From 30ed0aaea0b02ad825508f2f1694409e5b0ff1a5 Mon Sep 17 00:00:00 2001 
From: Jared Holgate Date: Wed, 16 Oct 2024 12:05:19 +0100 Subject: [PATCH] Updates for SLZ --- templates/.config/ALZ-Powershell.config.json | 12 +- .../microsoft_cloud_for_sovereignty/README.md | 233 ------------------ .../.gitignore | 0 .../sovereign_landing_zone/README.md | 184 ++++++++++++++ .../data.tf | 0 .../locals.tf | 27 +- .../main.bootstrap.tf | 4 +- .../main.compliance.tf | 4 +- .../main.dashboard.tf | 4 +- .../main.platform.tf | 24 +- .../main.policyExemption.tf | 2 +- .../main.policyRemediation.tf | 2 +- .../outputs.tf | 2 +- .../policySetParameterSampleFile.json | 0 .../templates/default_dashboard.tpl | 0 .../terraform.tf | 3 +- .../variables.tf | 6 +- templates/test/outputs.tf | 4 + templates/test/variables.tf | 6 + 19 files changed, 240 insertions(+), 277 deletions(-) delete mode 100644 templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/README.md rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/.gitignore (100%) create mode 100644 templates/microsoft_cloud_for_industry/sovereign_landing_zone/README.md rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/data.tf (100%) rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/locals.tf (95%) rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/main.bootstrap.tf (99%) rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/main.compliance.tf (95%) rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/main.dashboard.tf (91%) rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/main.platform.tf (94%) rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => 
sovereign_landing_zone}/main.policyExemption.tf (99%)
rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/main.policyRemediation.tf (99%)
rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/outputs.tf (99%)
rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/policy_parameters/policySetParameterSampleFile.json (100%)
rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/templates/default_dashboard.tpl (100%)
rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/terraform.tf (98%)
rename templates/microsoft_cloud_for_industry/{microsoft_cloud_for_sovereignty => sovereign_landing_zone}/variables.tf (99%)
diff --git a/templates/.config/ALZ-Powershell.config.json b/templates/.config/ALZ-Powershell.config.json
index e7f5fdd6..d4af8418 100644
--- a/templates/.config/ALZ-Powershell.config.json
+++ b/templates/.config/ALZ-Powershell.config.json
@@ -5,6 +5,11 @@
 "short_name": "Complete Multi-Region",
 "description": "Complete Azure Landing Zones Configurable Deployment with Multi-Region Support"
 },
+ "sovereign_landing_zone": {
+ "location": "microsoft_cloud_for_industry/sovereign_landing_zone",
+ "short_name": "Sovereign Landing Zone",
+ "description": "Complete Sovereign Landing Zones Configurable Deployment (Warning: This is a work in progress)"
+ },
 "complete": {
 "location": "complete",
 "short_name": "Complete",
@@ -20,16 +25,11 @@
 "short_name": "Hub Networking",
 "description": "Hub Networking Azure Landing Zones Deployment with Management Groups, Policy and Hub Networking"
 },
- "complete_vnet": {
+ "complete_vnext": {
 "location": "complete_vnext",
 "short_name": "Complete vNext",
 "description": "vNext Complete Azure Landing Zones Configurable Deployment (Warning: This is a work in progress)"
 },
- "microsoft_cloud_for_sovereignty": {
- "location": "microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty",
- "short_name": "Microsoft Cloud for Sovereignty",
- "description": "Complete Sovereign Landing Zones Configurable Deployment (Warning: This is a work in progress)"
- },
 "test": {
 "location": "test",
 "short_name": "Test",
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/README.md b/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/README.md
deleted file mode 100644
index 09fe1cfb..00000000
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/README.md
+++ /dev/null
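Review bot: Dropping the `microsoft_cloud_for_sovereignty` entry without leaving an alias means any existing `inputs.yaml` that selects `starter: "microsoft_cloud_for_sovereignty"` no longer resolves, and the README this same commit creates still tells readers to "review the microsoft_cloud_for_sovereignty starter module during Phase 2". Either keep the old key pointing at `"location": "microsoft_cloud_for_industry/sovereign_landing_zone"` with a deprecation remark in its `description`, or fix the README so the documented name matches the only key that now resolves. The `complete_vnet` to `complete_vnext` key change in the same hunk has the same effect for anyone who selected the misspelled key; that is presumably intended as a typo fix, but a line in the commit message would save the next reader from guessing.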
@@ -1,233 +0,0 @@ -# Azure Landing Zones Accelerator Starter Module for Terraform - Sovereign Landing Zone - -This module is part of the Azure Landing Zones Accelerator solution. It is Sovereign Landing Zone implementation of the Azure Landing Zones Platform Landing Zone for Terraform. - -It deploys the Sovereign Landing Zone (SLZ) with an equivalent compliance posture as to our [Bicep implementation](https://aka.ms/slz/bicep). - -The module deploys the following resources: - -- Management group hierarchy -- Management group scope for confidential computing resources -- Azure Policy definitions and assignments -- Sovereign Baseline Policy Initiatives -- Role definitions -- Management resources, including Log Analytics workspace and Automation account -- Hub virtual network including Azure Bastion and Azure Firewall -- DDOS protection plan -- Private DNS zones - -## Usage - -The module is intended to be used with the [Azure Landing Zones Accelerator](https://aka.ms/alz/accelerator/docs). Head over there to get started and review the microsoft_cloud_for_sovereignty starter module during Phase 2. A copy of the `inputs.yaml` file to use can be found [here](https://aka.ms/slz/terraform/inputs). - -## Inputs.yaml Parameters - -The inputs listed as `Required` are those that must be reviewed and potetially customized, if they are allowed during the public preview. All other values are suitable defaults, but may be changed as needed. - -| Input | Required | Type | Default Value | Description | -| - | -- | --- | ---- | ----- | -| `iac` | Required | String | `"terraform"` | For public preview, only `"terraform"` is supported. | -| `bootstrap` | Required | String | `"alz_local"` | For public preview, only `"alz_local"` is supported. | -| `starter` | Required | String | `"microsoft_cloud_for_sovereignty"` | This value denotes to use the Sovereign Landing Zone. | -| `bootstrap_location` | Required | Location | | For public preview, use the same value as the `default_location`. 
As of the current release, it is required but not used. | -| `starter_locations` | Required | Locations | | For public preview, use the same value as the `default_location`. As of the current release, it is required but not used. | -| `root_parent_management_group_id` | | MG ID | | The Management Group ID to deploy the SLZ under. By default, it will be deployed at the tenant root group level. | -| `subscription_id_management` | | Sub ID | | This is the UUID value for a previously created management subscription. If left blank, a new subscription will be created. | -| `subscription_id_identity` | | Sub ID | | This is the UUID value for a previously created identity subscription. If left blank, a new subscription will be created. | -| `subscription_id_connectivity` | | Sub ID | | This is the UUID value for a previously created connectivity subscription. If left blank, a new subscription will be created. | -| `target_directory` | | File Path | `""` | Local file path for the resulting Terraform to be deployed to. By default it is created under the current working directory in a directory named `local-output`. | -| `create_bootstrap_resources_in_azure` | Required | Boolean | `false` | For public preview, only `false` is supported. | -| `bootstrap_subscription_id` | | Sub ID | | For public preview, bootstrap is not is supported. | -| `service_name` | | String | slz | For public preview, bootstrap naming is not is supported. | -| `environment_name` | | String | mgmt | For public preview, bootstrap naming is not is supported. | -| `postfix_number` | | Numeric | 1 | For public preview, bootstrap naming is not is supported. | -| `apply_alz_archetypes_via_architecture_definition_template` | | Boolean | `true` | Set to `true` to deploy the default ALZ policy suite. | -| `allowed_locations` | Required | List | | This is a list of Azure regions all workloads running outside of the Confidential Management Group scopes are allowed to be deployed into. 
| -| `allowed_locations_for_confidential_computing` | Required | List | | This is a list of Azure regions all workloads running inside of the Confidential Management Group scopes are allowed to be deployed into. | -| `az_firewall_policies_enabled` | | Boolean | `true` | Set to `true` to deploy a default Azure Firewall Policy resource if `enable_firewall` is also `true`. | -| `bastion_outbound_ssh_rdp_ports` | | List | `["22", "3389"]` | List of outbound remote access ports to enable on the Azure Bastion NSG if `deploy_bastion` is also `true`. | -| `custom_subnets` | | Map | See `inputs.yaml` for default object. | Map of subnets and their configurations to create within the hub network. | -| `customer` | | String | `"Country/Region"` | Customer name to use when branding the compliance dashboard. | -| `customer_policy_sets` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy initiatives to apply alongside the SLZ. | -| `default_location` | Required | Location | | This is the Azure region to deploy all SLZ resources into. | -| `default_postfix` | | String | | Postfix value to append to all resources. | -| `default_prefix` | Required | String | `mcfs` | Prefix value to append to all resources. | -| `deploy_bastion` | | Boolean | `true` | Set to `true` to deploy Azure Bastion within the hub network. | -| `deploy_ddos_protection` | | Boolean | `true` | Set to `true` to deploy Azure DDoS Protection within the hub network. | -| `deploy_hub_network` | | Boolean | `true` | Set to `true` to deploy the hub network. | -| `deploy_log_analytics_workspace` | | Boolean | `true` | Set to `true` to deploy Azure Log Analytics Workspace. | -| `enable_firewall` | | Boolean | `true` | Set to `true` to deploy Azure Firewall within the hub network. | -| `enable_telemetry` | | Boolean | `true` | Set to `false` to opt out of telemetry tracking. We use telemetry data to understand usage rates to help prioritize future development efforts. 
| -| `express_route_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an ExpressRoute Gateway. See the Network Connectivity section below for details. | -| `hub_network_address_prefix` | | CIDR | "10.20.0.0/16" | This is the CIDR to use for the hub network. | -| `landing_zone_management_group_children` | | Map | | See the Customize Application Landing Zones section below for details. | -| `log_analytics_workspace_retention_in_days` | | Numeric | 365 | Number of days to retain logs in the Log Analytics Workspace. | -| `ms_defender_for_cloud_email_security_contact` | | Email | `security_contact@replaceme.com` | Email address to use for Microsoft Defender for Cloud. | -| `policy_assignment_enforcement_mode` | | String | `Default` | The enforcement mode to use for the Sovereign Baseline Policy initiatives. | -| `policy_effect` | | String | `Deny` | The effect to use for the Sovereign Baseline Policy initiatives, when policies support multiple effects. | -| `policy_exemptions` | | Map | See the Custom Compliance section below for details. | Map of customer specified policy exemptions to use alongside the SLZ. | -| `subscription_billing_scope` | | String | | Only required if you have not provided existing subscription IDs for management, connectivity, and identity. | -| `tags` | | Map | See the Custom Tagging section below for details. | Set of tags to apply to all resources deployed. | -| `use_premium_firewall` | | Boolean | `true` | Set to `true` to deploy Premium SKU of the Azure Firewall if `enable_firewall` is also `true`. | -| `vpn_gateway_config` | | Map | `{name: "noconfigEr"}` | Leave as default to not deploy an VPN Gateway. See the Network Connectivity section below for details. | -| `bootstrap_module_version` | | String | `v4.0.5` | For public preview, only `"v4.0.5"` is supported. | -| `starter_module_version` | | String | `latest` | For public preview, only `"latest"` is supported. 
| - -## Custom Compliance - -### Custom Policy Sets - -An example of the format for the `customer_policy_sets` map is as follows: - -```yaml -customer_policy_sets: { - assignment1: { - policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f", - policySetAssignmentName: "FedRAMPHigh", - policySetAssignmentDisplayName: "FedRAMP High", - policySetAssignmentDescription: "FedRAMP High", - policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/", - policyParameterFilePath: "./policy_parameters/policySetParameterSampleFile.json" - } -} -``` - -### Policy Exemptions - -An example of the format for the `policy_exemptions` map is as follows: - -```yaml -policy_exemptions: { - policy_exemption1: { - name: "globalexemption", - display_name: "global", - description: "test", - management_group_id: "/providers/Microsoft.management/managementGroups/", - policy_assignment_id: "/providers/microsoft.management/managementGroups//providers/microsoft.Authorization/policyassignments/enforce-sovereign-global", - policy_definition_reference_ids: ["AllowedLocations"] - } -} -``` - -## Customize Application Landing Zones - -### Landing Zone Management Group Children - -An example of the format for the `landing_zone_management_group_children` map is as follows: - -```yaml -landing_zone_management_group_children: { - child1: { - id: "child1", - display_name: "Landing zone child one" - } -} -``` - -## Custom Tagging - -### Tags - -An example of the format for the `tags` map is as follows: - -```yaml -tags: { - Environment: "Production", - ServiceName: "SLZ" -} -``` - -## Network Connectivity - -### ExpressRoute Gateway Config - -An example of the format for the `express_route_gateway_config` map is as follows: - -```yaml -express_route_gateway_config: { - name: "express_route", - gatewayType: "ExpressRoute", - sku: "ErGw1AZ", - vpnType: "RouteBased", - vpnGatewayGeneration: null, - enableBgp: false, 
- activeActive: false, - enableBgpRouteTranslationForNat: false, - enableDnsForwarding: false, - asn: 65515, - bgpPeeringAddress: "", - peerWeight: 5 -} -``` - -### VPN Gateway Config - -An example of the format for the `vpn_gateway_config` map is as follows: - -```yaml -vpn_gateway_config: { - name: "vpn_gateway", - gatewayType: "Vpn", - sku: "VpnGw1", - vpnType: "RouteBased", - vpnGatewayGeneration: "Generation1", - enableBgp: false, - activeActive: false, - enableBgpRouteTranslationForNat: false, - enableDnsForwarding: false, - bgpPeeringAddress: "", - asn: 65515, - peerWeight: 5, - vpnClientConfiguration: { - vpnAddressSpace: ["10.2.0.0/24"] - } -} -``` - -## Known Issues - -The following are known issues with the Public Preview release for the SLZ. - -### Multiple Resources Destroyed and Recreated During Second Execution - -Occasionally, terraform will attempt to recreate many resources under a subscription despite no resource configurations being changed. A temporary work around can be done by updating `locals.tf` with the following: - -```terraform -locals { - subscription_id_management = "management_subscription_id" - subscription_id_connectivity = "connectivity_subscription_id" - subscription_id_identity = "identity_subscription_id" -} -``` - -### Multiple Inputs for Location - -The inputs for `bootstrap_location` and `starter_locations` and `default_location` must be identical. In a future release, we will have defaults and overrides for these values. - -### Terraform Plan or Apply Fails After Updating tfvars - -Any updates should be made to the `inputs.yaml` file and the tfvars will be updated upon executing the `Deploy-Accelerator` PowerShell command. - -### Invalid Hub Network Address Prefix or Subnet Address Prefix - -There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. These issues will be uncovered during apply. 
- -### Unable to Build Authorizer for Resource Manager API - -It is necessary to rerun `az login` after creating subscriptions for terraform to pick up that they exist. - -### Unable to Update Address Prefixes - -Updating the address prefix on either the hub network or subnets is not supported at this time. - -### Unable to Change Top Level or Sub Level Management Group Names - -Modifying the Top Level or Sub Level Management Group name is not supported at this time. - -### Tags are Not Applied to All Resources - -Certain resources are not receiving the default tags. This will be addressed in a future release. - -### Default Compliance Score is not 100% - -Certain resources will show as being out of compliance by default. This will be addressed in a future release. diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/.gitignore b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/.gitignore similarity index 100% rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/.gitignore rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/.gitignore diff --git a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/README.md b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/README.md new file mode 100644 index 00000000..487b7d90 --- /dev/null +++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/README.md 
@@ -0,0 +1,184 @@ +# Azure Landing Zones Accelerator Starter Module for Terraform - Sovereign Landing Zone + +This module is part of the Azure Landing Zones Accelerator solution. It is Sovereign Landing Zone implementation of the Azure Landing Zones Platform Landing Zone for Terraform. + +It deploys the Sovereign Landing Zone (SLZ) with an equivalent compliance posture as to our [Bicep implementation](https://aka.ms/slz/bicep). + +The module deploys the following resources: + +- Management group hierarchy +- Management group scope for confidential computing resources +- Azure Policy definitions and assignments +- Sovereign Baseline Policy Initiatives +- Role definitions +- Management resources, including Log Analytics workspace and Automation account +- Hub virtual network including Azure Bastion and Azure Firewall +- DDOS protection plan +- Private DNS zones + +## Usage + +The module is intended to be used with the [Azure Landing Zones Accelerator](https://aka.ms/alz/accelerator/docs). Head over there to get started and review the microsoft_cloud_for_sovereignty starter module during Phase 2. A copy of the `inputs.yaml` file to use can be found [here](https://aka.ms/slz/terraform/inputs). + +## Inputs Parameters + +The description of inputs for this module are found in ALZ Accelerator documentation [here](https://aka.ms/slz/terraform/inputs). 
+ +## Custom Compliance + +### Custom Policy Sets + +An example of the format for the `customer_policy_sets` map is as follows: + +```yaml +customer_policy_sets: { + assignment1: { + policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f", + policySetAssignmentName: "FedRAMPHigh", + policySetAssignmentDisplayName: "FedRAMP High", + policySetAssignmentDescription: "FedRAMP High", + policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/", + policyParameterFilePath: "./policy_parameters/policySetParameterSampleFile.json" + } +} +``` + +### Policy Exemptions + +An example of the format for the `policy_exemptions` map is as follows: + +```yaml +policy_exemptions: { + policy_exemption1: { + name: "globalexemption", + display_name: "global", + description: "test", + management_group_id: "/providers/Microsoft.management/managementGroups/", + policy_assignment_id: "/providers/microsoft.management/managementGroups//providers/microsoft.Authorization/policyassignments/enforce-sovereign-global", + policy_definition_reference_ids: ["AllowedLocations"] + } +} +``` + +## Customize Application Landing Zones + +### Landing Zone Management Group Children + +An example of the format for the `landing_zone_management_group_children` map is as follows: + +```yaml +landing_zone_management_group_children: { + child1: { + id: "child1", + display_name: "Landing zone child one" + } +} +``` + +## Custom Tagging + +### Tags + +An example of the format for the `tags` map is as follows: + +```yaml +tags: { + Environment: "Production", + ServiceName: "SLZ" +} +``` + +## Network Connectivity + +### ExpressRoute Gateway Config + +An example of the format for the `express_route_gateway_config` map is as follows: + +```yaml +express_route_gateway_config: { + name: "express_route", + gatewayType: "ExpressRoute", + sku: "ErGw1AZ", + vpnType: "RouteBased", + vpnGatewayGeneration: null, + enableBgp: false, + 
activeActive: false, + enableBgpRouteTranslationForNat: false, + enableDnsForwarding: false, + asn: 65515, + bgpPeeringAddress: "", + peerWeight: 5 +} +``` + +### VPN Gateway Config + +An example of the format for the `vpn_gateway_config` map is as follows: + +```yaml +vpn_gateway_config: { + name: "vpn_gateway", + gatewayType: "Vpn", + sku: "VpnGw1", + vpnType: "RouteBased", + vpnGatewayGeneration: "Generation1", + enableBgp: false, + activeActive: false, + enableBgpRouteTranslationForNat: false, + enableDnsForwarding: false, + bgpPeeringAddress: "", + asn: 65515, + peerWeight: 5, + vpnClientConfiguration: { + vpnAddressSpace: ["10.2.0.0/24"] + } +} +``` + +## Known Issues + +The following are known issues with the Public Preview release for the SLZ. + +### Multiple Resources Destroyed and Recreated During Second Execution + +Occasionally, terraform will attempt to recreate many resources under a subscription despite no resource configurations being changed. A temporary work around can be done by updating `locals.tf` with the following: + +```terraform +locals { + subscription_id_management = "management_subscription_id" + subscription_id_connectivity = "connectivity_subscription_id" + subscription_id_identity = "identity_subscription_id" +} +``` + +### Multiple Inputs for Location + +The inputs for `bootstrap_location` and `starter_locations` and `default_location` must be identical. In a future release, we will have defaults and overrides for these values. + +### Terraform Plan or Apply Fails After Updating tfvars + +Any updates should be made to the `inputs.yaml` file and the tfvars will be updated upon executing the `Deploy-Accelerator` PowerShell command. + +### Invalid Hub Network Address Prefix or Subnet Address Prefix + +There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. These issues will be uncovered during apply. 
+ +### Unable to Build Authorizer for Resource Manager API + +It is necessary to rerun `az login` after creating subscriptions for terraform to pick up that they exist. + +### Unable to Update Address Prefixes + +Updating the address prefix on either the hub network or subnets is not supported at this time. + +### Unable to Change Top Level or Sub Level Management Group Names + +Modifying the Top Level or Sub Level Management Group name is not supported at this time. + +### Tags are Not Applied to All Resources + +Certain resources are not receiving the default tags. This will be addressed in a future release. + +### Default Compliance Score is not 100% + +Certain resources will show as being out of compliance by default. This will be addressed in a future release. diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/data.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/data.tf similarity index 100% rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/data.tf rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/data.tf diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/locals.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf similarity index 95% rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/locals.tf rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf index b2b717a3..09d2e7bb 100644 --- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/locals.tf +++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf 
@@ -1,4 +1,5 @@
 locals {
+ default_location = var.starter_locations[0]
 subscription_id_management = var.subscription_id_management != "" ? var.subscription_id_management : module.subscription_management_creation[0].subscription_id
 subscription_id_connectivity = var.subscription_id_connectivity != "" ? var.subscription_id_connectivity : module.subscription_connectivity_creation[0].subscription_id
 subscription_id_identity = var.subscription_id_identity != "" ? var.subscription_id_identity : module.subscription_identity_creation[0].subscription_id
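Review bot: `default_location = var.starter_locations[0]` indexes the list without a guard, so an empty `starter_locations` fails at plan time with a raw index error rather than a message that names the input; `variables.tf` is touched by this commit but not shown here, so I cannot tell whether a `validation` block already covers it. If it does not, add one on the variable, e.g. `condition = length(var.starter_locations) > 0` with `error_message = "starter_locations must contain at least one Azure region."`. Because every regional resource name and `location` in the renamed files now derives from this single entry, it is also worth confirming that the first starter location is inside the `allowed_locations` set the sovereign baseline assignment enforces, otherwise the hub and management resources are placed in a region the assignment is meant to deny. A one-line comment such as `# first starter location is the region for all platform resources` would make the intent explicit. The `locals` block continues past this hunk.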
@@ -41,21 +42,21 @@ locals {
 confidential_online_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}-landingzones-confidential-online${var.default_postfix}")
 architecture_name = "slz"
- azure_bastion_public_ip_name = "${var.default_prefix}-bas-${var.default_location}${var.default_postfix}-PublicIP${var.default_postfix}"
- azure_bastion_name = "${var.default_prefix}-bas-${var.default_location}${var.default_postfix}"
- automation_account_name = "${var.default_prefix}-automation-account-${var.default_location}${var.default_postfix}"
+ azure_bastion_public_ip_name = "${var.default_prefix}-bas-${local.default_location}${var.default_postfix}-PublicIP${var.default_postfix}"
+ azure_bastion_name = "${var.default_prefix}-bas-${local.default_location}${var.default_postfix}"
+ automation_account_name = "${var.default_prefix}-automation-account-${local.default_location}${var.default_postfix}"
 ddos_plan_name = "${var.default_prefix}-ddos-plan${var.default_postfix}"
- firewall_policy_name = "${var.default_prefix}-azfwpolicy-${var.default_location}"
+ firewall_policy_name = "${var.default_prefix}-azfwpolicy-${local.default_location}"
 firewall_policy_id = var.az_firewall_policies_enabled ? "/subscriptions/${local.subscription_id_connectivity}/resourceGroups/${local.hub_rg_name}/providers/Microsoft.Network/firewallPolicies/${local.firewall_policy_name}" : null
 firewall_sku_name = "AZFW_VNet"
 gateway_public_ip_name = "${var.default_prefix}-%s-PublicIP${var.default_postfix}"
- hub_rg_name = "${var.default_prefix}-rg-hub-network-${var.default_location}${var.default_postfix}"
- hub_vnet_name = "${var.default_prefix}-hub-${var.default_location}${var.default_postfix}"
+ hub_rg_name = "${var.default_prefix}-rg-hub-network-${local.default_location}${var.default_postfix}"
+ hub_vnet_name = "${var.default_prefix}-hub-${local.default_location}${var.default_postfix}"
 hub_vnet_resource_id = "/subscriptions/${local.subscription_id_connectivity}/resourceGroups/${local.hub_rg_name}/providers/Microsoft.Network/virtualNetworks/${local.hub_vnet_name}"
- log_analytics_workspace_name = "${var.default_prefix}-log-analytics-${var.default_location}${var.default_postfix}"
- log_analytics_resource_group_name = "${var.default_prefix}-rg-logging-${var.default_location}${var.default_postfix}"
- nsg_name = "${var.default_prefix}-nsg-AzureBastionSubnet-${var.default_location}${var.default_postfix}"
- route_table_name = "${var.default_prefix}-rt-${var.default_location}${var.default_postfix}"
+ log_analytics_workspace_name = "${var.default_prefix}-log-analytics-${local.default_location}${var.default_postfix}"
+ log_analytics_resource_group_name = "${var.default_prefix}-rg-logging-${local.default_location}${var.default_postfix}"
+ nsg_name = "${var.default_prefix}-nsg-AzureBastionSubnet-${local.default_location}${var.default_postfix}"
+ route_table_name = "${var.default_prefix}-rt-${local.default_location}${var.default_postfix}"
 # Telemetry partner ID :
 partner_id_uuid = "2c12b9d4-df50-4186-bd31-ae6686b633d2" # static uuid generated for SLZ
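Review bot: The rewritten `azure_bastion_public_ip_name` line appends `${var.default_postfix}` twice, once after the location and again after `-PublicIP`, which looks unintended given that every other name in this hunk applies the postfix exactly once; with a postfix of `-01` the public IP would be named like `mcfs-bas-<region>-01-PublicIP-01` (constructed example). Since the line is being rewritten anyway this is the moment to settle it, e.g. `azure_bastion_public_ip_name = "${var.default_prefix}-bas-${local.default_location}-PublicIP${var.default_postfix}"`, bearing in mind that renaming a public IP on an existing deployment makes Terraform replace it; if the double postfix is deliberate for compatibility, a comment saying so would stop the next reader from "fixing" it. On the same basis, `firewall_policy_name` is the only renamed name in the hunk that carries no `${var.default_postfix}`, which is at least inconsistent and may be an oversight. The enclosing `locals` block starts and ends outside this hunk.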
@@ -412,8 +413,8 @@ locals {
 management_group_link = "${local.az_portal_link}/#view/Microsoft_Azure_Resources/ManagmentGroupDrilldownMenuBlade/~/overview/tenantId/${local.tenant_id}/mgId/${var.default_prefix}${var.default_postfix}/mgDisplayName/Sovereign%20Landing%20Zone/mgCanAddOrMoveSubscription~/true/mgParentAccessLevel/Owner/defaultMenuItemId/overview/drillDownMode~/true"
 management_group_info = "If you want to learn more about your management group, please click the following link.\n\n${local.management_group_link}\n\n"
- dashboard_resource_group_name = "${var.default_prefix}-rg-dashboards-${var.default_location}${var.default_postfix}"
- dashboard_name = "${var.default_prefix}-Sovereign-Landing-Zone-Dashboard-${var.default_location}${var.default_postfix}"
+ dashboard_resource_group_name = "${var.default_prefix}-rg-dashboards-${local.default_location}${var.default_postfix}"
+ dashboard_name = "${var.default_prefix}-Sovereign-Landing-Zone-Dashboard-${local.default_location}${var.default_postfix}"
 dashboard_template_file_path = "${path.root}/templates/default_dashboard.tpl"
 template_file_variables = { root_prefix = var.default_prefix, root_postfix = var.default_postfix, customer = var.customer }
 default_template_file_variables = { name = local.dashboard_name }
@@ -421,4 +422,4 @@ locals {
 domain_name = data.azuread_domains.default.domains[0].domain_name
 dashboard_link = "${local.az_portal_link}/#@${local.domain_name}/dashboard/arm/subscriptions/${var.subscription_id_management}/resourceGroups/${local.dashboard_resource_group_name}/providers/Microsoft.Portal/dashboards/${local.dashboard_name}"
 dashboard_info = "Now your compliance dashboard is ready for you to get insights. If you want to learn more, please click the following link.\n\n${local.dashboard_link}\n\n"
-}
\ No newline at end of file
+}
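Review bot: `dashboard_link` in the second hunk builds the portal URL from `var.subscription_id_management`, but the first hunk of this file resolves the management subscription as `local.subscription_id_management`, which falls back to `module.subscription_management_creation[0].subscription_id` when the variable is empty; in that case the URL contains `/subscriptions//resourceGroups/...` and the link emitted through `dashboard_info` points nowhere. The commit only swaps `var.default_location` for `local.default_location` here and leaves this context line untouched, so the fix is a one-token change: `dashboard_link = "${local.az_portal_link}/#@${local.domain_name}/dashboard/arm/subscriptions/${local.subscription_id_management}/resourceGroups/${local.dashboard_resource_group_name}/providers/Microsoft.Portal/dashboards/${local.dashboard_name}"`. The `management_group_link` in the first hunk is built entirely from locals and prefix/postfix variables and does not have this problem. The `locals` block begins outside these hunks.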
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.bootstrap.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.bootstrap.tf
similarity index 99%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.bootstrap.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.bootstrap.tf
index 41be64cd..690e22fb 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.bootstrap.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.bootstrap.tf
@@ -11,7 +11,7 @@ module "slz_management_groups" {
 version = "0.9.0-beta2"
 parent_resource_id = local.root_parent_management_group_id
 architecture_name = local.architecture_name
- location = var.default_location
+ location = local.default_location
 enable_telemetry = var.enable_telemetry
 policy_default_values = local.slz_default_policy_values
 partner_id = local.partner_id
@@ -108,4 +108,4 @@ module "subscription_connectivity_move" {
 subscription_management_group_association_enabled = true
 subscription_management_group_id = local.connectivity_management_group_id
 depends_on = [module.subscription_connectivity_creation]
-}
\ No newline at end of file
+}
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.compliance.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.compliance.tf
similarity index 95%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.compliance.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.compliance.tf
index ea209afd..36bb625e 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.compliance.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.compliance.tf
@@ -17,7 +17,7 @@ resource "azurerm_management_group_policy_assignment" "custom_policy" {
 identity { type = "SystemAssigned" }
- location = var.default_location
+ location = local.default_location
 depends_on = [module.slz_management_groups]
-}
\ No newline at end of file
+}
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.dashboard.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.dashboard.tf
similarity index 91%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.dashboard.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.dashboard.tf
index fddcda04..be2ef601 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.dashboard.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.dashboard.tf
@@ -7,7 +7,7 @@ AUTHOR/S: Cloud for Sovereignty
 module "dashboard_rg" {
 source = "Azure/avm-res-resources-resourcegroup/azurerm"
 version = "0.1.0"
- location = var.default_location
+ location = local.default_location
 name = local.dashboard_resource_group_name
 enable_telemetry = var.enable_telemetry
 providers = {
@@ -18,7 +18,7 @@ module "dashboard_rg" {
 module "avm_res_portal_dashboard" {
 source = "Azure/avm-res-portal-dashboard/azurerm"
 version = "0.1.0"
- location = var.default_location
+ location = local.default_location
 name = local.dashboard_name
 resource_group_name = module.dashboard_rg.name
 template_file_path = local.dashboard_template_file_path
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.platform.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.platform.tf
similarity index 94%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.platform.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.platform.tf
index c2894312..c26b5eba 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.platform.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.platform.tf
@@ -10,7 +10,7 @@ module "alz_management" {
 count = var.deploy_log_analytics_workspace ? 1 : 0
 automation_account_name = local.automation_account_name
- location = var.default_location
+ location = local.default_location
 log_analytics_workspace_name = local.log_analytics_workspace_name
 resource_group_name = local.log_analytics_resource_group_name
 enable_telemetry = var.enable_telemetry
@@ -28,7 +28,7 @@ module "hub_rg" {
 source = "Azure/avm-res-resources-resourcegroup/azurerm"
 version = "0.1.0"
- location = var.default_location
+ location = local.default_location
 name = local.hub_rg_name
 enable_telemetry = var.enable_telemetry
 providers = {
@@ -42,7 +42,7 @@ module "firewall_policy" {
 version = "0.2.3"
 name = local.firewall_policy_name
- location = var.default_location
+ location = local.default_location
 resource_group_name = module.hub_rg.name
 enable_telemetry = var.enable_telemetry
@@ -61,7 +61,7 @@ module "hubnetworks" {
 hub = {
 name = local.hub_vnet_name
 address_space = [var.hub_network_address_prefix]
- location = var.default_location
+ location = local.default_location
 resource_group_name = local.hub_rg_name
 resource_group_creation_enabled = false
 resource_group_lock_enabled = false
@@ -126,7 +126,7 @@ module "gateway_public_ip" {
 version = "0.1.2"
 allocation_method = local.public_ip_allocation_method
- location = var.default_location
+ location = local.default_location
 name = format(local.gateway_public_ip_name, each.value.name)
 resource_group_name = local.hub_rg_name
 sku = local.public_ip_sku
@@ -144,7 +144,7 @@ resource "azurerm_virtual_network_gateway" "vnet_gateway" {
 resource_group_name = local.hub_rg_name
 name = each.value.name
- location = var.default_location
+ location = local.default_location
 tags = var.tags
 active_active = each.value.activeActive
 enable_bgp = each.value.enableBgp
@@ -183,7 +183,7 @@ module "private_dns_zones" {
 source = "Azure/avm-ptn-network-private-link-private-dns-zones/azurerm"
 version = "0.4.0"
- location = var.default_location
+ location = local.default_location
 resource_group_name = local.hub_rg_name
 resource_group_creation_enabled = false
 virtual_network_resource_ids_to_link_to = {
@@ -206,7 +206,7 @@ module "ddos_protection_plan" {
 resource_group_name = local.hub_rg_name
 name = local.ddos_plan_name
- location = var.default_location
+ location = local.default_location
 enable_telemetry = var.enable_telemetry
 tags = var.tags
@@ -223,7 +223,7 @@ module "nsg" {
 resource_group_name = local.hub_rg_name
 name = local.nsg_name
- location = var.default_location
+ location = local.default_location
 security_rules = local.nsg_rules
 enable_telemetry = var.enable_telemetry
@@ -239,7 +239,7 @@ module "azure_bastion_public_ip" {
 version = "0.1.2"
 allocation_method = local.public_ip_allocation_method
- location = var.default_location
+ location = local.default_location
 name = local.azure_bastion_public_ip_name
 resource_group_name = local.hub_rg_name
 sku = local.public_ip_sku
@@ -258,7 +258,7 @@ module "azure_bastion" {
 name = local.azure_bastion_name
 resource_group_name = local.hub_rg_name
- location = var.default_location
+ location = local.default_location
 copy_paste_enabled = true
 file_copy_enabled = false
 sku = "Standard"
@@ -288,4 +288,4 @@ resource "azurerm_subnet_network_security_group_association" "nsg_link_bastion_s
 provider = azurerm.connectivity
 depends_on = [azurerm_subnet.custom_subnets, module.nsg]
-}
\ No newline at end of file
+}
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.policyExemption.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.policyExemption.tf
similarity index 99%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.policyExemption.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.policyExemption.tf
index 6357aea9..8bb0ded7 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.policyExemption.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.policyExemption.tf
@@ -16,4 +16,4 @@ resource "azurerm_management_group_policy_exemption" "policy_exemptions" {
 exemption_category = each.value.exemption_category
 depends_on = [module.slz_management_groups, azurerm_management_group_policy_assignment.custom_policy]
-}
\ No newline at end of file
+}
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.policyRemediation.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.policyRemediation.tf
similarity index 99%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.policyRemediation.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.policyRemediation.tf
index becd2cd4..11262331 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/main.policyRemediation.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/main.policyRemediation.tf
@@ -11,4 +11,4 @@ resource "azurerm_management_group_policy_remediation" "policy_remediation" {
 policy_assignment_id = each.value
 depends_on = [module.slz_management_groups, azurerm_management_group_policy_assignment.custom_policy, azurerm_management_group_policy_exemption.policy_exemptions]
-}
\ No newline at end of file
+}
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/outputs.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/outputs.tf
similarity index 99%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/outputs.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/outputs.tf
index 69edac86..9defff19 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/outputs.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/outputs.tf
@@ -27,4 +27,4 @@ output "management_group_info" {
 output "dashboard_info" {
 description = "The dashboard information with a link to portal dashboard."
 value = local.dashboard_info
-}
\ No newline at end of file
+}
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/policy_parameters/policySetParameterSampleFile.json b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/policy_parameters/policySetParameterSampleFile.json
similarity index 100%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/policy_parameters/policySetParameterSampleFile.json
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/policy_parameters/policySetParameterSampleFile.json
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/templates/default_dashboard.tpl b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/templates/default_dashboard.tpl
similarity index 100%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/templates/default_dashboard.tpl
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/templates/default_dashboard.tpl
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/terraform.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/terraform.tf
similarity index 98%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/terraform.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/terraform.tf
index f4459b75..e8cc6eba 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/terraform.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/terraform.tf
@@ -32,6 +32,7 @@ terraform {
 version = "~> 3.6.3"
 }
 }
+ # backend "azurerm" {}
 }
 # Include the additional policies and override archetypes
@@ -70,4 +71,4 @@ provider "azurerm" {
 alias = "identity"
 subscription_id = local.subscription_id_identity
 features {}
-}
\ No newline at end of file
+}
diff --git a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/variables.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/variables.tf
similarity index 99%
rename from templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/variables.tf
rename to templates/microsoft_cloud_for_industry/sovereign_landing_zone/variables.tf
index b923412d..16748d05 100644
--- a/templates/microsoft_cloud_for_industry/microsoft_cloud_for_sovereignty/variables.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/variables.tf
@@ -4,8 +4,8 @@ SUMMARY : Outputs for the Sovereign Landing Zone Depoloyment
 AUTHOR/S: Cloud for Sovereignty
 */
-variable "default_location" {
- type = string
+variable "starter_locations" {
+ type = list(string)
 description = "Location used for deploying Azure resources. (e.g 'uksouth')|azure_location"
 }
@@ -360,4 +360,4 @@ For more information see https://aka.ms/avm/telemetryinfo.
 If it is set to false, then no telemetry will be collected.
 DESCRIPTION
 nullable = false
-}
\ No newline at end of file
+}
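Review bot: The added `# backend "azurerm" {}` in the terraform.tf hunk is a commented-out placeholder with no explanation, so a reader cannot tell whether this template is meant to run with local state or whether a backend block is supplied elsewhere (the commit title and the ALZ-Powershell config entry in the diffstat hint at accelerator tooling, but that is not visible in this hunk). Terraform state for this deployment will hold the resource IDs of management groups, hub networking and the dashboard, so where that state lives and who can read it is part of the design rather than a detail, and the placeholder should say which. A comment would settle it, e.g. `# Intentionally commented out: the state backend is configured by the accelerator at bootstrap time.` if that is the case, or a note on how to configure it when running the template standalone. The enclosing `terraform` block begins outside this hunk.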
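Review bot: In the variables.tf hunk `starter_locations` becomes a `list(string)` but keeps the singular description `"Location used for deploying Azure resources. (e.g 'uksouth')|azure_location"`, so the example value no longer matches the type, and nothing constrains the list to be non-empty even though the rest of the commit replaces `var.default_location` with a `local.default_location` that presumably selects one element from it. Updating the description to the list form (keeping the `|azure_location` suffix, which the `list(string)` fixture in templates/test/variables.tf also carries) and adding a validation block would make an empty list fail with a clear message at the variable instead of as an index error downstream. If the local takes the first element, the description is the right place to say so.
```hcl
variable "starter_locations" {
  # … unchanged: type = list(string) …
  description = "Locations used for deploying Azure resources. (e.g. [\"uksouth\"])|azure_location"
  validation {
    condition     = length(var.starter_locations) > 0
    error_message = "starter_locations must contain at least one Azure location."
  }
}
```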
diff --git a/templates/test/outputs.tf b/templates/test/outputs.tf
index 40a5843f..022e52ab 100644
--- a/templates/test/outputs.tf
+++ b/templates/test/outputs.tf
@@ -37,3 +37,7 @@ output "resource_group_names" {
 identity = azurerm_resource_group.identity.name
 }
 }
+
+output "boolean_test" {
+ value = var.boolean_test
+}
diff --git a/templates/test/variables.tf b/templates/test/variables.tf
index 9a98b19d..f8db671b 100644
--- a/templates/test/variables.tf
+++ b/templates/test/variables.tf
@@ -29,3 +29,9 @@ variable "starter_locations" {
 type = list(string)
 description = "This is the fourth test variable|azure_location"
 }
+
+variable "boolean_test" {
+ type = bool
+ description = "This is the fifth test variable"
+ default = true
+}