From e4eb21b3801ed2be230545432dd90ee95feb1a43 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Wed, 27 Nov 2024 05:40:58 +0000 Subject: [PATCH] feature: Latest changes from likvid-cloudfoundation prod branch --- kit/azure/aviatrix/README.md | 27 +-- kit/azure/aviatrix/aviatrix.spn.tf | 2 +- kit/azure/aviatrix/outputs.tf | 2 +- kit/azure/aviatrix/variables.tf | 11 - kit/azure/aviatrix/versions.tf | 9 +- kit/azure/billing/README.md | 24 +- kit/azure/billing/documentation.tf | 4 +- kit/azure/billing/outputs.tf | 4 +- kit/azure/billing/resources.group.tf | 4 - kit/azure/billing/versions.tf | 4 +- kit/azure/bootstrap/README.md | 24 +- kit/azure/bootstrap/documentation.tf | 24 +- kit/azure/bootstrap/main.tf | 2 +- kit/azure/bootstrap/outputs.tf | 2 +- kit/azure/bootstrap/resources.key-vault.tf | 4 +- .../template/platform-module/terragrunt.hcl | 16 +- kit/azure/bootstrap/variables.tf | 1 + kit/azure/bootstrap/versions.tf | 2 +- kit/azure/buildingblocks/automation/README.md | 50 ++-- .../automation/documentation.tf | 13 +- kit/azure/buildingblocks/automation/main.tf | 8 +- .../buildingblocks/automation/outputs.tf | 4 +- .../automation/resources.bb-spn.tf | 2 +- .../buildingblocks/automation/versions.tf | 26 ++ .../budget-alert/backplane/README.md | 7 +- .../budget-alert/backplane/documentation.tf | 24 +- .../budget-alert/backplane/main.tf | 3 - .../budget-alert/backplane/versions.tf | 2 +- .../budget-alert/buildingblock/versions.tf | 3 +- .../connectivity/backplane/README.md | 9 +- .../connectivity/backplane/documentation.tf | 24 +- .../connectivity/backplane/variables.tf | 6 - .../connectivity/backplane/versions.tf | 2 +- .../connectivity/buildingblock/variables.tf | 2 + .../connectivity/buildingblock/versions.tf | 4 +- .../custom-permissions/backplane/README.md | 53 ++++ .../backplane/documentation.tf | 32 +++ .../custom-permissions/backplane/main.tf | 19 ++ .../custom-permissions/backplane/outputs.tf | 25 ++ .../custom-permissions/backplane/variables.tf | 22 ++ .../custom-permissions/backplane/versions.tf | 11 + 
.../custom-permissions/buildingblock/main.tf | 44 ++++ .../buildingblock/variables.tf | 31 +++ .../buildingblock/versions.tf | 15 ++ .../github-repo/backplane/documentation.tf | 1 - .../github-repo/backplane/main.tf | 9 - .../github-repo/backplane/variables.tf | 19 -- .../github-repo/backplane/versions.tf | 15 ++ .../github-repo/buildingblock/README.md | 10 +- .../github-repo/buildingblock/provider.tf | 4 +- .../starterkit/backplane/README.md | 227 ++++++++++++++++++ .../starterkit/backplane/documentation.tf | 39 +++ .../starterkit/backplane/main.tf | 67 ++++++ .../starterkit/backplane/outputs.tf | 59 +++++ .../backplane/resources.bbtfstate.tf | 26 ++ .../starterkit/backplane/resources.github.tf | 4 + .../backplane/resources.starterkit-spn.tf | 51 ++++ .../starterkit/backplane/variables.tf | 29 +++ .../starterkit/backplane/versions.tf | 31 +++ .../starterkit/buildingblock/.gitignore | 8 + .../starterkit/buildingblock/main.tf | 33 +++ .../starterkit/buildingblock/outputs.tf | 3 + .../buildingblock/resources.azure.app.tf | 54 +++++ .../buildingblock/resources.azure.cicd.tf | 63 +++++ .../buildingblock/resources.github.tf | 121 ++++++++++ .../starterkit/buildingblock/variables.tf | 37 +++ .../starterkit/buildingblock/versions.tf | 26 ++ .../subscription/backplane/README.md | 7 +- .../subscription/backplane/documentation.tf | 23 +- .../subscription/backplane/main.tf | 3 - .../subscription/backplane/versions.tf | 2 +- .../subscription/buildingblock/main.tf | 12 +- .../subscription/buildingblock/versions.tf | 2 +- kit/azure/landingzones/cloud-native/README.md | 8 +- .../landingzones/cloud-native/versions.tf | 2 +- .../landingzones/container-platform/README.md | 21 +- .../container-platform/documentation.tf | 20 +- ..._allow_only_serverless_resources.tmpl.json | 24 ++ ...ollie_allow_only_serverless_resources.json | 38 +++ ..._allow_only_serverless_resources.tmpl.json | 24 ++ .../landingzones/container-platform/main.tf | 37 ++- .../container-platform/outputs.tf | 32 +++ 
.../container-platform/variables.tf | 7 +- .../container-platform/versions.tf | 2 +- kit/azure/landingzones/corp-online/README.md | 16 +- kit/azure/landingzones/corp-online/main.tf | 6 +- kit/azure/landingzones/corp-online/outputs.tf | 10 + .../landingzones/corp-online/variables.tf | 5 - .../landingzones/corp-online/versions.tf | 10 + kit/azure/landingzones/sandbox/README.md | 4 +- kit/azure/landingzones/sandbox/main.tf | 2 +- kit/azure/landingzones/sandbox/versions.tf | 2 +- kit/azure/landingzones/serverless/README.md | 8 +- kit/azure/landingzones/serverless/main.tf | 2 +- .../landingzones/serverless/variables.tf | 5 - kit/azure/landingzones/serverless/versions.tf | 10 + kit/azure/logging/README.md | 30 +-- kit/azure/logging/documentation.tf | 4 +- kit/azure/logging/outputs.tf | 4 +- kit/azure/logging/versions.tf | 4 +- kit/azure/meshplatform/main.tf | 12 +- kit/azure/networking/README.md | 109 +++++---- kit/azure/networking/documentation.tf | 3 +- kit/azure/networking/outputs.tf | 4 +- kit/azure/networking/resources.firewall.tf | 2 +- kit/azure/networking/variables.tf | 12 - kit/azure/networking/versions.tf | 9 +- kit/azure/organization-hierarchy/README.md | 20 +- kit/azure/organization-hierarchy/versions.tf | 2 +- kit/azure/pam/README.md | 18 +- kit/azure/pam/main.tf | 4 - kit/azure/pam/versions.tf | 4 +- 112 files changed, 1687 insertions(+), 441 deletions(-) create mode 100644 kit/azure/buildingblocks/automation/versions.tf create mode 100644 kit/azure/buildingblocks/custom-permissions/backplane/README.md create mode 100644 kit/azure/buildingblocks/custom-permissions/backplane/documentation.tf create mode 100644 kit/azure/buildingblocks/custom-permissions/backplane/main.tf create mode 100644 kit/azure/buildingblocks/custom-permissions/backplane/outputs.tf create mode 100644 kit/azure/buildingblocks/custom-permissions/backplane/variables.tf create mode 100644 kit/azure/buildingblocks/custom-permissions/backplane/versions.tf create mode 100644 
kit/azure/buildingblocks/custom-permissions/buildingblock/main.tf create mode 100644 kit/azure/buildingblocks/custom-permissions/buildingblock/variables.tf create mode 100644 kit/azure/buildingblocks/custom-permissions/buildingblock/versions.tf create mode 100644 kit/azure/buildingblocks/github-repo/backplane/versions.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/README.md create mode 100644 kit/azure/buildingblocks/starterkit/backplane/documentation.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/main.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/outputs.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/resources.bbtfstate.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/resources.github.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/resources.starterkit-spn.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/variables.tf create mode 100644 kit/azure/buildingblocks/starterkit/backplane/versions.tf create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/.gitignore create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/main.tf create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/outputs.tf create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/resources.azure.app.tf create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/resources.azure.cicd.tf create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/resources.github.tf create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/variables.tf create mode 100644 kit/azure/buildingblocks/starterkit/buildingblock/versions.tf create mode 100644 kit/azure/landingzones/container-platform/lib/dev/policy_assignments/policy_assignment_collie_allow_only_serverless_resources.tmpl.json create mode 100644 
kit/azure/landingzones/container-platform/lib/policy_definitions/policy_definition_collie_allow_only_serverless_resources.json create mode 100644 kit/azure/landingzones/container-platform/lib/prod/policy_assignments/policy_assignment_collie_allow_only_serverless_resources.tmpl.json create mode 100644 kit/azure/landingzones/corp-online/versions.tf create mode 100644 kit/azure/landingzones/serverless/versions.tf diff --git a/kit/azure/aviatrix/README.md b/kit/azure/aviatrix/README.md index ffa07094..2b123da2 100644 --- a/kit/azure/aviatrix/README.md +++ b/kit/azure/aviatrix/README.md @@ -17,8 +17,9 @@ Aviatrix | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azuread](#requirement\_azuread) | ~> 2.46.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.81.0 | +| [azuread](#requirement\_azuread) | 3.0.2 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | +| [time](#requirement\_time) | 0.11.1 | ## Modules 
@@ -28,23 +29,21 @@ No modules. | Name | Type | |------|------| -| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource | -| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource | -| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource | -| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource | -| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | -| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | -| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource | -| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source | -| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | +| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/app_role_assignment) | resource | +| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/app_role_assignment) | 
resource | +| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/application) | resource | +| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/application_password) | resource | +| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/service_principal) | resource | +| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | +| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource | +| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/application_published_app_ids) | data source | +| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/service_principal) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [allowed\_user\_group\_id](#input\_allowed\_user\_group\_id) | id of the authorized id which can do changes | `list(string)` | n/a | yes | -| [location](#input\_location) | The Azure location used for creating policy assignments establishing this landing zone's guardrails. | `string` | n/a | yes | | [parent\_management\_group](#input\_parent\_management\_group) | id of the tenant management group | `string` | n/a | yes | | [service\_principal\_name](#input\_service\_principal\_name) | id of the tenant management group | `string` | `"avaitrix_deploy_spn"` | no | 
diff --git a/kit/azure/aviatrix/aviatrix.spn.tf b/kit/azure/aviatrix/aviatrix.spn.tf index 148bae83..00d4fb5a 100644 --- a/kit/azure/aviatrix/aviatrix.spn.tf +++ b/kit/azure/aviatrix/aviatrix.spn.tf @@ -91,7 +91,7 @@ resource "azuread_service_principal" "aviatrix_deploy" { resource "azurerm_role_assignment" "aviatrix_deploy" { scope = var.parent_management_group role_definition_id = azurerm_role_definition.aviatrix_deploy.role_definition_resource_id - principal_id = azuread_service_principal.aviatrix_deploy.id + principal_id = azuread_service_principal.aviatrix_deploy.object_id } resource "azuread_app_role_assignment" "aviatrix_deploy-directory" { diff --git a/kit/azure/aviatrix/outputs.tf b/kit/azure/aviatrix/outputs.tf index b31c4a73..61277ada 100644 --- a/kit/azure/aviatrix/outputs.tf +++ b/kit/azure/aviatrix/outputs.tf @@ -8,7 +8,7 @@ output "client_secret" { } output "client_principal_id" { - value = azuread_service_principal.aviatrix_deploy.id + value = azuread_service_principal.aviatrix_deploy.object_id } output "aviatrix_service_principal" { diff --git a/kit/azure/aviatrix/variables.tf b/kit/azure/aviatrix/variables.tf index f64d10ca..2f92a9bb 100644 --- a/kit/azure/aviatrix/variables.tf +++ b/kit/azure/aviatrix/variables.tf @@ -10,14 +10,3 @@ variable "service_principal_name" { default = "avaitrix_deploy_spn" description = "id of the tenant management group" } - -variable "allowed_user_group_id" { - type = list(string) - nullable = false - description = "id of the authorized id which can do changes" -} - -variable "location" { - type = string - description = "The Azure location used for creating policy assignments establishing this landing zone's guardrails." -} diff --git a/kit/azure/aviatrix/versions.tf b/kit/azure/aviatrix/versions.tf index 4da6ddd1..a5ef6c39 100644 --- a/kit/azure/aviatrix/versions.tf +++ b/kit/azure/aviatrix/versions.tf 
@@ -4,12 +4,17 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.81.0" + version = "3.116.0" } azuread = { source = "hashicorp/azuread" - version = "~> 2.46.0" + version = "3.0.2" + } + + time = { + source = "hashicorp/time" + version = "0.11.1" } } } diff --git a/kit/azure/billing/README.md b/kit/azure/billing/README.md index 04fdfec6..addc5bd0 100644 --- a/kit/azure/billing/README.md +++ b/kit/azure/billing/README.md @@ -22,8 +22,8 @@ Microsoft Cost Management is a suite of tools that help organizations monitor, a | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azuread](#requirement\_azuread) | ~> 2.41.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azuread](#requirement\_azuread) | 3.0.2 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -33,15 +33,13 @@ No modules. | Name | Type | |------|------| -| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | -| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | -| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_management_group) | resource | -| [azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource | +| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource | +| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/consumption_budget_management_group) | resource | +| 
[azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | ## Inputs @@ -51,8 +49,8 @@ No modules. | [billing\_reader\_group](#input\_billing\_reader\_group) | the name of the cloud foundation billing reader group | `string` | `"cloudfoundation-billing-readers"` | no | | [budget\_amount](#input\_budget\_amount) | amount of the budget | `number` | `100` | no | | [budget\_name](#input\_budget\_name) | the name of the budget alert | `string` | `"cloudfoundation_budget"` | no | -| [budget\_time\_period](#input\_budget\_time\_period) | the time period of the budget alert |
list(object({
start = string,
end = optional(string),
}))
|
[
{
"end": "2022-07-01T00:00:00Z",
"start": "2022-06-01T00:00:00Z"
}
]
| no | -| [contact\_mails](#input\_contact\_mails) | The email address of the contact person for the cost alert | `list(string)` |
[
"billingmeshi@meshithesheep.io"
]
| no | +| [budget\_time\_period](#input\_budget\_time\_period) | the time period of the budget alert |
list(object({
start = string,
end = optional(string),
}))
|
[
{
"end": "2022-07-01T00:00:00Z",
"start": "2022-06-01T00:00:00Z"
}
]
| no | +| [contact\_mails](#input\_contact\_mails) | The email address of the contact person for the cost alert | `list(string)` |
[
"billingmeshi@meshithesheep.io"
]
| no | | [scope](#input\_scope) | id of the tenant management group | `string` | n/a | yes | ## Outputs diff --git a/kit/azure/billing/documentation.tf b/kit/azure/billing/documentation.tf index 5472ce53..7e4da170 100644 --- a/kit/azure/billing/documentation.tf +++ b/kit/azure/billing/documentation.tf @@ -20,8 +20,8 @@ The following AAD groups control access and are used to implement [Privileged Ac |group|description|object_id| |-|-|-| -| ${azuread_group.billing_admins.display_name} | ${azuread_group.billing_admins.description} | ${azuread_group.billing_admins.id} | -| ${azuread_group.billing_readers.display_name} | ${azuread_group.billing_readers.description} | ${azuread_group.billing_readers.id} | +| ${azuread_group.billing_admins.display_name} | ${azuread_group.billing_admins.description} | ${azuread_group.billing_admins.object_id} | +| ${azuread_group.billing_readers.display_name} | ${azuread_group.billing_readers.description} | ${azuread_group.billing_readers.object_id} | ## How can I review Cost Management data for my subscription diff --git a/kit/azure/billing/outputs.tf b/kit/azure/billing/outputs.tf index 4c267ca6..71ffd17e 100644 --- a/kit/azure/billing/outputs.tf +++ b/kit/azure/billing/outputs.tf @@ -1,7 +1,7 @@ output "billing_admins_azuread_group_id" { - value = azuread_group.billing_admins.id + value = azuread_group.billing_admins.object_id } output "billing_readers_azuread_group_id" { - value = azuread_group.billing_readers.id + value = azuread_group.billing_readers.object_id } diff --git a/kit/azure/billing/resources.group.tf b/kit/azure/billing/resources.group.tf index cbc27540..5564023a 100644 --- a/kit/azure/billing/resources.group.tf +++ b/kit/azure/billing/resources.group.tf 
@@ -1,7 +1,3 @@ -data "azuread_client_config" "current" {} - -data "azurerm_subscription" "current" {} - resource "azuread_group" "billing_admins" { display_name = var.billing_admin_group description = "Privileged Cloud Foundation group. Members can manage billing profiles, reserved instances and have full access to all Azure Cost Management data." diff --git a/kit/azure/billing/versions.tf b/kit/azure/billing/versions.tf index 1f004dd0..7225fc8d 100644 --- a/kit/azure/billing/versions.tf +++ b/kit/azure/billing/versions.tf @@ -4,12 +4,12 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } azuread = { source = "hashicorp/azuread" - version = "~> 2.41.0" + version = "3.0.2" } } } diff --git a/kit/azure/bootstrap/README.md b/kit/azure/bootstrap/README.md index 551122d9..163a714c 100644 --- a/kit/azure/bootstrap/README.md +++ b/kit/azure/bootstrap/README.md @@ -77,7 +77,7 @@ collie foundation deploy --bootstrap -- destroy | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azuread](#requirement\_azuread) | 2.53.1 | +| [azuread](#requirement\_azuread) | 3.0.2 | | [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -90,9 +90,9 @@ collie foundation deploy --bootstrap -- destroy | Name | Type | |------|------| -| [azuread_directory_role.readers](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/directory_role) | resource | -| [azuread_directory_role_assignment.validation_reader](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/directory_role_assignment) | resource | -| [azuread_group.platform_engineers](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource | +| [azuread_directory_role.readers](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/directory_role) | resource | +| [azuread_directory_role_assignment.validation_reader](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/directory_role_assignment) | resource | +| [azuread_group.platform_engineers](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource | | [azurerm_federated_identity_credential.docs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/federated_identity_credential) | resource | | [azurerm_federated_identity_credential.validation](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/federated_identity_credential) | resource | | [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/key_vault) | resource | 
@@ -108,8 +108,8 @@ collie foundation deploy --bootstrap -- destroy | [azurerm_role_definition.validation_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | | [azurerm_user_assigned_identity.docs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/user_assigned_identity) | resource | | [azurerm_user_assigned_identity.validation](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/user_assigned_identity) | resource | -| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/client_config) | data source | -| [azuread_users.platform_engineers_members](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/users) | data source | +| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/client_config) | data source | +| [azuread_users.platform_engineers_members](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/users) | data source | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/client_config) | data source | | [azurerm_management_group.parent](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/management_group) | data source | | [azurerm_role_definition.keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/role_definition) | data source | @@ -119,13 +119,13 @@ collie foundation deploy --bootstrap -- destroy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [documentation\_uami](#input\_documentation\_uami) | read-only UAMI with access to terraform states to generate documentation in CI pipelines |
object({
name = string
# note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373
oidc_subject = string
})
| `null` | no | -| [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. |
object({
name = string,
resource_group_name = string
})
|
{
"name": "cloudfoundation-kv",
"resource_group_name": "cloudfoundation-rg"
}
| no | +| [documentation\_uami](#input\_documentation\_uami) | read-only UAMI with access to terraform states to generate documentation in CI pipelines |
object({
name = string
# note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373
oidc_subject = string
})
| `null` | no | +| [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. |
object({
name = string,
resource_group_name = string
})
|
{
"name": "cloudfoundation-kv",
"resource_group_name": "cloudfoundation-rg"
}
| no | | [parent\_management\_group\_name](#input\_parent\_management\_group\_name) | Name of the management group you want to use as parent for your foundation. | `string` | n/a | yes | -| [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | n/a | yes | -| [platform\_engineers\_members](#input\_platform\_engineers\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage |
list(object({
email = string,
upn = string,
}))
| n/a | yes | -| [terraform\_state\_storage](#input\_terraform\_state\_storage) | Configure this object to enable setting up a terraform state store in Azure Storage. |
object({
location = string,
name = string,
config_file_path = string,
resource_group_name = optional(string)
})
| n/a | yes | -| [validation\_uami](#input\_validation\_uami) | read-only UAMI with access to terraform states and read-only access on the landingzone architecture for validation of the deployment in CI pipelines |
object({
name = string
# note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373
oidc_subject = string
})
| `null` | no | +| [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | `"cloudfoundation-platform-engineers"` | no | +| [platform\_engineers\_members](#input\_platform\_engineers\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage |
list(object({
email = string,
upn = string,
}))
| n/a | yes | +| [terraform\_state\_storage](#input\_terraform\_state\_storage) | Configure this object to enable setting up a terraform state store in Azure Storage. |
object({
location = string,
name = string,
config_file_path = string,
resource_group_name = optional(string)
})
| n/a | yes | +| [validation\_uami](#input\_validation\_uami) | read-only UAMI with access to terraform states and read-only access on the landingzone architecture for validation of the deployment in CI pipelines |
object({
name = string
# note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373
oidc_subject = string
})
| `null` | no | ## Outputs diff --git a/kit/azure/bootstrap/documentation.tf b/kit/azure/bootstrap/documentation.tf index 25b210a4..3546dad2 100644 --- a/kit/azure/bootstrap/documentation.tf +++ b/kit/azure/bootstrap/documentation.tf @@ -1,43 +1,37 @@ output "documentation_md" { value = < ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azuread](#requirement\_azuread) | 3.0.2 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | +| [random](#requirement\_random) | 3.6.0 | +| [time](#requirement\_time) | 0.11.1 | ## Modules 
@@ -36,32 +42,32 @@ No modules. | Name | Type | |------|------| -| [azuread_app_role_assignment.buildingblock-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource | -| [azuread_application.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource | -| [azuread_service_principal.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | -| [azuread_service_principal_password.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource | -| [azurerm_management_group_policy_assignment.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource | -| [azurerm_policy_definition.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource | -| [azurerm_resource_group.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.tfstates_engineers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_definition.buildingblock_plan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | -| [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | 
resource | -| [azurerm_storage_container.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | -| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource | -| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source | -| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | -| [azurerm_key_vault.cf_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | -| [azurerm_role_definition.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azuread_app_role_assignment.buildingblock-directory](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/app_role_assignment) | resource | +| [azuread_application.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/application) | resource | +| [azuread_service_principal.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/service_principal) | resource | +| [azuread_service_principal_password.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/service_principal_password) | resource | +| 
[azurerm_management_group_policy_assignment.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_policy_assignment) | resource | +| [azurerm_policy_definition.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/policy_definition) | resource | +| [azurerm_resource_group.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource | +| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.tfstates_engineers](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_plan](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | +| [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_account) | resource | +| [azurerm_storage_container.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_container) | resource | +| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource | +| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource | +| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/application_published_app_ids) | data source | +| 
[azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/service_principal) | data source | +| [azurerm_key_vault.cf_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/key_vault) | data source | +| [azurerm_role_definition.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/role_definition) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [key\_vault](#input\_key\_vault) | Key Vault configuration |
object({
name = string
resource_group_name = string
})
| n/a | yes | +| [key\_vault](#input\_key\_vault) | Key Vault configuration |
object({
name = string
resource_group_name = string
})
| n/a | yes | | [location](#input\_location) | Azure location for deploying the storage account | `string` | n/a | yes | | [scope](#input\_scope) | n/a | `string` | n/a | yes | | [service\_principal\_name](#input\_service\_principal\_name) | n/a | `string` | n/a | yes | diff --git a/kit/azure/buildingblocks/automation/documentation.tf b/kit/azure/buildingblocks/automation/documentation.tf index ba090f71..df6883c5 100644 --- a/kit/azure/buildingblocks/automation/documentation.tf +++ b/kit/azure/buildingblocks/automation/documentation.tf 
@@ -3,16 +3,25 @@ output "documentation_md" { # πŸ—οΈ Building Blocks Automation Infrastructure -This module automates the deployment of building blocks within Azure. It utilizes service principles for automation. The states of these resources are maintained in a designated storage account. +The Likvid Bank Cloud Foundation team maintains a set of building blocks to help application teams get started on the cloud quickly +and provide common services to all application teams. + +We use some common infrastructure to automate deployment of building blocks from meshStack. ## πŸ› οΈ Service Principal +The building block automation infrastructure uses a service principal to deploy building blocks. +Each building block definition creates the necessary roles and assigns them to this service principal, so that it +has the right permissions to deploy the building block implementation to a target subscription. + | Name | ID | Client ID | | --- | --- | --- | -| `${azuread_service_principal.buildingblock.display_name}` | `${azuread_service_principal.buildingblock.id}` | `${azuread_service_principal.buildingblock.client_id}` | +| `${azuread_service_principal.buildingblock.display_name}` | `${azuread_service_principal.buildingblock.object_id}` | `${azuread_service_principal.buildingblock.client_id}` | ## πŸ—ƒοΈ Storage Account +We maintain all terraform states of deployed building blocks in a central storage account. + | Resource Group | Name | Container Name | | --- | --- | --- | | `${azurerm_resource_group.tfstates.name}` | `${azurerm_storage_account.tfstates.name}` | `${azurerm_storage_container.tfstates.name}` | diff --git a/kit/azure/buildingblocks/automation/main.tf b/kit/azure/buildingblocks/automation/main.tf index e1d251d1..39ba8c35 100644 --- a/kit/azure/buildingblocks/automation/main.tf +++ b/kit/azure/buildingblocks/automation/main.tf 
@@ -2,7 +2,7 @@ data "azurerm_subscription" "current" {} resource "azurerm_role_assignment" "tfstates_engineers" { role_definition_name = "Storage Blob Data Owner" - principal_id = azuread_service_principal.buildingblock.id + principal_id = azuread_service_principal.buildingblock.object_id scope = azurerm_storage_container.tfstates.resource_manager_id } @@ -25,7 +25,7 @@ data "azurerm_role_definition" "keyvault_administrator" { resource "azurerm_role_assignment" "keyvault_administrator" { scope = data.azurerm_key_vault.cf_key_vault.id role_definition_name = data.azurerm_role_definition.keyvault_administrator.name - principal_id = azuread_service_principal.buildingblock.id + principal_id = azuread_service_principal.buildingblock.object_id } locals { @@ -63,7 +63,7 @@ resource "azurerm_role_definition" "buildingblock_plan" { resource "azurerm_role_assignment" "buildingblock_deploy" { role_definition_id = azurerm_role_definition.buildingblock_plan.role_definition_resource_id - principal_id = azuread_service_principal.buildingblock.id + principal_id = azuread_service_principal.buildingblock.object_id scope = var.scope } @@ -131,7 +131,7 @@ resource "azurerm_management_group_policy_assignment" "buildingblock_access" { management_group_id = var.scope parameters = jsonencode({ - principalId = { value = azuread_service_principal.buildingblock.id } + principalId = { value = azuread_service_principal.buildingblock.object_id } managedResourceGroups = { value = local.managedResourceGroups } }) } diff --git a/kit/azure/buildingblocks/automation/outputs.tf b/kit/azure/buildingblocks/automation/outputs.tf index 4c20e11b..590a7c7a 100644 --- a/kit/azure/buildingblocks/automation/outputs.tf +++ b/kit/azure/buildingblocks/automation/outputs.tf @@ -19,7 +19,7 @@ output "container_name" { } output "principal_id" { - value = azuread_service_principal.buildingblock.id + value = azuread_service_principal.buildingblock.object_id } output "client_id" { 
@@ -29,4 +29,4 @@ output "client_id" { output "client_secret" { value = azuread_service_principal_password.buildingblock.value sensitive = true -} \ No newline at end of file +} diff --git a/kit/azure/buildingblocks/automation/resources.bb-spn.tf b/kit/azure/buildingblocks/automation/resources.bb-spn.tf index c1598e57..45ca54cc 100644 --- a/kit/azure/buildingblocks/automation/resources.bb-spn.tf +++ b/kit/azure/buildingblocks/automation/resources.bb-spn.tf @@ -32,4 +32,4 @@ resource "azuread_service_principal_password" "buildingblock" { rotate_when_changed = { rotation = time_rotating.key_rotation.id } -} \ No newline at end of file +} diff --git a/kit/azure/buildingblocks/automation/versions.tf b/kit/azure/buildingblocks/automation/versions.tf new file mode 100644 index 00000000..3f898087 --- /dev/null +++ b/kit/azure/buildingblocks/automation/versions.tf @@ -0,0 +1,26 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "3.116.0" + } + + azuread = { + source = "hashicorp/azuread" + version = "3.0.2" + } + + random = { + source = "hashicorp/random" + version = "3.6.0" + } + + time = { + source = "hashicorp/time" + version = "0.11.1" + } + } +} + diff --git a/kit/azure/buildingblocks/budget-alert/backplane/README.md b/kit/azure/buildingblocks/budget-alert/backplane/README.md index 4982e357..05d00e89 100644 --- a/kit/azure/buildingblocks/budget-alert/backplane/README.md +++ b/kit/azure/buildingblocks/budget-alert/backplane/README.md @@ -19,7 +19,7 @@ across all subscriptions underneath a management group (typically the top-level | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -29,9 +29,8 @@ No modules. | Name | Type | |------|------| -| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | ## Inputs diff --git a/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf b/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf index efd7db87..3f5ab6fc 100644 --- a/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf +++ b/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf 
@@ -9,26 +9,14 @@ mechanism to prevent unintentional cost overruns. We encourage application teams to deploy additional alerts with fine-grained notification rules according to the specific needs of their application and infrastructure. -# πŸ’° Budget Alert Building Block Backplane +## Automation -This module automates the deployment of a Budget Alert building block within Azure. It utilizes the common [Azure Building Blocks Automation Infrastructure](./azure-buildingblocks-automation) +We automate the deployment of a Budget Alert building block using the common [Azure Building Blocks Automation Infrastructure](../automation.md). +In order to deploy this building block, this infrastructure receives the following roles. - -## πŸ› οΈ Role Definition - -| Name | ID | -| --- | --- | -| ${azurerm_role_definition.buildingblock_deploy.name} | ${azurerm_role_definition.buildingblock_deploy.id} | - -## πŸ“ Role Assignments - -| Principal ID | -| --- | -| ${join("\n", [for assignment in azurerm_role_assignment.buildingblock_deploy : assignment.principal_id])} | - -## 🎯 Scope - -- **Scope**: `${var.scope}` +| Role Name | Description | Permissions | +|-----------|-------------|-------------| +| `${azurerm_role_definition.buildingblock_deploy.name}` | ${azurerm_role_definition.buildingblock_deploy.description} | ${join("
", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy.permissions[0].actions))} | EOF description = "Markdown documentation with information about the Budget Alert building block backplane" diff --git a/kit/azure/buildingblocks/budget-alert/backplane/main.tf b/kit/azure/buildingblocks/budget-alert/backplane/main.tf index 417c17d5..253d3781 100644 --- a/kit/azure/buildingblocks/budget-alert/backplane/main.tf +++ b/kit/azure/buildingblocks/budget-alert/backplane/main.tf @@ -1,6 +1,3 @@ -data "azurerm_subscription" "current" { -} - resource "azurerm_role_definition" "buildingblock_deploy" { name = "${var.name}-deploy" description = "Enables deployment of the ${var.name} building block to subscriptions" diff --git a/kit/azure/buildingblocks/budget-alert/backplane/versions.tf b/kit/azure/buildingblocks/budget-alert/backplane/versions.tf index 804ffa0a..f04a3a77 100644 --- a/kit/azure/buildingblocks/budget-alert/backplane/versions.tf +++ b/kit/azure/buildingblocks/budget-alert/backplane/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } } } diff --git a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf index 4917af3d..05954801 100644 --- a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf +++ b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf @@ -4,8 +4,9 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.108.0" + version = "3.116.0" } + time = { source = "hashicorp/time" version = "0.11.1" diff --git a/kit/azure/buildingblocks/connectivity/backplane/README.md b/kit/azure/buildingblocks/connectivity/backplane/README.md index 9cdfdd98..e81efe93 100644 --- a/kit/azure/buildingblocks/connectivity/backplane/README.md +++ b/kit/azure/buildingblocks/connectivity/backplane/README.md 
@@ -24,7 +24,7 @@ An Azure Policy confines the access of the SPN to that resource group. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules @@ -34,9 +34,9 @@ No modules. | Name | Type | |------|------| -| [azurerm_role_assignment.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_definition.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_role_assignment.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source | ## Inputs @@ -44,7 +44,6 @@ No modules. |------|-------------|------|---------|:--------:| | [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes | | [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes | -| [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes | ## Outputs diff --git a/kit/azure/buildingblocks/connectivity/backplane/documentation.tf b/kit/azure/buildingblocks/connectivity/backplane/documentation.tf index ddbd4e3b..27d3d94c 100644 
--- a/kit/azure/buildingblocks/connectivity/backplane/documentation.tf +++ b/kit/azure/buildingblocks/connectivity/backplane/documentation.tf @@ -5,26 +5,14 @@ output "documentation_md" { The Connectivity building block deploys a managed VNet that's connected to Likvid Bank's network hub. This enables on-premise connectivity. -# 🌐 Connectivity Building Block Backplane +## Automation -This module automates the deployment of a Connectivity building block within Azure. It utilizes service principles for automation. The states of these resources are maintained in a designated storage account. +We automates the deployment of a Budget Alert building block using the common [Azure Building Blocks Automation Infrastructure](../automation.md). +In order to deploy this building block, this infrastructure receives the following roles. -## πŸ› οΈ Role Definition - -| Name | ID | -| --- | --- | -| ${azurerm_role_definition.buildingblock_deploy_hub.name} | ${azurerm_role_definition.buildingblock_deploy_hub.id} | - -## πŸ“ Role Assignments - -| Principal ID | -| --- | -| ${join("\n", [for assignment in azurerm_role_assignment.buildingblock_deploy_hub : assignment.principal_id])} | - - -## 🎯 Scope - -- **Scope**: `${var.scope}` +| Role Name | Description | Permissions | +|-----------|-------------|-------------| +| `${azurerm_role_definition.buildingblock_deploy_hub.name}` | ${azurerm_role_definition.buildingblock_deploy_hub.description} | ${join("
", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy_hub.permissions[0].actions))} | EOF description = "Markdown documentation with information about the Connectivity building block backplane" diff --git a/kit/azure/buildingblocks/connectivity/backplane/variables.tf b/kit/azure/buildingblocks/connectivity/backplane/variables.tf index 5f9226b2..94a55259 100644 --- a/kit/azure/buildingblocks/connectivity/backplane/variables.tf +++ b/kit/azure/buildingblocks/connectivity/backplane/variables.tf @@ -8,12 +8,6 @@ variable "name" { } } -variable "scope" { - type = string - nullable = false - description = "Scope where the building block should be deployable, typically the parent of all Landing Zones." -} - variable "principal_ids" { type = set(string) nullable = false diff --git a/kit/azure/buildingblocks/connectivity/backplane/versions.tf b/kit/azure/buildingblocks/connectivity/backplane/versions.tf index 804ffa0a..f04a3a77 100644 --- a/kit/azure/buildingblocks/connectivity/backplane/versions.tf +++ b/kit/azure/buildingblocks/connectivity/backplane/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } } } diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf index 7f45dd0e..b765d9c7 100644 --- a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf +++ b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf @@ -14,6 +14,8 @@ variable "address_space" { type = string } +# this variable is supposed to be used by an injected config.tf file for configuring the azurerm provider +# tflint-ignore: terraform_unused_declarations variable "subscription_id" { type = string description = "The ID of the subscription that you want to deploy the spoke to" 
diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf index 56843d8e..f04e43a9 100644 --- a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf +++ b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf @@ -1,11 +1,11 @@ terraform { - required_version = ">=1.0" + required_version = ">= 1.0" required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.108.0" + version = "3.116.0" configuration_aliases = [azurerm.spoke, azurerm.hub] } diff --git a/kit/azure/buildingblocks/custom-permissions/backplane/README.md b/kit/azure/buildingblocks/custom-permissions/backplane/README.md new file mode 100644 index 00000000..cc51d9e1 --- /dev/null +++ b/kit/azure/buildingblocks/custom-permissions/backplane/README.md 
@@ -0,0 +1,53 @@ +--- +name: Azure Building Block - Custom Permissions +summary: | + Building block module for adding a simple monthly budget alert to a subscription. +--- + +# Azure Subscription Budget Alert + +This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module. + +## Permissions + +This is a very simple building block, which means we let the SPN have access to deploy custom permissions +across all subscriptions underneath a management group (typically the top-level management group for landing zones). + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | name of the building block, used for naming resources | `string` | `"budget-alert"` | no | +| [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes | +| [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the building block | +| [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. 
| +| [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. | +| [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to subscriptions. | +| [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the building block to subscriptions. | +| [scope](#output\_scope) | The scope where the role definition and role assignments are applied. | + \ No newline at end of file diff --git a/kit/azure/buildingblocks/custom-permissions/backplane/documentation.tf b/kit/azure/buildingblocks/custom-permissions/backplane/documentation.tf new file mode 100644 index 00000000..99cdbb58 --- /dev/null +++ b/kit/azure/buildingblocks/custom-permissions/backplane/documentation.tf @@ -0,0 +1,32 @@ +output "documentation_md" { + value = < [azurerm](#requirement\_azurerm) | ~> 3.81.0 | -| [github](#requirement\_github) | 5.34.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | +| [github](#requirement\_github) | 5.42.0 | ## Modules 
@@ -42,9 +42,9 @@ No modules. | Name | Type | |------|------| -| [github_repository.repository](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository) | resource | -| [azurerm_key_vault.cloudfoundation_keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | -| [azurerm_key_vault_secret.github_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | +| [github_repository.repository](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository) | resource | +| [azurerm_key_vault.cloudfoundation_keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/key_vault) | data source | +| [azurerm_key_vault_secret.github_token](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/key_vault_secret) | data source | ## Inputs diff --git a/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf b/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf index 26c6cda5..1013520f 100644 --- a/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf +++ b/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf @@ -2,11 +2,11 @@ terraform { required_providers { github = { source = "integrations/github" - version = "5.34.0" + version = "5.42.0" } azurerm = { source = "hashicorp/azurerm" - version = "~> 3.81.0" + version = "3.116.0" } } } diff --git a/kit/azure/buildingblocks/starterkit/backplane/README.md b/kit/azure/buildingblocks/starterkit/backplane/README.md new file mode 100644 index 00000000..8f00b9f2 --- /dev/null +++ b/kit/azure/buildingblocks/starterkit/backplane/README.md 
@@ -0,0 +1,227 @@ +--- +name: Starter Kits +summary: | + Offers templates for application teams to get started quickly with deploying their applications on the cloud while following best practices. +compliance: +- control: cfmm/service-ecosystem/managed-devops-toolchain + statement: | + Provides a GitHub repository set up to deploy against Azure Subscriptions using Workload Identity Federation. +- control: cfmm/iam/service-account-management + statement: | + Automatically manages service principals for CI/CD pipelines using Workload Identity Federation. +--- + +# Starter Kits + +This is an implementation of "Cloud Starter Kits" that provides application teams with + +- a GitHub repository, seeded with an application starter kit +- a GitHub actions pipeline +- a service account solution that enables the GitHub actions pipeline to deploy to their Azure Subscription + +## Prerequisites + +### GitHub App + +Apart from an Azure Landing Zone (we recommend using starter kits only with Sandbox Landing Zones) you will need a +GitHub organization and the ability to [create and install a private GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) on the organization. This app will need the following permissions + +- Permissions + - `Read access to metadata and organization administration` + - ` Read and write access to actions, administration, code, secrets, and workflows` +- Repository access: `All repositories` + +You will also need to generate a private key `.PEM` file for the app to be used by the [github terraform provider](https://registry.terraform.io/providers/integrations/github/latest/docs#github-app-installation) when deploying instances of the `buildingblock/` module. + + +### Template Repository + +You will also need a template repository that contains code and GitHub actions pipelines. 
The "official example" +that we use for testing is [likvid-bank/starterkit-template-azure-static-website](https://github.com/likvid-bank/starterkit-template-azure-static-website). +This template sets up an Azure Static Website including a PR workflow for terraform and code. + +## Structure of this Kit module + +This kit module comes with three components, each responsible for enabling deployment of the next + +- the kit module itself, acting as the building block's "backplane" that sets up all required infrastructure for deploying starterkits for application teams +- a terraform module that forms the definition for each "building block", i.e. the instance of the starterkit deployed for a particular application team including a GitHub repo and GitHub actions pipeline +- terraform code that lives in the starterkit template, deployed by a GitHub actions pipeline + +The following sections explain these parts in more detail + +### Deployment of the Building Block backplane + +Before we can deploy building blocks, we need to first set up the backplane. This operation is only performed once by deploying this kit module using collie as any other kit module with `collie kit apply` and `collie foundation deploy`. + +> Unforutnately it's currently not possible to setup a GitHub app via terraform, so please perform this manually. + +This will deploy the following resources: + +```mermaid +flowchart TD + subgraph github[GitHub Organization] + ghapp[GitHub App] + ghrepotemplate[GitHub Template Repository] + end + subgraph Azure + subgraph bbsub[Building Block Backplane Subscription] + bbsubtfstate[StarterKit BB TF State] + bbspn[StarterKit SPN] + + end + end + + BB((Starter Kit
Building Block)) + + BB --> github + BB --> Azure + bbspn --Storage Blob Owner--> bbsubtfstate + + +``` + +### Deployment of a Building Block + +Now that we the backplane deployed, we can use the backplane to deploy an instance of the [buildingblock](./buildingblock/) terraform module into a sandbox subscription supplied by the application team. +The easiest way to do this is to create a building block definition from the `buildingblock` terraform module in meshStack and configure it with the `config_tf` file produced by the backplane module. + +The chart below shows the interaction of cloud resources when deploying a new building block using the backplane: + +```mermaid +flowchart TD + subgraph GitHub[GitHub Organization] + ghapp[GitHub App] + subgraph ghrepo [GitHub Repo] + ghpipeline[Deploy Pipeline] + end + ghrepotemplate[GitHub Template Repository] + end + subgraph Azure + subgraph bbsub[Building Block Backplane Subscription] + bbsubtfstate[StarterKit BB TF State] + bbspn[StarterKit SPN] + + end + subgraph sbsub[Sandbox Subscription] + subgraph rgcicd[Resource Group ci-cd] + ghactionsuami[UAMI for GitHub Actions] + sbsubtfstate[Pipeline TF State] + end + subgraph rgapp[Resource Group app] + staticwebsite + end + end + end + + BB((Starter Kit Building Block)) + + ghapp -.deploys.-> ghrepo + bbspn -.deploys.-> rgcicd + bbspn -.deploys.-> rgapp + BB -.via github provider.-> ghapp + BB -.via azurerm provider.-> bbspn + ghrepotemplate -.from template.-> ghrepo + ghactionsuami --Storage Blob Owner--> sbsubtfstate + ghpipeline --Workload Identity Federation--> ghactionsuami + bbspn --Storage Blob Owner--> bbsubtfstate + ghactionsuami --Owner--> rgapp + + linkStyle 0,1,2,3,4,5 stroke:#ff3,stroke-width:4px; +``` + +## Deployment of the App + +Now that we have the application team's sandbox subscription and their GitHub repository configured, the team can use the setup to deploy their `staticwebsite` app. 
+ +```mermaid +flowchart TD + subgraph GitHub[GitHub Organization] + subgraph ghrepo [GitHub Repo] + ghpipeline[Deploy Pipeline] + end + end + subgraph Azure + subgraph sbsub[Sandbox Subscription] + subgraph rgcicd[Resource Group ci-cd] + ghactionsuami[UAMI for GitHub Actions] + sbsubtfstate[Pipeline TF State] + end + subgraph rgapp[Resource Group app] + staticwebsite + end + end + end + + ghactionsuami -.deploys.-> staticwebsite + + ghactionsuami --Storage Blob Owner--> sbsubtfstate + ghpipeline --Workload Identity Federation--> ghactionsuami + ghactionsuami --Owner--> rgapp + + linkStyle 0 stroke:#ff3,stroke-width:4px; + +``` + +## Creating Custom Starter Kits + +Using this kit module as a template, you can quickly develop similar starter kits. +You will typically only need to customize the template repository with code and GitHub Actions workflows. + +For advanced use cases, you can of course also want to customize the `buildingblock/` terraform module itself or even the backplane terraform module. + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azuread](#requirement\_azuread) | 3.0.2 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | +| [github](#requirement\_github) | 5.42.0 | +| [random](#requirement\_random) | 3.6.0 | +| [time](#requirement\_time) | 0.11.1 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [azuread_app_role_assignment.starterkit-directory](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/app_role_assignment) | resource | +| [azuread_application.starterkit](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/application) | resource | +| [azuread_service_principal.starterkit](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/service_principal) | resource | +| [azuread_service_principal_password.starterkit](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/service_principal_password) | resource | +| [azurerm_resource_group.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource | +| [azurerm_role_assignment.starterkit_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.terraform_state](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.starterkit_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | +| [azurerm_role_definition.starterkit_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | +| [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_account) | resource | +| [azurerm_storage_container.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_container) | resource | +| [github_repository.staticwebsite_template](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository) | resource | +| 
[random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource | +| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource | +| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/application_published_app_ids) | data source | +| [azuread_group.project_admins](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/group) | data source | +| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/service_principal) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [github\_app\_id](#input\_github\_app\_id) | id of your GitHub App | `number` | n/a | yes | +| [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | id of your GitHub App installation as it appears in URLs on GitHub.com | `number` | n/a | yes | +| [github\_org](#input\_github\_org) | id of your GitHub organization as it appears in URLs on GitHub.com | `string` | n/a | yes | +| [location](#input\_location) | Azure location for deploying the building block terraform state storage account | `string` | n/a | yes | +| [scope](#input\_scope) | Scope where the building block should be deployable, typically a Sandbox Landing Zone Management Group | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [config\_tf](#output\_config\_tf) | Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block. 
| +| [documentation\_md](#output\_documentation\_md) | n/a | + \ No newline at end of file diff --git a/kit/azure/buildingblocks/starterkit/backplane/documentation.tf b/kit/azure/buildingblocks/starterkit/backplane/documentation.tf new file mode 100644 index 00000000..1d7b9bf8 --- /dev/null +++ b/kit/azure/buildingblocks/starterkit/backplane/documentation.tf @@ -0,0 +1,39 @@ +output "documentation_md" { + value = < Starter Kits are meant to be used in [Sandbox Landing Zones](./azure-landingzones-sandbox.md) for learning and experimentation only. + +The easiest way to get started with a Starter Kit is to search for "Starter Kit" in the Likvid Bank Cloud Portal +Marketplace and let the portal help you add it to a Sandbox Subscription (or create a new one if you don't have one yet). + +Starter Kits will create a (private) GitHub repository for you in our [GitHub Organization](https://github.com/${var.github_org}). +You will find the URL for your repository in the Starter Kit building block output tab. Please review the `README.md` +of that repository for further instructions and inspiration for working with the starter kit. + +## Next Steps when using a Starter Kit + +Once you are happy with your results, please provision a [Cloud-Native Landing Zone](./azure-landingzones-cloud-native.md) and fork-and-own the +starter kit template, including the infrastructure set up by the starter kit building block. We recommend this policy, +because for productive use cases you will eventually need to customize the way your CI/CD pipeline interacts with the +cloud. See [Secure DevOps Best Practices](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops) +for a good overview of securing production pipelines. + +## Automation + +This building block uses its own dedicated service principal `${azuread_application.starterkit.display_name}` to automate deployment +of required resources to your Azure subscription. + +EOF +} 
diff --git a/kit/azure/buildingblocks/starterkit/backplane/main.tf b/kit/azure/buildingblocks/starterkit/backplane/main.tf new file mode 100644 index 00000000..43935a5b --- /dev/null +++ b/kit/azure/buildingblocks/starterkit/backplane/main.tf 
@@ -0,0 +1,67 @@ +# configure our logging subscription +data "azurerm_subscription" "current" { +} + +resource "azurerm_role_assignment" "terraform_state" { + role_definition_name = "Storage Blob Data Owner" + principal_id = azuread_service_principal.starterkit.object_id + scope = azurerm_storage_container.tfstates.resource_manager_id +} + +# DESIGN: we don't want to permanently hold permissions on all subscriptions via the MG hierarchy +# this is mean to work in conjunction with the conditional assignment below +resource "azurerm_role_definition" "starterkit_access" { + name = "${azuread_service_principal.starterkit.display_name}-access" + description = "Allow self-assignment of a role in order access an application team's subscription for deployment" + scope = var.scope + assignable_scopes = [var.scope] + + permissions { + actions = [ + "Microsoft.Authorization/roleAssignments/*" + ] + } +} + +resource "azurerm_role_definition" "starterkit_deploy" { + name = "${azuread_service_principal.starterkit.display_name}-deploy" + description = "Enables deployment of starter kits to applicaiton team subscriptions" + scope = var.scope + + permissions { + actions = [ + "Microsoft.Authorization/*/read", + "Microsoft.Authorization/roleDefinitions/*", + "Microsoft.Authorization/roleAssignments/*", + "Microsoft.Resources/subscriptions/resourceGroups/*", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.ManagedIdentity/*" + ] + } +} + +resource "azurerm_role_assignment" "starterkit_access" { + role_definition_id = azurerm_role_definition.starterkit_access.role_definition_resource_id + + description = "Allow the ${azuread_service_principal.starterkit.display_name} SPN to grant itself permissions on an application team's subscription to deploy a starterkit building block." 
+ principal_id = azuread_service_principal.starterkit.object_id + scope = var.scope + + condition_version = "2.0" + + # what this does: if the request is not a write and not a delete, pass, else check that it only contains the expected role definition id + + condition = <<-EOT +( + !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) + AND + !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}) +) +OR +( + @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${azurerm_role_definition.starterkit_deploy.role_definition_id}} + AND + @Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {${azuread_service_principal.starterkit.object_id}} +) +EOT +} \ No newline at end of file diff --git a/kit/azure/buildingblocks/starterkit/backplane/outputs.tf b/kit/azure/buildingblocks/starterkit/backplane/outputs.tf new file mode 100644 index 00000000..2655e715 --- /dev/null +++ b/kit/azure/buildingblocks/starterkit/backplane/outputs.tf @@ -0,0 +1,59 @@ +output "config_tf" { + description = "Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block." + sensitive = true + value = < [terraform](#requirement\_terraform) | >= 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -29,9 +29,8 @@ No modules. | Name | Type | |------|------| -| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | ## Inputs diff --git a/kit/azure/buildingblocks/subscription/backplane/documentation.tf b/kit/azure/buildingblocks/subscription/backplane/documentation.tf index 33853898..fccf1885 100644 --- a/kit/azure/buildingblocks/subscription/backplane/documentation.tf +++ b/kit/azure/buildingblocks/subscription/backplane/documentation.tf 
@@ -7,26 +7,15 @@ This building block deploys default configuration for a subscription. - Enforces subscription naming policy - Ensures subscriptions are placed correctly in the resource hierarchy -# πŸ“š Subscription Building Block Backplane +# Automation -This module automates the deployment of a Subscription building block within Azure. It utilizes service principles for automation. The states of these resources are maintained in a designated storage account. +We automates the deployment of a Budget Alert building block using the common [Azure Building Blocks Automation Infrastructure](../automation.md). +In order to deploy this building block, this infrastructure receives the following roles. -## πŸ› οΈ Role Definition +| Role Name | Description | Permissions | +|-----------|-------------|-------------| +| `${azurerm_role_definition.buildingblock_deploy.name}` | ${azurerm_role_definition.buildingblock_deploy.description} | ${join("
", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy.permissions[0].actions))} | -| Name | ID | -| --- | --- | -| ${azurerm_role_definition.buildingblock_deploy.name} | ${azurerm_role_definition.buildingblock_deploy.id} | - -## πŸ“ Role Assignments - -| Principal ID | -| --- | -| ${join("\n", [for assignment in azurerm_role_assignment.buildingblock_deploy : assignment.principal_id])} | - - -## 🎯 Scope - -- **Scope**: `${var.scope}` EOF description = "Markdown documentation with information about the Subscription building block backplane" diff --git a/kit/azure/buildingblocks/subscription/backplane/main.tf b/kit/azure/buildingblocks/subscription/backplane/main.tf index e810d38d..02b1f98a 100644 --- a/kit/azure/buildingblocks/subscription/backplane/main.tf +++ b/kit/azure/buildingblocks/subscription/backplane/main.tf @@ -1,6 +1,3 @@ -data "azurerm_subscription" "current" { -} - resource "azurerm_role_definition" "buildingblock_deploy" { name = "${var.name}-deploy" description = "Enables deployment of the ${var.name} building block to subscriptions" diff --git a/kit/azure/buildingblocks/subscription/backplane/versions.tf b/kit/azure/buildingblocks/subscription/backplane/versions.tf index a0c42f5d..ca8cf1fd 100644 --- a/kit/azure/buildingblocks/subscription/backplane/versions.tf +++ b/kit/azure/buildingblocks/subscription/backplane/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } } } diff --git a/kit/azure/buildingblocks/subscription/buildingblock/main.tf b/kit/azure/buildingblocks/subscription/buildingblock/main.tf index 81ac514b..cd98106b 100644 --- a/kit/azure/buildingblocks/subscription/buildingblock/main.tf +++ b/kit/azure/buildingblocks/subscription/buildingblock/main.tf 
@@ -2,12 +2,12 @@ data "azurerm_subscription" "current" { } # workaround for https://github.com/hashicorp/terraform-provider-azurerm/issues/23014 -resource "terraform_data" "subscription_name" { - provisioner "local-exec" { - when = create - command = "az account subscription rename --id ${data.azurerm_subscription.current.subscription_id} --name ${var.subscription_name}" - } -} +# resource "terraform_data" "subscription_name" { +# provisioner "local-exec" { +# when = create +# command = "az account subscription rename --id ${data.azurerm_subscription.current.subscription_id} --name ${var.subscription_name}" +# } +# } // control placement in the LZ hierarchy diff --git a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf index 374ea43b..ca8cf1fd 100644 --- a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf +++ b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.108.0" + version = "3.116.0" } } } diff --git a/kit/azure/landingzones/cloud-native/README.md b/kit/azure/landingzones/cloud-native/README.md index 152ea844..6d572f03 100644 --- a/kit/azure/landingzones/cloud-native/README.md +++ b/kit/azure/landingzones/cloud-native/README.md @@ -22,7 +22,7 @@ The kit will create a dev group and a prod management groups. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -32,9 +32,9 @@ No modules. | Name | Type | |------|------| -| [azurerm_management_group.cloudnative](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | +| [azurerm_management_group.cloudnative](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | ## Inputs diff --git a/kit/azure/landingzones/cloud-native/versions.tf b/kit/azure/landingzones/cloud-native/versions.tf index a0c42f5d..ca8cf1fd 100644 --- a/kit/azure/landingzones/cloud-native/versions.tf +++ b/kit/azure/landingzones/cloud-native/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } } } diff --git a/kit/azure/landingzones/container-platform/README.md b/kit/azure/landingzones/container-platform/README.md index 5553795b..4a40dcf4 100644 --- a/kit/azure/landingzones/container-platform/README.md +++ b/kit/azure/landingzones/container-platform/README.md 
@@ -19,35 +19,44 @@ The Container Platform Landing Zone is a pre-configured environment designed to | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.102.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules | Name | Source | Version | |------|--------|---------| | [policy\_container\_platform](#module\_policy\_container\_platform) | github.com/meshcloud/collie-hub//kit/azure/util/azure-policies | 7c356a7 | +| [policy\_container\_platform\_dev](#module\_policy\_container\_platform\_dev) | github.com/meshcloud/collie-hub//kit/azure/util/azure-policies | 7c356a7 | +| [policy\_container\_platform\_prod](#module\_policy\_container\_platform\_prod) | github.com/meshcloud/collie-hub//kit/azure/util/azure-policies | 7c356a7 | ## Resources | Name | Type | |------|------| -| [azurerm_management_group.container_platform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | +| [azurerm_management_group.container_platform](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [landingzones](#input\_landingzones) | The parent\_management\_group where your landingzones are | `string` | 
`"landingzones"` | no | | [location](#input\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. | `string` | `"germanywestcentral"` | no | -| [name](#input\_name) | n/a | `string` | `"container-platform"` | no | +| [lz-container-platform](#input\_lz-container-platform) | n/a | `string` | `"container-platform"` | no | | [parent\_management\_group\_id](#input\_parent\_management\_group\_id) | The tenant management group of your cloud foundation | `string` | `"foundation"` | no | ## Outputs | Name | Description | |------|-------------| +| [dev\_management\_display\_name](#output\_dev\_management\_display\_name) | n/a | +| [dev\_management\_id](#output\_dev\_management\_id) | n/a | | [documentation\_md](#output\_documentation\_md) | n/a | +| [management\_display\_name](#output\_management\_display\_name) | n/a | | [management\_id](#output\_management\_id) | n/a | +| [policy\_container\_platform\_assignments](#output\_policy\_container\_platform\_assignments) | n/a | +| [policy\_container\_platform\_dev\_assignments](#output\_policy\_container\_platform\_dev\_assignments) | n/a | +| [policy\_container\_platform\_prod\_assignments](#output\_policy\_container\_platform\_prod\_assignments) | n/a | +| [prod\_management\_display\_name](#output\_prod\_management\_display\_name) | n/a | +| [prod\_management\_id](#output\_prod\_management\_id) | n/a | diff --git a/kit/azure/landingzones/container-platform/documentation.tf b/kit/azure/landingzones/container-platform/documentation.tf index 297c4e7f..e89edd62 100644 --- a/kit/azure/landingzones/container-platform/documentation.tf +++ b/kit/azure/landingzones/container-platform/documentation.tf @@ -1,30 +1,18 @@ output "documentation_md" { value = < ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -33,10 +36,10 @@ No requirements. | Name | Type | |------|------| -| [azurerm_management_group.corp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.online](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | +| [azurerm_management_group.corp](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.online](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | ## Inputs 
@@ -44,7 +47,6 @@ No requirements. |------|-------------|------|---------|:--------:| | [cloudfoundation](#input\_cloudfoundation) | the name of your cloudfoundation | `string` | n/a | yes | | [corp](#input\_corp) | n/a | `string` | `"corp"` | no | -| [landingzones](#input\_landingzones) | The parent\_management\_group where your landingzones are | `string` | `"lv-landingzones"` | no | | [location](#input\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. | `string` | `"germanywestcentral"` | no | | [online](#input\_online) | n/a | `string` | `"online"` | no | | [parent\_management\_group\_id](#input\_parent\_management\_group\_id) | The tenant management group of your cloud foundation | `string` | `"lv-foundation"` | no | @@ -54,7 +56,9 @@ No requirements. | Name | Description | |------|-------------| +| [corp\_dev\_id](#output\_corp\_dev\_id) | id of the corp dev management group | | [corp\_id](#output\_corp\_id) | id of the corp management group | +| [corp\_prod\_id](#output\_corp\_prod\_id) | id of the corp prod management group | | [documentation\_md](#output\_documentation\_md) | n/a | | [online\_id](#output\_online\_id) | id of the online management group | diff --git a/kit/azure/landingzones/corp-online/main.tf b/kit/azure/landingzones/corp-online/main.tf index 06468fcb..40ee50c0 100644 --- a/kit/azure/landingzones/corp-online/main.tf +++ b/kit/azure/landingzones/corp-online/main.tf @@ -27,8 +27,8 @@ module "policy_corp" { location = var.location template_file_variables = { - default_location = "${var.location}" - connectivity_location = "${var.location}" + default_location = var.location + connectivity_location = var.location current_scope_resource_id = azurerm_management_group.corp.id root_scope_resource_id = azurerm_management_group.corp.id vnet_address_space_id = var.vnet_address_space_id 
@@ -44,7 +44,7 @@ module "policy_online" { location = var.location template_file_variables = { - default_location = "${var.location}" + default_location = var.location current_scope_resource_id = azurerm_management_group.online.id root_scope_resource_id = azurerm_management_group.online.id } diff --git a/kit/azure/landingzones/corp-online/outputs.tf b/kit/azure/landingzones/corp-online/outputs.tf index 59ea1bc3..3d80b614 100644 --- a/kit/azure/landingzones/corp-online/outputs.tf +++ b/kit/azure/landingzones/corp-online/outputs.tf @@ -3,6 +3,16 @@ output "corp_id" { value = azurerm_management_group.corp.id } +output "corp_dev_id" { + description = "id of the corp dev management group" + value = azurerm_management_group.dev.id +} + +output "corp_prod_id" { + description = "id of the corp prod management group" + value = azurerm_management_group.prod.id +} + output "online_id" { description = "id of the online management group" value = azurerm_management_group.online.id diff --git a/kit/azure/landingzones/corp-online/variables.tf b/kit/azure/landingzones/corp-online/variables.tf index 00f2e63a..2bedfb51 100644 --- a/kit/azure/landingzones/corp-online/variables.tf +++ b/kit/azure/landingzones/corp-online/variables.tf @@ -9,11 +9,6 @@ variable "cloudfoundation" { description = "the name of your cloudfoundation" } -variable "landingzones" { - description = "The parent_management_group where your landingzones are" - default = "lv-landingzones" -} - variable "corp" { default = "corp" } diff --git a/kit/azure/landingzones/corp-online/versions.tf b/kit/azure/landingzones/corp-online/versions.tf new file mode 100644 index 00000000..ca8cf1fd --- /dev/null +++ b/kit/azure/landingzones/corp-online/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "3.116.0" + } + } +} 
diff --git a/kit/azure/landingzones/sandbox/README.md b/kit/azure/landingzones/sandbox/README.md index 6f7444bb..b1645e2f 100644 --- a/kit/azure/landingzones/sandbox/README.md +++ b/kit/azure/landingzones/sandbox/README.md @@ -23,7 +23,7 @@ This kit provides a Terraform configuration for setting a sandbox landing zone m | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules @@ -35,7 +35,7 @@ This kit provides a Terraform configuration for setting a sandbox landing zone m | Name | Type | |------|------| -| [azurerm_management_group.sandbox](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | +| [azurerm_management_group.sandbox](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | ## Inputs diff --git a/kit/azure/landingzones/sandbox/main.tf b/kit/azure/landingzones/sandbox/main.tf index fa392a03..d452beec 100644 --- a/kit/azure/landingzones/sandbox/main.tf +++ b/kit/azure/landingzones/sandbox/main.tf @@ -11,7 +11,7 @@ module "policy_sandbox" { location = var.location template_file_variables = { - default_location = "${var.location}" + default_location = var.location current_scope_resource_id = azurerm_management_group.sandbox.id root_scope_resource_id = azurerm_management_group.sandbox.id } diff --git a/kit/azure/landingzones/sandbox/versions.tf b/kit/azure/landingzones/sandbox/versions.tf index a0c42f5d..ca8cf1fd 100644 --- a/kit/azure/landingzones/sandbox/versions.tf +++ b/kit/azure/landingzones/sandbox/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } } } diff --git a/kit/azure/landingzones/serverless/README.md b/kit/azure/landingzones/serverless/README.md index ce74b074..2caf7ca3 100644 
--- a/kit/azure/landingzones/serverless/README.md +++ b/kit/azure/landingzones/serverless/README.md @@ -16,7 +16,10 @@ This kit provides a Terraform configuration for setting up Azure Management Grou ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules @@ -28,13 +31,12 @@ No requirements. | Name | Type | |------|------| -| [azurerm_management_group.serverless](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | +| [azurerm_management_group.serverless](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [landingzones](#input\_landingzones) | The parent\_management\_group where your landingzones are | `string` | `"lv-landingzones"` | no | | [location](#input\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. | `string` | `"germanywestcentral"` | no | | [lz-serverless](#input\_lz-serverless) | n/a | `string` | `"serverless"` | no | | [parent\_management\_group\_id](#input\_parent\_management\_group\_id) | The tenant management group of your cloud foundation | `string` | `"lv-foundation"` | no | diff --git a/kit/azure/landingzones/serverless/main.tf b/kit/azure/landingzones/serverless/main.tf index 31682c6e..12c7f844 100644 --- a/kit/azure/landingzones/serverless/main.tf +++ b/kit/azure/landingzones/serverless/main.tf @@ -11,7 +11,7 @@ module "policy_serverless" { location = var.location template_file_variables = { - default_location = "${var.location}" + default_location = var.location current_scope_resource_id = azurerm_management_group.serverless.id root_scope_resource_id = azurerm_management_group.serverless.id } 
diff --git a/kit/azure/landingzones/serverless/variables.tf b/kit/azure/landingzones/serverless/variables.tf index 2c7182d5..fed99062 100644 --- a/kit/azure/landingzones/serverless/variables.tf +++ b/kit/azure/landingzones/serverless/variables.tf @@ -3,11 +3,6 @@ variable "parent_management_group_id" { default = "lv-foundation" } -variable "landingzones" { - description = "The parent_management_group where your landingzones are" - default = "lv-landingzones" -} - variable "lz-serverless" { default = "serverless" } diff --git a/kit/azure/landingzones/serverless/versions.tf b/kit/azure/landingzones/serverless/versions.tf new file mode 100644 index 00000000..ca8cf1fd --- /dev/null +++ b/kit/azure/landingzones/serverless/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "3.116.0" + } + } +} diff --git a/kit/azure/logging/README.md b/kit/azure/logging/README.md index 5f5f1db7..7be2442c 100644 --- a/kit/azure/logging/README.md +++ b/kit/azure/logging/README.md @@ -42,8 +42,8 @@ AzureActivity |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | | [azapi](#requirement\_azapi) | ~> 1.12.1 | -| [azuread](#requirement\_azuread) | ~> 2.41.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azuread](#requirement\_azuread) | 3.0.2 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -56,20 +56,20 @@ AzureActivity | Name | Type | |------|------| | [azapi_resource.diag_setting_management_group](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) | resource | -| [azuread_group.security_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | -| [azuread_group.security_auditors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | -| [azurerm_log_analytics_workspace.law](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource | -| [azurerm_management_group_subscription_association.logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_subscription_association) | resource | -| [azurerm_resource_group.law_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.security_admins](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.security_admins_law](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.security_auditors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.security_auditors_law](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| 
[azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | +| [azuread_group.security_admins](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource | +| [azuread_group.security_auditors](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource | +| [azurerm_log_analytics_workspace.law](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/log_analytics_workspace) | resource | +| [azurerm_management_group_subscription_association.logging](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_subscription_association) | resource | +| [azurerm_resource_group.law_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource | +| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.logging](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.security_admins](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.security_admins_law](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.security_auditors](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.security_auditors_law](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| 
[azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | | [terraform_data.subscription_name](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source | ## Inputs diff --git a/kit/azure/logging/documentation.tf b/kit/azure/logging/documentation.tf index 7ab4d347..5f4f78e6 100644 --- a/kit/azure/logging/documentation.tf +++ b/kit/azure/logging/documentation.tf @@ -19,8 +19,8 @@ The following AAD groups control access and are used to implement [Privileged Ac |group|description|object_id| |-|-|-| -| ${azuread_group.security_admins.display_name} | ${azuread_group.security_admins.description} | ${azuread_group.security_admins.id} | -| ${azuread_group.security_auditors.display_name} | ${azuread_group.security_auditors.description} | ${azuread_group.security_auditors.id} | +| ${azuread_group.security_admins.display_name} | ${azuread_group.security_admins.description} | ${azuread_group.security_admins.object_id} | +| ${azuread_group.security_auditors.display_name} | ${azuread_group.security_auditors.description} | ${azuread_group.security_auditors.object_id} | ## How can I access Activity Logs for my subscription? diff --git a/kit/azure/logging/outputs.tf b/kit/azure/logging/outputs.tf index 594769ae..cbb43f45 100644 --- a/kit/azure/logging/outputs.tf +++ b/kit/azure/logging/outputs.tf 
@@ -1,9 +1,9 @@ output "security_admins_azuread_group_id" { - value = azuread_group.security_admins.id + value = azuread_group.security_admins.object_id } output "security_auditors_azuread_group_id" { - value = azuread_group.security_auditors.id + value = azuread_group.security_auditors.object_id } output "logging_subscription" { diff --git a/kit/azure/logging/versions.tf b/kit/azure/logging/versions.tf index 7fbbf1a9..5dc1cd78 100644 --- a/kit/azure/logging/versions.tf +++ b/kit/azure/logging/versions.tf @@ -4,12 +4,12 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } azuread = { source = "hashicorp/azuread" - version = "~> 2.41.0" + version = "3.0.2" } azapi = { diff --git a/kit/azure/meshplatform/main.tf b/kit/azure/meshplatform/main.tf index f083d869..8e5db5bd 100644 --- a/kit/azure/meshplatform/main.tf +++ b/kit/azure/meshplatform/main.tf @@ -6,10 +6,14 @@ module "meshplatform" { source = "registry.terraform.io/meshcloud/meshplatform/azure" version = "0.6.0" - metering_enabled = var.metering_enabled - metering_service_principal_name = var.metering_service_principal_name - metering_assignment_scopes = var.metering_assignment_scopes - sso_enabled = var.sso_enabled + metering_enabled = var.metering_enabled + metering_service_principal_name = var.metering_service_principal_name + metering_assignment_scopes = var.metering_assignment_scopes + + sso_enabled = var.sso_enabled + sso_meshstack_redirect_uri = var.sso_meshstack_redirect_uri + sso_service_principal_name = var.sso_service_principal_name + replicator_enabled = var.replicator_enabled replicator_rg_enabled = var.replicator_rg_enabled replicator_service_principal_name = var.replicator_service_principal_name diff --git a/kit/azure/networking/README.md b/kit/azure/networking/README.md index 07f129b7..05407e35 100644 --- a/kit/azure/networking/README.md +++ b/kit/azure/networking/README.md 
@@ -21,8 +21,9 @@ on the internet. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azuread](#requirement\_azuread) | ~> 2.41.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.85.0 | +| [azuread](#requirement\_azuread) | 3.0.2 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | +| [random](#requirement\_random) | 3.6.0 | ## Modules 
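Review bot: the Requirements table in kit/azure/networking/README.md now lists exact versions (`3.0.2`, `3.116.0`, `3.6.0`) where it listed `~>` ranges before, and azuread crosses a major version (`~> 2.41.0` to `3.0.2`). An exact constraint inside a reusable kit module forces every configuration that composes it onto the same provider build, and patch releases are never picked up without another sync commit. If the pin is deliberate, state that in the kit README; if not, `~> 3.116.0` and `~> 3.0.2` keep patch updates while still excluding the next minor. The same applies to the `version = "3.116.0"` and `version = "3.0.2"` lines in kit/azure/logging/versions.tf.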
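Review bot: in kit/azure/meshplatform/main.tf the module call gains `sso_meshstack_redirect_uri = var.sso_meshstack_redirect_uri` and `sso_service_principal_name = var.sso_service_principal_name`, but the module `version` stays at "0.6.0" and no hunk shown here declares the two variables. Please confirm that the kit's variables.tf declares both in this commit and that release 0.6.0 of the module accepts these arguments, otherwise validation fails on an undeclared variable or unsupported argument. Because the first value is an SSO redirect URI, a `validation` block on the kit variable that requires an https:// value would also be worth adding.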
@@ -32,51 +33,51 @@ No modules. | Name | Type | |------|------| -| [azuread_group.network_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | -| [azurerm_firewall.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) | resource | -| [azurerm_firewall_application_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_application_rule_collection) | resource | -| [azurerm_firewall_nat_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_nat_rule_collection) | resource | -| [azurerm_firewall_network_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_network_rule_collection) | resource | -| [azurerm_management_group_subscription_association.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_subscription_association) | resource | -| [azurerm_monitor_diagnostic_setting.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource | -| [azurerm_monitor_diagnostic_setting.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource | -| [azurerm_monitor_diagnostic_setting.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource | -| [azurerm_monitor_diagnostic_setting.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource | -| [azurerm_network_ddos_protection_plan.hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_ddos_protection_plan) | resource | -| 
[azurerm_network_security_group.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource | -| [azurerm_network_security_rule.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource | -| [azurerm_network_watcher.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher) | resource | -| [azurerm_network_watcher_flow_log.mgmt_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log) | resource | -| [azurerm_public_ip.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | -| [azurerm_public_ip.fw_mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | -| [azurerm_public_ip_prefix.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip_prefix) | resource | -| [azurerm_resource_group.hub_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_resource_group.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.network_admins](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.network_admins_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.network_admins_dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| 
[azurerm_role_assignment.network_admins_landingzone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | -| [azurerm_route.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route) | resource | -| [azurerm_route_table.out](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) | resource | -| [azurerm_storage_account.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | -| [azurerm_storage_container.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | -| [azurerm_subnet.firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | -| [azurerm_subnet.firewallmgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | -| [azurerm_subnet.gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | -| [azurerm_subnet.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | -| [azurerm_subnet_network_security_group_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource | -| [azurerm_subnet_route_table_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource | -| [azurerm_virtual_network.hub_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource | -| 
[random_string.dns](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [azuread_group.network_admins](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group) | resource | +| [azurerm_firewall.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall) | resource | +| [azurerm_firewall_application_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall_application_rule_collection) | resource | +| [azurerm_firewall_nat_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall_nat_rule_collection) | resource | +| [azurerm_firewall_network_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall_network_rule_collection) | resource | +| [azurerm_management_group_subscription_association.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_subscription_association) | resource | +| [azurerm_monitor_diagnostic_setting.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource | +| [azurerm_monitor_diagnostic_setting.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource | +| [azurerm_monitor_diagnostic_setting.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource | +| [azurerm_monitor_diagnostic_setting.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource | +| 
[azurerm_network_ddos_protection_plan.hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_ddos_protection_plan) | resource | +| [azurerm_network_security_group.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_security_group) | resource | +| [azurerm_network_security_rule.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_security_rule) | resource | +| [azurerm_network_watcher.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_watcher) | resource | +| [azurerm_network_watcher_flow_log.mgmt_logs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_watcher_flow_log) | resource | +| [azurerm_public_ip.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/public_ip) | resource | +| [azurerm_public_ip.fw_mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/public_ip) | resource | +| [azurerm_public_ip_prefix.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/public_ip_prefix) | resource | +| [azurerm_resource_group.hub_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource | +| [azurerm_resource_group.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource | +| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.network_admins](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.network_admins_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | 
resource | +| [azurerm_role_assignment.network_admins_dns](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.network_admins_landingzone](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource | +| [azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource | +| [azurerm_route.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/route) | resource | +| [azurerm_route_table.out](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/route_table) | resource | +| [azurerm_storage_account.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_account) | resource | +| [azurerm_storage_container.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_container) | resource | +| [azurerm_subnet.firewall](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource | +| [azurerm_subnet.firewallmgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource | +| [azurerm_subnet.gateway](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource | +| [azurerm_subnet.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource | +| [azurerm_subnet_network_security_group_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet_network_security_group_association) | resource | +| [azurerm_subnet_route_table_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet_route_table_association) | resource | +| 
[azurerm_virtual_network.hub_network](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/virtual_network) | resource | +| [random_string.dns](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource | +| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource | | [terraform_data.subscription_name](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | -| [azurerm_monitor_diagnostic_categories.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source | -| [azurerm_monitor_diagnostic_categories.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source | -| [azurerm_monitor_diagnostic_categories.hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source | -| [azurerm_monitor_diagnostic_categories.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_monitor_diagnostic_categories.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source | +| [azurerm_monitor_diagnostic_categories.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source | +| [azurerm_monitor_diagnostic_categories.hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source | +| 
[azurerm_monitor_diagnostic_categories.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source | ## Inputs @@ -88,25 +89,23 @@ No modules. | [connectivity\_scope](#input\_connectivity\_scope) | Identifier for the management group connectivity | `string` | n/a | yes | | [create\_ddos\_plan](#input\_create\_ddos\_plan) | Create a DDos protection plan and attach it to the virtual network. | `bool` | `false` | no | | [deploy\_firewall](#input\_deploy\_firewall) | Toggle to deploy or bypass the firewall. | `bool` | `false` | no | -| [diagnostics](#input\_diagnostics) | Diagnostic settings for supporting resources. Refer to README.md for configuration details. |
object({
destination = string
logs = list(string)
metrics = list(string)
})
| `null` | no | -| [firewall\_application\_rules](#input\_firewall\_application\_rules) | List of application rules to apply to the firewall. |
list(object({
name = string
action = string
source_addresses = list(string)
target_fqdns = list(string)
protocol = object({
type = string
port = string
})
}))
| `[]` | no | -| [firewall\_nat\_rules](#input\_firewall\_nat\_rules) | List of NAT rules to apply to the firewall. |
list(object({
name = string
action = string
source_addresses = list(string)
destination_ports = list(string)
destination_addresses = list(string)
protocols = list(string)
translated_address = string
translated_port = string
}))
| `[]` | no | -| [firewall\_network\_rules](#input\_firewall\_network\_rules) | List of network rules to apply to the firewall. |
list(object({
name = string
action = string
source_addresses = list(string)
destination_ports = list(string)
destination_addresses = list(string)
protocols = list(string)
}))
| `[]` | no | +| [diagnostics](#input\_diagnostics) | Diagnostic settings for supporting resources. Refer to README.md for configuration details. |
object({
destination = string
logs = list(string)
metrics = list(string)
})
| `null` | no | +| [firewall\_application\_rules](#input\_firewall\_application\_rules) | List of application rules to apply to the firewall. |
list(object({
name = string
action = string
source_addresses = list(string)
target_fqdns = list(string)
protocol = object({
type = string
port = string
})
}))
| `[]` | no | +| [firewall\_nat\_rules](#input\_firewall\_nat\_rules) | List of NAT rules to apply to the firewall. |
list(object({
name = string
action = string
source_addresses = list(string)
destination_ports = list(string)
destination_addresses = list(string)
protocols = list(string)
translated_address = string
translated_port = string
}))
| `[]` | no | +| [firewall\_network\_rules](#input\_firewall\_network\_rules) | List of network rules to apply to the firewall. |
list(object({
name = string
action = string
source_addresses = list(string)
destination_ports = list(string)
destination_addresses = list(string)
protocols = list(string)
}))
| `[]` | no | | [firewall\_sku\_tier](#input\_firewall\_sku\_tier) | Specify the tier for the firewall, choosing from options like Basic or Standard, Premium. | `string` | `"Basic"` | no | | [firewall\_zones](#input\_firewall\_zones) | Collection of availability zones to distribute the Firewall across. | `list(string)` | `null` | no | -| [hub\_networking\_deploy](#input\_hub\_networking\_deploy) | Service Principal responsible for deploying the central hub networking | `string` | `"cloudfoundation_hub_network_deploy_user"` | no | | [hub\_resource\_group](#input\_hub\_resource\_group) | Name of the central hub resource group | `string` | `"hub-vnet-rg"` | no | | [hub\_subscription\_name](#input\_hub\_subscription\_name) | Name of your hub subscription | `string` | `"hub"` | no | | [hub\_vnet\_name](#input\_hub\_vnet\_name) | Name of the central virtual network | `string` | `"hub-vnet"` | no | | [landingzone\_scope](#input\_landingzone\_scope) | Identifier for the management group landinzone | `string` | n/a | yes | | [location](#input\_location) | Region for resource deployment | `string` | n/a | yes | -| [lz\_networking\_deploy](#input\_lz\_networking\_deploy) | Service Principal responsible for deploying the landing zone networking | `string` | `"cloudfoundation_lz_network_deploy_user"` | no | | [management\_nsg\_rules](#input\_management\_nsg\_rules) | Network security rules to add to the management subnet. Refer to README for setup details. | `list(any)` | `[]` | no | -| [netwatcher](#input\_netwatcher) | Properties for creating network watcher. If set, it creates a Network Watcher resource using standard naming conventions. |
object({
log_analytics_workspace_id = string
log_analytics_workspace_id_short = string
log_analytics_resource_id = string
})
| `null` | no | +| [netwatcher](#input\_netwatcher) | Properties for creating network watcher. If set, it creates a Network Watcher resource using standard naming conventions. |
object({
log_analytics_workspace_id = string
log_analytics_workspace_id_short = string
log_analytics_resource_id = string
})
| `null` | no | | [network\_admin\_group](#input\_network\_admin\_group) | Name of the Cloud Foundation network administration group | `string` | `"cloudfoundation-network-admins"` | no | -| [public\_ip\_names](#input\_public\_ip\_names) | List of public IP names connected to the firewall. At least one is required. | `list(string)` |
[
"fw-public"
]
| no | +| [public\_ip\_names](#input\_public\_ip\_names) | List of public IP names connected to the firewall. At least one is required. | `list(string)` |
[
"fw-public"
]
| no | | [public\_ip\_prefix\_length](#input\_public\_ip\_prefix\_length) | Specifies the number of bits in the prefix. Value can be set between 24 (256 addresses) and 31 (2 addresses). | `number` | `30` | no | -| [service\_endpoints](#input\_service\_endpoints) | Service endpoints to add to the firewall subnet. | `list(string)` |
[
"Microsoft.AzureActiveDirectory",
"Microsoft.AzureCosmosDB",
"Microsoft.EventHub",
"Microsoft.KeyVault",
"Microsoft.ServiceBus",
"Microsoft.Sql",
"Microsoft.Storage"
]
| no | +| [service\_endpoints](#input\_service\_endpoints) | Service endpoints to add to the firewall subnet. | `list(string)` |
[
"Microsoft.AzureActiveDirectory",
"Microsoft.AzureCosmosDB",
"Microsoft.EventHub",
"Microsoft.KeyVault",
"Microsoft.ServiceBus",
"Microsoft.Sql",
"Microsoft.Storage"
]
| no | | [threat\_intel\_mode](#input\_threat\_intel\_mode) | Operation mode for threat intelligence-based filtering. Possible values: Off, Alert, Deny, and "" (empty string). | `string` | `"Off"` | no | ## Outputs diff --git a/kit/azure/networking/documentation.tf b/kit/azure/networking/documentation.tf index 37e72b23..3f6bc01a 100644 --- a/kit/azure/networking/documentation.tf +++ b/kit/azure/networking/documentation.tf @@ -16,8 +16,9 @@ All Firewall related logs are in the Log Anlytics Workspace | name | address_space | description | |-|-|-| | glaskugel | 10.1.0.0/24 | Project PalantΓ­ri, stackholder Saruman | - +| glaskugel | 10.2.1.0/24 | Project PalantΓ­ri dev, stackholder Saruman | ## Subnets + | name | prefixes | |-|-| | ${azurerm_subnet.mgmt.name} | ${join(", ", azurerm_subnet.mgmt.address_prefixes)} | diff --git a/kit/azure/networking/outputs.tf b/kit/azure/networking/outputs.tf index a7660b6f..34358b61 100644 --- a/kit/azure/networking/outputs.tf +++ b/kit/azure/networking/outputs.tf @@ -24,10 +24,10 @@ output "hub_vnet_id" { } output "firewall_name" { - value = join("", azurerm_firewall.fw.*.name) + value = join("", azurerm_firewall.fw[*].name) description = "Hub VNet firewall name" } output "network_admins_azuread_group_id" { - value = azuread_group.network_admins.id + value = azuread_group.network_admins.object_id } diff --git a/kit/azure/networking/resources.firewall.tf b/kit/azure/networking/resources.firewall.tf index 9399bb0b..5111bc9f 100644 --- a/kit/azure/networking/resources.firewall.tf +++ b/kit/azure/networking/resources.firewall.tf @@ -31,7 +31,7 @@ resource "azurerm_route" "fw" { route_table_name = azurerm_route_table.out.name address_prefix = "0.0.0.0/0" next_hop_type = "VirtualAppliance" - next_hop_in_ip_address = azurerm_firewall.fw[0].ip_configuration.0.private_ip_address + next_hop_in_ip_address = azurerm_firewall.fw[0].ip_configuration[0].private_ip_address } resource "azurerm_public_ip_prefix" "fw" { 
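Review bot: in kit/azure/networking/documentation.tf the added row reuses the name `glaskugel` for a second address space (`10.2.1.0/24`) next to the existing `10.1.0.0/24` row, so the table no longer identifies a network by its name. The description says "dev", so give the row a distinct name (for example `glaskugel-dev`). The same hunk drops the blank line between the last table row and `## Subnets`; keep one there, matching the blank line this hunk adds after the heading.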
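Review bot: in kit/azure/networking/outputs.tf the output `network_admins_azuread_group_id` switches from `azuread_group.network_admins.id` to `.object_id` but still has no `description`, unlike `firewall_name` directly above it. Add one that says the value is the group's object ID, since the output name alone does not tell consumers which identifier they receive. The same applies to `security_admins_azuread_group_id` and `security_auditors_azuread_group_id` in kit/azure/logging/outputs.tf.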
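Review bot: `azurerm_route.fw` in kit/azure/networking/resources.firewall.tf still indexes `azurerm_firewall.fw[0]` directly, while the `firewall_name` output in this patch reads `azurerm_firewall.fw[*].name` through `join`, which suggests the firewall is created conditionally (the README lists `deploy_firewall` with default `false`). The visible lines do not show whether the route carries a matching `count`. If it does not, a plan with the firewall disabled fails on the `[0]` index. Please confirm that the route and its route table association are guarded by the same condition as the firewall.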
diff --git a/kit/azure/networking/variables.tf b/kit/azure/networking/variables.tf index 08979ccf..9f84704d 100644 --- a/kit/azure/networking/variables.tf +++ b/kit/azure/networking/variables.tf @@ -58,18 +58,6 @@ variable "management_nsg_rules" { default = [] } -variable "lz_networking_deploy" { - type = string - default = "cloudfoundation_lz_network_deploy_user" - description = "Service Principal responsible for deploying the landing zone networking" -} - -variable "hub_networking_deploy" { - type = string - default = "cloudfoundation_hub_network_deploy_user" - description = "Service Principal responsible for deploying the central hub networking" -} - variable "network_admin_group" { type = string default = "cloudfoundation-network-admins" diff --git a/kit/azure/networking/versions.tf b/kit/azure/networking/versions.tf index dc6d67ac..0b030b6b 100644 --- a/kit/azure/networking/versions.tf +++ b/kit/azure/networking/versions.tf @@ -4,12 +4,17 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.85.0" + version = "3.116.0" } azuread = { source = "hashicorp/azuread" - version = "~> 2.41.0" + version = "3.0.2" + } + + random = { + source = "hashicorp/random" + version = "3.6.0" } } } diff --git a/kit/azure/organization-hierarchy/README.md b/kit/azure/organization-hierarchy/README.md index acebafc1..1d43781c 100644 --- a/kit/azure/organization-hierarchy/README.md +++ b/kit/azure/organization-hierarchy/README.md @@ -57,7 +57,7 @@ After deploying this module, you should probably deploy the following kit module | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.97.0 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
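Review bot: removing `variable "lz_networking_deploy"` and `variable "hub_networking_deploy"` in kit/azure/networking/variables.tf is an interface change for anyone who sets these inputs, and nothing in the patch announces it. Both had defaults, so existing platform configurations may still pass them. Please confirm that nothing in the module still references `var.lz_networking_deploy` or `var.hub_networking_deploy`, and call out the removal in the commit message or changelog so callers can drop the inputs.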
@@ -69,15 +69,15 @@ After deploying this module, you should probably deploy the following kit module | Name | Type | |------|------| -| [azurerm_management_group.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.landingzones](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group.platform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource | -| [azurerm_management_group_subscription_association.management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_subscription_association) | resource | +| [azurerm_management_group.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.identity](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.landingzones](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.management](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| [azurerm_management_group.platform](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource | +| 
[azurerm_management_group_subscription_association.management](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_subscription_association) | resource | | [terraform_data.management_subscription_name](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | -| [azurerm_management_group.parent](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_management_group.parent](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/management_group) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source | ## Inputs @@ -86,7 +86,7 @@ After deploying this module, you should probably deploy the following kit module | [connectivity](#input\_connectivity) | n/a | `string` | `"connectivity"` | no | | [identity](#input\_identity) | n/a | `string` | `"identity"` | no | | [landingzones](#input\_landingzones) | n/a | `string` | `"landingzones"` | no | -| [locations](#input\_locations) | This is for the Azure Allowed locations. Additionally, we use the first added locations where this policy assignment should exist, which is required when an identity is assigned. | `list(string)` |
[
"germanywestcentral"
]
| no | +| [locations](#input\_locations) | This is for the Azure Allowed locations. Additionally, we use the first added locations where this policy assignment should exist, which is required when an identity is assigned. | `list(string)` |
[
"germanywestcentral"
]
| no | | [management](#input\_management) | n/a | `string` | `"management"` | no | | [management\_subscription\_name](#input\_management\_subscription\_name) | Name of your management subscription | `string` | `"management"` | no | | [parent\_management\_group\_name](#input\_parent\_management\_group\_name) | n/a | `string` | `"foundation"` | no | diff --git a/kit/azure/organization-hierarchy/versions.tf b/kit/azure/organization-hierarchy/versions.tf index 302be9cf..ca8cf1fd 100644 --- a/kit/azure/organization-hierarchy/versions.tf +++ b/kit/azure/organization-hierarchy/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.97.0" + version = "3.116.0" } } } diff --git a/kit/azure/pam/README.md b/kit/azure/pam/README.md index fa31aa66..0e0aad66 100644 --- a/kit/azure/pam/README.md +++ b/kit/azure/pam/README.md @@ -32,8 +32,8 @@ and cohesive overview. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [azuread](#requirement\_azuread) | ~> 2.41.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.71.0 | +| [azuread](#requirement\_azuread) | 3.0.2 | +| [azurerm](#requirement\_azurerm) | 3.116.0 | ## Modules 
@@ -43,19 +43,17 @@ No modules. | Name | Type | |------|------| -| [azuread_group_member.pam_desired_memberships](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource | -| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source | -| [azuread_group.pam_desired_groups](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | -| [azuread_group.pam_groups](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | -| [azuread_user.pam_desired_users](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/user) | data source | -| [azuread_user.pam_users](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/user) | data source | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azuread_group_member.pam_desired_memberships](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/group_member) | resource | +| [azuread_group.pam_desired_groups](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/group) | data source | +| [azuread_group.pam_groups](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/group) | data source | +| [azuread_user.pam_desired_users](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/user) | data source | +| [azuread_user.pam_users](https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/data-sources/user) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [pam\_group\_members](#input\_pam\_group\_members) | Optional: manage members for cloud foundation PAM 
groups via terraform |
list(object({
group_object_id = string

# other attributes would be possible (e.g. UPN or mail_nickname) with small changes to the terraform module
members_by_mail = list(string)
}))
| n/a | yes | +| [pam\_group\_members](#input\_pam\_group\_members) | Optional: manage members for cloud foundation PAM groups via terraform |
list(object({
group_object_id = string

# other attributes would be possible (e.g. UPN or mail_nickname) with small changes to the terraform module
members_by_mail = list(string)
}))
| n/a | yes | | [pam\_group\_object\_ids](#input\_pam\_group\_object\_ids) | the object\_ids of PAM groups used by the cloud foundation | `list(string)` | n/a | yes | ## Outputs diff --git a/kit/azure/pam/main.tf b/kit/azure/pam/main.tf index da1a95e3..ec651de6 100644 --- a/kit/azure/pam/main.tf +++ b/kit/azure/pam/main.tf @@ -1,7 +1,3 @@ -data "azuread_client_config" "current" {} - -data "azurerm_subscription" "current" {} - # We have to do some pre-processing here in order to produce nice documentation. # fetch data about all actual PAM groups diff --git a/kit/azure/pam/versions.tf b/kit/azure/pam/versions.tf index 1f004dd0..7225fc8d 100644 --- a/kit/azure/pam/versions.tf +++ b/kit/azure/pam/versions.tf @@ -4,12 +4,12 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.71.0" + version = "3.116.0" } azuread = { source = "hashicorp/azuread" - version = "~> 2.41.0" + version = "3.0.2" } } }