lolorol
@LaurentLesle
do you need the same for keyvault access policies?
Hamad Riaz
@hriaz
that would be a great reference
Hamad Riaz
@hriaz
@LaurentLesle @arnaudlh I am noticing with 5.3 networking modules the empty nsg block is not working. Was there a change? I can share my code for reference. I know the same code was working with 5.2.x
Paul Matthews
@pmatthews05

I'm having an issue with setting up a bootstrap service principal and the main issue is if the secret is changed. It seems as though the secret is cached somewhere within rover.
The following gist shows what I'm doing - https://gist.github.com/pmatthews05/77c2b79a8b2630e814216eadadcce073

On a brand new instance of Rover (aztfmod/rover:0.15.4-2105.2603) calling those lines of code, it logs in correctly using az login --service-principal, and when Rover is called it logs in correctly with the Service Principal.

If I change the secret in Azure AD and run the gist code again with the updated secret, it can log in to az with the service principal without any issues, but when it logs in inside rover, it first shows "Resources from this landing zone are going to be deployed in the following subscription:", which shows the service principal in the user section. But after Initializing az cloud variables it says the secret is invalid.

"ERROR: AADSTS7000215: Invalid client secret is provided.
Trace ID: 177140d2-33fe-42e6-a169-b8a7b0d11600
Correlation ID: b6b0a0c3-8cf2-46bc-8d13-b628d4ce3f80
Timestamp: 2021-06-10 09:27:20Z
To re-authenticate, please run az login. If the problem persists, please contact your tenant administrator.
Logged in rover app object_id: "

The only way I can stop this from happening is removing the entire rover image from my machine, downloading it again and running.

3 replies
Kieran
@kiebrew

We don't want our VM names to use the global prefix, as this causes a lot of headache with the 15-character NetBIOS limit for Windows names, i.e. if we want a VM to be called vm-appx01-uks and the prefix is 5 characters, it pushes the name over the limit and causes mismatches and weird issues with some having the prefix and some not.

The only solution I've found so far is to take a local copy of the main aztfmod https://github.com/aztfmod/terraform-azurerm-caf and comment out the prefixes variable under the compute/vm modules then set my landingzone module source to the local copy rather than the MS maintained github repo.

Am I missing something obvious? Is there a way to opt out of using a prefix for certain resources (particularly those with character limits)?

wmcrobertsq
@wmcrobertsq
I'm trying to understand the initial steps for "Deployment of Enterprise-Scale AKS Construction Set". Specifically, jumping from the starter "Demo" instructions to Enterprise-Scale AKS. Should I do Demo levels 0-2 and then do instructions for Enterprise-Scale AKS to mimic what I would normally do for demo level 3?
Or would following the instructions for Enterprise-Scale AKS only give me levels 0-3?
Hamad Riaz
@hriaz

do you need the same for keyvault access policies?

Hi @LaurentLesle, you were going to send a reference for using object_ids in key vault policies. Do you have this handy? I have a requirement for it now and I am trying to play around with it.

1 reply
Paul Matthews
@pmatthews05
After deploying Level0 and Level1 (azure_devops, azure_devops_agents_vm and gitops_connectivity) from my Rover instance, should I be able to deploy all of the levels now by Pipelines? I'm finding the MSI that the pipeline runs under does not seem to have the right access.
Savinayan
@Savinayan
I am trying to use service principal for rover login any suggestion/hint please
1 reply
Marcel B
@Plork
hey all, I am playing around with https://github.com/Azure/terraform-azurerm-caf-enterprise-scale to be able to deploy resources in their own sub. So also each landing zone will have its own sub eventually. (even split for dtap, 2 at least maybe even 4). Are there examples for cross sub deployments of the CAF landingzones?
5 replies
laingsc
@laingsc

Good afternoon, so I have just onboarded a new Application Gateway, and now have a requirement for health probes and header re-writes, however it looks like the application gateway module is only partially completed??? /modules/networking/application_gateway/application_gateway.tf:

  dynamic "backend_http_settings" {
    for_each = local.backend_http_settings

    content {
      name                                = var.application_gateway_applications[backend_http_settings.key].name
      cookie_based_affinity               = try(backend_http_settings.value.cookie_based_affinity, "Disabled")
      port                                = backend_http_settings.value.port
      protocol                            = backend_http_settings.value.protocol
      request_timeout                     = try(backend_http_settings.value.request_timeout, 30)
      pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false)
      trusted_root_certificate_names      = try(backend_http_settings.value.trusted_root_certificate_names, null)
    }
  }

There's no probe_name or host_name....

In addition there's no probe block, and several other blocks are missing from the actual resource....

Any plans to complete this or should I just use the resource itself you reckon?

There's some blocks rem'd out probably in a to-do list eh:

Paul Matthews
@pmatthews05

I have an Application that was created in level 0

azuread_apps = {
  # Do not rename the key "launchpad" to be able to upgrade to the standard launchpad
  caf_launchpad_level0 = {
    useprefix               = true
    application_name        = "caf_launchpad_level0"
    password_expire_in_days = 180

    # Store the ${secret_prefix}-client-id, ${secret_prefix}-client-secret...
    # Set the policy during the creation process of the launchpad
    keyvaults = {
      level0 = {
        secret_prefix = "aadapp-caf-launchpad-level0"
      }
    }
  }
}

If in Level0 I want to grant access to a keyvault with this app I can put in the following

keyvault_access_policies_azuread_apps = {
  level0 = {
    caf_launchpad_level0 = {
      # Reference a key to an azure ad applications
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}

How do I grant this same app access to a keyvault in level1? I've attempted to follow examples like the MSIs and AD Groups, but I keep getting null errors.

keyvault_access_policies_azuread_apps = {
  bastion = {
    caf_launchpad_level0 = {
      lz_key             = "launchpad"
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}
1 reply
shuft
@shuft
Hi folks, (newbie here) I've had a play with the starter template via Rover, so far, so good. Is there any guidance on getting a repo setup that separates my launchpad / es configuration from the caf solution itself?
Dominic Motuka
@daumie
Hello, I'm having trouble understanding how all the landing zone pieces come together.
Is there any extra documentation you could direct me to?
5 replies
Dominic Motuka
@daumie
Like, how do I move from level0 to level1 .. and how do these things relate....how do I structure my work?
Am I able to deploy CAF according to enterprise scale philosophy using the unified repo?
kgib
@kgibson-insight:matrix.org
[m]
or said more simply, how do the enterprise scale repo (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) and the unified repo differ?
kgib
@kgibson-insight:matrix.org
[m]
I'm also curious how sandpit level 1 gets deployed as I can't seem to find any azure devops modules
kgib
@kgibson-insight:matrix.org
[m]
getting an error on level 1 deploy
│ Error: Attempt to index null value
│
│   on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg":
│   15: location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
│     ├────────────────
│     │ var.global_settings.default_region is "region1"
│     │ var.global_settings.regions is null
│     │ var.settings is object with 1 attribute "name"
│
│ This value is null, so it does not have any indices.
Dominic Motuka
@daumie

getting an error on level 1 deploy
│ Error: Attempt to index null value
│
│   on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg":
│   15: location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
│     ├────────────────
│     │ var.global_settings.default_region is "region1"
│     │ var.global_settings.regions is null
│     │ var.settings is object with 1 attribute "name"
│
│ This value is null, so it does not have any indices.

@kgibson-insight:matrix.org If you would like, we can pair on this over zoom.
Let me know if you have 15 mins.

Paul Matthews
@pmatthews05
Attempting to deploy the ESLZ add-on. Currently deploying logged in as me a Global Administrator. However, once I'm confident that I've created a configuration, I want to deploy this using pipelines. I've realised that all the permissions so far created for managed identity were on just a single subscription, the launchpad subscription. Is there example code on how to ensure the managed identity permissions are correct to deploy ESLZ?
2 replies
Dominic Motuka
@daumie
Do we have a way to import resources using rover?
4 replies
Kieran
@kiebrew

Hi I'm trying to deploy the es_root archetype (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib). But when I do so, I keep getting the following error

Terraform returned errors:
╷
│ Error: reading Policy Set Definition "Deploy-ASC-Config": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-ASC-Config' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASC-Config"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {
│ 
╵
╷
│ Error: reading Policy Set Definition "Deploy-Diagnostics-LogAnalytics": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-Diagnostics-LogAnalytics' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {

I can see that the policy definitions/assignments exist in that lib folder so I'm not sure what the issue is - has anyone else come across something like this?

3 replies
kgib
@kgibson-insight:matrix.org
[m]
Still getting error on level1 deploy with starter repo
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/security/keyvault_access_policies/policies.tf line 48, in module "azuread_group":
│   48:   object_id     = try(each.value.lz_key, null) == null ? var.azuread_groups[var.client_config.landingzone_key][each.value.azuread_group_key].id : var.azuread_groups[each.value.lz_key][each.value.azuread_group_key].id
│     ├────────────────
│     │ each.value.azuread_group_key is "keyvault_level1_rw"
│     │ each.value.lz_key is "launchpad"
│     │ var.azuread_groups is object with 4 attributes
│ 
│ The given key does not identify an element in this collection value.
Can someone help point me to where the issue might be? Not sure how to troubleshoot this error
kgib
@kgibson-insight:matrix.org
[m]
which key is the message referencing?
Paul Matthews
@pmatthews05

Deployed all of Level0, using Sandpit as the example, which deploys diagnostics for the different resources. Now I'm working on ESLZ which deploys diagnostic policies and the remediation of those policies are failing because a diagnostic has already been deployed with a different name. I thought about passing in the profile name to match, however, as the "Deploy-Resource-Diag" is an initiative I can only pass in one profile name. Where some resources the diagnostics are called "operational_logs_and_metrics" or "operations" or "siem" or "storageAccountsDiagnosticsLogsToWorkspace" etc.

We have decided to remove all the diagnostics from our level0 deployment and just use Azure Policies going forward. Could the people who created this project comment on this please? Also interested in anyone else's thoughts on this.

1 reply
Tom Howarth
@TomHowarth

I'm banging my head against the wall with this at the moment. I have followed the documentation and I receive the following errors:

│ Error: Unsupported attribute
│
│   on dynamic_secrets.tf line 11, in module "dynamic_keyvault_secrets":
│   11: keyvault = module.launchpad.keyvaults[each.key]
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "keyvaults".

│ Error: Unsupported attribute
│
│   on main.tf line 74, in locals:
│   74: storage_account_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].name
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".

│ Error: Unsupported attribute
│
│   on main.tf line 75, in locals:
│   75: container_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].containers["tfstate"].name
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".

│ Error: Unsupported attribute
│
│   on main.tf line 76, in locals:
│   76: resource_group_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].resource_group_name
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".

My question is: what are these lines expecting? This is attempting to deploy the launchpad 200 scenario.
kgib
@kgibson-insight:matrix.org
[m]
can anyone explain how archetypes may be leveraged for a CAF deployment?
2 replies
Tom Howarth
@TomHowarth
where can I find an explanation of error statuses from the rover?
Tom Howarth
@TomHowarth
Does anybody actually monitor this community?
kgib
@kgibson-insight:matrix.org
[m]
sure doesn't seem like it, no response to issues on github either
I'm extremely confused by this whole framework. In AWS, there are community supported modules. Is MSFT working on something similar? It would be much more useful to develop a framework of modules and offer guidance for implementing in a well architected framework. Or, as AWS did, develop an Azure product to enforce guardrails. Managing with code is extremely complex
Tom Howarth
@TomHowarth
the annoying thing is that the people behind this are MS employees
kgib
@kgibson-insight:matrix.org
[m]
archetypes are collections of policies?
kgib
@kgibson-insight:matrix.org
[m]
these things (policies, policy assignments, role definitions and rbac assignments) attached to a subscription is how I've interpreted a Landing Zone to be. Accurate?
3 replies
kgib
@kgibson-insight:matrix.org
[m]
can anyone explain the decision to use nested modules and how to prevent one module changes from breaking another?
Arnaud Lheureux
@arnaudlh
BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)
Tanner Watson
@tannerwatson

BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)

Welcome back :D

kgib
@kgibson-insight:matrix.org
[m]
I've been evaluating the unified repo and have a pretty good grasp on the concept of separating configuration from logic, though I'm still missing possible configuration specs to reference.
for example this sandpit config for event hub namespaces (https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/level0/launchpad/diagnostic_event_hub_namespaces.tfvars), are potential diagnostic_event_hub_namespace options posted anywhere?
2 replies
I'm still very unclear how to build out my own configuration specs
kgib
@kgibson-insight:matrix.org
[m]
I still don't follow
So if I want to define a resource group in CAF configuration, how do I reference this https://github.com/aztfmod/terraform-azurerm-caf/blob/master/resource_groups.tf