laingsc
@laingsc

Good afternoon, so I have just onboarded a new Application Gateway, and now have a requirement for health probes and header rewrites, however it looks like the application gateway module is only partially completed??? /modules/networking/application_gateway/application_gateway.tf:

  dynamic "backend_http_settings" {
    for_each = local.backend_http_settings

    content {
      name                                = var.application_gateway_applications[backend_http_settings.key].name
      cookie_based_affinity               = try(backend_http_settings.value.cookie_based_affinity, "Disabled")
      port                                = backend_http_settings.value.port
      protocol                            = backend_http_settings.value.protocol
      request_timeout                     = try(backend_http_settings.value.request_timeout, 30)
      pick_host_name_from_backend_address = try(backend_http_settings.value.pick_host_name_from_backend_address, false)
      trusted_root_certificate_names      = try(backend_http_settings.value.trusted_root_certificate_names, null)
    }
  }

There's no probe_name or host_name....

In addition there's no probe block, and several other blocks are missing from the actual resource....

Any plans to complete this or should I just use the resource itself you reckon?

There are some blocks rem'd out, probably in a to-do list eh:

Paul Matthews
@pmatthews05

I have an Application that was created in level 0

azuread_apps = {
  # Do not rename the key "launchpad" to be able to upgrade to the standard launchpad
  caf_launchpad_level0 = {
    useprefix               = true
    application_name        = "caf_launchpad_level0"
    password_expire_in_days = 180

    # Store the ${secret_prefix}-client-id, ${secret_prefix}-client-secret...
    # Set the policy during the creation process of the launchpad
    keyvaults = {
      level0 = {
        secret_prefix = "aadapp-caf-launchpad-level0"
      }
    }
  }
}

If in Level0 I want to grant access to a keyvault with this app I can put in the following

keyvault_access_policies_azuread_apps = {
  level0 = {
    caf_launchpad_level0 = {
      # Reference a key to an azure ad applications
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}

How do I grant this same app access to a keyvault in level1? I've attempted to follow examples like the MSI's and AD Groups, but I keep getting null errors.

keyvault_access_policies_azuread_apps = {
  bastion = {
    caf_launchpad_level0 = {
      lz_key             = "launchpad"
      azuread_app_key    = "caf_launchpad_level0"
      secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
    }
  }
}
1 reply
shuft
@shuft
Hi folks, (newbie here) I've had a play with the starter template via Rover, so far, so good. Is there any guidance on getting a repo setup that separates my launchpad / es configuration from the caf solution itself?
Dominic Motuka
@daumie
Hello, I'm having trouble understanding how all the landing zone pieces come together.
Is there any extra documentation you could direct me to?
5 replies
Dominic Motuka
@daumie
Like, how do I move from level0 to level1 .. and how do these things relate....how do I structure my work?
Am I able to deploy CAF according to enterprise scale philosophy using the unified repo?
kgib
@kgibson-insight:matrix.org
[m]
or said more simply, how do the enterprise scale repo (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) and the unified repo differ?
kgib
@kgibson-insight:matrix.org
[m]
I'm also curious how sandpit level 1 gets deployed as I can't seem to find any azure devops modules
kgib
@kgibson-insight:matrix.org
[m]
getting an error on level 1 deploy

│ Error: Attempt to index null value
│
│   on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg":
│   15: location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
│     ├────────────────
│     │ var.global_settings.default_region is "region1"
│     │ var.global_settings.regions is null
│     │ var.settings is object with 1 attribute "name"
│
│ This value is null, so it does not have any indices.
Dominic Motuka
@daumie

getting an error on level 1 deploy

│ Error: Attempt to index null value
│
│   on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg":
│   15: location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
│     ├────────────────
│     │ var.global_settings.default_region is "region1"
│     │ var.global_settings.regions is null
│     │ var.settings is object with 1 attribute "name"
│
│ This value is null, so it does not have any indices.

@kgibson-insight:matrix.org If you would like, we can pair on this over zoom.
Let me know if you have 15 mins.

Paul Matthews
@pmatthews05
Attempting to deploy the ESLZ add-on. Currently deploying logged in as me a Global Administrator. However, once I'm confident that I've created a configuration, I want to deploy this using pipelines. I've realised that all the permissions so far created for managed identity were on just a single subscription, the launchpad subscription. Is there example code on how to ensure the managed identity permissions are correct to deploy ESLZ?
2 replies
Dominic Motuka
@daumie
Do we have a way to import resources using rover?
4 replies
Kieran
@kiebrew

Hi I'm trying to deploy the es_root archetype (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib). But when I do so, I keep getting the following error

Terraform returned errors:
╷
│ Error: reading Policy Set Definition "Deploy-ASC-Config": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-ASC-Config' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASC-Config"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {
│ 
╵
╷
│ Error: reading Policy Set Definition "Deploy-Diagnostics-LogAnalytics": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-Diagnostics-LogAnalytics' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {

I can see that the policy definitions/assignments exist in that lib folder so I'm not sure what the issue is - has anyone else come across something like this?

3 replies
kgib
@kgibson-insight:matrix.org
[m]
Still getting error on level1 deploy with starter repo
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/security/keyvault_access_policies/policies.tf line 48, in module "azuread_group":
│   48:   object_id     = try(each.value.lz_key, null) == null ? var.azuread_groups[var.client_config.landingzone_key][each.value.azuread_group_key].id : var.azuread_groups[each.value.lz_key][each.value.azuread_group_key].id
│     ├────────────────
│     │ each.value.azuread_group_key is "keyvault_level1_rw"
│     │ each.value.lz_key is "launchpad"
│     │ var.azuread_groups is object with 4 attributes
│ 
│ The given key does not identify an element in this collection value.
Can someone help point me to where the issue might be? Not sure how to troubleshoot this error
kgib
@kgibson-insight:matrix.org
[m]
which key is the message referencing?
Paul Matthews
@pmatthews05

Deployed all of Level0, using Sandpit as the example, which deploys diagnostics for the different resources. Now I'm working on ESLZ which deploys diagnostic policies and the remediation of those policies are failing because a diagnostic has already been deployed with a different name. I thought about passing in the profile name to match, however, as the "Deploy-Resource-Diag" is an initiative I can only pass in one profile name. Where some resources the diagnostics are called "operational_logs_and_metrics" or "operations" or "siem" or "storageAccountsDiagnosticsLogsToWorkspace" etc.

We have decided to remove all the diagnostics from our level0 deployment and just use Azure Policies going forward. Could the people who created this project comment on this please? Also interested in anyone else's thoughts on this.

1 reply
Tom Howarth
@TomHowarth

I'm banging my head against the wall with this at the moment. I have followed the documentation and I receive the following errors:


│ Error: Unsupported attribute
│
│   on dynamic_secrets.tf line 11, in module "dynamic_keyvault_secrets":
│   11: keyvault = module.launchpad.keyvaults[each.key]
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "keyvaults".

│ Error: Unsupported attribute
│
│   on main.tf line 74, in locals:
│   74: storage_account_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].name
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".

│ Error: Unsupported attribute
│
│   on main.tf line 75, in locals:
│   75: container_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].containers["tfstate"].name
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".

│ Error: Unsupported attribute
│
│   on main.tf line 76, in locals:
│   76: resource_group_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].resource_group_name
│     ├────────────────
│     │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".

My question is what are these lines expecting. This is attempting to deploy the launchpad 200 scenario.
kgib
@kgibson-insight:matrix.org
[m]
can anyone explain how archetypes may be leveraged for a CAF deployment?
2 replies
Tom Howarth
@TomHowarth
where can I find an explanation of error statuses from the rover?
Tom Howarth
@TomHowarth
Does anybody actually monitor this community?
kgib
@kgibson-insight:matrix.org
[m]
sure doesn't seem like it, no response to issues on github either
I'm extremely confused by this whole framework. In AWS, there are community supported modules. Is MSFT working on something similar? It would be much more useful to develop a framework of modules and offer guidance for implementing in a well architected framework. Or, as AWS did, develop an Azure product to enforce guardrails. Managing with code is extremely complex
Tom Howarth
@TomHowarth
the annoying thing is that the people behind this are MS employees
kgib
@kgibson-insight:matrix.org
[m]
archetypes are collections of policies?
kgib
@kgibson-insight:matrix.org
[m]
these things (policies, policy assignments, role definitions and rbac assignments) attached to a subscription is how I've interpreted a Landing Zone to be. Accurate?
3 replies
kgib
@kgibson-insight:matrix.org
[m]
can anyone explain the decision to use nested modules and how to prevent one module changes from breaking another?
Arnaud Lheureux
@arnaudlh
BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)
Tanner Watson
@tannerwatson

BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)

Welcome back :D

kgib
@kgibson-insight:matrix.org
[m]
I've been evaluating the unified repo and have a pretty good grasp on the concept of separating configuration from logic, though I'm still missing possible configuration specs to reference.
for example this sandpit config for event hub namespaces (https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/level0/launchpad/diagnostic_event_hub_namespaces.tfvars), are potential diagnostic_event_hub_namespace options posted anywhere?
2 replies
I'm still very unclear how to build out my own configuration specs
kgib
@kgibson-insight:matrix.org
[m]
I still don't follow
so If I want to define a resource group in CAF configuration, how do I reference this https://github.com/aztfmod/terraform-azurerm-caf/blob/master/resource_groups.tf
where is it specified which properties are available and possible values?
But in CAF config example, we have
    resource_groups = {
      level0 = {
        "Reader" = {
          azuread_groups = {
            keys = ["caf_launchpad_Reader"]
          }
        }
      }
    }
kgib
@kgibson-insight:matrix.org
[m]
OK...here is the resource group module code
# naming convention
resource "azurecaf_name" "rg" {
  name          = var.resource_group_name
  resource_type = "azurerm_resource_group"
  prefixes      = var.global_settings.prefixes
  random_length = var.global_settings.random_length
  clean_input   = true
  passthrough   = var.global_settings.passthrough
  use_slug      = var.global_settings.use_slug
}

resource "azurerm_resource_group" "rg" {
  name     = azurecaf_name.rg.result
  location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
  tags = merge(
    var.tags,
    lookup(var.settings, "tags", {})
  )
}

having used many TF modules, it's pretty standard to do something like

# A module block takes a single label; a git source is addressed by repo
# and sub-directory, and pinned with ?ref=<tag> rather than a version argument
# (which only applies to registry sources). <tag> is a placeholder.
module "rg" {
  source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/resource_group?ref=<tag>"

  name     = var.rg_name
  location = var.rg_location
  tags     = var.rg_tags
}

How is it better to use this round about way of specifying configs?

kgib
@kgibson-insight:matrix.org
[m]
@arnaudlh: would really love some help here
kgib
@kgibson-insight:matrix.org
[m]

if nothing else, it'd be nice to have things structured as something that matches the CAF config definition like

resource_group = {
  name           = "Reader"
  azuread_groups = ["group1", "group2"]
  caf_level      = "level0"
}

My real confusion is how do I know which landing zone configs the resource group needs to specify. Where is the landing zone configuration spec?

1 reply
Ryan Bartram
@rdbartram
Hey Guys, first question in here...stuck at the beginning seemingly. I'm trying to deploy azure_devops_v1 and it requires the pat token. I noticed there was a bug where it was pulling from the secrets keyvault key and not the level0...problem is the pat token "azdo-pat-admin" isn't filled out. I know I can fill it out myself in the launchpad...but what is the purpose of "aad-user-devops-user-admin", username pat-rotation...should this be automatic somehow? thanks!
1 reply
Ryan Bartram
@rdbartram
perhaps easier said, does someone have a working configuration for azure_devops v1 or otherwise
3 replies
Henry Dobson
@henrydobson
Hi @arnaudlh and all, I have recently switched from AWS to Azure and keen to adopt CAF. I've tried a couple of standalone module implementations and had varying levels of success. As a newcomer, I find the approach used for the tfvars a bit ambiguous at times. I couldn't find an explanation of the approach in the contribution guide or other docs. Is there a reference someone can point me to?
2 replies
kgib
@kgibson-insight:matrix.org
[m]
the AWS community modules are such a great resource, and I feel like that's what MSFT are attempting to build here, but the implementation is completely different than other TF modules and it's difficult to understand how to use the proprietary tfvars format