Hamad Riaz
@hriaz
I am completely stuck and hoping someone can help. I have a shared image gallery in a different subscription, not deployed via LandingZone. I need to reference this shared image gallery and its images in my single_linux_vm.tfvar file. I have tried different things like storage_image_reference or azurerm_shared_image references, but nothing seems to be working. Can anyone point me in the right direction on what I can look at to build a Linux image from a pre-existing shared image gallery hosted in the same tenant but a different subscription?
mohsinali
@mohsinaliariz_gitlab

Hi, I have created a vnet in level2 networking-hub and now I want to use this vnet for the virtual machines I want to create in level3 solutions. When I provide the vnet key I get an error.
I'm new to landing zones; is it possible to use a virtual network created at level2 in level3 deployments?

Hamad Riaz
@hriaz

@mohsinaliariz_gitlab you need to define the "lower" level tf state and use the lz_key from it.

landingzone = {
  backend_type        = "azurerm"
  global_settings_key = "shared_services"
  level               = "level3"
  key                 = "solutions"
  tfstates = {
    shared_services = {
      level   = "lower"
      tfstate = "sharedservices.tfstate"
    }
    networking_spoke = {
      level   = "lower"
      tfstate = "networking.tfstate"
    }
  }
}

Hamad Riaz
@hriaz

I am completely stuck and hoping someone can help. I have a shared image gallery in a different subscription, not deployed via LandingZone. I need to reference this shared image gallery and its images in my single_linux_vm.tfvar file. I have tried different things like storage_image_reference or azurerm_shared_image references, but nothing seems to be working. Can anyone point me in the right direction on what I can look at to build a Linux image from a pre-existing shared image gallery hosted in the same tenant but a different subscription?

Any help on this would be appreciated. I see an issue from September 9th, 2020 where a feature "Add support to create VM from image gallery" is listed but not checked. Can anyone shed some light on this? aztfmod/terraform-azurerm-caf#4

sukhi25
@sukhi25
Hi, just wanted to ask if anyone else has come across the same issue. I have tried to deploy https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/configuration/sandpit/level1/gitops/azure_devops and get the below error when running PLAN:

│ on /home/vscode/.terraform.cache/modules/caf/modules/security/keyvault_access_policies/policies.tf line 12, in module "azuread_apps":
│ 12: object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key),var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id
│ ├────────────────
│ │ each.value is object with 3 attributes
│ │ each.value.lz_key is "launchpad"
│ │ var.azuread_apps is object with 1 attribute "azdo-contoso"
│ │ var.client_config.landingzone_key is "azdo-contoso"
│ 
│ The given key does not identify an element in this collection value.
9 replies
Hamad Riaz
@hriaz

I am running into something similar as @sukhi25. If I change my "networking" CAF module version from "~>5.2.0" to "~>5.3.0", my vnet creation fails with the following error:

Error: Missing required argument

on /home/vscode/.terraform.cache/modules/landingzones_shared_services/modules/azuread/groups/group.tf line 1, in resource "azuread_group" "group":
1: resource "azuread_group" "group" {

The argument "name" is required, but no definition was found.

Error: Unsupported argument

on /home/vscode/.terraform.cache/modules/landingzones_shared_services/modules/azuread/groups/group.tf line 3, in resource "azuread_group" "group":
3: display_name = var.global_settings.passthrough ? format("%s", var.azuread_groups.name) : format("%s%s", try(format("%s-", var.global_settings.prefixes.0), ""), var.azuread_groups.name)

An argument named "display_name" is not expected here.

Hamad Riaz
@hriaz
I am wondering if anyone has an easy answer to this. I am creating a bunch of resource groups. I want to have the same tags across all of them. Currently I have to put a tag under each resource group name for the tag to work. If I try to do it right under resource_group = everything fails. If I do it outside of that block there is no effect at all. I am sure there is something I am missing?
1 reply
Gerald Fehringer
@geraldfehringer
@arnaudlh -
hi, first of all: awesome work!
What I think many people are struggling with is the abstraction from "caf-terraform-landingzones-starter" > "caf-terraform-landingzones" and then the actual module use from "terraform-azurerm-caf". So the layering of your levels 0-4 is a nice approach, but you have introduced additional logic in "caf-terraform-landingzones" which is not well documented. One example: deploying simple VMs in Level3 is not straightforward, because you are adding some more logic to aztfmod/caf, like https://github.com/Azure/caf-terraform-landingzones/blob/master/caf_solution/variables.compute.tf
Many people have already asked, and I would also greatly appreciate it if you provided some more examples for level3 (not just AKS) - thanks a lot!
5 replies
Gerald Fehringer
@geraldfehringer
@arnaudlh aks cluster referenced parameters? Hi Arnaud,

aks_clusters = {
  cluster_re1 = {
    helm_keys = ["flux", "podIdentify"]
    ...

I couldn't grep anything where the key helm_keys is used, neither in the original modules nor which tf provider this could be executed from? THANKS!
2 replies
laingsc
@laingsc
Good morning folks (morning in NZ). I have a question, and hopefully you might be able to save me some time. We've already built a landing zone in Azure that's nearly a year old. The majority of it was built with the previous standalone modules, vnets, log analytics, keyvault. Now I need to build an application gateway, waf, keyvault solution, and am really keen to use the submodules for this. Now I've spent nearly 4 days trying to figure out if I can integrate with an existing landing zone, but it looks like I would've needed to start with the latest caf in the first place. I can only reference things built with this framework. I'm about to go to basic resource definitions and for_each loops to build public ips, app gateways, etc, but I wanted to check first if there was a way to use these modules...in a more manual way? I'd love to just be able to pass the vnet/subnet instead of keys for something that it's not aware of. Am looking at remote_objects, but they would've needed to be created with this as well but with a different landing zone key in a different workspace perhaps. Anyhow, I'm about to abandon this but I figured I'd ask for any thoughts besides making my own module type thing.
7 replies
Hamad Riaz
@hriaz
I have a pretty simple question hopefully someone can quickly answer. I have resource groups created in level 2 as part of the shared services deployment. When trying to use them in level3 I keep getting "module.resource_groups is object with no attributes. The given key does not identify an element in this collection value". I have the lower level states already defined. I ran into a similar problem with vnets but was able to resolve that on level3 by adding vnet_key and subnet_key values. I am creating a storage account and I am defining resource_group_key from the shared services level2. What am I missing?
Hamad Riaz
@hriaz
Hi @arnaudlh, if I need to apply permissions in a spoke subscription (non-launchpad), would I apply the role_mapping on level2 pointed to caf_solutions, or would that be level1 for the subscription? I am a bit confused on how to assign these permissions to a non-launchpad subscription or a resource group in a different subscription?
5 replies
Hamad Riaz
@hriaz
Also, the role mapping examples assume that we are creating new Azure AD Groups and expect a key value for the membership. What if we were re-using an existing Azure AD group? How do we define that?
1 reply
lolorol
@LaurentLesle
You can add the lz_key. Here is an example for azuread_service_principals; the same applies for azuread_groups.
Hamad Riaz
@hriaz
Sorry if it sounds stupid or simple, but how would that work for something that the launchpad has not created? For example, using pre-existing Azure AD Groups. Are you saying I can just reference the name of an existing group? Also, what would my lz_key be in that case? Foundations?
lolorol
@LaurentLesle
You can set a list of existing object_ids referencing your Azure AD groups.
Hamad Riaz
@hriaz
Thank you! This is perfect. I will try it out shortly.
lolorol
@LaurentLesle
do you need the same for keyvault access policies?
Hamad Riaz
@hriaz
that would be a great reference
Hamad Riaz
@hriaz
@LaurentLesle @arnaudlh I am noticing that with the 5.3 networking modules the empty nsg block is not working. Was there a change? I can share my code for reference. I know the same code was working with 5.2.x.
Paul Matthews
@pmatthews05

I'm having an issue with setting up a bootstrap service principal, and the main issue is if the secret is changed. It seems as though the secret is cached somewhere within rover.
The following gist shows what I'm doing - https://gist.github.com/pmatthews05/77c2b79a8b2630e814216eadadcce073

On a brand new instance of Rover (aztfmod/rover:0.15.4-2105.2603), calling those lines of code, it logs in correctly using az login --service-principal, and when Rover is called it logs in correctly with the Service Principal.

If I change the secret in Azure AD and run the gist code again with the updated secret, it can log in to az with the service principal without any issues, but when it logs in inside rover, it first shows "Resources from this landing zone are going to be deployed in the following subscription:" which shows the service principal in the user section. But after "Initializing az cloud variables" it says the secret is invalid.

"ERROR: AADSTS7000215: Invalid client secret is provided.
Trace ID: 177140d2-33fe-42e6-a169-b8a7b0d11600
Correlation ID: b6b0a0c3-8cf2-46bc-8d13-b628d4ce3f80
Timestamp: 2021-06-10 09:27:20Z
To re-authenticate, please run az login. If the problem persists, please contact your tenant administrator.
Logged in rover app object_id: "

The only way I can stop this from happening is removing the entire rover image from my machine, downloading it again and running.

3 replies
Kieran
@kiebrew

We don't want our VM names to use the global prefix, as this causes a lot of headache with the 15 character NetBIOS limit for Windows names, i.e. if we want a VM to be called vm-appx01-uks then if the prefix is 5 characters, it pushes the name over the limit and causes mismatches and weird issues, with some having the prefix and some not.

The only solution I've found so far is to take a local copy of the main aztfmod https://github.com/aztfmod/terraform-azurerm-caf and comment out the prefixes variable under the compute/vm modules then set my landingzone module source to the local copy rather than the MS maintained github repo.

Am I missing something obvious? Is there a way to opt out of using a prefix for certain resources (particularly those with character limits)?

wmcrobertsq
@wmcrobertsq
I'm trying to understand the initial steps for "Deployment of Enterprise-Scale AKS Construction Set". Specifically, jumping from the starter "Demo" instructions to Enterprise-Scale AKS. Should I do Demo levels 0-2 and then do instructions for Enterprise-Scale AKS to mimic what I would normally do for demo level 3?
Or would following the instructions for Enterprise-Scale AKS only give me levels 0-3?
Hamad Riaz
@hriaz

do you need the same for keyvault access policies?

Hi @LaurentLesle, you were going to send a reference for using object_ids in key vault policies. Do you have this handy? I have a requirement for it now and I am trying to play around with it.

1 reply
Paul Matthews
@pmatthews05
After deploying Level0 and Level1 (azure_devops, azure_devops_agents_vm and gitops_connectivity) from my Rover instance, should I be able to deploy all of the levels now by pipelines? I'm finding the MSI that the pipeline runs under does not seem to have the right access.
Savinayan
@Savinayan
I am trying to use a service principal for rover login, any suggestion/hint please?
1 reply
Marcel B
@Plork
hey all, I am playing around with https://github.com/Azure/terraform-azurerm-caf-enterprise-scale to be able to deploy resources in their own sub. So also each landing zone will have its own sub eventually. (even split for dtap, 2 at least maybe even 4). Are there examples for cross sub deployments of the CAF landingzones?
5 replies
laingsc
@laingsc
Good afternoon, so I have just onboarded a new Application Gateway, and now have a requirement for health probes and header re-writes; however, it looks like the application gateway module is only partially completed??? /modules/networking/application_gateway/application_gateway.tf:

  dynamic "backend_http_settings" {
    for_each = local.backend_http_settings

    content {
      name                                = var.application_gateway_applications[backend_http_settings.key].name
      cookie_based_affinity               = try(backend_http_settings.value.cookie_based_affinity, "Disabled")
      port                                = backend_http_settings.value.port
      protocol                            = backend_http_settings.value.protocol
      request_timeout                     = try(backend_http_settings.value.request_timeout, 30)
      pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false)
      trusted_root_certificate_names      = try(backend_http_settings.value.trusted_root_certificate_names, null)
    }
  }

There's no probe_name or host_name....

In addition there's no probe block, and several other blocks are missing from the actual resource....

Any plans to complete this or should I just use the resource itself you reckon?

There's some blocks rem'd out probably in a to-do list eh:

Paul Matthews
@pmatthews05

I have an Application that was created in level 0

azuread_apps = {
  # Do not rename the key "launchpad" to be able to upgrade to the standard launchpad
  caf_launchpad_level0 = {
    useprefix               = true
    application_name        = "caf_launchpad_level0"
    password_expire_in_days = 180

    # Store the ${secret_prefix}-client-id, ${secret_prefix}-client-secret...
    # Set the policy during the creation process of the launchpad
    keyvaults = {
      level0 = {
        secret_prefix = "aadapp-caf-launchpad-level0"
      }
    }
  }
}

If in Level0 I want to grant access to a keyvault with this app, I can put in the following:

keyvault_access_policies_azuread_apps = {
  level0 = {
    caf_launchpad_level0 = {
      # Reference a key to an azure ad applications
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}

How do I grant this same app access to a keyvault in level1? I've attempted to follow examples like the MSIs and AD Groups, but I keep getting null errors.

keyvault_access_policies_azuread_apps = {
  bastion = {
    caf_launchpad_level0 = {
      lz_key             = "launchpad"
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}
1 reply
shuft
@shuft
Hi folks (newbie here), I've had a play with the starter template via Rover; so far, so good. Is there any guidance on getting a repo set up that separates my launchpad / es configuration from the caf solution itself?
Dominic Motuka
@daumie
Hello, I'm having trouble understanding how all the landing zone pieces come together.
Is there any extra documentation you could direct me to?
5 replies
Dominic Motuka
@daumie
Like, how do I move from level0 to level1 .. and how do these things relate....how do I structure my work?
Am I able to deploy CAF according to enterprise scale philosophy using the unified repo?
kgib
@kgibson-insight:matrix.org
or said more simply, how do the enterprise scale repo (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) and the unified repo differ?
kgib
@kgibson-insight:matrix.org
I'm also curious how sandpit level 1 gets deployed as I can't seem to find any azure devops modules
kgib
@kgibson-insight:matrix.org
Getting an error on level 1 deploy:

│ Error: Attempt to index null value
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg":
│   15: location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
│     ├────────────────
│     │ var.global_settings.default_region is "region1"
│     │ var.global_settings.regions is null
│     │ var.settings is object with 1 attribute "name"
│ 
│ This value is null, so it does not have any indices.
Dominic Motuka
@daumie

Getting an error on level 1 deploy:

│ Error: Attempt to index null value
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg":
│   15: location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
│     ├────────────────
│     │ var.global_settings.default_region is "region1"
│     │ var.global_settings.regions is null
│     │ var.settings is object with 1 attribute "name"
│ 
│ This value is null, so it does not have any indices.

@kgibson-insight:matrix.org If you would like, we can pair on this over zoom.
Let me know if you have 15 mins.

Paul Matthews
@pmatthews05
Attempting to deploy the ESLZ add-on. Currently deploying logged in as me, a Global Administrator. However, once I'm confident that I've created a configuration, I want to deploy this using pipelines. I've realised that all the permissions created so far for the managed identity were on just a single subscription, the launchpad subscription. Is there example code on how to ensure the managed identity permissions are correct to deploy ESLZ?
2 replies
Dominic Motuka
@daumie
Do we have a way to import resources using rover?
4 replies
Kieran
@kiebrew

Hi, I'm trying to deploy the es_root archetype (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib). But when I do so, I keep getting the following error:

Terraform returned errors:
╷
│ Error: reading Policy Set Definition "Deploy-ASC-Config": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-ASC-Config' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASC-Config"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {
│ 
╵
╷
│ Error: reading Policy Set Definition "Deploy-Diagnostics-LogAnalytics": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-Diagnostics-LogAnalytics' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {

I can see that the policy definitions/assignments exist in that lib folder, so I'm not sure what the issue is - has anyone else come across something like this?

3 replies
kgib
@kgibson-insight:matrix.org
Still getting an error on level1 deploy with the starter repo:
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/security/keyvault_access_policies/policies.tf line 48, in module "azuread_group":
│   48:   object_id     = try(each.value.lz_key, null) == null ? var.azuread_groups[var.client_config.landingzone_key][each.value.azuread_group_key].id : var.azuread_groups[each.value.lz_key][each.value.azuread_group_key].id
│     ├────────────────
│     │ each.value.azuread_group_key is "keyvault_level1_rw"
│     │ each.value.lz_key is "launchpad"
│     │ var.azuread_groups is object with 4 attributes
│ 
│ The given key does not identify an element in this collection value.
Can someone help point me to where the issue might be? Not sure how to troubleshoot this error
kgib
@kgibson-insight:matrix.org
Which key is the message referencing?