-vars "@{{platform_definition_folder}}/ignite.yaml"
```
@ -67,7 +62,7 @@ Just re-execute the plan/apply command as above and you will notice the rover wi
When you have successfully deployed the launchpad you can move to the next step.
{% if resources.caf_terraform.billing_subscription_role_delegations.enable %}
{% if resources.billing_subscription_role_delegations.enable %}
[[Deploy the billing subscription role delegation](../billing_subscription_role_delegations/readme.md)
{% else %}
[Deploy the subscription services](../../level1/subscriptions/readme.md)


@ -6,7 +6,7 @@
role_mapping = {
built_in_role_mapping = {
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
resource_groups = {
sp_credentials = {
"Contributor" = {


@ -10,8 +10,8 @@
register: launchpad_storage_account
shell: |
az storage account list \
--subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='{{ tfstate_object.level }}' && tags.caf_environment=='{{ resources.caf_terraform.launchpad.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
--subscription {{ resources.caf_launchpad.subscription_id }} \
--query "[?tags.caf_tfstate=='{{ tfstate_object.level }}' && tags.caf_environment=='{{ resources.caf_environment }}'].{name:name}[0]" -o json | jq -r .name
- debug:
msg: "{{launchpad_storage_account}}"
@ -33,21 +33,21 @@
- name: "[{{resources[tfstate].relative_destination_folder}}] Get subscription_creation_landingzones details"
when:
- launchpad_tfstate_exists.rc == 0
- resources.platform_core_setup.enable_azure_subscription_vending_machine
- resources.enable_azure_subscription_vending_machine
shell: "cat ~/.terraform.cache/launchpad/{{ resources.tfstates.platform.launchpad.tfstate }}"
register: launchpad_tfstate
- name: "[{{resources[tfstate].relative_destination_folder}}] Get launchpad json data"
when:
- launchpad_tfstate_exists.rc == 0
- resources.platform_core_setup.enable_azure_subscription_vending_machine
- resources.enable_azure_subscription_vending_machine
set_fact:
scljsondata: "{{ launchpad_tfstate.stdout | from_json }}"
- name: "[{{resources[tfstate].relative_destination_folder}}] set launchpad_azuread_groups"
when:
- launchpad_tfstate_exists.rc == 0
- resources.platform_core_setup.enable_azure_subscription_vending_machine
- resources.enable_azure_subscription_vending_machine
set_fact:
launchpad_azuread_groups: "{{ scljsondata | json_query(path) }}"
vars:
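Review bot: The renamed subscription id is still interpolated unquoted into the `shell:` command on the `--subscription` line of the first hunk; `--subscription {{ resources.caf_launchpad.subscription_id | quote }} \` keeps an unexpected value from being split or interpreted by the shell. `{{ resources.caf_environment }}` lands inside the single-quoted JMESPath literal of `--query`, so a value containing `'` breaks the filter instead of being rejected; an `assert` before this task, e.g. `that: resources.caf_environment is match('^[A-Za-z0-9_-]+$')`, is the simpler guard there. The pipeline also ends in `jq -r .name`, so a failing `az` call (not logged in, wrong subscription) appears to register with rc 0 and an empty name; `set -o pipefail` at the top of the script together with `args: executable: /bin/bash` makes that failure visible. The task that owns this `shell:` starts above the hunk.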


@ -1,20 +1,20 @@
{% if resources.platform_identity.enable_azuread_groups %}
{% if bootstrap.enable_azuread_groups %}
azuread_groups_membership = {
caf_platform_maintainers = {
{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %}
object_ids = {
logged_in = {
keys = ["user"]
}
}
{% endif %}
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
members = {
{% if resources.platform_identity.caf_platform_maintainers.user_principal_names is defined %}
{% if bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names is defined %}
user_principal_names = [
"{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}",
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' and resources.platform_identity.caf_platform_maintainers.user_principal_names is mapping%}
{% for user in resources.platform_identity.caf_platform_maintainers.user_principal_names %}
"{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}",
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' and bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names is mapping%}
{% for user in bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names %}
"{{ user }}",
{% endfor %}
{% endif %}
@ -25,14 +25,14 @@ azuread_groups_membership = {
}
caf_platform_contributors = {
members = {
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if resources.platform_identity.caf_platform_maintainers.user_principal_names is mapping %}
user_principal_names = {{ resources.platform_identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
{% if bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names is mapping %}
user_principal_names = {{ bootstrap.azure_landing_zones.identity.caf_platform_maintainers.user_principal_names | replace('None','[]') | replace('[', '[\n') | replace(']', '\n]') | replace(',', ',\n') | replace('\'','\"') }}
{% endif %}
{% endif %}
}
}
}
{% else %}
# Azure AD Groups in resources.platform_identity.enable_azuread_groups is not set to true
# Azure AD Groups in bootstrap.enable_azuread_groups is not set to true
{% endif %}
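Review bot: The guard on the first line of this template now reads `bootstrap.enable_azuread_groups`, while every other identity setting in the file is addressed as `bootstrap.azure_landing_zones.identity.…` and the keyvaults template further down in this commit tests `bootstrap.azure_landing_zones.identity.enable_azuread_groups`; unless both keys really exist, one of the two guards refers to an attribute that is not defined. With Ansible's templating an undefined attribute inside `{% if %}` presumably aborts the render rather than evaluating to false, so this is worth settling before the rename lands. Pick one location and use it in both templates, e.g. `{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %}` here if that is the canonical key, and make the closing comment `# Azure AD Groups in bootstrap.enable_azuread_groups is not set to true` name the same key.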


@ -3,25 +3,25 @@
#
# passthrough means the default CAF naming convention is not applied and you are responsible
# of the unicity of the names you are giving. the CAF provider will clear out
passthrough = {{ resources.caf_terraform.naming_convention.passthrough | string | lower }}
passthrough = {{ bootstrap.naming_convention.passthrough | string | lower }}
# adds random chars at the end of the names produced by the provider
# Do not change the following values once the launchpad deployed.
# Enable tag inheritance (can be changed)
inherit_tags = {{ resources.caf_terraform.naming_convention.inherit_tags | string | lower }}
inherit_tags = {{ bootstrap.naming_convention.inherit_tags | string | lower }}
# When passthrough is set to false, define the number of random characters to add to the names
random_length = {{ resources.caf_terraform.naming_convention.random_length }}
random_length = {{ bootstrap.naming_convention.random_length }}
# Set the prefix that will be added to all azure resources.
# if not set and passthrough=false, the CAF module generates a random one.
{% if resources.caf_terraform.naming_convention.prefix is defined %}
prefix = "{{ resources.caf_terraform.naming_convention.prefix }}"
{% if bootstrap.naming_convention.prefix is defined %}
prefix = "{{ bootstrap.naming_convention.prefix }}"
{% endif %}
# Default region. When not set to a resource it will use that value
default_region = "{{ resources.caf_terraform.launchpad.default_region_key }}"
default_region = "{{ bootstrap.default_region_key }}"
# You can reference the regions by using region1, region2 or set your own keys
regions = {
{% for key, value in resources.caf_terraform.launchpad.regions.items() %}
{% for key, value in bootstrap.caf_regions.items() %}
{{ key }} = "{{ value }}"
{% endfor %}
}
@ -36,10 +36,10 @@ launchpad_key_names = {
]
}
{% if resources.caf_terraform.launchpad.tags is defined %}
{% if bootstrap.launchpad.tags is defined %}
# Global tags
tags = {
{% for tag_key, tag_value in resources.caf_terraform.launchpad.tags.items() %}
{% for tag_key, tag_value in bootstrap.launchpad.tags.items() %}
{{ tag_key }} = "{{ tag_value }}"
{% endfor %}
}
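Review bot: The regions loop in the first hunk now writes `{{ key }} = "{{ value }}"` from `bootstrap.caf_regions`, while the archetype templates in this same commit read region entries as objects (`resources.caf_regions[key].name`, `.slug`). If `bootstrap.caf_regions` shares that shape, the rendered `regions` map contains the whole mapping instead of the Azure region name, and `{{ key }} = "{{ value.name }}"` would be the intended line. Confirm the shape of `bootstrap.caf_regions` before merging, since a wrong `regions` map breaks every region lookup the launchpad does.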


@ -1,21 +1,21 @@
keyvaults = {
level0 = {
name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level0.name }}"
resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level0.resource_group_key }}"
sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level0.name }}"
resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level0.resource_group_key }}"
sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
tags = {
caf_tfstate = "level0"
caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
caf_environment = "{{ bootstrap.caf_environment }}"
}
creation_policies = {
// {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
// {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
bootstrap_user = {
object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
object_id = "{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
{% if resources.platform_identity.enable_azuread_groups %}
{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %}
caf_platform_maintainers = {
azuread_group_key = "caf_platform_maintainers"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
@ -25,7 +25,7 @@ keyvaults = {
secret_permissions = ["Get"]
}
{% endif %}
{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %}
logged_in_user = {
# if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
# More examples in /examples/keyvault
@ -37,21 +37,21 @@ keyvaults = {
}
level1 = {
name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.name }}"
resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.resource_group_key }}"
sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.name }}"
resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.resource_group_key }}"
sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
tags = {
caf_tfstate = "level1"
caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
caf_environment = "{{ bootstrap.caf_environment }}"
}
creation_policies = {
// {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
// {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
bootstrap_user = {
object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
object_id = "{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
{% if resources.platform_identity.enable_azuread_groups %}
{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %}
caf_platform_maintainers = {
azuread_group_key = "caf_platform_maintainers"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
@ -61,7 +61,7 @@ keyvaults = {
secret_permissions = ["Get"]
}
{% endif %}
{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %}
logged_in_user = {
# if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
# More examples in /examples/keyvault
@ -73,21 +73,21 @@ keyvaults = {
}
level2 = {
name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level2.name }}"
resource_group_key = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level2.resource_group_key }}"
sku_name = "{{ resources[tfstate].subscriptions[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level2.name }}"
resource_group_key = "{{ resources[tfstate].resources[subscription_key].keyvaults.level2.resource_group_key }}"
sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level1.sku_name | default('standard') }}"
tags = {
caf_tfstate = "level2"
caf_environment = "{{ resources.caf_terraform.launchpad.caf_environment }}"
caf_environment = "{{ bootstrap.caf_environment }}"
}
creation_policies = {
// {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
// {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
bootstrap_user = {
object_id = "{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
object_id = "{{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
{% if resources.platform_identity.enable_azuread_groups %}
{% if bootstrap.azure_landing_zones.identity.enable_azuread_groups %}
caf_platform_maintainers = {
azuread_group_key = "caf_platform_maintainers"
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
@ -97,7 +97,7 @@ keyvaults = {
secret_permissions = ["Get"]
}
{% endif %}
{% if resources.platform_identity.azuread_identity_mode == 'logged_in_user' %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'logged_in_user' %}
logged_in_user = {
# if the key is set to "logged_in_user" add the user running terraform in the keyvault policy
# More examples in /examples/keyvault
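Review bot: `sku_name` for the level0 and level2 keyvaults still reads the level1 entry (`...keyvaults.level1.sku_name` inside the new `level0` and `level2` blocks), so a per-level SKU set in the definition is silently ignored for those two vaults. The rewritten lines should read `sku_name = "{{ resources[tfstate].resources[subscription_key].keyvaults.level0.sku_name | default('standard') }}"` and the matching `level2` form. The commit already rewrites these lines for the `subscriptions` to `resources` rename, so it is the right place to correct the copy-paste.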


@ -1,4 +1,4 @@
# Launchpad - {{ resources.caf_terraform.launchpad.caf_environment }}
# Launchpad - {{ bootstrap.caf_environment }}
## Pre-requisites
@ -11,19 +11,19 @@ This scenario requires the following privileges:
## Deployment
{% if resources.caf_terraform.billing_subscription_role_delegations is defined %}
{% if bootstrap.billing_subscription_role_delegations is defined %}
### Pre-requisite
Elevate your credentials to the tenant root level to have enough privileges to create the management group hierarchy.
```bash
{% if resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
{% if bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with the user {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
{% else %}
# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with an account owner.
# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with an account owner.
{% endif %}
rover login -t {{ resources.platform_identity.tenant_name }}
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
rover login -t {{ bootstrap.azure_landing_zones.identity.tenant_name }}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
{% endif %}
@ -33,33 +33,33 @@ az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?ap
### Launchpad
```bash
{% if resources.caf_terraform.billing_subscription_role_delegations is defined %}
{% if resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with the user {{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
{% if bootstrap.billing_subscription_role_delegations is defined %}
{% if bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner is defined %}
# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with the user {{ bootstrap.billing_subscription_role_delegations.azuread_user_ea_account_owner }}
{% else %}
# Login to the subscription {{ resources.caf_terraform.launchpad.subscription_name }} with an account owner.
# Login to the subscription {{ bootstrap.caf_launchpad.subscription_name }} with an account owner.
{% endif %}
{% endif %}
rover login -t {{ resources.platform_identity.tenant_name }} -s {{ resources.caf_terraform.launchpad.subscription_id }}
rover login -t {{ bootstrap.azure_landing_zones.identity.tenant_name }} -s {{ bootstrap.caf_launchpad.subscription_id }}
cd {{ landingzones_folder }}
git fetch origin
git checkout {{ resources.gitops.caf_landingzone_branch }}
git checkout {{ bootstrap.caf_landingzone_branch }}
git pull
rover \
{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %}
--impersonate-sp-from-keyvault-url {{ keyvaults[tfstate_object.identity_aad_key].vault_uri }} \
{% endif %}
-lz {{ landingzones_folder }}/caf_launchpad \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \
-tfstate_subscription_id {{ bootstrap.caf_launchpad.subscription_id }} \
-target_subscription {{ bootstrap.caf_launchpad.subscription_id }} \
-tfstate {{ tfstate_object.tfstate }} \
-launchpad \
-env {{ resources.caf_terraform.launchpad.caf_environment }} \
-env {{ bootstrap.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \
-p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \
-a plan
```
@ -71,18 +71,18 @@ If the plan is not successfull you need to come back to the yaml contoso.caf.pla
# On success plan, execute
rover \
{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" and credentials_tfstate_exists.rc == 0 %}
--impersonate-sp-from-keyvault-url {{ keyvaults.cred_level0.vault_uri }} \
{% endif %}
-lz {{ landingzones_folder }}/caf_launchpad \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \
-tfstate_subscription_id {{ bootstrap.caf_launchpad.subscription_id }} \
-target_subscription {{ bootstrap.caf_launchpad.subscription_id }} \
-tfstate {{ tfstate_object.tfstate }} \
-launchpad \
-env {{ resources.caf_terraform.launchpad.caf_environment }} \
-env {{ bootstrap.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \
-p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \
-a apply
```
@ -92,17 +92,12 @@ Execute a rover logout and rover login in order to make sure your azure sessions
```bash
rover logout
rover login -t {{ resources.platform_identity.tenant_name }}
rover login -t {{ bootstrap.azure_landing_zones.identity.tenant_name }}
# On success, re-execute the rover ignite
rover ignite \
--playbook {{ base_templates_folder }}/ansible/ansible.yaml \
-e base_templates_folder={{ base_templates_folder }} \
-e resource_template_folder={{resource_template_folder}} \
-e config_folder={{ config_folder }} \
-e landingzones_folder={{ landingzones_folder }} \
-e destination_folder={{destination_folder}}
ansible-playbook {{public_templates_folder}}/ansible/ansible.yaml \
--extra-vars "@{{platform_definition_folder}}/ignite.yaml"
```
@ -110,7 +105,7 @@ rover ignite \
When you have successfully deployed the launchpad you can move to the next step.
{% if resources.platform_identity.azuread_identity_mode == 'service_principal' %}
{% if bootstrap.azure_landing_zones.identity.azuread_identity_mode == 'service_principal' %}
[Deploy the credentials landing zone](../credentials/readme.md)
{% else %}
[Deploy the management services](../../level1/management/readme.md)
@ -126,13 +121,13 @@ Destroying the launchpad is a specific opertion that requires the tfstate to be
rover \
-lz {{ landingzones_folder }}/caf_launchpad \
-var-folder {{ destination_path }} \
-tfstate_subscription_id {{ resources.caf_terraform.launchpad.subscription_id }} \
-target_subscription {{ resources.caf_terraform.launchpad.subscription_id }} \
-tfstate {{ resources.tfstates.platform.launchpad.tfstate }} \
-tfstate_subscription_id {{ bootstrap.caf_launchpad.subscription_id }} \
-target_subscription {{ bootstrap.caf_launchpad.subscription_id }} \
-tfstate {{ tfstate_object.tfstate }} \
-launchpad \
-env {{ resources.caf_terraform.launchpad.caf_environment }} \
-env {{ bootstrap.caf_environment }} \
-level {{ level }} \
-p ${TF_DATA_DIR}/{{ resources.tfstates.platform.launchpad.tfstate }}.tfplan \
-p ${TF_DATA_DIR}/{{ tfstate_object.tfstate }}.tfplan \
-a destroy
```


@ -1,28 +1,27 @@
- name: "{{level }}-{{ deployment}} - Set landingzone file_path"
- name: "{{level }}-{{ tfstate}} - Set landingzone file_path"
set_fact:
# destination_path: "{{destination_base_path}}/{{ resources['eslz_' + deployment].relative_destination_folder }}"
mg: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
mg_custom: "{{ lookup('file', '{{ config_folder }}/eslz/{{deployment}}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
mg: "{{ lookup('file', '{{ platform_definition_folder }}/alz/{{tfstate}}/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"
mg_custom: "{{ lookup('file', '{{ platform_definition_folder }}/alz/{{tfstate}}/custom_landing_zones.caf.platform.yaml') | from_yaml }}"
level: "{{tfstate_object.level}}"
definition_source_folder: "{{config_folder}}/eslz/{{ deployment}}"
template_source_folder: "{{base_templates_folder}}/{{tfstate_object.template_lib_folder}}"
definition_source_folder: "{{platform_definition_folder}}/alz/{{ tfstate}}"
template_source_folder: "{{public_templates_folder}}/{{tfstate_object.template_lib_folder}}"
verbosity: 2
- debug:
msg: "{{destination_path}}"
- name: "{{ level }}-{{ deployment }} | Clean-up base directory"
- name: "{{ level }}-{{ tfstate }} | Clean-up base directory"
shell: |
rm -rf "{{ destination_path }}"
when:
- resources.platform_core_setup.enterprise_scale[deployment].clean_up_destination_folder
- bootstrap.management_groups[region][tfstate].clean_up_destination_folder
- name: "{{ level }}-{{ deployment }} | Creates directory structure"
- name: "{{ level }}-{{ tfstate }} | Creates directory structure"
shell: mkdir -p "{{ destination_path }}/{{ item.path }}"
with_filetree: "{{ definition_source_folder }}"
when: item.state == 'directory'
- name: "{{ level }}-{{ deployment }} | Tfvars"
- name: "{{ level }}-{{ tfstate }} | Tfvars"
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
@ -31,45 +30,45 @@
- "{{ template_source_folder }}/*.j2"
- "{{ template_source_folder }}/*.md"
- name: "{{ level }}-{{ deployment }} | Lib - archetypes - built-in"
- name: "{{ level }}-{{ tfstate }} | Lib - archetypes - built-in"
ansible.builtin.template:
src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/archetype_definitions/archetype_definition_template.json.j2"
src: "{{ template_source_folder }}/lib/{{tfstate_object.alz_version}}/archetype_definitions/archetype_definition_template.json.j2"
dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg.archetype_definitions[item].archetype_id }}.json"
force: yes
loop: "{{ mg.archetype_definitions.keys() }}"
loop_control:
loop_var: item
- name: "{{ level }}-{{ deployment }} | Lib - archetypes - custom"
- name: "{{ level }}-{{ tfstate }} | Lib - archetypes - custom"
when:
- mg_custom.archetype_definitions is defined
ansible.builtin.template:
src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/archetype_definitions/custom_landing_zone_template.json.j2"
src: "{{ template_source_folder }}/lib/{{tfstate_object.alz_version}}/archetype_definitions/custom_landing_zone_template.json.j2"
dest: "{{ destination_path }}/lib/archetype_definitions/archetype_definition_{{ mg_custom.archetype_definitions[item].archetype_id }}.json"
force: yes
loop: "{{ mg_custom.archetype_definitions.keys() }}"
loop_control:
loop_var: item
- name: "{{ level }}-{{ deployment }} | archetypes"
- name: "{{ level }}-{{ tfstate }} | archetypes"
ansible.builtin.template:
src: "{{ template_source_folder }}/lib/{{tfstate_object.eslz_version}}/{{item}}"
src: "{{ template_source_folder }}/lib/{{tfstate_object.alz_version}}/{{item}}"
dest: "{{ destination_path }}/{{ item | basename | regex_replace('.j2$', '') }}"
force: yes
loop:
- archetype_config_overrides.tfvars.j2
- custom_landing_zones.tfvars.j2
- name: "{{ level }}-{{ deployment }} | Lib"
- name: "{{ level }}-{{ tfstate }} | Lib"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ destination_path }}/{{ item.path }}"
force: yes
with_filetree: "{{ definition_source_folder }}"
when:
- item.state == 'file' and resources.platform_core_setup.enterprise_scale[deployment].update_lib_folder
- item.state == 'file' and bootstrap.management_groups[region][tfstate].update_lib_folder
- name: "{{ level }}-{{ deployment }} | overrides"
- name: "{{ level }}-{{ tfstate }} | overrides"
when:
- mg_custom.archetype_definitions is defined
ansible.builtin.template:
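Review bot: The new `mg` and `mg_custom` facts nest `{{ platform_definition_folder }}` and `{{tfstate}}` inside an expression that is already being templated; Ansible warns about nested moustaches, and the idiomatic form concatenates inside the expression: `mg: "{{ lookup('file', platform_definition_folder ~ '/alz/' ~ tfstate ~ '/archetype_config_overrides.caf.platform.yaml') | from_yaml }}"` (and the same for `mg_custom`). The `Clean-up base directory` task's `shell: rm -rf "{{ destination_path }}"` is unchanged here but is now gated by the new `bootstrap.management_groups[region][tfstate].clean_up_destination_folder` condition; `ansible.builtin.file` with `state: absent` would remove the path without going through a shell. The last task in the hunk (`overrides`) continues past the hunk.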

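--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,11 @@
+# relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_alz
+library_path = "{{ destination_base_path }}/{{tfstate_object.level}}/{{stage}}/{{tfstate}}/lib"
+{% if bootstrap.management_groups[region][tfstate].root_parent_id is defined %}
+root_parent_id = "{{ bootstrap.management_groups[region][tfstate].root_parent_id }}"
+{% endif %}
+root_id = "{{ bootstrap.management_groups[region][tfstate].management_group_prefix }}"
+root_name = "{{ bootstrap.management_groups[region][tfstate].management_group_name }}"
+deploy_core_landing_zones = {{ bootstrap.management_groups[region][tfstate].deploy_core_landing_zones | string | lower }}
+{% if (bootstrap.enable_azure_subscription_vending_machine | default(false)) and bootstrap.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
+reconcile_vending_subscriptions = true
+{% endif %}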
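Review bot: The header comment `# relative path to {{ landingzones_folder }}/caf_solution/add-ons/caf_alz` sits directly above `library_path`, which is rendered from `destination_base_path`, so a reader may take the comment as describing that value. A comment such as `# Generated for the caf_alz add-on ({{ landingzones_folder }}/caf_solution/add-ons/caf_alz); library_path points at the lib folder rendered next to this file` would separate the two. `{{stage}}` does not appear in the other templates of this commit, so it is presumably set by the playbook; worth confirming it is defined wherever this template is rendered, since an undefined variable here fails the whole render.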


@ -6,16 +6,16 @@ archetype_config_overrides = {
"Deny-Resource-Locations" = {
"listOfAllowedLocations" = {
value = [
"{{ resources.caf_terraform.launchpad.regions.region1.name }}",
"{{ resources.caf_terraform.launchpad.regions.region2.name }}"
"{{ resources.caf_regions.region1.name }}",
"{{ resources.caf_regions.region2.name }}"
]
}
}
"Deny-RSG-Locations" = {
"listOfAllowedLocations" = {
value = [
"{{ resources.caf_terraform.launchpad.regions.region1.name }}",
"{{ resources.caf_terraform.launchpad.regions.region2.name }}"
"{{ resources.caf_regions.region1.name }}",
"{{ resources.caf_regions.region2.name }}"
]
}
}
@ -28,7 +28,7 @@ archetype_config_overrides = {
attribute_key = "id"
}
"profileName" = {
value = "eslz-diagnostic-log"
value = "alz-diagnostic-log"
}
}
"Deploy-VM-Monitoring" = {
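Review bot: `listOfAllowedLocations` for `Deny-Resource-Locations` and `Deny-RSG-Locations` is still hard-coded to `resources.caf_regions.region1.name` and `region2.name`, although the commit adds multi-region support and the sibling archetype template iterates `resources.caf_regions.keys()`. With a single region the render fails on the missing `region2`; with three or more, the policy denies deployments in every extra region. Replace each pair with `{% for key in resources.caf_regions.keys() %}` / `"{{ resources.caf_regions[key].name }}",` / `{% endfor %}`, as the sibling template already does. The enclosing `archetype_config_overrides` block starts and ends outside the hunk.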


@ -1,7 +1,7 @@
custom_landing_zones = {
{{ resources.eslz.root_id }}-corp = {
{{ resources.alz.root_id }}-corp = {
display_name = "Corp"
parent_management_group_id = "{{ resources.eslz.root_id }}-landing-zones"
parent_management_group_id = "{{ resources.alz.root_id }}-landing-zones"
archetype_config = {
archetype_id = "landingzone_corp"
parameters = {}
@ -10,9 +10,9 @@ custom_landing_zones = {
subscriptions = {}
subscription_ids = []
}
{{ resources.eslz.root_id }}-online = {
{{ resources.alz.root_id }}-online = {
display_name = "Online"
parent_management_group_id = "{{ resources.eslz.root_id }}-landing-zones"
parent_management_group_id = "{{ resources.alz.root_id }}-landing-zones"
archetype_config = {
archetype_id = "landingzone_online"
parameters = {}


@ -6,8 +6,8 @@ archetype_config_overrides = {
"Allowed-Locations" = {
"listOfAllowedLocations" = {
values = [
{% for key in resources.caf_terraform.launchpad.regions.keys() %}
"{{ resources.caf_terraform.launchpad.regions[key].name }}",
{% for key in resources.caf_regions.keys() %}
"{{ resources.caf_regions[key].name }}",
{% endfor %}
]
}
@ -15,8 +15,8 @@ archetype_config_overrides = {
"Deny-RSG-Locations" = {
"listOfAllowedLocations" = {
values = [
{% for key in resources.caf_terraform.launchpad.regions.keys() %}
"{{ resources.caf_terraform.launchpad.regions[key].name }}",
{% for key in resources.caf_regions.keys() %}
"{{ resources.caf_regions[key].name }}",
{% endfor %}
]
}
@ -26,11 +26,11 @@ archetype_config_overrides = {
lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
attribute_key = "id"
}
"profileName" = {
value = "eslz-diagnostic-log"
value = "alz-diagnostic-log"
}
}
"Deploy-AzActivity-Log" = {
@ -38,7 +38,7 @@ archetype_config_overrides = {
lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
attribute_key = "id"
}
}
@ -48,7 +48,7 @@ archetype_config_overrides = {
lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
attribute_key = "id"
}
}
@ -59,7 +59,7 @@ archetype_config_overrides = {
lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
attribute_key = "id"
}
}
@ -70,7 +70,7 @@ archetype_config_overrides = {
lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
attribute_key = "id"
}
}
@ -79,7 +79,7 @@ archetype_config_overrides = {
lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
attribute_key = "id"
}
}
@ -92,7 +92,7 @@ archetype_config_overrides = {
lz_key = "{{ resources.tfstates.platform.management.lz_key_name }}"
output_key = "diagnostics"
resource_type = "log_analytics"
resource_key = "central_logs_{{resources.caf_terraform.launchpad.regions[resources.caf_terraform.launchpad.default_region_key].slug}}"
resource_key = "central_logs_{{resources.caf_regions[resources.default_region_key].slug}}"
attribute_key = "id"
}
{% for parameter_key in mg.archetype_definitions.root.policy_assignments["Deploy-ASC-Defender"].keys() %}
@ -109,7 +109,7 @@ archetype_config_overrides = {
archetype_id = "landingzone"
parameters = {}
access_control = {
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
"Owner" = {
"azuread_groups" = {
lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
@ -133,7 +133,7 @@ archetype_config_overrides = {
archetype_id = "platform_connectivity"
parameters = {}
access_control = {
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
"Owner" = {
"azuread_groups" = {
lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
@ -143,8 +143,8 @@ archetype_config_overrides = {
]
}
}
{% if resources.platform_core_setup.enterprise_scale.enable_azure_subscription_vending_machine %}
"[{{ resources.platform_core_setup.enterprise_scale.management_group_prefix | upper }}-CONNECTIVITY] CAF-network-vhub-peering" = {
{% if resources.azure_landing_zones.enterprise_scale.enable_azure_subscription_vending_machine %}
"[{{ resources.azure_landing_zones.enterprise_scale.management_group_prefix | upper }}-CONNECTIVITY] CAF-network-vhub-peering" = {
"azuread_groups" = {
lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
attribute_key = "id"
@ -162,7 +162,7 @@ archetype_config_overrides = {
archetype_id = "platform_identity"
parameters = {}
access_control = {
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
"Owner" = {
"azuread_groups" = {
lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
@ -180,7 +180,7 @@ archetype_config_overrides = {
archetype_id = "platform_management"
parameters = {}
access_control = {
{% if resources.platform_identity.azuread_identity_mode != 'logged_in_user' %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != 'logged_in_user' %}
"Owner" = {
"azuread_groups" = {
lz_key = "{{ resources.tfstates.platform.launchpad.lz_key_name }}"
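Review bot: The expression `central_logs_{{resources.caf_regions[resources.default_region_key].slug}}` is repeated in seven `resource_key` lines across this file; hoisting it once near the top with `{% set central_logs_key = "central_logs_" ~ resources.caf_regions[resources.default_region_key].slug %}` and writing `resource_key = "{{ central_logs_key }}"` keeps a future change to the key shape in one place. The vending-machine guard `resources.azure_landing_zones.enterprise_scale.enable_azure_subscription_vending_machine` has no `default(false)`, unlike the new caf_alz template in this commit which uses `bootstrap.enable_azure_subscription_vending_machine | default(false)`; if the key is optional in the definition, this render fails on an undefined attribute. The enclosing `archetype_config_overrides` block starts and ends outside the hunks shown.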


@ -1,8 +1,8 @@
custom_landing_zones = {
{% for key, level in mg_custom.archetype_definitions.items() %}
{{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ key }} = {
{{ resources.azure_landing_zones.enterprise_scale.management_group_prefix }}-{{ key }} = {
display_name = "{{ mg_custom.archetype_definitions[key].display_name }}"
parent_management_group_id = "{{ resources.platform_core_setup.enterprise_scale.management_group_prefix }}-{{ mg_custom.archetype_definitions[key].parent_management_group_id }}"
parent_management_group_id = "{{ resources.azure_landing_zones.enterprise_scale.management_group_prefix }}-{{ mg_custom.archetype_definitions[key].parent_management_group_id }}"
archetype_config = {
archetype_id = "{{mg_custom.archetype_definitions[key].archetype_id }}"
{% if mg_custom.archetype_definitions[key].policy_assignments is defined %}


@ -71,7 +71,7 @@ archetype_definitions:
attribute_key: id
Deploy-LX-Arc-Monitoring:
Deploy-Resource-Diag:
profileName: eslz-diagnostic-log
profileName: alz-diagnostic-log
logAnalytics:
lz_key: management
output_key: diagnostics


@ -35,7 +35,7 @@ archetype_config_overrides = {
{% endif %}
{% if level.archetype_resources.access_control is mapping %}
access_control = {
{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %}
{% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %}
"{{level_ac_key}}" = {
{% for level_role_key, level_role in level_ac.items() %}
@ -49,7 +49,7 @@ archetype_config_overrides = {
{% endfor %}
{% else %}
"Owner" = {
"principal_ids" = ["{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
"principal_ids" = ["{{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
}
{% endif %}
}
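Review bot: The `{% else %}` branch grants `"Owner"` directly to `resources.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id` whenever the identity mode is `logged_in_user`, and the same branch is repeated in the `custom_landing_zones` template that follows. The readme template in this commit guards `billing_subscription_role_delegations` with `is defined`, so if the same optionality applies to this variable tree the render fails with an undefined attribute here; an explicit guard such as `{% if resources.billing_subscription_role_delegations is defined %}` around the Owner block, or a clear failure message, makes the requirement visible. Because this is a management-group Owner assignment, a comment above the branch stating that it is a bootstrap-only single-principal grant, meant to be superseded by the group-based assignments in the other branch, would help reviewers of the rendered tfvars.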


@ -1,8 +1,8 @@
custom_landing_zones = {
{% for key, level in mg_custom.archetype_definitions.items() %}
{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}-{{ key }} = {
{{ bootstrap.management_groups[region][tfstate].management_group_prefix }}-{{ key }} = {
display_name = "{{ level.display_name }}"
parent_management_group_id = "{{ resources.platform_core_setup.enterprise_scale[deployment].management_group_prefix }}-{{ level.parent_management_group_id }}"
parent_management_group_id = "{{ bootstrap.management_groups[region][tfstate].management_group_prefix }}-{{ level.parent_management_group_id }}"
archetype_config = {
archetype_id = "{{ level.archetype_id }}"
{% if level.policy_assignments is defined %}
@ -38,7 +38,7 @@ custom_landing_zones = {
{% endif %}
{% if level.archetype_resources.access_control is defined %}
access_control = {
{% if resources.platform_identity.azuread_identity_mode != "logged_in_user" %}
{% if resources.azure_landing_zones.identity.azuread_identity_mode != "logged_in_user" %}
{% for level_ac_key, level_ac in level.archetype_resources.access_control.items() %}
"{{level_ac_key}}" = {
{% for level_role_key, level_role in level_ac.items() %}
@ -52,7 +52,7 @@ custom_landing_zones = {
{% endfor %}
{% else %}
"Owner" = {
"principal_ids" = ["{{ resources.caf_terraform.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
"principal_ids" = ["{{ resources.billing_subscription_role_delegations.azuread_user_ea_account_owner_object_id }}"]
}
{% endif %}
}
