Merge pull request #29 from clouddrove/version-6.1.0
updated module version to 6.1.0
d4kverma authored Sep 19, 2024
2 parents 0630ada + c543565 commit f8031f3
Showing 30 changed files with 379 additions and 230 deletions.
14 changes: 7 additions & 7 deletions .github/dependabot.yml
@@ -1,8 +1,8 @@
---
version: 2
# ---
# version: 2

updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: daily
# updates:
# - package-ecosystem: "github-actions"
# directory: "/"
# schedule:
# interval: daily
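Review bot: Commenting out the whole `updates` block (the `#`-prefixed lines appear to be the new side) disables Dependabot for `github-actions`, so the actions pinned under `.github/workflows/` will no longer receive update or security-advisory pull requests. If the intent is to reduce noise rather than drop the coverage, keep the ecosystem and lower the cadence instead, e.g. `interval: weekly`. If it really is meant to be off, leave a one-line comment stating why and until when, e.g. `# Dependabot disabled <date>: <reason>; re-enable before next release`, so a later reviewer can tell this apart from an accidental disable.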
62 changes: 31 additions & 31 deletions .github/workflows/update-policy.yml
Expand Up @@ -97,35 +97,35 @@ jobs:
echo "changes=${#CHECK_GIT_STATUS[@]}" >> "$GITHUB_OUTPUT"
working-directory: ${{ github.repository }}

- name: Add files, commit and push
if: steps.git_status.outputs.changes > 0
run: |
echo "Pushing changes to origin..."
git add modules/archetypes/lib
git commit -m '${{ env.pr_title }}'
git push origin ${{ env.branch_name }}
working-directory: ${{ github.repository }}
# - name: Add files, commit and push
# if: steps.git_status.outputs.changes > 0
# run: |
# echo "Pushing changes to origin..."
# git add modules/archetypes/lib
# git commit -m '${{ env.pr_title }}'
# git push origin ${{ env.branch_name }}
# working-directory: ${{ github.repository }}

- name: Create pull request
if: steps.git_status.outputs.changes > 0
run: |
HEAD_LABEL="${{ github.repository_owner }}:${{ env.branch_name }}"
BASE_LABEL="${{ github.repository_owner }}:$(echo '${{ github.ref }}' | sed 's:refs/heads/::')"
PULL_REQUEST_URL="repos/${{ github.repository }}/pulls"
JQ_FILTER=".[] | select(.head.label == \"$HEAD_LABEL\") | select(.base.label == \"$BASE_LABEL\") | .url"
CHECK_PULL_REQUEST_URL=$(gh api $PULL_REQUEST_URL | jq -r "$JQ_FILTER")
if [ -z "$CHECK_PULL_REQUEST_URL" ]
then
CHECK_PULL_REQUEST_URL=$(gh pr create \
--title "${{ env.pr_title }}" \
--body "${{ env.pr_body }}" \
--base "${{ github.ref }}" \
--head "${{ env.branch_name }}" \
--draft)
echo "Created new PR: $CHECK_PULL_REQUEST_URL"
else
echo "Existing PR found: $CHECK_PULL_REQUEST_URL"
fi
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
# - name: Create pull request
# if: steps.git_status.outputs.changes > 0
# run: |
# HEAD_LABEL="${{ github.repository_owner }}:${{ env.branch_name }}"
# BASE_LABEL="${{ github.repository_owner }}:$(echo '${{ github.ref }}' | sed 's:refs/heads/::')"
# PULL_REQUEST_URL="repos/${{ github.repository }}/pulls"
# JQ_FILTER=".[] | select(.head.label == \"$HEAD_LABEL\") | select(.base.label == \"$BASE_LABEL\") | .url"
# CHECK_PULL_REQUEST_URL=$(gh api $PULL_REQUEST_URL | jq -r "$JQ_FILTER")
# if [ -z "$CHECK_PULL_REQUEST_URL" ]
# then
# CHECK_PULL_REQUEST_URL=$(gh pr create \
# --title "${{ env.pr_title }}" \
# --body "${{ env.pr_body }}" \
# --base "${{ github.ref }}" \
# --head "${{ env.branch_name }}" \
# --draft)
# echo "Created new PR: $CHECK_PULL_REQUEST_URL"
# else
# echo "Existing PR found: $CHECK_PULL_REQUEST_URL"
# fi
# working-directory: ${{ github.repository }}
# env:
# GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
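Review bot: With both the push step and the `gh pr create` step commented out (the `#`-prefixed copies appear to be the new side), the job still computes `changes` in the `git_status` step at the top of the hunk but never acts on it, so the workflow will run green while silently no longer refreshing `modules/archetypes/lib`. The `generate-token` step and any `permissions:` block granting `contents: write` / `pull-requests: write` sit outside this hunk; if they remain, the job mints an app token it never uses, and those grants should be removed or gated together with these steps to keep the workflow at least privilege. If this is a temporary disable, prefer `if: false` on the two steps with a comment giving the reason, so the skip is visible in the run log rather than buried in commented YAML.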
15 changes: 10 additions & 5 deletions README.md
Expand Up @@ -654,11 +654,14 @@ object({
log_analytics = optional(object({
enabled = optional(bool, true)
config = optional(object({
retention_in_days = optional(number, 30)
enable_monitoring_for_vm = optional(bool, true)
enable_monitoring_for_vmss = optional(bool, true)
enable_sentinel = optional(bool, true)
enable_change_tracking = optional(bool, true)
retention_in_days = optional(number, 30)
enable_monitoring_for_vm = optional(bool, true)
enable_monitoring_for_vmss = optional(bool, true)
enable_sentinel = optional(bool, true)
enable_change_tracking = optional(bool, true)
enable_solution_for_vm_insights = optional(bool, true)
enable_solution_for_container_insights = optional(bool, true)
sentinel_customer_managed_key_enabled = optional(bool, false) # not used at this time
}), {})
}), {})
security_center = optional(object({
Expand Down Expand Up @@ -1103,6 +1106,8 @@ The following resources are used by this module:
- [azurerm_resource_group.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
- [azurerm_resource_group.management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
- [azurerm_resource_group.virtual_wan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
- [azurerm_role_assignment.ama_managed_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.ama_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.enterprise_scale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.private_dns_zone_contributor_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
Original file line number Diff line number Diff line change
Expand Up @@ -162,23 +162,21 @@ This helps to keep the module block clean, whilst providing clear separation bet
locals {
configure_management_resources = {
settings = {
ama = {
enable_uami = true
enable_vminsights_dcr = true
enable_change_tracking_dcr = true
enable_mdfc_defender_for_sql_dcr = false
enable_mdfc_defender_for_sql_query_collection_for_security_research = false
}
log_analytics = {
enabled = true
config = {
retention_in_days = var.log_retention_in_days
enable_monitoring_for_vm = true
enable_monitoring_for_vmss = true
enable_solution_for_agent_health_assessment = true
enable_solution_for_anti_malware = true
enable_solution_for_change_tracking = true
enable_solution_for_service_map = false
enable_solution_for_sql_assessment = false
enable_solution_for_sql_vulnerability_assessment = false
enable_solution_for_sql_advanced_threat_detection = false
enable_solution_for_updates = true
enable_solution_for_vm_insights = true
enable_solution_for_container_insights = true
enable_sentinel = true
retention_in_days = var.log_retention_in_days
enable_monitoring_for_vm = true
enable_monitoring_for_vmss = true
enable_sentinel = true
enable_change_tracking = true
}
}
security_center = {
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<!-- markdownlint-disable first-line-h1 -->
## Overview

This page describes how to deploy Azure landing zones with connectivity resources based on the [Traditional Azure networking topology (hub and spoke)][wiki_connectivity_resources_hub_and_spoke] created in the current Subscription context, using custom configuration settings.
This page describes how to deploy a multi-region Azure landing zone with connectivity resources based on the [Traditional Azure networking topology (hub and spoke)][wiki_connectivity_resources_hub_and_spoke] created in the current Subscription context, using custom configuration settings.

> **NOTE:**
> If you need to deploy a network based on Virtual WAN, please see our [Deploy Connectivity Resources With Custom Settings (Virtual WAN)][wiki_deploy_virtual_wan_resources_custom] example.
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<!-- markdownlint-disable first-line-h1 -->
## Overview

This page describes how to deploy Azure landing zones with connectivity resources based on the [Virtual WAN network topology (Microsoft-managed)][wiki_connectivity_resources_virtual_wan] created in the current Subscription context, using custom configuration settings.
This page describes how to deploy a multi-region Azure landing zone with connectivity resources based on the [Virtual WAN network topology (Microsoft-managed)][wiki_connectivity_resources_virtual_wan] created in the current Subscription context, using custom configuration settings.

> **NOTE:**
> If you need to deploy a network based on traditional virtual networks, please see our [Deploy Connectivity Resources With Custom Settings (Hub and Spoke)][wiki_deploy_connectivity_resources_custom] example.
2 changes: 1 addition & 1 deletion docs/wiki/[User-Guide]-Upgrade-from-v5.2.1-to-v6.0.0.md
Expand Up @@ -23,7 +23,7 @@ See: <https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies>

## Azure Monitor Agent

The Microsoft Monitoring Agent is deprecated and all assignments have been removed, howwver the policy definitions remain.
The Microsoft Monitoring Agent is deprecated and all assignments have been removed, however the policy definitions remain.
We now assign polices that deploy the Azure Monitor Agent (AMA) instead of the Microsoft Monitoring Agent (MMA).
We deploy AMA resources using the new `configure_management_resources` variable.

8 changes: 4 additions & 4 deletions docs/wiki/_Sidebar.md
Expand Up @@ -32,8 +32,8 @@
- [Create and assign custom RBAC roles][wiki_create_and_assign_custom_rbac_roles]
- [Set parameter values for Policy Assignments][wiki_set_parameter_values_for_policy_assignments]
- [Level 300][wiki_examples_level_300]
- [Deploy connectivity resources with custom settings (Hub and Spoke)][wiki_deploy_connectivity_resources_custom]
- [Deploy connectivity resources with custom settings (Virtual WAN)][wiki_deploy_virtual_wan_resources_custom]
- [Deploy multi region networking with custom settings (Hub and Spoke)][wiki_deploy_connectivity_resources_custom]
- [Deploy multi region networking with custom settings (Virtual WAN)][wiki_deploy_virtual_wan_resources_custom]
- [Deploy with Zero Trust network principles (Hub and Spoke)][wiki_deploy_ZT_network]
- [Deploy identity resources with custom settings][wiki_deploy_identity_resources_custom]
- [Deploy management resources with custom settings][wiki_deploy_management_resources_custom]
Expand Down Expand Up @@ -84,9 +84,9 @@
[wiki_deploy_management_resources]: %5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy management resources"
[wiki_deploy_management_resources_custom]: %5BExamples%5D-Deploy-Management-Resources-With-Custom-Settings "Wiki - Deploy management resources with custom settings"
[wiki_deploy_connectivity_resources]: %5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy connectivity resources (Hub and Spoke)"
[wiki_deploy_connectivity_resources_custom]: %5BExamples%5D-Deploy-Connectivity-Resources-With-Custom-Settings "Wiki - Deploy connectivity resources with custom settings (Hub and Spoke)"
[wiki_deploy_connectivity_resources_custom]: %5BExamples%5D-Deploy-Multi-Region-Networking-With-Custom-Settings "Wiki - Deploy multi region networking with custom settings (Hub and Spoke)"
[wiki_deploy_virtual_wan_resources]: %5BExamples%5D-Deploy-Virtual-WAN-Resources "Wiki - Deploy connectivity resources (Virtual WAN)"
[wiki_deploy_virtual_wan_resources_custom]: %5BExamples%5D-Deploy-Virtual-WAN-Resources-With-Custom-Settings "Wiki - Deploy connectivity resources with custom settings (Virtual WAN)"
[wiki_deploy_virtual_wan_resources_custom]: %5BExamples%5D-Deploy-Virtual-WAN-Multi-Region-With-Custom-Settings "Wiki - Deploy multi region networking with custom settings (Virtual WAN)"
[wiki_deploy_identity_resources]: %5BExamples%5D-Deploy-Identity-Resources "Wiki - Deploy identity resources"
[wiki_deploy_identity_resources_custom]: %5BExamples%5D-Deploy-Identity-Resources-With-Custom-Settings "Wiki - Deploy identity resources with custom settings"
[wiki_deploy_using_module_nesting]: %5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy using module nesting"
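--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -15,6 +15,7 @@ data "azurerm_client_config" "core" {}
 
 
 module "enterprise_scale" {
+# source = "clouddrove/landingzone/azure"
 source = "../../"
 # version = "5.0.3" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
 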
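Review bot: The new commented `source = "clouddrove/landingzone/azure"` line sits next to a `# version = "5.0.3"` hint that is a full major version behind the 6.1.0 this PR ships, so anyone swapping the registry source into this example either gets a stale pin or, if they drop the line, an unpinned module that floats to whatever is latest. Update the hint to the released version and keep it as an explicit constraint, e.g. `# version = "6.1.0"`. The enclosing `module "enterprise_scale"` block continues past the hunk.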
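--- a/locals.management.tf
+++ b/locals.management.tf
@@ -66,3 +66,11 @@ locals {
 if resource.managed_by_module
 }
 }
+
+# locals {
+# azapi_sentinel_onboarding = {
+# for resource in module.management_resources.configuration.azapi_sentinel_onboarding :
+# resource.resource_id => resource
+# if resource.managed_by_module
+# }
+# }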
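Review bot: The added block is dead, commented-out code for `azapi_sentinel_onboarding` with no explanation, and nothing visible here says whether Sentinel onboarding of the workspace still happens by another path now that this local (and presumably the `azapi` resource it fed, outside this hunk) is gone. The README in this same commit still advertises `enable_sentinel = optional(bool, true)`, so please confirm that setting still results in the workspace being onboarded to Sentinel. Then either delete the block or replace it with a one-line comment such as `# Sentinel onboarding via azapi removed in 6.1.0; now handled by <resource>` so a future reader knows the removal was deliberate.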
3 changes: 2 additions & 1 deletion locals.role_assignments.tf
Expand Up @@ -44,4 +44,5 @@ locals {

locals {
connectivity_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-connectivity")]) > 0
}
platform_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-platform")]) > 0
}
17 changes: 9 additions & 8 deletions main.tf
Expand Up @@ -75,12 +75,13 @@ module "connectivity_resources" {
tags = local.connectivity_resources_tags

# Optional input variables (advanced configuration)
resource_prefix = lookup(local.connectivity_resources_advanced, "resource_prefix", local.empty_string)
resource_suffix = lookup(local.connectivity_resources_advanced, "resource_suffix", local.empty_string)
existing_ddos_protection_plan_resource_id = lookup(local.connectivity_resources_advanced, "existing_ddos_protection_plan_resource_id", local.empty_string)
existing_virtual_wan_resource_id = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_id", local.empty_string)
existing_virtual_wan_resource_group_name = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_group_name", local.empty_string)
resource_group_per_virtual_hub_location = lookup(local.connectivity_resources_advanced, "resource_group_per_virtual_hub_location", false)
custom_azure_backup_geo_codes = lookup(local.connectivity_resources_advanced, "custom_azure_backup_geo_codes", local.empty_map)
custom_settings_by_resource_type = lookup(local.connectivity_resources_advanced, "custom_settings_by_resource_type", local.empty_map)
resource_prefix = lookup(local.connectivity_resources_advanced, "resource_prefix", local.empty_string)
resource_suffix = lookup(local.connectivity_resources_advanced, "resource_suffix", local.empty_string)
existing_ddos_protection_plan_resource_id = lookup(local.connectivity_resources_advanced, "existing_ddos_protection_plan_resource_id", local.empty_string)
existing_virtual_wan_resource_id = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_id", local.empty_string)
existing_virtual_wan_resource_group_name = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_group_name", local.empty_string)
resource_group_per_virtual_hub_location = lookup(local.connectivity_resources_advanced, "resource_group_per_virtual_hub_location", false)
custom_azure_backup_geo_codes = lookup(local.connectivity_resources_advanced, "custom_azure_backup_geo_codes", local.empty_map)
custom_privatelink_azurestaticapps_partitionids = lookup(local.connectivity_resources_advanced, "custom_privatelink_azurestaticapps_partitionids", null)
custom_settings_by_resource_type = lookup(local.connectivity_resources_advanced, "custom_settings_by_resource_type", local.empty_map)
}
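Review bot: `custom_privatelink_azurestaticapps_partitionids` is the only lookup in this block that falls back to `null` rather than one of the `local.empty_*` sentinels every sibling argument uses; that is only safe if the `connectivity_resources` module declares that variable with a `null`-tolerant default (or `nullable = true`), otherwise a caller who omits the key gets a plan-time error. Either align it with the others using the sentinel that matches the variable's declared type, or add a short trailing comment stating why `null` is the intended "use the module default" value here, e.g. `# null lets the submodule apply its own default list`. The `module "connectivity_resources"` block starts above the hunk.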
Original file line number Diff line number Diff line change
Expand Up @@ -1430,13 +1430,13 @@
"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9",
"parameters": {
"privateDnsZoneIdForGuestConfiguration": {
"privateDnsZoneIDForGuestConfiguration": {
"value": "[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
},
"privateDnsZoneIdForHybridResourceProvider": {
"privateDnsZoneIDForHybridResourceProvider": {
"value": "[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
},
"privateDnsZoneIdForKubernetesConfiguration": {
"privateDnsZoneIDForKubernetesConfiguration": {
"value": "[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
},
"effect": {
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@
"effect": {
"value": "[parameters('effect')]"
},
"CheckLockedImmutabiltyOnly": {
"checkLockedImmutabiltyOnly": {
"value": "[parameters('checkLockedImmutabilityOnly')]"
}
},
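Review bot: The key is changed only in the case of its first letter, so it still reads `checkLockedImmutabiltyOnly` (missing an "i") while the value references the correctly spelled `parameters('checkLockedImmutabilityOnly')`; the key must match the parameter name declared by the referenced policy definition exactly, or the policy set definition is rejected for an unknown parameter. If the referenced definition itself carries the misspelling then this is correct and worth a sentence in the PR description; if it does not, the key should be `"checkLockedImmutabilityOnly"`. The referenced definition id is outside this hunk, so I cannot tell which applies.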
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"displayName": "Enforce recommended guardrails for Azure Key Vault",
"description": "Enforce recommended guardrails for Azure Key Vault.",
"metadata": {
"version": "2.0.0",
"version": "2.1.0",
"category": "Key Vault",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -236,8 +236,11 @@
"type": "string",
"defaultValue": "Disabled",
"allowedValues": [
"audit",
"Audit",
"deny",
"Deny",
"disabled",
"Disabled"
]
},