diff --git a/docs/wiki/[User-Guide]-Starter-Module-Complete.md b/docs/wiki/[User-Guide]-Starter-Module-Complete.md
index 470da06f..46e7dcd6 100644
--- a/docs/wiki/[User-Guide]-Starter-Module-Complete.md
+++ b/docs/wiki/[User-Guide]-Starter-Module-Complete.md
@@ -3,10 +3,11 @@ The `complete` starter module provides full customization of the Azure Landing Z A custom `config.yaml` file can be passed to the `additional_files` argument of the ALZ PowerShell Module. This allows you to firstly design your Azure Landing Zone, and then deploy it. If not specified, the default `config.yaml` file will be used, which is as follows: - ```yaml +```yaml # This file contains templated variables to avoid repeating the same hard-coded values. # Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use: # `default_location`: This is an Azure location sourced from the `default_location` variable. This can be used to set the location of resources. +# `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency. # `root_parent_management_group_id`: This is the id of the management group that the ALZ hierarchy will be nested under. # `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`. # `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. 
@@ -15,7 +16,6 @@ If not specified, the default `config.yaml` file will be used, which is as follo archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary. root_name: es root_id: Enterprise-Scale - subscription_id_connectivity: ${subscription_id_connectivity} subscription_id_identity: ${subscription_id_identity} subscription_id_management: ${subscription_id_management}
@@ -57,13 +57,17 @@ connectivity: sku_name: AZFW_VNet sku_tier: Standard subnet_address_prefix: 10.0.1.0/24 - virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary. + zones: ["1", "2", "3"] + default_ip_configuration: + public_ip_config: + zones: ["1", "2", "3"] + name: "pip-hub" + virtual_network_gateway: # `avm-ptn-vnetgateway` module, add inputs as listed on the module registry where necessary. name: vgw-hub - sku: VpnGw1 - type: Vpn subnet_address_prefix: 10.0.2.0/24 + vwan: # `avm-ptn-vwan` module, add inputs as listed on the module registry where necessary. - ``` +``` The `config.yaml` file also comes with helpful templated variables such as `default_location` and `root_parent_management_group_id` which get prompted for during the ALZ PowerShell Module run. Alternatively, you can opt to not use the templated variables and hard-code the values in the `config.yaml` file. 
@@ -90,6 +94,10 @@ This module can be extended to deploy multiple Virtual Networks at scale, Route The `avm-ptn-vnetgateway` module is used to deploy a Virtual Network Gateway inside your Virtual Network. Further configuration can be added (depending on requirements) to deploy Local Network Gateways, configure Virtual Network Gateway Connections, deploy ExpressRoute Gateways, and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway). +### `avm-ptn-vwan` + +The `avm-ptn-vwan` module is used to deploy a Virtual WAN. Further configuration can be added (depending on requirements) to deploy VPN Sites, configure VPN Connections, and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vwan). + ## Inputs - `default_location`: The default location to deploy resources to.
diff --git a/docs/wiki/[User-Guide]-Starter-Module-HubNetworking.md b/docs/wiki/[User-Guide]-Starter-Module-HubNetworking.md
index e237daad..4164430c 100644
--- a/docs/wiki/[User-Guide]-Starter-Module-HubNetworking.md
+++ b/docs/wiki/[User-Guide]-Starter-Module-HubNetworking.md 
@@ -18,7 +18,7 @@ The `hubnetworking` module is used to deploy connectivity resources such as Virt ### `avm-ptn-vnetgateway` -The `avm-ptn-vnetgateway` module is used to deploy a Virtual Network Gateway inside your Virtual Network. By default, the resources of the module will not be deployed unless `virtual_network_gateway_creation_enabled` is set to true, if so, the module will deploy a VPN Gateway with SKU VpnGw1. +The `avm-ptn-vnetgateway` module is used to deploy a Virtual Network Gateway inside your Virtual Network. By default, the resources of the module will not be deployed unless `virtual_network_gateway_creation_enabled` is set to true, if so, the module will deploy a ExpressRoute Gateway with SKU ErGw1AZ. Further configuration can be added depending on requirements to deploy Local Network Gateways, configure Virtual Network Gateway Connections, deploy ExpressRoute Gateways and more. Additional information on the module can be found [here](https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway). ## Inputs
diff --git a/docs/wiki/[User-Guide]-YAML-Schema-Reference.md b/docs/wiki/[User-Guide]-YAML-Schema-Reference.md
index b663cd79..3766741f 100644
--- a/docs/wiki/[User-Guide]-YAML-Schema-Reference.md
+++ b/docs/wiki/[User-Guide]-YAML-Schema-Reference.md
@@ -133,11 +133,11 @@ connectivity: resource_group_name: # string location: # string address_space: # list - virtual_network_gateway: # Arguments from https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway/blob/v0.2.0/variables.tf converted to YAML. + virtual_network_gateway: # Arguments from https://github.com/Azure/terraform-azurerm-avm-ptn-vnetgateway/blob/v0.3.0/variables.tf converted to YAML. name: # string sku: # string subnet_address_prefix: # string - subnet_id: # string + subnet_creation_enabled: # boolean type: # string default_tags: # object edge_zone: # string 
@@ -151,6 +151,11 @@ connectivity: vpn_generation: # string vpn_point_to_site: # object vpn_type: # string + vpn_private_ip_address_enabled: # boolean + route_table_bgp_route_propagation_enabled: # boolean + route_table_creation_enabled: # boolean + route_table_name: # string + route_table_tags: # object ```
@@ -178,6 +183,40 @@ connectivity: subnet_address_prefix: 10.0.2.0/24 ``` +## `connectivity.vwan` + +Specifies the hub networking configuration to be used from the `terraform-azurerm-avm-ptn-virtualwan` module. + +```yaml + +connectivity: + vwan: # Arguments from https://github.com/Azure/terraform-azurerm-avm-ptn-virtualwan/blob/v0.4.0/variables.tf converted to YAML. + allow_branch_to_branch_traffic: # boolean + create_resource_group: # boolean + disable_vpn_encryption: # boolean + enable_telemetry: # boolean + er_circuit_connections: # object + expressroute_gateways: # object + firewalls: # object + location: # string + office365_local_breakout_category + p2s_gateway_vpn_server_configurations: # object + p2s_gateways: # object + resource_group_name: # string + resource_group_tags: # object + routing_intents: # object + telemetry_resource_group_name: # string + type: # string + virtual_hubs: # object + virtual_network_connections: # object + virtual_wan_name: # string + virtual_wan_tags: # object + vpn_gateways: # object + vpn_site_connections: # object + vpn_sites: # object + tags: # object +``` + [//]: # (************************) [//]: # (INSERT LINK LABELS BELOW) [//]: # (************************)
diff --git a/templates/basic/main.tf b/templates/basic/main.tf
index 9c6cc34e..2751d66b 100644
--- a/templates/basic/main.tf
+++ b/templates/basic/main.tf
@@ -1,6 +1,6 @@ module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "4.2.0" + version = "~> 5.2.0" disable_telemetry = true
diff --git a/templates/basic/variables.tf b/templates/basic/variables.tf
index bd5f49e0..fd4bd58c 100644
--- a/templates/basic/variables.tf 
+++ b/templates/basic/variables.tf 
@@ -1,37 +1,37 @@ variable "default_location" { - description = "The location for Azure resources. (e.g 'uksouth')|1|azure_location" - type = string -} - -variable "root_parent_management_group_id" { - description = "The parent management group id. Defaults to `Tenant Root Group` if not supplied.|2" type = string - default = "" + description = "The location for Azure resources. (e.g 'uksouth')|1|azure_location" } variable "subscription_id_connectivity" { - description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_subscription_id" type = string + description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_subscription_id" } variable "subscription_id_identity" { - description = "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|4|azure_subscription_id" type = string + description = "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|4|azure_subscription_id" } variable "subscription_id_management" { - description = "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)|5|azure_subscription_id" type = string + description = "The identifier of the Management Subscription. 
(e.g 00000000-0000-0000-0000-000000000000)|5|azure_subscription_id" } variable "root_id" { - description = "The root id is the identity for the root management group and a prefix applied to all management group identities|6|azure_name" type = string default = "es" + description = "The root id is the identity for the root management group and a prefix applied to all management group identities|6|azure_name" } variable "root_name" { - description = "The display name for the root management group|7|azure_name" type = string default = "Enterprise-Scale" + description = "The display name for the root management group|7|azure_name" +} + +variable "root_parent_management_group_id" { + type = string + default = "" + description = "The parent management group id. Defaults to `Tenant Root Group` if not supplied.|2" }
diff --git a/templates/complete/config.yaml b/templates/complete/config.yaml
index 220fcfdc..d78d7d5c 100644
--- a/templates/complete/config.yaml
+++ b/templates/complete/config.yaml
@@ -7,7 +7,7 @@ # `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. # `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`. --- -archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary. +archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary. root_name: es root_id: Enterprise-Scale subscription_id_connectivity: ${subscription_id_connectivity} 
@@ -38,7 +38,7 @@ archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module management: name: aa-management connectivity: - hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. + hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. hub_virtual_networks: primary: name: vnet-hub
@@ -51,8 +51,12 @@ connectivity: sku_name: AZFW_VNet sku_tier: Standard subnet_address_prefix: 10.0.1.0/24 - virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary. + zones: ["1", "2", "3"] + default_ip_configuration: + public_ip_config: + zones: ["1", "2", "3"] + name: "pip-hub" + virtual_network_gateway: # `avm-ptn-vnetgateway` module, add inputs as listed on the module registry where necessary. name: vgw-hub - sku: VpnGw1 - type: Vpn subnet_address_prefix: 10.0.2.0/24 + vwan: # `avm-ptn-virtualwan` module, add inputs as listed on the module registry where necessary.
diff --git a/templates/complete/locals.tf b/templates/complete/locals.tf
index f078c0b5..57adda76 100644
--- a/templates/complete/locals.tf
+++ b/templates/complete/locals.tf 
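Review bot: Removing `sku: VpnGw1` and `type: Vpn` from the shipped `virtual_network_gateway` defaults means `type` now falls through to the `avm-ptn-vnetgateway` module default, which the HubNetworking wiki hunk in this same commit describes as an ExpressRoute gateway with SKU ErGw1AZ, so a user who re-applies an existing `complete` landing zone with the stock `config.yaml` would most likely see their VPN gateway replaced rather than updated in place. Either keep `sku: VpnGw1` and `type: Vpn` in the template, or state the new default and the replacement impact next to the listing in `[User-Guide]-Starter-Module-Complete.md`; the same two lines are dropped in `templates/complete_vnext/config.yaml` as well. The new trailing `vwan:` key has no value and so decodes to null, which `try(merge(local.config.connectivity.vwan, {}), {})` in `locals.tf` turns into an empty map; a comment such as `# leave empty to skip Virtual WAN; populate to deploy the avm-ptn-virtualwan module` would make that intent visible to readers of the YAML.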
@@ -1,12 +1,15 @@ locals { - const_yaml = "yaml" - const_yml = "yml" - + config_file_extension = replace(lower(element(local.config_file_split, length(local.config_file_split) - 1)), local.const_yml, local.const_yaml) config_file_name = var.configuration_file_path == "" ? "config.yaml" : basename(var.configuration_file_path) config_file_split = split(".", local.config_file_name) - config_file_extension = replace(lower(element(local.config_file_split, length(local.config_file_split) - 1)), local.const_yml, local.const_yaml) + const_yaml = "yaml" + const_yml = "yml" } locals { + config = (local.config_file_extension == local.const_yaml ? + yamldecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) : + jsondecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) + ) config_template_file_variables = { default_location = var.default_location default_postfix = var.default_postfix
@@ -15,11 +18,6 @@ locals { subscription_id_identity = var.subscription_id_identity subscription_id_management = var.subscription_id_management } - - config = (local.config_file_extension == local.const_yaml ? - yamldecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) : - jsondecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) - ) } locals { archetypes = try(merge(local.config.archetypes, {}), {}) 
@@ -37,11 +35,13 @@ locals { for key, hub_virtual_network in local.hub_virtual_networks : key => merge( hub_virtual_network.virtual_network_gateway, { - location = hub_virtual_network.location - virtual_network_name = hub_virtual_network.name - virtual_network_resource_group_name = hub_virtual_network.resource_group_name + location = hub_virtual_network.location + virtual_network_id = module.hubnetworking[0].virtual_networks[key].id } ) if can(hub_virtual_network.virtual_network_gateway) } } +locals { + module_vwan = try(merge(local.config.connectivity.vwan, {}), {}) +}
diff --git a/templates/complete/main.tf b/templates/complete/main.tf
index ff4796b2..47388c85 100644
--- a/templates/complete/main.tf
+++ b/templates/complete/main.tf
@@ -1,6 +1,6 @@ module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "4.2.0" + version = "~> 5.2.0" count = length(local.archetypes) > 0 ? 1 : 0
@@ -53,7 +53,7 @@ module "enterprise_scale" { module "hubnetworking" { source = "Azure/hubnetworking/azurerm" - version = "1.1.1" + version = "~> 1.1.0" count = length(local.hub_virtual_networks) > 0 ? 1 : 0 
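Review bot: In the `templates/complete/locals.tf` hunk, `virtual_network_id = module.hubnetworking[0].virtual_networks[key].id` relies on two things that are not stated at the site: the `[0]` index is only valid because `module.hubnetworking` in `main.tf` uses `count = length(local.hub_virtual_networks) > 0 ? 1 : 0` and this comprehension iterates that same map, and `virtual_networks[key]` assumes the module's output map is keyed by the same hub key as its input, which I cannot confirm from this diff. A comment on that line such as `# hubnetworking has count 1 whenever hub_virtual_networks is non-empty; output map assumed keyed like the input — TODO confirm` would record both assumptions for the next maintainer. The same expression is added to `templates/complete_vnext/locals.tf` in this commit and deserves the same comment.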
@@ -70,37 +70,77 @@ module "hubnetworking" { module "virtual_network_gateway" { source = "Azure/avm-ptn-vnetgateway/azurerm" - version = "~> 0.2.0" + version = "~> 0.3.0" for_each = local.module_virtual_network_gateway - location = each.value.location - name = each.value.name - sku = each.value.sku - type = each.value.type - virtual_network_name = each.value.virtual_network_name - virtual_network_resource_group_name = each.value.virtual_network_resource_group_name - default_tags = try(each.value.default_tags, null) - edge_zone = try(each.value.edge_zone, null) - enable_telemetry = false - express_route_circuits = try(each.value.express_route_circuits, null) - ip_configurations = try(each.value.ip_configurations, null) - local_network_gateways = try(each.value.local_network_gateways, null) - subnet_address_prefix = try(each.value.subnet_address_prefix, null) - subnet_id = try(each.value.subnet_id, null) - tags = try(each.value.tags, null) - vpn_active_active_enabled = try(each.value.vpn_active_active_enabled, null) - vpn_bgp_enabled = try(each.value.vpn_bgp_enabled, null) - vpn_bgp_settings = try(each.value.vpn_bgp_settings, null) - vpn_generation = try(each.value.vpn_generation, null) - vpn_point_to_site = try(each.value.vpn_point_to_site, null) - vpn_type = try(each.value.vpn_type, null) + location = each.value.location + name = each.value.name + sku = try(each.value.sku, null) + type = try(each.value.type, null) + virtual_network_id = each.value.virtual_network_id + default_tags = try(each.value.default_tags, null) + subnet_creation_enabled = try(each.value.subnet_creation_enabled, null) + edge_zone = try(each.value.edge_zone, null) + enable_telemetry = false + express_route_circuits = try(each.value.express_route_circuits, null) + ip_configurations = try(each.value.ip_configurations, null) + local_network_gateways = try(each.value.local_network_gateways, null) + subnet_address_prefix = try(each.value.subnet_address_prefix, null) + tags = try(each.value.tags, 
null) + vpn_active_active_enabled = try(each.value.vpn_active_active_enabled, null) + vpn_bgp_enabled = try(each.value.vpn_bgp_enabled, null) + vpn_bgp_settings = try(each.value.vpn_bgp_settings, null) + vpn_generation = try(each.value.vpn_generation, null) + vpn_point_to_site = try(each.value.vpn_point_to_site, null) + vpn_type = try(each.value.vpn_type, null) + vpn_private_ip_address_enabled = try(each.value.vpn_private_ip_address_enabled, null) + route_table_bgp_route_propagation_enabled = try(each.value.route_table_bgp_route_propagation_enabled, null) + route_table_creation_enabled = try(each.value.route_table_creation_enabled, null) + route_table_name = try(each.value.route_table_name, null) + route_table_tags = try(each.value.route_table_tags, null) + + providers = { + azurerm = azurerm.connectivity + } +} + +module "vwan" { + source = "Azure/avm-ptn-virtualwan/azurerm" + version = "~> 0.4.0" + + count = length(local.module_vwan) > 0 ? 1 : 0 + + allow_branch_to_branch_traffic = try(local.module_vwan.allow_branch_to_branch_traffic, null) + create_resource_group = try(local.module_vwan.create_resource_group, null) + disable_vpn_encryption = try(local.module_vwan.disable_vpn_encryption, null) + enable_telemetry = try(local.module_vwan.enable_telemetry, null) + er_circuit_connections = try(local.module_vwan.er_circuit_connections, null) + expressroute_gateways = try(local.module_vwan.expressroute_gateways, null) + firewalls = try(local.module_vwan.firewalls, null) + office365_local_breakout_category = try(local.module_vwan.office365_local_breakout_category, null) + location = try(local.module_vwan.location, null) + p2s_gateway_vpn_server_configurations = try(local.module_vwan.p2s_gateway_vpn_server_configurations, null) + p2s_gateways = try(local.module_vwan.p2s_gateways, null) + resource_group_name = try(local.module_vwan.resource_group_name, null) + virtual_hubs = try(local.module_vwan.virtual_hubs, null) + virtual_network_connections = 
try(local.module_vwan.virtual_network_connections, null) + virtual_wan_name = try(local.module_vwan.virtual_wan_name, null) + type = try(local.module_vwan.type, null) + routing_intents = try(local.module_vwan.routing_intents, null) + resource_group_tags = try(local.module_vwan.resource_group_tags, null) + telemetry_resource_group_name = try(local.module_vwan.telemetry_resource_group_name, null) + virtual_wan_tags = try(local.module_vwan.virtual_wan_tags, null) + vpn_gateways = try(local.module_vwan.vpn_gateways, null) + vpn_site_connections = try(local.module_vwan.vpn_site_connections, null) + vpn_sites = try(local.module_vwan.vpn_sites, null) + tags = try(local.module_vwan.tags, null) providers = { azurerm = azurerm.connectivity } depends_on = [ - module.hubnetworking + module.enterprise_scale ] }
diff --git a/templates/complete/variables.tf b/templates/complete/variables.tf
index 6bd7583c..e8059e42 100644
--- a/templates/complete/variables.tf
+++ b/templates/complete/variables.tf 
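Review bot: `enable_telemetry = try(local.module_vwan.enable_telemetry, null)` in the new `vwan` module is the one module in `templates/complete/main.tf` whose telemetry is not pinned off: `virtual_network_gateway` in the same hunk hard-codes `enable_telemetry = false`, and passing null hands the decision to the module's own default, which for AVM modules is presumably enabled. Use `enable_telemetry = try(local.module_vwan.enable_telemetry, false)` so the starter only emits telemetry when the user opts in through `config.yaml`. The matching `vwan` block in `templates/complete_vnext/main.tf` should get the same treatment; its hunk is cut off at the end of this chunk so I could not check it. Note also that the `depends_on = [module.enterprise_scale]` at the bottom of the hunk now belongs to `vwan`, while `virtual_network_gateway` is ordered after `module.hubnetworking` only through `each.value.virtual_network_id`; a one-line comment on that module naming the implicit dependency would help, since the explicit one was removed.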
@@ -1,37 +1,37 @@ variable "default_location" { - description = "The location for Azure resources. (e.g 'uksouth')|1|azure_location" type = string + description = "The location for Azure resources. (e.g 'uksouth')|1|azure_location" } -variable "default_postfix" { - description = "The default postfix for Azure resources. (e.g 'landing-zone')|2|azure_name" +variable "subscription_id_connectivity" { type = string - default = "landing-zone" + description = "value of the subscription id for the Connectivity subscription|5|azure_subscription_id" } -variable "root_parent_management_group_id" { - description = "This is the id of the management group that the ALZ hierarchy will be nested under, will default to the Tenant Root Group|3|azure_name" +variable "subscription_id_identity" { type = string - default = "" + description = "value of the subscription id for the Identity subscription|6|azure_subscription_id" } variable "subscription_id_management" { - description = "value of the subscription id for the Management subscription|4|azure_subscription_id" type = string + description = "value of the subscription id for the Management subscription|4|azure_subscription_id" } -variable "subscription_id_connectivity" { - description = "value of the subscription id for the Connectivity subscription|5|azure_subscription_id" +variable "configuration_file_path" { type = string + default = "" + description = "The path of the configuration file|7|configuration_file_path" } -variable "subscription_id_identity" { - description = "value of the subscription id for the Identity subscription|6|azure_subscription_id" +variable "default_postfix" { type = string + default = "landing-zone" + description = "The default postfix for Azure resources. 
(e.g 'landing-zone')|2|azure_name" } -variable "configuration_file_path" { - description = "The path of the configuration file|7|configuration_file_path" +variable "root_parent_management_group_id" { type = string default = "" + description = "This is the id of the management group that the ALZ hierarchy will be nested under, will default to the Tenant Root Group|3|azure_name" }
diff --git a/templates/complete_vnext/config.yaml b/templates/complete_vnext/config.yaml
index 04f1a1b5..494543a7 100644
--- a/templates/complete_vnext/config.yaml
+++ b/templates/complete_vnext/config.yaml
@@ -72,21 +72,25 @@ management_groups: base_archetype: decommissioned connectivity: - hub_networking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. + hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. hub_virtual_networks: primary: - name: vnet-hub-${default_postfix} - resource_group_name: rg-connectivity-${default_postfix} + name: vnet-hub + resource_group_name: rg-connectivity location: ${default_location} address_space: - 10.0.0.0/16 firewall: - name: fw-hub-${default_postfix} + name: fw-hub sku_name: AZFW_VNet sku_tier: Standard subnet_address_prefix: 10.0.1.0/24 - virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary. - name: vgw-hub-${default_postfix} - sku: VpnGw1 - type: Vpn + zones: ["1", "2", "3"] + default_ip_configuration: + public_ip_config: + zones: ["1", "2", "3"] + name: "pip-hub" + virtual_network_gateway: # `avm-ptn-vnetgateway` module, add inputs as listed on the module registry where necessary. + name: vgw-hub subnet_address_prefix: 10.0.2.0/24 + vwan: # `avm-ptn-virtualwan` module, add inputs as listed on the module registry where necessary.
diff --git a/templates/complete_vnext/locals.tf b/templates/complete_vnext/locals.tf
index 0cc0c6b4..dc67fe83 100644
--- a/templates/complete_vnext/locals.tf 
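Review bot: Dropping `${default_postfix}` from `name: vnet-hub`, `resource_group_name: rg-connectivity` and the firewall `name: fw-hub` in `templates/complete_vnext/config.yaml` renames the hub resource group, virtual network and firewall for anyone who already deployed this template with a postfix, and for these resource types a name change normally means destroy-and-recreate rather than an in-place update. `default_postfix` is still injected through `config_template_file_variables` in the `complete_vnext` `locals.tf` hunk, so the value is still collected but no longer used by the shipped defaults; if the goal is parity with the `complete` template, say so in the wiki listing, otherwise keep the `-${default_postfix}` suffixes. The `hub_networking` to `hubnetworking` key rename does line up with `local.config.connectivity.hubnetworking.hub_virtual_networks` in `locals.tf`, so that part is consistent.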
+++ b/templates/complete_vnext/locals.tf
@@ -1,12 +1,15 @@ locals { - const_yaml = "yaml" - const_yml = "yml" - + config_file_extension = replace(lower(element(local.config_file_split, length(local.config_file_split) - 1)), local.const_yml, local.const_yaml) config_file_name = var.configuration_file_path == "" ? "config.yaml" : basename(var.configuration_file_path) config_file_split = split(".", local.config_file_name) - config_file_extension = replace(lower(element(local.config_file_split, length(local.config_file_split) - 1)), local.const_yml, local.const_yaml) + const_yaml = "yaml" + const_yml = "yml" } locals { + config = (local.config_file_extension == local.const_yaml ? + yamldecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) : + jsondecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) + ) config_template_file_variables = { default_location = var.default_location default_postfix = var.default_postfix
@@ -15,15 +18,9 @@ locals { subscription_id_identity = var.subscription_id_identity subscription_id_management = var.subscription_id_management } - - config = (local.config_file_extension == local.const_yaml ? - yamldecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) : - jsondecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) - ) } locals { management_group_resource_id_format = "/providers/Microsoft.Management/managementGroups/%s" - root_parent_management_group_id = local.config_template_file_variables.root_parent_management_group_id management_groups = { for k, v in local.config.management_groups : k => { id = v.id display_name = try(v.display_name, v.id) 
@@ -34,17 +31,18 @@ locals { is_root = v.parent == local.root_parent_management_group_id } } - management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.is_root } - management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_1), v.parent) } - management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_2), v.parent) } - management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_3), v.parent) } - management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_4), v.parent) } - management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_5), v.parent) } - management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_6), v.parent) } + management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.is_root } + management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_1), v.parent) } + management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_2), v.parent) } + management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_3), v.parent) } + management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_4), v.parent) } + management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_5), v.parent) } + management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_6), v.parent) } + root_parent_management_group_id = 
local.config_template_file_variables.root_parent_management_group_id } locals { + log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id management = local.config.management - log_analytics_workspace_id = "/subscriptions/${var.subscription_id_management}/resourceGroups/${local.management.resource_group_name}/providers/Microsoft.OperationalInsights/workspaces/${local.management.log_analytics_workspace_name}" } locals { hub_virtual_networks = try(merge(local.config.connectivity.hubnetworking.hub_virtual_networks, {}), {})
@@ -59,11 +57,14 @@ locals { for key, hub_virtual_network in local.hub_virtual_networks : key => merge( hub_virtual_network.virtual_network_gateway, { - location = hub_virtual_network.location - virtual_network_name = hub_virtual_network.name - virtual_network_resource_group_name = hub_virtual_network.resource_group_name + location = hub_virtual_network.location + virtual_network_id = module.hubnetworking[0].virtual_networks[key].id + } ) if can(hub_virtual_network.virtual_network_gateway) } } +locals { + module_vwan = try(merge(local.config.connectivity.vwan, {}), {}) +}
diff --git a/templates/complete_vnext/main.tf b/templates/complete_vnext/main.tf
index 9c2605aa..f6130bf2 100644
--- a/templates/complete_vnext/main.tf
+++ b/templates/complete_vnext/main.tf
@@ -1,3 +1,18 @@ +module "management_resources" { + source = "Azure/avm-ptn-alz-management/azurerm" + version = "~> 0.1.0" + + automation_account_name = try(local.management.automation_account_name, "") + location = try(local.management.location, "") + log_analytics_workspace_name = try(local.management.log_analytics_workspace_name, "") + resource_group_name = try(local.management.resource_group_name, "") + enable_telemetry = false + + providers = { + azurerm = azurerm.management + } +} + module "management_groups_layer_1" { source = "Azure/avm-ptn-alz/azurerm" version = "~> 0.6.0" 
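Review bot: The relocated `management_resources` block in `templates/complete_vnext/main.tf` still defaults every argument with `try(local.management.<key>, "")`, so a key missing from `config.yaml` reaches the module as an empty string; `location = ""` or `resource_group_name = ""` is then rejected by the provider at plan or apply time instead of by the module's own variable validation or defaults. If the module's variables accept null, prefer `location = try(local.management.location, null)` (and likewise for the other three arguments) so a missing key surfaces as a clear validation error. The block also loses the `depends_on = [module.management_groups_layer_7]` its old copy had (visible in the removal further down), which is consistent with `local.log_analytics_workspace_id` now coming from `module.management_resources.log_analytics_workspace.id`; a comment such as `# deployed before the management group layers: its workspace id is presumably consumed by them — TODO confirm` would record why the order was flipped.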
@@ -89,24 +104,6 @@ module "management_groups_layer_7" { subscription_ids = each.value.subscriptions } -module "management_resources" { - source = "Azure/avm-ptn-alz-management/azurerm" - version = "~> 0.1.0" - - automation_account_name = try(local.management.automation_account_name, "") - location = try(local.management.location, "") - log_analytics_workspace_name = try(local.management.log_analytics_workspace_name, "") - resource_group_name = try(local.management.resource_group_name, "") - enable_telemetry = false - - providers = { - azurerm = azurerm.management - } - - depends_on = [ - module.management_groups_layer_7 - ] -} module "hubnetworking" { source = "Azure/hubnetworking/azurerm" 
@@ -121,43 +118,83 @@ module "hubnetworking" {
 }
 depends_on = [
- module.management_resources
+ module.management_groups_layer_7
 ]
 }
 module "virtual_network_gateway" {
 source = "Azure/avm-ptn-vnetgateway/azurerm"
- version = "~> 0.3.1"
+ version = "~> 0.3.0"
 for_each = local.module_virtual_network_gateway
- location = each.value.location
- name = each.value.name
- sku = each.value.sku
- type = each.value.type
- virtual_network_name = each.value.virtual_network_name
- virtual_network_resource_group_name = each.value.virtual_network_resource_group_name
- default_tags = try(each.value.default_tags, null)
- edge_zone = try(each.value.edge_zone, null)
- enable_telemetry = false
- express_route_circuits = try(each.value.express_route_circuits, null)
- ip_configurations = try(each.value.ip_configurations, null)
- local_network_gateways = try(each.value.local_network_gateways, null)
- subnet_address_prefix = try(each.value.subnet_address_prefix, null)
- subnet_id = try(each.value.subnet_id, null)
- tags = try(each.value.tags, null)
- vpn_active_active_enabled = try(each.value.vpn_active_active_enabled, null)
- vpn_bgp_enabled = try(each.value.vpn_bgp_enabled, null)
- vpn_bgp_settings = try(each.value.vpn_bgp_settings, null)
- vpn_generation = try(each.value.vpn_generation, null)
- vpn_point_to_site = try(each.value.vpn_point_to_site, null)
- vpn_type = try(each.value.vpn_type, null)
+ location = each.value.location
+ name = each.value.name
+ sku = try(each.value.sku, null)
+ type = try(each.value.type, null)
+ virtual_network_id = each.value.virtual_network_id
+ default_tags = try(each.value.default_tags, null)
+ subnet_creation_enabled = try(each.value.subnet_creation_enabled, null)
+ edge_zone = try(each.value.edge_zone, null)
+ enable_telemetry = false
+ express_route_circuits = try(each.value.express_route_circuits, null)
+ ip_configurations = try(each.value.ip_configurations, null)
+ local_network_gateways = try(each.value.local_network_gateways, null)
+
subnet_address_prefix = try(each.value.subnet_address_prefix, null)
+ tags = try(each.value.tags, null)
+ vpn_active_active_enabled = try(each.value.vpn_active_active_enabled, null)
+ vpn_bgp_enabled = try(each.value.vpn_bgp_enabled, null)
+ vpn_bgp_settings = try(each.value.vpn_bgp_settings, null)
+ vpn_generation = try(each.value.vpn_generation, null)
+ vpn_point_to_site = try(each.value.vpn_point_to_site, null)
+ vpn_type = try(each.value.vpn_type, null)
+ vpn_private_ip_address_enabled = try(each.value.vpn_private_ip_address_enabled, null)
+ route_table_bgp_route_propagation_enabled = try(each.value.route_table_bgp_route_propagation_enabled, null)
+ route_table_creation_enabled = try(each.value.route_table_creation_enabled, null)
+ route_table_name = try(each.value.route_table_name, null)
+ route_table_tags = try(each.value.route_table_tags, null)
+
+ providers = {
+ azurerm = azurerm.connectivity
+ }
+}
+
+module "vwan" {
+ source = "Azure/avm-ptn-virtualwan/azurerm"
+ version = "~> 0.4.0"
+
+ count = length(local.module_vwan) > 0 ?
1 : 0
+
+ allow_branch_to_branch_traffic = try(local.module_vwan.allow_branch_to_branch_traffic, null)
+ create_resource_group = try(local.module_vwan.create_resource_group, null)
+ disable_vpn_encryption = try(local.module_vwan.disable_vpn_encryption, null)
+ enable_telemetry = try(local.module_vwan.enable_telemetry, null)
+ er_circuit_connections = try(local.module_vwan.er_circuit_connections, null)
+ expressroute_gateways = try(local.module_vwan.expressroute_gateways, null)
+ firewalls = try(local.module_vwan.firewalls, null)
+ office365_local_breakout_category = try(local.module_vwan.office365_local_breakout_category, null)
+ location = try(local.module_vwan.location, null)
+ p2s_gateway_vpn_server_configurations = try(local.module_vwan.p2s_gateway_vpn_server_configurations, null)
+ p2s_gateways = try(local.module_vwan.p2s_gateways, null)
+ resource_group_name = try(local.module_vwan.resource_group_name, null)
+ virtual_hubs = try(local.module_vwan.virtual_hubs, null)
+ virtual_network_connections = try(local.module_vwan.virtual_network_connections, null)
+ virtual_wan_name = try(local.module_vwan.virtual_wan_name, null)
+ type = try(local.module_vwan.type, null)
+ routing_intents = try(local.module_vwan.routing_intents, null)
+ resource_group_tags = try(local.module_vwan.resource_group_tags, null)
+ telemetry_resource_group_name = try(local.module_vwan.telemetry_resource_group_name, null)
+ virtual_wan_tags = try(local.module_vwan.virtual_wan_tags, null)
+ vpn_gateways = try(local.module_vwan.vpn_gateways, null)
+ vpn_site_connections = try(local.module_vwan.vpn_site_connections, null)
+ vpn_sites = try(local.module_vwan.vpn_sites, null)
+ tags = try(local.module_vwan.tags, null)
 providers = {
 azurerm = azurerm.connectivity
 }
 depends_on = [
- module.hubnetworking
+ module.management_groups_layer_7
 ]
 }
diff --git a/templates/complete_vnext/outputs.tf b/templates/complete_vnext/outputs.tf
index af205906..e69de29b 100644
--- a/templates/complete_vnext/outputs.tf
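Review bot: `enable_telemetry = try(local.module_vwan.enable_telemetry, null)` in the new `vwan` module breaks the convention every other module in this file follows (`management_resources` and `virtual_network_gateway` both hard-code `enable_telemetry = false`); passing `null` hands the decision to the module's own default, so telemetry is presumably on unless the user's config.yaml says otherwise. Suggest `enable_telemetry = false` here as well, or a comment stating why vwan is the exception. `disable_vpn_encryption` is likewise passed straight through from the config file; a one-line comment noting that the module default applies when it is omitted would help anyone reviewing user configs. The parallel migration in templates/hubnetworking/main.tf, whose hunk is cut off at the end of this view, passes `module.hubnetworking.virtual_networks["primary-hub"].name` to `virtual_network_id`, whereas the locals feeding this hunk correctly use `.id`.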
+++ b/templates/complete_vnext/outputs.tf
@@ -1,12 +0,0 @@
-
-output "test" {
- value = {
- management_groups_layer_1 = local.management_groups_layer_1
- management_groups_layer_2 = local.management_groups_layer_2
- management_groups_layer_3 = local.management_groups_layer_3
- management_groups_layer_4 = local.management_groups_layer_4
- management_groups_layer_5 = local.management_groups_layer_5
- management_groups_layer_6 = local.management_groups_layer_6
- management_groups_layer_7 = local.management_groups_layer_7
- }
-}
diff --git a/templates/complete_vnext/variables.tf b/templates/complete_vnext/variables.tf
index 339bf26f..23bfc6a2 100644
--- a/templates/complete_vnext/variables.tf
+++ b/templates/complete_vnext/variables.tf
@@ -1,37 +1,37 @@
 variable "default_location" {
- description = "The location for Azure resources. (e.g 'uksouth')|1|azure_location"
 type = string
+ description = "The location for Azure resources. (e.g 'uksouth')|1|azure_location"
 }
-variable "default_postfix" {
- description = "The default postfix for Azure resources. (e.g 'landing-zone')|2|azure_name"
+variable "subscription_id_connectivity" {
 type = string
- default = "landing-zone"
+ description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|4|azure_subscription_id"
 }
-variable "root_parent_management_group_id" {
- description = "The identifier of the Tenant Root Management Group, if left blank will use the tenant id. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_name"
+variable "subscription_id_identity" {
 type = string
- default = ""
+ description = "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|5|azure_subscription_id"
 }
-variable "subscription_id_connectivity" {
- description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|4|azure_subscription_id"
+variable "subscription_id_management" {
 type = string
+ description = "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)|6|azure_subscription_id"
 }
-variable "subscription_id_identity" {
- description = "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|5|azure_subscription_id"
+variable "configuration_file_path" {
 type = string
+ default = ""
+ description = "The path of the configuration file|7|configuration_file_path"
 }
-variable "subscription_id_management" {
- description = "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)|6|azure_subscription_id"
+variable "default_postfix" {
 type = string
+ default = "landing-zone"
+ description = "The default postfix for Azure resources.
(e.g 'landing-zone')|2|azure_name"
 }
-variable "configuration_file_path" {
- description = "The path of the configuration file|7|configuration_file_path"
+variable "root_parent_management_group_id" {
 type = string
 default = ""
+ description = "The identifier of the Tenant Root Management Group, if left blank will use the tenant id. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_name"
 }
diff --git a/templates/hubnetworking/main.tf b/templates/hubnetworking/main.tf
index 058ce1e5..0659a80d 100644
--- a/templates/hubnetworking/main.tf
+++ b/templates/hubnetworking/main.tf
@@ -1,6 +1,6 @@
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "4.2.0"
+ version = "~> 5.2.0"
 disable_telemetry = true
@@ -25,7 +25,7 @@ module "enterprise_scale" {
 module "hubnetworking" {
 source = "Azure/hubnetworking/azurerm"
- version = "1.1.0"
+ version = "~> 1.1.0"
 hub_virtual_networks = {
 primary-hub = {
@@ -37,6 +37,13 @@ module "hubnetworking" {
 subnet_address_prefix = var.firewall_subnet_address_prefix
 sku_tier = "Standard"
 sku_name = "AZFW_VNet"
+ zones = ["1", "2", "3"]
+ default_ip_configuration = {
+ public_ip_config = {
+ zones = ["1", "2", "3"]
+ name = "pip-hub-${var.default_location}"
+ }
+ }
 }
 }
 }
@@ -52,18 +59,15 @@ module "hubnetworking" {
 module "virtual_network_gateway" {
 source = "Azure/avm-ptn-vnetgateway/azurerm"
- version = "0.2.0"
+ version = "~> 0.3.0"
 count = var.virtual_network_gateway_creation_enabled ? 1 : 0
- location = var.default_location
- name = "vgw-hub-${var.default_location}"
- sku = "VpnGw1"
- subnet_address_prefix = var.gateway_subnet_address_prefix
- type = "Vpn"
- enable_telemetry = false
- virtual_network_name = module.hubnetworking.virtual_networks["primary-hub"].name
- virtual_network_resource_group_name = "rg-connectivity-${var.default_location}"
+ location = var.default_location
+ name = "vgw-hub-${var.default_location}"
+ subnet_address_prefix = var.gateway_subnet_address_prefix
+ enable_telemetry = false
+ virtual_network_id = module.hubnetworking.virtual_networks["primary-hub"].name
 providers = {
 azurerm = azurerm.connectivity