I'm extremely confused by this whole framework. In AWS, there are community supported modules. Is MSFT working on something similar? It would be much more useful to develop a framework of modules and offer guidance for implementing in a well architected framework. Or, as AWS did, develop an Azure product to enforce guardrails. Managing with code is extremely complex
these things (policies, policy assignments, role definitions and rbac assignments) attached to a subscription is how I've interpreted a Landing Zone to be. Accurate?
3 replies
can anyone explain the decision to use nested modules and how to prevent one module changes from breaking another?
I've been evaluating the unified the repo and have a pretty good grasp on the concept of separating configuration from logic, though I'm still missing possible configuration specs to reference.
for example this sandpit config for event hub namespaces (https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/level0/launchpad/diagnostic_event_hub_namespaces.tfvars), are potential
diagnostic_event_hub_namespace options posted anywhere?
2 replies
I'm still very unclear how to build out my own configuration specs
so If I want to define a resource group in CAF configuration, how do I reference this https://github.com/aztfmod/terraform-azurerm-caf/blob/master/resource_groups.tf
where is it specified which properties are available and possible values?
If I reference azurerm https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group we have
name and location
But in CAF config example, we have
resource_groups = {
level0 = {
"Reader" = {
azuread_groups = {
keys = ["caf_launchpad_Reader"]
}
}
}
OK...here is the resource group module code
# naming convention
resource "azurecaf_name" "rg" {
name = var.resource_group_name
resource_type = "azurerm_resource_group"
prefixes = var.global_settings.prefixes
random_length = var.global_settings.random_length
clean_input = true
passthrough = var.global_settings.passthrough
use_slug = var.global_settings.use_slug
}
resource "azurerm_resource_group" "rg" {
name = azurecaf_name.rg.result
location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
tags = merge(
var.tags,
lookup(var.settings, "tags", {})
)
}having used many TF modules, it's pretty standard to do something like
module "resource_group" "rg" {
source = "git::https://github.com/aztfmod/terraform-azurerm-caf/blob/master/modules/resource_group/module.tf"
version = "1.0.0"
name = var.rg_name
location = var.rg_location
tags = var.rg_tags
}How is it better to use this round about way of specifying configs?
if nothing else, it'd be nice to have things structured as something that matches the CAF config definition like
resource_group = {
name = "Reader"
azuread_groups = [group1, group2]
caf_level = level0
}My real confusion is how do I know which landing zone configs the resource group needs to specify. Where is the landing zone configuration spec?
1 reply
Hey Guys, first question in here...stuck at the beginning seemingly. I'm trying to deploy azure_devops_v1 and it requires the pat token. I noticed there was a bug where it was pulling from the secrets keyvault key and not the level0...problem is the pat token "azdo-pat-admin" isn't filled out. I know I can fill it out myself in the launchpad...but what is the purpose of "aad-user-devops-user-admin", username pat-rotation...should this be automatic some how? thanks!
1 reply
Hi @arnaudlh and all, I have recently switched from AWS to Azure and keen to adopt CAF. I've tried a couple of standalone module implementations and had varying levels of success. As a newcomer, I find the approach used for the tfvars a bit ambiguous at times. I couldn't find an explanation of the approach in the contribution guide or other docs. Is there a reference someone can point me to?
2 replies
the AWS community modules are such a great resource, and I feel like that's what MSFT are attempting to build here, but the implementation is completely different than other TF modules and it's difficult to understand how to use the proprietary tfvars format
this part of the starter repo as well https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/enterprise_scale/construction_sets/aks/online/aks_secure_baseline
1 reply
Are the caf-terraform-landingzones-starter and caf-terraform-landingzones capable of replicating the Enterprise Scale conceptual architecture in multiple subscriptions or is it designed to be deployed to a single subscription? If multiple subs in Enterprise scale, are the landingzone layers used to target different subscriptions and therefore have a relationship to the connectivity (layer2) and management subs (layer1) etc?
3 replies
Importing KeyVault with rover 🔐
Command used
rover -lz /tf/caf/landingzones/caf_solution/ -tfstate example.tfstate -var-folder /tf/caf/configuration/example/level3/example-linux-vm -parallelism 30 -env example -level level3 -a import module.solution.module.keyvaults[\"example_vm_rg1\"].module.initial_policy[0].module.logged_in_user[\"logged_in_user\"].azurerm_key_vault_access_policy.policy /subscriptions/<subscription-id>/resourceGroups<example>-virtual-machine-rg1/providers/Microsoft.KeyVault/vaults/<vault-name>/objectId/<objectId>I could use some help importing Keyvault. Seeing the following errors:
Terraform import return code: 1
Terraform returned errors:
╷
│ Error: Invalid index
│
│ on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 39, in output "ssh_keys":
│ 39: ssh_private_key_pem = azurerm_key_vault_secret.ssh_private_key[local.os_type].name
│ ├────────────────
│ │ azurerm_key_vault_secret.ssh_private_key is object with no attributes
│ │ local.os_type is "linux"
│
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Invalid index
│
│ on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 40, in output "ssh_keys":
│ 40: ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name
│ ├────────────────
│ │ azurerm_key_vault_secret.ssh_public_key_openssh is object with no attributes
│ │ local.os_type is "linux"
│
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Invalid index
│
│ on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 41, in output "ssh_keys":
│ 41: ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name #for backard compat, wrong name, will be removed in future version.
│ ├────────────────
│ │ azurerm_key_vault_secret.ssh_public_key_openssh is object with no attributes
│ │ local.os_type is "linux"
│
│ The given key does not identify an element in this collection value.
╵
Error on or near line 573: Error running terraform import; exiting with status 2003
@arnaudlh following your youtube video https://www.youtube.com/watch?v=fqgv4Wsvo88 I'm doing nothing different from you apart from the location of UKSouth and my own password, and I get the below error message.
TASK [wait for the WinRM port to come online] *****************************************************************************************************************************
ok: [localhost]
PLAY [Setup the CAF development tools] ************************************************************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************************************************
fatal: [localhost]: UNREACHABLE! => {"changed": false, "msg": "ntlm: the specified credentials were rejected by the server", "unreachable": true}
PLAY RECAP ****************************************************************************************************************************************************************
localhost : ok=12 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0I'm able to log into the VM using RDP with the king.admin and password I have set. Are you able to advise why its failing for me?
3 replies
can anyone share an experience around why CAF is preferred over individual TF modules that create resources? I can see a benefit in using the
enterprise scale repo to build out the management group structure, but using the CAF unified repo to deploy resources appears to be suicide at this point.
1 reply
@LaurentLesle With the 5.4.1 patch release, a regression was introduced with next hop for routing tables.
Error: Error in function call
on /home/vsts_azpcontainer/modules/solution/modules/networking/virtual_hub_route_tables/route_local.tf line 9, in locals:
9: nextHop = coalesce(
10: try(value.next_hop_id, ""),
11: try(var.remote_objects.virtual_hub_connections[value.next_hop.lz_key][value.next_hop.key].id, ""),
12: try(var.remote_objects.azurerm_firewalls[value.next_hop.lz_key][value.next_hop.key].id, ""),
13: try(var.resource_ids[value.next_hop.resource_type][value.next_hop.lz_key][value.next_hop.key].id, "") # Note the virtual_hub_connection must come from a remote tfstate only. PB with circular reference in the object model of vhub tables and connections
14: )
├────────────────
│ value.next_hop is object with 2 attributes
│ value.next_hop.resource_type is "azurerm_firewall"
│ var.remote_objects.azurerm_firewalls is object with 3 attributes
│ var.remote_objects.virtual_hub_connections is object with 3 attributes
│ var.resource_ids is object with 1 attribute "virtual_hub_connection"
Call to function "coalesce" failed: no non-null, non-empty-string arguments.
Terraform plan return code: 1
Hi, I am trying to create a front-door with 2nd Frontend Domain (custom) which depends on CNAME record of the format "record=<frontdoor-name>.azurefd.net". When using a random slug for resource names this becomes tricky - a chicken & egg problem. Could anyone help me understand the order/workflow for creating the "Frontdoor with custom domain, please"
@arnaudlh @LaurentLesle Can you confirm how the central_logs is intended to be used when using enterprise scale landing zones with multiple subscriptions. I have deployed management resources using caf-terraform-landingzones rather than the than enterprise-scale modules in the same way as https://github.com/Azure/caf-terraform-landingzones-starter/tree/AL-contoso/configuration/contoso/platform/demo/level1 however when this approach is used with multiple subscriptions the diagnostics settings blocks used for the landing zone fail with the correct resource names but incorrect subscription. I presume that with enterprise scale, the diagnostics settings should not be defined in the tfvars and instead should be managed with the enterprise scale deployifdoesnotexist policies. Is that correct or is there a way to target the correct subscription?
9 replies
@arnaudlh @LaurentLesle Currently we are deploying the CAF code into our Azure environment. When we originally applied the Launchpad we deployed a log analytics workspace and a number of in built solutions as part of diagnostics_log_analytics. We are also using the enterprise scale code which again looks to deploy a log analytics workspace, with some new and overlapping solutions. We want to configure our environment to manage the Log analystics workspace from either the Launchpad or Enterprise scale code, but which is best so that we follow the diirection of travel for configuring log analytics?
Thanks
Thanks
Good morning (Here in Australia)! We're just starting our journey with this project - trying to get it up and running internally for evaluation. Firstly, thank you for putting it together - looks like an incredible amount of work has gone into it.
Question though: The example videos I have seen have a different file structure to the ones in the landing zone/starter-kit as it is now. We are unable to run any of the examples without an error. This may be down to our understanding as there are clearly people using this successfully!
As an example, trying to run the eslz addon results in the following errors. What are we doing wrong?
BTW: As we are beginning our journey, I am more than happy to contribute/update any 'beginner/getting started with' type documentation if it would assist you?
Question though: The example videos I have seen have a different file structure to the ones in the landing zone/starter-kit as it is now. We are unable to run any of the examples without an error. This may be down to our understanding as there are clearly people using this successfully!
As an example, trying to run the eslz addon results in the following errors. What are we doing wrong?
BTW: As we are beginning our journey, I am more than happy to contribute/update any 'beginner/getting started with' type documentation if it would assist you?
8 replies
Hello guys,
I need to do something really simple: Create a new secret to a keyvault. The secret value must be randomly generated
I was hoping to do something as simple as that:
keyvaults.tfvars
random_strings = {
foo_password = {
length = 20
special = true
upper = true
number = true
}
}
dynamic_keyvault_secrets = {
kv = {
secret_key1 = {
secret_name = "foo_key"
value = foo_password.value
}
}
}However, I don't think we can put any logic in tfvars files. It means that the logic must be placed somewhere else.
Do you have any recommendation ?
1 reply
Hello guys, just started my journey with the CAF Terraform approach.
I want to build an enterprise scale environment having platform subscriptions for management, identity and connectivity, as well as different landing zones for various applications like analytics, aks ... I started with the CAF landingzones having a launchpad (which I understood will have only one in my environment) and a solution (for level 1-4). Since for example AKS has different solution requirements than analytics, what will be the best way to separate these environments - a own solution per landing zone? besides will the app subscriptions then start at Level 2 or will they have empty Level 0 and empty Level 1 (asumption L0 & L1 are managed on platform level in the management subscription). Hope someone can point me to the right direction and have some recommendations! Thanks
I want to build an enterprise scale environment having platform subscriptions for management, identity and connectivity, as well as different landing zones for various applications like analytics, aks ... I started with the CAF landingzones having a launchpad (which I understood will have only one in my environment) and a solution (for level 1-4). Since for example AKS has different solution requirements than analytics, what will be the best way to separate these environments - a own solution per landing zone? besides will the app subscriptions then start at Level 2 or will they have empty Level 0 and empty Level 1 (asumption L0 & L1 are managed on platform level in the management subscription). Hope someone can point me to the right direction and have some recommendations! Thanks
@schoenr79 - you might be looking for this ... https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Management-Resources
1 reply
Hi. I finally have something working :-).
There's a gap between creating the launchpad and then creating level 2 resources.
I've used the CAF_TERRAFORM_LANDING_ZONES repository.
Running the level 100 launchpad shows no issues, however when running the Level 2 networking example (100-Single-Region-Hub), the command fails with an error about a NULL value for global_setting.regions.
In the end, it's to do with the content of the remote state file.
Level 1 is not populated with the 'Global_Settings' block in the Output section of the state file.
Running the level 1 Foundations doesn't work either as it seems to write to a different state file!
However, copying the Global_Settings block from the CAF_Solutions.tfstate to the caf_foundations.tfstate works!
I'm guessing therefore that there is a disconnect in the state files that the examples (scenarios) use which has thrown me?
Or have I missed something monumentally important?
Thanks
2 replies
What is the difference/relationship between https://github.com/Azure/terraform-azurerm-caf-enterprise-scale & https://github.com/Azure/caf-terraform-landingzones ?
terraform-azurerm-caf contains the modules for the caf-terraform-landingzone/caf-solution. terraform-azurerm-caf-enterprise-scale contains the modules for caf-terraform-landingzone/caf-solution/add-ons/eslz. I’d recommend looking at the work in progess branch AL_Contoso on caf-terraform-landingzone-starter to see how it’s intended to be used.
1 reply
Hello there. I have been searching for documentation on this topic for a few hours, but have not been able to identify if what I am trying to do is something that the caf terraform module supports.
I am attempting to use subdirectory modules of https://github.com/aztfmod/terraform-azurerm-caf . Take for example trying to use the resource_group subdirectory module (aztfmod/caf/azurerm//modules/resource_group).
Is this something this module is intended to support the usage of?
When using the enterprise scale multi-subscription approach, I have run into an issue peering the vnet hub from the connectivity subscription to the lz subscriptions. It looks like the peering only supports vnets in the same subscription. Is there a multi-subscription implemention?
# The code tries to peer to a vnet created in the same landing zone. If it fails it tries with the data remote state
resource "azurerm_virtual_network_peering" "peering" {
depends_on = [module.networking]
for_each = local.networking.vnet_peerings
name = azurecaf_name.peering[each.key].result
virtual_network_name = try(each.value.from.virtual_network_name, null) != null ? each.value.from.virtual_network_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].name, null)
resource_group_name = try(each.value.from.resource_group_name, null) != null ? each.value.from.resource_group_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].resource_group_name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].resource_group_name, null)
remote_virtual_network_id = try(each.value.to.remote_virtual_network_id, null) != null ? each.value.to.remote_virtual_network_id : try(each.value.to.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.to.vnet_key].id, null) : try(local.combined_objects_networking[each.value.to.lz_key][each.value.to.vnet_key].id, null)
allow_virtual_network_access = try(each.value.allow_virtual_network_access, true)
allow_forwarded_traffic = try(each.value.allow_forwarded_traffic, false)
allow_gateway_transit = try(each.value.allow_gateway_transit, false)
use_remote_gateways = try(each.value.use_remote_gateways, false)
}