aztfmod/community

Dominic Motuka

@daumie

Like, how do I move from level0 to level1 .. and how do these things relate....how do I structure my work?

kgib

@kgibson-insight:matrix.org

I'm confused by this https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/configuration/sandpit/level1/foundations#deploying-caf-foundations-with-enterprise-scale-experimental

Am I able to deploy CAF according to enterprise scale philosophy using the unified repo?

unified repo is here https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/configuration/sandpit

kgib

@kgibson-insight:matrix.org

[m]

or said more simply, how do the enterprise scale repo (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) and the unified repo differ?

kgib

@kgibson-insight:matrix.org

[m]

I'm also curious how sandpit level 1 gets deployed as I can't seem to find any azure devops modules

kgib

@kgibson-insight:matrix.org

[m]

getting an error on level 1 deploy

│ Error: Attempt to index null value
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg":
│   15:   location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
│     ├────────────────
│     │ var.global_settings.default_region is "region1"
│     │ var.global_settings.regions is null
│     │ var.settings is object with 1 attribute "name"
│ 
│ This value is null, so it does not have any indices.

Dominic Motuka

@daumie

getting an error on level 1 deploy │ Error: Attempt to index null value │ │ on /home/vscode/.terraform.cache/modules/solution/modules/resource_group/module.tf line 15, in resource "azurerm_resource_group" "rg": │ 15: location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)] │ ├──────────────── │ │ var.global_settings.default_region is "region1" │ │ var.global_settings.regions is null │ │ var.settings is object with 1 attribute "name" │ │ This value is null, so it does not have any indices.

@kgibson-insight:matrix.org If you would like, we can pair on this over zoom.
Let me know if you have 15 mins.

Paul Matthews

@pmatthews05

Attempting to deploy the ESLZ add-on. Currently deploying logged in as me a Global Administrator. However, once I'm confident that I've created a configuration, I want to deploy this using pipelines. I've realised that all the permissions so far created for managed identity were on just a single subscription, the launchpad subscription. Is there example code on how to ensure the managed identity permissions are correct to deploy ESLZ?

2 replies

Dominic Motuka

@daumie

Do we have a way to import resources using rover?

4 replies

Kieran

@kiebrew

Hi I'm trying to deploy the es_root archetype (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/archetypes/lib). But when I do so, I keep getting the following error

Terraform returned errors:
╷
│ Error: reading Policy Set Definition "Deploy-ASC-Config": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-ASC-Config' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASC-Config"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {
│ 
╵
╷
│ Error: reading Policy Set Definition "Deploy-Diagnostics-LogAnalytics": policy.SetDefinitionsClient#GetBuiltIn: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="PolicySetDefinitionNotFound" Message="The policy set definition 'Deploy-Diagnostics-LogAnalytics' could not be found."
│ 
│   with module.enterprise_scale.data.azurerm_policy_set_definition.external_lookup["/providers/Microsoft.Management/managementGroups/im/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics"],
│   on /home/vscode/.terraform.cache/modules/enterprise_scale/locals.policy_assignments.tf line 90, in data "azurerm_policy_set_definition" "external_lookup":
│   90: data "azurerm_policy_set_definition" "external_lookup" {

I can see that the policy definitions/assignment exist in that lib folder so i'm not sure what the issue is - has anyone else come across something like this?

3 replies

kgib

@kgibson-insight:matrix.org

[m]

Still getting error on level1 deploy with starter repo

│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/security/keyvault_access_policies/policies.tf line 48, in module "azuread_group":
│   48:   object_id     = try(each.value.lz_key, null) == null ? var.azuread_groups[var.client_config.landingzone_key][each.value.azuread_group_key].id : var.azuread_groups[each.value.lz_key][each.value.azuread_group_key].id
│     ├────────────────
│     │ each.value.azuread_group_key is "keyvault_level1_rw"
│     │ each.value.lz_key is "launchpad"
│     │ var.azuread_groups is object with 4 attributes
│ 
│ The given key does not identify an element in this collection value.

Can someone help point me to where the issue might be? Not sure how to troubleshoot this error

kgib

@kgibson-insight:matrix.org

[m]

which key is message referencing?

Paul Matthews

@pmatthews05

Deployed all of Level0, using Sandpit as the example, which deploys diagnostics for the different resources. Now I'm working on ESLZ which deploys diagnostic policies and the remediation of those policies are failing because a diagnostic has already been deployed with a different name. I thought about passing in the profile name to match, however, as the "Deploy-Resource-Diag" is an initiative I can only pass in one profile name. Where some resources the diagnostics are called "operational_logs_and_metrics" or "operations" or "siem" or "storageAccountsDiagnosticsLogsToWorkspace" etc.

We have decided to remove all the diagnostics from our level0 deployment and just use Azure Policies going forward. Could the people who created this project comment on this please? Also interested in anyone elses thoughts on this.

1 reply

Tom Howarth

@TomHowarth

I banging my head against the wall with this at the moment. I have followed the documentation and I receive the following errors:

╷
│ Error: Unsupported attribute
│
│ on dynamic_secrets.tf line 11, in module "dynamic_keyvault_secrets":
│ 11: keyvault = module.launchpad.keyvaults[each.key]
│ ├────────────────
│ │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "keyvaults".
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 74, in locals:
│ 74: storage_account_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].name
│ ├────────────────
│ │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 75, in locals:
│ 75: container_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].containers["tfstate"].name
│ ├────────────────
│ │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".
╵
╷
│ Error: Unsupported attribute
│
│ on main.tf line 76, in locals:
│ 76: resource_group_name = module.launchpad.storage_accounts[var.launchpad_key_names.tfstates[0]].resource_group_name
│ ├────────────────
│ │ module.launchpad is a object, known only after apply
│
│ This object does not have an attribute named "storage_accounts".

my question is what are these lines expecting. this si attempting to deploy the launchpad 200 scenario

kgib

@kgibson-insight:matrix.org

[m]

can anyone explain how archetypes may be leverages for a CAF deployment?

2 replies

Tom Howarth

@TomHowarth

where can I find an explaination of error statuss from the rover?

Tom Howarth

@TomHowarth

  Does anybody actually monitor this community?

kgib

@kgibson-insight:matrix.org

[m]

sure doesn't seem like it, no response to issues on github either

I'm extremely confused by this whole framework. In AWS, there are community supported modules. Is MSFT working on something similar? It would be much more useful to develop a framework of modules and offer guidance for implementing in a well architected framework. Or, as AWS did, develop an Azure product to enforce guardrails. Managing with code is extremely complex

Tom Howarth

@TomHowarth

the annoying thing is that he people behind this are MS employees

kgib

@kgibson-insight:matrix.org

[m]

archetypes are collections of policies?

kgib

@kgibson-insight:matrix.org

[m]

these things (policies, policy assignments, role definitions and rbac assignments) attached to a subscription is how I've interpreted a Landing Zone to be. Accurate?

3 replies

kgib

@kgibson-insight:matrix.org

[m]

can anyone explain the decision to use nested modules and how to prevent one module changes from breaking another?

Arnaud Lheureux

@arnaudlh

BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)

Tanner Watson

@tannerwatson

BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)

Welcome back :D

kgib

@kgibson-insight:matrix.org

[m]

I've been evaluating the unified the repo and have a pretty good grasp on the concept of separating configuration from logic, though I'm still missing possible configuration specs to reference.

for example this sandpit config for event hub namespaces (https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/level0/launchpad/diagnostic_event_hub_namespaces.tfvars), are potential diagnostic_event_hub_namespace options posted anywhere?

2 replies

I'm still very unclear how to build out my own configuration specs

kgib

@kgibson-insight:matrix.org

[m]

I still don't follow

so If I want to define a resource group in CAF configuration, how do I reference this https://github.com/aztfmod/terraform-azurerm-caf/blob/master/resource_groups.tf

where is it specified which properties are available and possible values?

If I reference azurerm https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group we have name and location

But in CAF config example, we have

    resource_groups = {
      level0 = {
        "Reader" = {
          azuread_groups = {
            keys = ["caf_launchpad_Reader"]
          }
        }
      }

kgib

@kgibson-insight:matrix.org

[m]

OK...here is the resource group module code

# naming convention
resource "azurecaf_name" "rg" {
  name          = var.resource_group_name
  resource_type = "azurerm_resource_group"
  prefixes      = var.global_settings.prefixes
  random_length = var.global_settings.random_length
  clean_input   = true
  passthrough   = var.global_settings.passthrough
  use_slug      = var.global_settings.use_slug
}

resource "azurerm_resource_group" "rg" {
  name     = azurecaf_name.rg.result
  location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
  tags = merge(
    var.tags,
    lookup(var.settings, "tags", {})
  )
}

having used many TF modules, it's pretty standard to do something like

module "resource_group" "rg" {
  source  = "git::https://github.com/aztfmod/terraform-azurerm-caf/blob/master/modules/resource_group/module.tf"
  version = "1.0.0"

  name      = var.rg_name
  location  = var.rg_location
  tags      = var.rg_tags
}

How is it better to use this round about way of specifying configs?

kgib

@kgibson-insight:matrix.org

[m]

@arnaudlh: would really love some help here

kgib

@kgibson-insight:matrix.org

[m]

if nothing else, it'd be nice to have things structured as something that matches the CAF config definition like

resource_group = {
  name = "Reader"
  azuread_groups = [group1, group2]
  caf_level = level0
}

My real confusion is how do I know which landing zone configs the resource group needs to specify. Where is the landing zone configuration spec?

1 reply

Ryan Bartram

@rdbartram

Hey Guys, first question in here...stuck at the beginning seemingly. I'm trying to deploy azure_devops_v1 and it requires the pat token. I noticed there was a bug where it was pulling from the secrets keyvault key and not the level0...problem is the pat token "azdo-pat-admin" isn't filled out. I know I can fill it out myself in the launchpad...but what is the purpose of "aad-user-devops-user-admin", username pat-rotation...should this be automatic some how? thanks!

1 reply

Ryan Bartram

@rdbartram

perhaps easier said, does someone have a working configuration for azure_devops v1 or otherwise

3 replies

Henry Dobson

@henrydobson

Hi @arnaudlh and all, I have recently switched from AWS to Azure and keen to adopt CAF. I've tried a couple of standalone module implementations and had varying levels of success. As a newcomer, I find the approach used for the tfvars a bit ambiguous at times. I couldn't find an explanation of the approach in the contribution guide or other docs. Is there a reference someone can point me to?

2 replies

kgib

@kgibson-insight:matrix.org

[m]

the AWS community modules are such a great resource, and I feel like that's what MSFT are attempting to build here, but the implementation is completely different than other TF modules and it's difficult to understand how to use the proprietary tfvars format

this part of the starter repo as well https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/enterprise_scale/construction_sets/aks/online/aks_secure_baseline

1 reply

Henry Dobson

@henrydobson

Are the caf-terraform-landingzones-starter and caf-terraform-landingzones capable of replicating the Enterprise Scale conceptual architecture in multiple subscriptions or is it designed to be deployed to a single subscription? If multiple subs in Enterprise scale, are the landingzone layers used to target different subscriptions and therefore have a relationship to the connectivity (layer2) and management subs (layer1) etc?

7 replies

Luke Heidecke

@heidecke

This message was deleted

2 replies

Dominic Motuka

@daumie

Importing KeyVault with rover 🔐

Command used

rover   -lz /tf/caf/landingzones/caf_solution/  -tfstate example.tfstate -var-folder /tf/caf/configuration/example/level3/example-linux-vm -parallelism 30  -env example -level level3 -a import module.solution.module.keyvaults[\"example_vm_rg1\"].module.initial_policy[0].module.logged_in_user[\"logged_in_user\"].azurerm_key_vault_access_policy.policy /subscriptions/<subscription-id>/resourceGroups<example>-virtual-machine-rg1/providers/Microsoft.KeyVault/vaults/<vault-name>/objectId/<objectId>

I could use some help importing Keyvault. Seeing the following errors:

Terraform import return code: 1
Terraform returned errors:
╷
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 39, in output "ssh_keys":
│   39:     ssh_private_key_pem      = azurerm_key_vault_secret.ssh_private_key[local.os_type].name
│     ├────────────────
│     │ azurerm_key_vault_secret.ssh_private_key is object with no attributes
│     │ local.os_type is "linux"
│ 
│ The given key does not identify an element in this collection value.
╵

╷
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 40, in output "ssh_keys":
│   40:     ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name
│     ├────────────────
│     │ azurerm_key_vault_secret.ssh_public_key_openssh is object with no attributes
│     │ local.os_type is "linux"
│ 
│ The given key does not identify an element in this collection value.
╵

╷
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 41, in output "ssh_keys":
│   41:     ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name #for backard compat, wrong name, will be removed in future version.
│     ├────────────────
│     │ azurerm_key_vault_secret.ssh_public_key_openssh is object with no attributes
│     │ local.os_type is "linux"
│ 
│ The given key does not identify an element in this collection value.
╵

Error on or near line 573: Error running terraform import; exiting with status 2003

Paul Matthews

@pmatthews05

@arnaudlh following your youtube video https://www.youtube.com/watch?v=fqgv4Wsvo88 I'm doing nothing different from you apart from the location of UKSouth and my own password, and I get the below error message.

TASK [wait for the WinRM port to come online] *****************************************************************************************************************************
ok: [localhost]

PLAY [Setup the CAF development tools] ************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************
fatal: [localhost]: UNREACHABLE! => {"changed": false, "msg": "ntlm: the specified credentials were rejected by the server", "unreachable": true}

PLAY RECAP ****************************************************************************************************************************************************************
localhost                  : ok=12   changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0

I'm able to log into the VM using RDP with the king.admin and password I have set. Are you able to advise why its failing for me?

3 replies

kgib

@kgibson-insight:matrix.org

[m]

can anyone share an experience around why CAF is preferred over individual TF modules that create resources? I can see a benefit in using the enterprise scale repo to build out the management group structure, but using the CAF unified repo to deploy resources appears to be suicide at this point.

1 reply

Where communities thrive

People

Repo info

Activity