wwtche
@wwtche
Hi all, I'm looking to use a launchpad-level0 output in level3 (an azuread_group_key). Is there a way to selectively or entirely pass the outputs of launchpad-L0 into L1's tfstate, then L2's tfstate, before being made available in L3? Please can someone advise?
1 reply
Jim Keane
@jkeane

I am running into an issue with lower level state. The scenario is I have an application_gateway that is deployed at level3 and I am trying to refer to a certificate in kv_secrets KeyVault. The configuration snippet in the gateway looks like:

    trusted_root_certificate = {
      wildcard_ingress = {
        lz_key = "launchpad"
        keyvault_key = "secrets"
        name = "appgateway"
      }
    }

and the level3 landingzone is configured like:

    landingzone = {
      backend_type        = "azurerm"
      level               = "level3"
      key                 = "cluster_aks"
      global_settings_key = "shared_services"
      tfstates = {
        shared_services = {
          level   = "lower"
          tfstate = "caf_shared_services.tfstate"
        }
        networking_hub = {
          level   = "lower"
          tfstate = "networking_hub.tfstate"
        }
        launchpad = {
          level   = "lower"
          tfstate = "caf_launchpad.tfstate"
        }
      }
    }

When I try to run plan on Level3 I get the following error:
│ on /home/vscode/.terraform.cache/modules/solution/modules/networking/application_gateway/application_gateway.tf line 17, in data "azurerm_key_vault_certificate" "trustedcas":
│ 17: key_vault_id = var.keyvaults[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.keyvault_key].id
│ ├────────────────
│ │ each.value.keyvault_key is "secrets"
│ │ each.value.lz_key is "launchpad"
│ │ var.client_config.landingzone_key is "cluster_aks"
│ │ var.keyvaults is object with 4 attributes

│ The given key does not identify an element in this collection value.

Through some creative coding I was able to dump out the value of var.keyvaults and it looks like the merge of the keyvaults from the lower tfstates results in empty dictionaries, e.g.

"cluster_aks": {}
"launchpad": {}
"networking_hub": {}
"shared_services": {}

I'm not 100% confident I am looking at the correct dump of the data structure but the error seems to indicate so. var.keyvaults["launchpad"]["secrets"] should be resolving but it is not.

Any thoughts?

jleonelion
@jleonelion
Keep in mind, tfstate files at “lower” level only go down one. So “lower” to level3 is level2, etc. I recommend looking at the outputs of the level0 tfstate file to confirm the keyvault is exported, then look at level1 to confirm, and level2. The important thing is that the resource you want to reference is being included in the output of the other tfstate files.
All of that said, I'd recommend using a keyvault at level 2 or 3. They are cheap and you don't have to deal with complex permissions to enforce the “least privilege” principle if you have too many secrets all in the same key vault.
Yannick
@goracc_twitter
Hey everyone, is there any repository containing more examples (scenarios) for level 1? All I'm able to find is the 100-passthrough or the gitops scenarios, which don't cover stuff like policies and so on. Is it really required to pretty much reverse engineer the code to know what the variables have to look like, as I'm not able to find any documentation about that? Same for the launchpad 300+ scenarios .. nowhere to be found.
1 reply
martinhacker1965
@martinhacker1965
@goracc_twitter I'm trying out the enterprise scale examples to apply policies - hidden away at https://github.com/Azure/caf-terraform-landingzones/tree/master/caf_solution/add-ons/caf_eslz. These apply at the foundations layer (level1) so might be worth a look.
martinhacker1965
@martinhacker1965

    landingzone = {
      backend_type = "azurerm"

      global_settings_key = "caf_foundations_sharedservices"

      global_settings_key = "launchpad"
      level = "level1"

      key = "caf_foundations_enterprise_scale"

      key = "caf_foundations"
      tfstates = {
        // Remote tfstate to retrieve default location and log analytics workspace

        #caf_foundations_sharedservices = {
        #  level   = "current"
        #  tfstate = "caf_foundations_sharedservices.tfstate"
        #}
        caf_foundations_enterprise_scale = {
          level   = "current"
          tfstate = "caf_foundations.tfstate"
        }
        // Remote tfstate to retrieve the MSI created by the launchpad and set permissions on the MG hierarchy
        // Requires scenario 200 to get access to Log Analytics key 'central_logs_region1'
        launchpad = {
          level   = "lower"
          tfstate = "caf_launchpad.tfstate"
        }

      }
    }

Tom Howarth
@TomHowarth
I am new to the aztfmod, are there any good blog posts that can give some pointers on how to use the module?
Hamad Riaz
@hriaz
I am completely stuck and hoping someone can help. I have a shared image gallery in a different subscription not deployed via LandingZone. I need to reference this shared image gallery and its images in my single_linux_vm.tfvar file. I have tried different things like storage_image_reference or azurerm_shared_image references but nothing seems to be working. Can anyone point me in the right direction what I can look at to build a linux image from a pre-existing shared image gallery hosted in the same tenant but different subscription?
mohsinali
@mohsinaliariz_gitlab


Hi, I have created a vnet in level2 networking-hub and now I want to use this vnet for the virtual machines I want to create in level3 solutions. When I provide the vnet key I get an error.
I'm new to landing zones. Is it possible for a virtual network created at level2 to be used in level3 deployments?

Hamad Riaz
@hriaz

@mohsinaliariz_gitlab you need to define the "lower" level tf state and use the lz_key from it.

    landingzone = {
      backend_type = "azurerm"
      global_settings_key = "shared_services"
      level = "level3"
      key = "solutions"
      tfstates = {

        shared_services = {
          level   = "lower"
          tfstate = "sharedservices.tfstate"
        }

        networking_spoke = {
          level   = "lower"
          tfstate = "networking.tfstate"
        }

      }
    }

Hamad Riaz
@hriaz

I am completely stuck and hoping someone can help. I have a shared image gallery in a different subscription not deployed via LandingZone. I need to reference this shared image gallery and its images in my single_linux_vm.tfvar file. I have tried different things like storage_image_reference or azurerm_shared_image references but nothing seems to be working. Can anyone point me in the right direction what I can look at to build a linux image from a pre-existing shared image gallery hosted in the same tenant but different subscription?

Any help on this would be appreciated. I see an issue from September 9th, 2020 where a feature "Add support to create VM from image gallery" is listed but not checked. Can anyone shed some light on this? aztfmod/terraform-azurerm-caf#4

sukhi25
@sukhi25
Hi, just wanted to ask if anyone else has come across the same issue. I have tried to deploy https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/configuration/sandpit/level1/gitops/azure_devops and get the error below when running PLAN: on /home/vscode/.terraform.cache/modules/caf/modules/security/keyvault_access_policies/policies.tf line 12, in module "azuread_apps":
│ 12: object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key),var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id
│ ├────────────────
│ │ each.value is object with 3 attributes
│ │ each.value.lz_key is "launchpad"
│ │ var.azuread_apps is object with 1 attribute "azdo-contoso"
│ │ var.client_config.landingzone_key is "azdo-contoso"

│ The given key does not identify an element in this collection value.
9 replies
Hamad Riaz
@hriaz

I am running into something similar as @sukhi25. If I change my "networking" CAF module version from "~>5.2.0" to "~>5.3.0" my vnet creation fails with the following error:

    Error: Missing required argument

    on /home/vscode/.terraform.cache/modules/landingzones_shared_services/modules/azuread/groups/group.tf line 1, in resource "azuread_group" "group":
    1: resource "azuread_group" "group" {

    The argument "name" is required, but no definition was found.

    Error: Unsupported argument

    on /home/vscode/.terraform.cache/modules/landingzones_shared_services/modules/azuread/groups/group.tf line 3, in resource "azuread_group" "group":
    3: display_name = var.global_settings.passthrough ? format("%s", var.azuread_groups.name) : format("%s%s", try(format("%s-", var.global_settings.prefixes.0), ""), var.azuread_groups.name)

    An argument named "display_name" is not expected here.

Hamad Riaz
@hriaz
I am wondering if anyone has an easy answer to this. I am creating a bunch of resource groups. I want to have the same tags across all of them. Currently I have to put a tag under each resource group name for the tag to work. If I try to do it right under resource_group = everything fails. If I do it outside of that block there is no effect at all. I am sure there is something I am missing?
1 reply
Gerald Fehringer
@geraldfehringer
@arnaudlh -
hi, first of all: awesome work!
What I think many people are struggling with is the abstraction from "caf-terraform-landingzones-starter" > "caf-terraform-landingzones" and then the actual module use from "terraform-azurerm-caf". So the layering of your levels 0-4 is a nice approach, but you have introduced additional logic in "caf-terraform-landingzones" which is not well documented. One example: deploying simple VMs in Level3 is not straightforward, because you are adding some more logic on top of aztfmod/caf, like https://github.com/Azure/caf-terraform-landingzones/blob/master/caf_solution/variables.compute.tf
Many people already asked and I would also greatly appreciate it if you provided some more examples for level3 (not just AKS) - thanks a lot!
5 replies
Gerald Fehringer
@geraldfehringer
@arnaudlh AKS cluster referenced parameters? Hi Arnaud, in

    aks_clusters = {
      cluster_re1 = {
        helm_keys = ["flux", "podIdentify"]
        ...

I couldn't grep anything where the key helm_keys is used, not in the original modules either, nor which tf provider could execute this? THANKS!
2 replies
laingsc
@laingsc
Good morning folks (morning in NZ). I have a question, and hopefully you might be able to save me some time. We've already built a landing zone in Azure that's nearly a year old. The majority of it was built with the previous standalone modules, vnets, log analytics, keyvault. Now I need to build an application gateway, waf, keyvault solution, and am really keen to use the submodules for this. Now I've spent nearly 4 days trying to figure out if I can integrate with an existing landing zone, but it looks like I would've needed to start with the latest caf in the first place. I can only reference things built with this framework. I'm about to go to basic resource definitions and for_each loops to build public ips, app gateways, etc, but I wanted to check first if there was a way to use these modules...in a more manual way? I'd love to just be able to pass the vnet/subnet instead of keys for something that it's not aware of. Am looking at remote_objects, but they would've needed to be created with this as well but with a different landing zone key in a different workspace perhaps. Anyhow, I'm about to abandon this but I figured I'd ask for any thoughts besides making my own module type thing.
7 replies
Hamad Riaz
@hriaz
I have a pretty simple question, hopefully someone can quickly answer. I have resource groups created in level 2 as part of the shared services deployment. When trying to use them in level3 I keep getting "module.resource_groups is object with no attributes. The given key does not identify an element in this collection value". I have the lower level states already defined. I ran into a similar problem with vnets but was able to resolve that on level3 by adding vnet_key and subnet_key values. I am creating a storage account and I am defining resource_group_key from the shared services level2. What am I missing?
Hamad Riaz
@hriaz
Hi @arnaudlh, if I need to apply permissions in a spoke subscription (non-launchpad), would I apply the role_mapping on level2 pointed to caf_solutions, or would that be level1 for the subscription? I am a bit confused on how to assign these permissions to a non-launchpad subscription or to a resource group in a different subscription?
5 replies
Hamad Riaz
@hriaz
Also the role mapping examples assume that we are creating new Azure AD Groups and expect a key value for the membership. What if we were re-using an existing Azure AD group? How do we define that?
1 reply
lolorol
@LaurentLesle
You can add the lz_key. Here is an example for azuread_service_principals; the same applies for azuread_groups.
Hamad Riaz
@hriaz
Sorry if it sounds stupid or simple, but how would that work for something that the launchpad has not created? For example using pre-existing Azure AD Groups. Are you saying I can just reference the name of an existing group? Also, what would my lz_key be in that case? Foundations?
lolorol
@LaurentLesle
You can set a list of existing object_ids referencing your Azure AD groups.
Hamad Riaz
@hriaz
Thank you! This is perfect. I will try it out shortly.
lolorol
@LaurentLesle
do you need the same for keyvault access policies?
Hamad Riaz
@hriaz
that would be a great reference
Hamad Riaz
@hriaz
@LaurentLesle @arnaudlh I am noticing with 5.3 networking modules the empty nsg block is not working. Was there a change? I can share my code for reference. I know the same code was working with 5.2.x
Paul Matthews
@pmatthews05

I'm having an issue with setting up a bootstrap service principal, and the main issue is if the secret is changed. It seems as though the secret is cached somewhere within rover.
The following gist shows what I'm doing - https://gist.github.com/pmatthews05/77c2b79a8b2630e814216eadadcce073

On a brand new instance of Rover (aztfmod/rover:0.15.4-2105.2603) calling those lines of code, it logs in correctly using az login --service-principal, and when Rover is called it logs in correctly with the Service Principal.

If I change the secret in Azure AD and run the gist code again with the updated secret, it can log in to az with the service principal without any issues, but when it logs in inside rover, it first shows "Resources from this landing zone are going to be deployed in the following subscription:" which shows the service principal in the user section. But after initializing az cloud variables it says the secret is invalid.

"ERROR: AADSTS7000215: Invalid client secret is provided.
Trace ID: 177140d2-33fe-42e6-a169-b8a7b0d11600
Correlation ID: b6b0a0c3-8cf2-46bc-8d13-b628d4ce3f80
Timestamp: 2021-06-10 09:27:20Z
To re-authenticate, please run az login. If the problem persists, please contact your tenant administrator.
Logged in rover app object_id: "

The only way I can stop this from happening is removing the entire rover image from my machine, downloading it again and running.

3 replies
Kieran
@kiebrew

We don't want our VM names to use the global prefix as this causes a lot of headache with the 15 character NetBIOS limit for Windows names, i.e. if we want a VM to be called vm-appx01-uks, then if the prefix is 5 characters it pushes the name over the limit and causes mismatches and weird issues, with some having the prefix and some not.

The only solution I've found so far is to take a local copy of the main aztfmod https://github.com/aztfmod/terraform-azurerm-caf and comment out the prefixes variable under the compute/vm modules then set my landingzone module source to the local copy rather than the MS maintained github repo.

Am I missing something obvious? Is there a way to opt out of using a prefix for certain resources (particularly those with character limits)?

wmcrobertsq
@wmcrobertsq
I'm trying to understand the initial steps for "Deployment of Enterprise-Scale AKS Construction Set". Specifically, jumping from the starter "Demo" instructions to Enterprise-Scale AKS. Should I do Demo levels 0-2 and then do instructions for Enterprise-Scale AKS to mimic what I would normally do for demo level 3?
Or would following the instructions for Enterprise-Scale AKS only give me levels 0-3?
Hamad Riaz
@hriaz

do you need the same for keyvault access policies?

Hi @LaurentLesle, you were going to send a reference for using object_ids in key vault policies. Do you have this handy? I have a requirement for it now and I am trying to play around with it.

1 reply
Paul Matthews
@pmatthews05
After deploying Level0 and Level1 (azure_devops, azure_devops_agents_vm and gitops_connectivity) from my Rover instance, should I be able to deploy all of those levels now by Pipelines? I'm finding the MSI that the pipeline runs under does not seem to have the right access.
Savinayan
@Savinayan
I am trying to use a service principal for rover login, any suggestion/hint please?
1 reply
Marcel B
@Plork
Hey all, I am playing around with https://github.com/Azure/terraform-azurerm-caf-enterprise-scale to be able to deploy resources in their own sub. So each landing zone will also have its own sub eventually (even split for DTAP, 2 at least, maybe even 4). Are there examples for cross-sub deployments of the CAF landingzones?
5 replies
laingsc
@laingsc
Good afternoon, so I have just onboarded a new Application Gateway, and now have a requirement for health probes and header re-writes, however it looks like the application gateway module is only partially completed??? /modules/networking/application_gateway/application_gateway.tf:

  dynamic "backend_http_settings" {
    for_each = local.backend_http_settings

    content {
      name                                = var.application_gateway_applications[backend_http_settings.key].name
      cookie_based_affinity               = try(backend_http_settings.value.cookie_based_affinity, "Disabled")
      port                                = backend_http_settings.value.port
      protocol                            = backend_http_settings.value.protocol
      request_timeout                     = try(backend_http_settings.value.request_timeout, 30)
      pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false)
      trusted_root_certificate_names      = try(backend_http_settings.value.trusted_root_certificate_names, null)
    }
  }

There's no probe_name or host_name....

In addition there's no probe block, and several other blocks are missing from the actual resource....

Any plans to complete this or should I just use the resource itself you reckon?

There's some blocks rem'd out probably in a to-do list eh:

Paul Matthews
@pmatthews05

I have an Application that was created in level 0

azuread_apps = {
  # Do not rename the key "launchpad" to be able to upgrade to the standard launchpad
  caf_launchpad_level0 = {
    useprefix               = true
    application_name        = "caf_launchpad_level0"
    password_expire_in_days = 180

    # Store the ${secret_prefix}-client-id, ${secret_prefix}-client-secret...
    # Set the policy during the creation process of the launchpad
    keyvaults = {
      level0 = {
        secret_prefix = "aadapp-caf-launchpad-level0"
      }
    }
  }
}

If in Level0 I want to grant access to a keyvault with this app I can put in the following:

keyvault_access_policies_azuread_apps = {
  level0 = {
    caf_launchpad_level0 = {
      # Reference a key to an azure ad applications
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}

How do I grant this same app access to a keyvault in level1? I've attempted to follow examples like the MSI's and AD Groups, but I keep getting null errors.

keyvault_access_policies_azuread_apps = {
  bastion = {
    caf_launchpad_level0 = {
      lz_key             = "launchpad"
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}
1 reply
shuft
@shuft
Hi folks (newbie here), I've had a play with the starter template via Rover, so far, so good. Is there any guidance on getting a repo set up that separates my launchpad / ES configuration from the CAF solution itself?
Dominic Motuka
@daumie
Hello, I'm having trouble understanding how all the landing zone pieces come together.
Is there any extra documentation you could direct me to?
5 replies
Dominic Motuka
@daumie
Like, how do I move from level0 to level1 .. and how do these things relate....how do I structure my work?
Am I able to deploy CAF according to enterprise scale philosophy using the unified repo?
kgib
@kgibson-insight:matrix.org
or said more simply, how do the enterprise scale repo (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) and the unified repo differ?