jamesyoung007
@jamesyoung007

```text
[209116 ms] Port forwarding 57354 > 40275 > 40275 terminated with code 0 and signal null.
Updating https://github.com/pre-commit/pre-commit-hooks ... already up to date.

[291413 ms] Port forwarding 57354 > 40275 > 40275: Local close
```

jamesyoung007
@jamesyoung007
Tried it on a MacBook, it worked.
It never worked on Windows with WSL2.
jamesyoung007
@jamesyoung007
```text
[55862 ms] Container server: Remote to local stream terminated with error: {
  message: 'connect ENOENT \\.\pipe\openssh-ssh-agent',
  name: 'Error',
  stack: 'Error: connect ENOENT \\.\pipe\openssh-ssh-agent\n' +
    '\tat PipeConnectWrap.afterConnect [as oncomplete] (node:net:1161:16)'
}
```
WSL failed again
sean-vancity
@sean-vancity
I'm curious when the azurerm 3.x support will be merged to main. @LaurentLesle , it looks like you were recently working on it. Is the int-azrm-3.7.0 branch fairly stable?
Matze-Li
@Matze-Li

Hi @LaurentLesle, hi @arnaudlh,
I am currently wondering why the Rover plan is taking quite long in my runs. I found that the step for loading the plugins is taking far too long (5-10 minutes).

Is this normal or a known issue?

I'm using CAF 5.5.8 and Rover 1.1.7-2203.2311

3 replies
anasmohana
@anasmohana
Hi all, my apply pipeline ends all the time with this error, any idea please :)
8 replies
jamesyoung007
@jamesyoung007
It is taking a long time to run plan for me on WSL as well.
Traiano Welcome
@archmangler
Hi all - is there a guide on how to reliably destroy the entire terraform CAF stack from L2 - L0 in a consistent, deterministic way ?
4 replies
Fulforce
@Fulforce
Hello all. If I want to create a vnet peering with a vnet that exists in a different landing zone, is this possible? Currently I get an error in my pipeline telling me that "the given key does not identify an element in this collection value". I know that it exists in a different landing zone, I would like to know if I can get them to read each other? They are both in Level 2
Shane Holder
@shaneholder
Good morning! I was wondering if it is appropriate to use methods other than CAF for laying down some resources into the Management/Connection/Identity subscriptions. My thought is that there are possibly different teams that might need to contribute resources into the Management subscription and I want them to be able to operate independently but I may not want them manipulating CAF ESLZ. Maybe they want to deploy using regular terraform or bicep or ARM (shudder). Is that a reasonable path or beyond here be dragons?
Stu
@kewalaka
Hi - I'm using the standalone module. If I take the sample as-is it initialises just fine; if I change the version to 5.5.9 it says: The child module requires an additional configuration for provider hashicorp/azurerm, with the local name "azurerm.vhub".
2 replies
Matze-Li
@Matze-Li
Any ideas why the plan step is taking too long? It takes >8 min just to reload the provider plugins. This must be an issue, mustn't it?
3 replies
Soy Milk
has anybody tried renaming the RG names (levels) at level0 after stuff has been deployed into the higher levels, without destroying and recreating all the resources created?
2 replies
Florian Ried
@florian-ried
Hi all :) ESLZ is used in March Release in version 1.1.3. Does anyone have an idea how to update to version 2.1.0?
Gerrit
@gerrito333
I followed the walkthrough and now try to extend the single_subscription.yaml to a multi-subscription approach. Is rover capable of creating these subscriptions (identity, connectivity, ...) or is rover expecting these subscriptions to be already created?
Vivek Thirumoorthy
@mh-Vthirumoorthy
Hi guys, I'm having trouble getting the firewall policies associated with the firewall using CAF on level 2. During the deployment the firewall policy is getting created, but it's not getting associated. I'm using the below code on CAF. If you have any thoughts or recommendations, please let me know.

```hcl
azurerm_firewalls = {
  test_azfw1 = {
    name                = "firewall1"
    resource_group_key  = "rg_test1"
    region              = "region1"
    vnet_key            = "eus2_vnet_01"
    sku_name            = "AZFW_VNet"
    zones               = [1, 2, 3]
    firewall_policy_key = "policy1"
  }
}
```
4 replies
Stefan
@ic3mango
2 replies
florentvaldelievre
@florentvaldelievre

Hi,

Trying to grasp all the templating stuff, which is great. However, I have a few questions:

1) As far as I understand, with this new approach we only need to version the yaml files in source control, since all tfvars should be generated. Is that correct?
2) Every time we change one value in a yaml file, we need to re-run 'ansible-playbook /tf/caf/landingzones/templates/ansible/ansible.yaml --extra-vars "@/tf/caf/platform/definition/ignite.yaml"', which takes 4:30 min. Then we need to run terraform plan, which takes 6 min (for the caf-solution lz). That means 10:30 min every time we need to change something. Is it the right way to do it?
3) Let's say I want to create a new landing zone and create a new resource group (using a yaml file only). How do I do it?

Thank you very much

5 replies
polwtc
@polwtc
Hello, TF-CAF is great, thanks! When do we expect to release the assignable_to_role argument during ad group creation in terraform? We found this PR: aztfmod/terraform-azurerm-caf#1072
Roland
@schoenr79
Hey community, I have a question regarding backup and DR resources. Based on the CAF landing zone hierarchy, backup and DR resources should be placed in level 2. But in which subscription should the backup resources be placed? I think the most fitting subscription would be the management sub. Do you agree?
CKLandau
@CKLandau

Hello all. I am new and today for the first time tried to follow the "Single subscription deployment lab" step by step. First of all thanks for the great module. I am sure that our cloud migration will be significantly accelerated by the module and the quality will be increased.

I hope the community can help me with my startup difficulties. The steps rover ignite and rover plan from the lab were successful. Unfortunately I get the following error when using rover apply:

```text
╷
│ Error: local-exec provisioner error
│
│   11:   provisioner "local-exec" {
│
│ Enabling directory role: Groups Administrator
│  - body: {
│   "roleTemplateId": "fdd7a751-b60b-444a-984c-02652fe8fa1c"
│ }
│ ERROR: Bad Request({"error":{"code":"Request_BadRequest","message":"A conflicting object with one or more of the specified property values is present
│ in the directory.","details":[{"code":"ConflictingObjects","message":"A conflicting object with one or more of the specified property values is
│ present in the
│ directory.","target":"Role_8e481c99-f40b-47e2-bc7a-a688cdfa2340"}],"innerError":{"date":"2022-07-15T11:42:42","request-id":"e5583fc7-1c49-48f1-894e-403f3fb74735","client-request-id":"e5583fc7-1c49-48f1-894e-403f3fb74735"}}})
```

Does anyone have a clue why this error occurs and how I can fix it? I have checked both the App Registration and the Enterprise Application created for identity in the portal and I don't see any "Groups Administrator" role assigned.

2 replies
nusrath432
@nusrath432

Rover Ignite - Templating - Experience / Feedback @LaurentLesle @arnaudlh
Has anyone implemented Rover Ignite / Templating for two or more clients (ClientA & ClientB) with two or more environments (Dev/QA/Prod)?

Templating: Guess the objective was to simplify config generation but seems a lot of work is required in writing the YAML/J2 definition files, generating and managing .tfvars with the assumption that the stack would be identical between the clients and between each of those environments. How does this compare with having a global_settings.tfvar file per stack and diffing between stacks - it may not be elegant but to me seems like a quick and easy solution.

Handling stack variations: Again, Dev/QA/Prod may not be an identical stack for practical reasons. Can we handle variations between stacks or do variations nullify the purpose of Rover ignite/templating?

Speed of change: each time we need to make an update, we need to update our YAML/J2 definitions, run the Ansible playbook, generate the .tfvars, run Terraform plan & apply, and repeat if any mistakes are made.

Upgrades: How do we handle stack upgrades with Rover ignite using templates? How would it re-generate the configuration for each stack for each client?

Documentation: We need more clarity on the workflow of using Rover Ignite/Templating for a single stack explaining how to introduce a new change (adding new resource to the stack or whole new landingzone) initially for a single subscription but eventually in a multi-tenant, multi-subscription, multi-stack scenario.

@zaidmohd
Getting below error when running the ADO pipeline, any insights to fix this?
Plan and Apply are successful.

```text
##[error]WARNING: The command requires the extension resource-graph. It will be installed first.
```

4 replies
CKLandau
@CKLandau

Hello again,

I am wondering what I have to do to use multiple subscriptions instead of just a single one, as I did when following the lab. I tried to modify the ignite.yaml to use two separate subscriptions: one for all launchpad resources and one for all the other platform resources. The generated subscriptions.yaml was configured correctly with my input from the ignite.yaml:

```yaml
resources:
  subscriptions:
    subscriptions:
      create_alias: false
      subscription_id: xxxxxxxx-xxxx-xxxx-xxxx-534f587e31eb
    identity:
      name: CAF Platform
      create_alias: false
      subscription_id: xxxxxxxx-xxxx-xxxx-xxxx-a79c4fcf01e4
    connectivity:
      name: CAF Platform
      create_alias: false
      subscription_id: xxxxxxxx-xxxx-xxxx-xxxx-a79c4fcf01e4
    management:
      name: CAF Platform
      create_alias: false
      subscription_id: xxxxxxxx-xxxx-xxxx-xxxx-a79c4fcf01e4
```

But all resources were generated in the CAF Launchpad subscription. After I realized this, I noticed that in all readme files the CAF Launchpad subscription id was generated as target_subscription in the rover command.

After I simply specified the desired subscription id in the parameter target_subscription, the resources were generated in this as desired.

My question is only whether this is the right way to achieve my goal?
And if yes, if in the future rover ignite will use the subscriptions stored in ignite.yaml to generate the readme files?

Thank you and best regards!

4 replies
SaSSaS13
@SaSSaS13
Hi, does someone know why exactly the Initial Account needs to be Global Admin?
4 replies
ramabaswa
@ramabaswa
This message was deleted
11 replies
nusrath432
@nusrath432

## Global Settings & its behaviour @LaurentLesle @arnaudlh

Hi, I am trying to build a landing zone at level 3 with its own block of global settings (passthrough = false) and a unique prefix, which works fine. However, post-creation of my landing zone (level 3), if I reference another state file (from the current or a lower level) that has global settings (passthrough = true), it takes precedence and ignores the current level (passthrough = false). This happens even though I am NOT using global_settings_key = "lower-level" within the current (level 3) landingzone={} block, just the tfstate={} block.

This is potentially dangerous if we work on a higher level landing-zone that has a requirement to reference a lower level state file with a difference in Global Settings (passthrough/prefixes/suffixes/slug/random_length).

Lower level global-settings should only be active, if global_settings_key is referenced within the current level but not when we only reference tfstate={}.

Could you help with the right understanding and usage of Global_Settings, please. There could be few permutations & combinations for the above settings.

3 replies
martinhacker1965
@martinhacker1965
Hi all, I wasn't 100% sure where I should log this but as it seems related to Rover ignite I've logged the following issue. If anyone could take a look and possibly provide any suggestions or a fix/workaround I would be grateful. Thanks Azure/caf-terraform-landingzones-platform-starter#11.
Larry Song
@larry_song:matrix.org
Hi all, a newbie on CAF here. I have followed https://aztfmod.github.io/documentation/docs/azure-landing-zones/landingzones/platform/single%20reuse/elsz-single-reuse and created level 0 and level 1 landing zones on a single subscription. Now I am trying to start with the multi-subscription scenario; however, the documentation is not there yet. Can someone please give some guidance on where to start? Things like the GitHub repo..., thanks!
4 replies
@zaidmohd
Can we use ADO Service Connection for running the pipeline instead of SPN as variables?
2 replies
nusrath432
@nusrath432

## Hub & Spoke Implementation (Cross-subscription)

Can anyone help with the hub-spoke implementation if they are in two different subscriptions, please?

The hub network must be in level 2 in its own landing zone, subscription sub1. The VWan is in the same subscription/resource group but a different landing zone, and hence a different tfstate file.
The spoke network must be in level 3 and in a different subscription, sub2.

I defined the virtual_hub_connections at level 3:

```hcl
virtual_hub_connections = {
  my-spoke_TO_my-hub = {
    name = "my-spoke_TO_my-hub"
    virtual_hub = {
      lz_key = "my-hub-landingzone-key"
      key    = "my-hub-key"
    }
    vnet = {
      vnet_key = "my-spoke-vnet-key"
    }
  }
}
```

```text
module.solution.azurerm_virtual_hub_connection.vhub_connection["my-spoke_TO_my-hub"]: Creating...
╷
│ Error: creating Hub Virtual Network Connection: (Name "my-spoke_TO_my-hub" / Virtual Hub Name "my-hub" / Resource Group "myhub-rg"): network.HubVirtualNetworkConnectionsClient#CreateOrUpdate: Failure sending request: StatusCode=404 -- Original Error: Code="ResourceGroupNotFound" Message="Resource group 'myhub-rg' could not be found."
│
│   with module.solution.azurerm_virtual_hub_connection.vhub_connection["my-spoke_TO_my-hub"],
│   on /home/vscode/.terraform.cache/mydev/rover_jobs/20220728004934565321893/modules/solution/networking_virtual_hub_connection.tf line 14, in resource "azurerm_virtual_hub_connection" "vhub_connection":
│   14: resource "azurerm_virtual_hub_connection" "vhub_connection" {
│
```

TF plan shows the right plan, but when it does apply it fails. I assume it is targeting the level 3 subscription during TF apply, even though TF plan shows the correct level 2 subscription.

Do we create a virtual_hub_connections landing zone exclusively for connections (no other resources defined) and then run it with -target-subscription <level2-subscription>, or move virtual_hub_connections to level 2 and reference the level 3 vnet using its resource ID?

Note: the tfstate files for the hub & VWan landing zones are referenced at level 3; I toggled the order, but the issue still persists.

2 replies
Yves Vogl
@yves-vogl
Hello everyone!
@zaidmohd
Can anyone share the link for sample config/tfvars to apply built-in Azure Policies?
2 replies
Yves Vogl
@yves-vogl
Does someone know a place with some more information on the features of symphony?
Following the documentation from here https://aztfmod.github.io/documentation/docs/azure-landing-zones/landingzones/platform/single%20reuse/elsz-single-reuse I am able to generate the configuration of landing zone (Level0,1,and 2). However when I run the rover plan on launchpad I get this error
10 replies
Florian Ried
@florian-ried
harikrishna197
@harikrishna197
@arnaudlh @LaurentLesle We are trying to import an Express Route circuit which was manually created into the Terraform state file. Post-import, CAF Terraform is trying to re-create the Express Route on the next run. Since it's production we can't re-create it. Does somebody know the reason behind this behavior?
Yves Vogl
@yves-vogl
Can you show the plan output?
Florian Ried
@florian-ried

Hello Everyone, hope you're well and safe.

Sorry for the newbie question, but that's something I've been trying to figure out for some time and it's not clear yet for me:

What's the difference between Azure/terraform-azurerm-caf-enterprise-scale and aztfmod/terraform-azurerm-caf ?
Which one is recommended to use for ESLZ deployments ? Both are endorsed by Microsoft ?
Is there a way to use Azure/terraform-azurerm-caf-enterprise-scale for standalone deployments ?

I've started to use azfmod/terraform-azurerm-caf for my standalone deployments (not related to CAF), but we are also about to adopt CAF in our environment and the consultancy that is helping us in this journey is using Azure/terraform-azurerm-caf-enterprise-scale for the deployment.

Any rover expert here? Trying to deploy CAF landing zones in multi-subscription mode. I followed the documentation for single subscription and modified the subscriptions section in ignite.yaml; however, it still deploys everything in a single subscription. Here is how my subscriptions look in ignite.yaml.

```yaml
subscriptions:
  launchpad:  # Do not rename the key
    create_alias: false
    subscription_id: abcd
  identity:  # Do not rename the key
    name: Identity
    create_alias: false
    subscription_id: efgh
  connectivity:  # Do not rename the key
    name: Connectivity
    create_alias: false
    subscription_id: ijkl
  management:  # Do not rename the key
    name: Management
    create_alias: false
    subscription_id: pqrs
```

Any help on how to deploy these into their respective landing zones is appreciated.

harikrishna197
@harikrishna197

> Can you show the plan output?

@yves-vogl