kgib
@kgibson-insight:matrix.org
[m]
can anyone explain the decision to use nested modules and how to prevent one module changes from breaking another?
Arnaud Lheureux
@arnaudlh
BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)
Tanner Watson
@tannerwatson

BACK FROM VACATION! --> For those wondering, yes we are back from vacation and will resume normal operations starting this week :)

Welcome back :D

kgib
@kgibson-insight:matrix.org
[m]
I've been evaluating the unified repo and have a pretty good grasp on the concept of separating configuration from logic, though I'm still missing possible configuration specs to reference.
for example this sandpit config for event hub namespaces (https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/level0/launchpad/diagnostic_event_hub_namespaces.tfvars), are potential diagnostic_event_hub_namespace options posted anywhere?
2 replies
I'm still very unclear how to build out my own configuration specs
kgib
@kgibson-insight:matrix.org
[m]
I still don't follow
so if I want to define a resource group in CAF configuration, how do I reference this https://github.com/aztfmod/terraform-azurerm-caf/blob/master/resource_groups.tf
where is it specified which properties are available and possible values?
But in CAF config example, we have
    resource_groups = {
      level0 = {
        "Reader" = {
          azuread_groups = {
            keys = ["caf_launchpad_Reader"]
          }
        }
      }
    }
kgib
@kgibson-insight:matrix.org
[m]
OK...here is the resource group module code
# naming convention
resource "azurecaf_name" "rg" {
  name          = var.resource_group_name
  resource_type = "azurerm_resource_group"
  prefixes      = var.global_settings.prefixes
  random_length = var.global_settings.random_length
  clean_input   = true
  passthrough   = var.global_settings.passthrough
  use_slug      = var.global_settings.use_slug
}

resource "azurerm_resource_group" "rg" {
  name     = azurecaf_name.rg.result
  location = var.global_settings.regions[lookup(var.settings, "region", var.global_settings.default_region)]
  tags = merge(
    var.tags,
    lookup(var.settings, "tags", {})
  )
}

having used many TF modules, it's pretty standard to do something like

module "rg" {
  # A module block takes a single label. For a git source the version is
  # pinned with ?ref= (a version argument is only valid for registry sources),
  # and the subdirectory is addressed with // rather than a /blob/master/ path.
  source = "git::https://github.com/aztfmod/terraform-azurerm-caf.git//modules/resource_group?ref=v1.0.0"

  name     = var.rg_name
  location = var.rg_location
  tags     = var.rg_tags
}

How is it better to use this roundabout way of specifying configs?

kgib
@kgibson-insight:matrix.org
[m]
@arnaudlh: would really love some help here
kgib
@kgibson-insight:matrix.org
[m]

if nothing else, it'd be nice to have things structured as something that matches the CAF config definition like

resource_group = {
  name           = "Reader"
  azuread_groups = ["group1", "group2"]
  caf_level      = "level0"
}

My real confusion is how do I know which landing zone configs the resource group needs to specify. Where is the landing zone configuration spec?

1 reply
Ryan Bartram
@rdbartram
Hey Guys, first question in here...stuck at the beginning seemingly. I'm trying to deploy azure_devops_v1 and it requires the pat token. I noticed there was a bug where it was pulling from the secrets keyvault key and not the level0...problem is the pat token "azdo-pat-admin" isn't filled out. I know I can fill it out myself in the launchpad...but what is the purpose of "aad-user-devops-user-admin", username pat-rotation...should this be automatic somehow? thanks!
1 reply
Ryan Bartram
@rdbartram
perhaps easier said, does someone have a working configuration for azure_devops v1 or otherwise
3 replies
Henry Dobson
@henrydobson
Hi @arnaudlh and all, I have recently switched from AWS to Azure and keen to adopt CAF. I've tried a couple of standalone module implementations and had varying levels of success. As a newcomer, I find the approach used for the tfvars a bit ambiguous at times. I couldn't find an explanation of the approach in the contribution guide or other docs. Is there a reference someone can point me to?
2 replies
kgib
@kgibson-insight:matrix.org
[m]
the AWS community modules are such a great resource, and I feel like that's what MSFT are attempting to build here, but the implementation is completely different than other TF modules and it's difficult to understand how to use the proprietary tfvars format
Henry Dobson
@henrydobson
Are the caf-terraform-landingzones-starter and caf-terraform-landingzones capable of replicating the Enterprise Scale conceptual architecture in multiple subscriptions or is it designed to be deployed to a single subscription? If multiple subs in Enterprise scale, are the landingzone layers used to target different subscriptions and therefore have a relationship to the connectivity (layer2) and management subs (layer1) etc?
3 replies
Luke Heidecke
@heidecke
This message was deleted
2 replies
Dominic Motuka
@daumie

Importing KeyVault with rover 🔐

Command used

rover   -lz /tf/caf/landingzones/caf_solution/  -tfstate example.tfstate -var-folder /tf/caf/configuration/example/level3/example-linux-vm -parallelism 30  -env example -level level3 -a import module.solution.module.keyvaults[\"example_vm_rg1\"].module.initial_policy[0].module.logged_in_user[\"logged_in_user\"].azurerm_key_vault_access_policy.policy /subscriptions/<subscription-id>/resourceGroups<example>-virtual-machine-rg1/providers/Microsoft.KeyVault/vaults/<vault-name>/objectId/<objectId>

I could use some help importing Keyvault. Seeing the following errors:

Terraform import return code: 1
Terraform returned errors:
╷
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 39, in output "ssh_keys":
│   39:     ssh_private_key_pem      = azurerm_key_vault_secret.ssh_private_key[local.os_type].name
│     ├────────────────
│     │ azurerm_key_vault_secret.ssh_private_key is object with no attributes
│     │ local.os_type is "linux"
│ 
│ The given key does not identify an element in this collection value.
╵

╷
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 40, in output "ssh_keys":
│   40:     ssh_public_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name
│     ├────────────────
│     │ azurerm_key_vault_secret.ssh_public_key_openssh is object with no attributes
│     │ local.os_type is "linux"
│ 
│ The given key does not identify an element in this collection value.
╵

╷
│ Error: Invalid index
│ 
│   on /home/vscode/.terraform.cache/modules/solution/modules/compute/virtual_machine/output.tf line 41, in output "ssh_keys":
│   41:     ssh_private_key_open_ssh = azurerm_key_vault_secret.ssh_public_key_openssh[local.os_type].name #for backard compat, wrong name, will be removed in future version.
│     ├────────────────
│     │ azurerm_key_vault_secret.ssh_public_key_openssh is object with no attributes
│     │ local.os_type is "linux"
│ 
│ The given key does not identify an element in this collection value.
╵

Error on or near line 573: Error running terraform import; exiting with status 2003
Paul Matthews
@pmatthews05

@arnaudlh following your youtube video https://www.youtube.com/watch?v=fqgv4Wsvo88 I'm doing nothing different from you apart from the location of UKSouth and my own password, and I get the below error message.

TASK [wait for the WinRM port to come online] *****************************************************************************************************************************
ok: [localhost]

PLAY [Setup the CAF development tools] ************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************
fatal: [localhost]: UNREACHABLE! => {"changed": false, "msg": "ntlm: the specified credentials were rejected by the server", "unreachable": true}

PLAY RECAP ****************************************************************************************************************************************************************
localhost                  : ok=12   changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0

I'm able to log into the VM using RDP with the king.admin and password I have set. Are you able to advise why it's failing for me?

3 replies
kgib
@kgibson-insight:matrix.org
[m]
can anyone share an experience around why CAF is preferred over individual TF modules that create resources? I can see a benefit in using the enterprise scale repo to build out the management group structure, but using the CAF unified repo to deploy resources appears to be suicide at this point.
1 reply
Luke Heidecke
@heidecke
@LaurentLesle With the 5.4.1 patch release, a regression was introduced with next hop for routing tables.
Error: Error in function call

  on /home/vsts_azpcontainer/modules/solution/modules/networking/virtual_hub_route_tables/route_local.tf line 9, in locals:
   9:         nextHop = coalesce(
  10:           try(value.next_hop_id, ""),
  11:           try(var.remote_objects.virtual_hub_connections[value.next_hop.lz_key][value.next_hop.key].id, ""),
  12:           try(var.remote_objects.azurerm_firewalls[value.next_hop.lz_key][value.next_hop.key].id, ""),
  13:           try(var.resource_ids[value.next_hop.resource_type][value.next_hop.lz_key][value.next_hop.key].id, "")   # Note the virtual_hub_connection must come from a remote tfstate only. PB with circular reference in the object model of vhub tables and connections
  14:         )
    ├────────────────
    │ value.next_hop is object with 2 attributes
    │ value.next_hop.resource_type is "azurerm_firewall"
    │ var.remote_objects.azurerm_firewalls is object with 3 attributes
    │ var.remote_objects.virtual_hub_connections is object with 3 attributes
    │ var.resource_ids is object with 1 attribute "virtual_hub_connection"

Call to function "coalesce" failed: no non-null, non-empty-string arguments.
Terraform plan return code: 1
5 replies
Paul Matthews
@pmatthews05
Is there a way to assign a MSI, graph API permissions with CAF?
3 replies
Ryan Bartram
@rdbartram
can anyone help with the definition for the eslz custom_landing_zone subscriptions object...it requires lz_key and key...but what are they?
4 replies
nusrath432
@nusrath432
Hi, I am trying to create a front-door with 2nd Frontend Domain (custom) which depends on CNAME record of the format "record=<frontdoor-name>.azurefd.net". When using a random slug for resource names this becomes tricky - a chicken & egg problem. Could anyone help me understand the order/workflow for creating the "Frontdoor with custom domain, please"
Paul Matthews
@pmatthews05
Hopefully a quick answer for someone. The readme file for deploying LandingZones has export ARM_USE_AZUREAD=true just before calling Rover. What is this export actually for?
3 replies
Henry Dobson
@henrydobson
@arnaudlh @LaurentLesle Can you confirm how the central_logs is intended to be used when using enterprise scale landing zones with multiple subscriptions. I have deployed management resources using caf-terraform-landingzones rather than the enterprise-scale modules in the same way as https://github.com/Azure/caf-terraform-landingzones-starter/tree/AL-contoso/configuration/contoso/platform/demo/level1 however when this approach is used with multiple subscriptions the diagnostics settings blocks used for the landing zone fail with the correct resource names but incorrect subscription. I presume that with enterprise scale, the diagnostics settings should not be defined in the tfvars and instead should be managed with the enterprise scale deployifdoesnotexist policies. Is that correct or is there a way to target the correct subscription?
9 replies
Elgeario
@Elgeario
@arnaudlh @LaurentLesle Currently we are deploying the CAF code into our Azure environment. When we originally applied the Launchpad we deployed a log analytics workspace and a number of in built solutions as part of diagnostics_log_analytics. We are also using the enterprise scale code which again looks to deploy a log analytics workspace, with some new and overlapping solutions. We want to configure our environment to manage the Log analytics workspace from either the Launchpad or Enterprise scale code, but which is best so that we follow the direction of travel for configuring log analytics?
Thanks
Tom Howarth
@TomHowarth
Is there an issue with the Latest Rover? I cannot get it to start and load the modules
Paul Matthews
@pmatthews05
Is there a way to selectively not add the prefix to an AD Group I want to create?
11 replies
richardf5
@richardf5
Good morning (Here in Australia)! We're just starting our journey with this project - trying to get it up and running internally for evaluation. Firstly, thank you for putting it together - looks like an incredible amount of work has gone into it.
Question though: The example videos I have seen have a different file structure to the ones in the landing zone/starter-kit as it is now. We are unable to run any of the examples without an error. This may be down to our understanding as there are clearly people using this successfully!
As an example, trying to run the eslz addon results in the following errors. What are we doing wrong?
BTW: As we are beginning our journey, I am more than happy to contribute/update any 'beginner/getting started with' type documentation if it would assist you?
8 replies
florentvaldelievre
@florentvaldelievre

Hello guys,

I need to do something really simple: Create a new secret to a keyvault. The secret value must be randomly generated
I was hoping to do something as simple as that:

keyvaults.tfvars

random_strings = {
  foo_password = {
    length  = 20
    special = true
    upper   = true
    number  = true
  }
}

dynamic_keyvault_secrets = {
  kv = {
    secret_key1 = {
      secret_name = "foo_key"
      value       = foo_password.value
    }
  }
}

However, I don't think we can put any logic in tfvars files. It means that the logic must be placed somewhere else.
Do you have any recommendation ?

1 reply
Axel Bellermann
@DataAffairs_twitter
Hello guys, just started my journey with the CAF Terraform approach.
I want to build an enterprise scale environment having platform subscriptions for management, identity and connectivity, as well as different landing zones for various applications like analytics, aks ... I started with the CAF landingzones having a launchpad (which I understood will have only one in my environment) and a solution (for level 1-4). Since for example AKS has different solution requirements than analytics, what will be the best way to separate these environments - its own solution per landing zone? Besides, will the app subscriptions then start at Level 2 or will they have an empty Level 0 and empty Level 1 (assumption: L0 & L1 are managed on platform level in the management subscription). Hope someone can point me in the right direction and have some recommendations! Thanks
Roland
@schoenr79
Hello together...
is there any code snippet / sample available, how to create the management group structure with the terraform caf-enterprise-scale module? thx
richardf5
@richardf5

Hi. I finally have something working :-).
There's a gap between creating the launchpad and then creating level 2 resources.
I've used the CAF_TERRAFORM_LANDING_ZONES repository.
Running the level 100 launchpad shows no issues, however when running the Level 2 networking example (100-Single-Region-Hub), the command fails with an error about a NULL value for global_setting.regions.

In the end, it's to do with the content of the remote state file.

Level 1 is not populated with the 'Global_Settings' block in the Output section of the state file.

Running the level 1 Foundations doesn't work either as it seems to write to a different state file!

However, copying the Global_Settings block from the CAF_Solutions.tfstate to the caf_foundations.tfstate works!

I'm guessing therefore that there is a disconnect in the state files that the examples (scenarios) use which has thrown me?

Or have I missed something monumentally important?

Thanks

2 replies
Henry Dobson
@henrydobson
terraform-azurerm-caf contains the modules for the caf-terraform-landingzone/caf-solution. terraform-azurerm-caf-enterprise-scale contains the modules for caf-terraform-landingzone/caf-solution/add-ons/eslz. I'd recommend looking at the work in progress branch AL_Contoso on caf-terraform-landingzone-starter to see how it's intended to be used.
1 reply
tenletters10
@tenletters10

Hello there. I have been searching for documentation on this topic for a few hours, but have not been able to identify if what I am trying to do is something that the caf terraform module supports.

I am attempting to use subdirectory modules of https://github.com/aztfmod/terraform-azurerm-caf . Take for example trying to use the resource_group subdirectory module (aztfmod/caf/azurerm//modules/resource_group).

Is this something this module is intended to support the usage of?

Henry Dobson
@henrydobson
When using the enterprise scale multi-subscription approach, I have run into an issue peering the vnet hub from the connectivity subscription to the lz subscriptions. It looks like the peering only supports vnets in the same subscription. Is there a multi-subscription implementation?
# The code tries to peer to a vnet created in the same landing zone. If it fails it tries with the data remote state
resource "azurerm_virtual_network_peering" "peering" {
  depends_on = [module.networking]
  for_each   = local.networking.vnet_peerings

  name                         = azurecaf_name.peering[each.key].result
  virtual_network_name         = try(each.value.from.virtual_network_name, null) != null ? each.value.from.virtual_network_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].name, null)
  resource_group_name          = try(each.value.from.resource_group_name, null) != null ? each.value.from.resource_group_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].resource_group_name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].resource_group_name, null)
  remote_virtual_network_id    = try(each.value.to.remote_virtual_network_id, null) != null ? each.value.to.remote_virtual_network_id : try(each.value.to.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.to.vnet_key].id, null) : try(local.combined_objects_networking[each.value.to.lz_key][each.value.to.vnet_key].id, null)
  allow_virtual_network_access = try(each.value.allow_virtual_network_access, true)
  allow_forwarded_traffic      = try(each.value.allow_forwarded_traffic, false)
  allow_gateway_transit        = try(each.value.allow_gateway_transit, false)
  use_remote_gateways          = try(each.value.use_remote_gateways, false)
}
vnet_peerings = {
  mgmt_spoke_re1_TO_hub_re1 = {
    name = "mgmt_spoke_re1_TO_hub_re1"
    from = {
      vnet_key = "mgmt_spoke_re1" # in landingzone subscription
    }
    to = {
      lz_key     = "networking_hub" # in connectivity subscription
      output_key = "vnets"
      vnet_key   = "hub_re1"
    }
    allow_virtual_network_access = true
    allow_forwarded_traffic      = true
    allow_gateway_transit        = false
    use_remote_gateways          = false
  }

  hub_re1_TO_mgmt_spoke_re1 = {
    name = "hub_re1_TO_mgmt_spoke_re1"
    from = {
      lz_key     = "networking_hub"
      output_key = "vnets"
      vnet_key   = "hub_re1"
    }
    to = {
      vnet_key = "mgmt_spoke_re1"
    }
    allow_virtual_network_access = true
    allow_forwarded_traffic      = true
    allow_gateway_transit        = true
    use_remote_gateways          = false
  }
}
Henry Dobson
@henrydobson
terraform returned errors:
╷
│ Error: network.VirtualNetworkPeeringsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ResourceGroupNotFound" Message="Resource group 'dso01-rg-hub-re1' could not be found."
│ 
│   with module.solution.azurerm_virtual_network_peering.peering["hub_re1_TO_mgmt_spoke_re1"],
│   on ../../terraform-azurerm-caf/networking.tf line 107, in resource "azurerm_virtual_network_peering" "peering":
│  107: resource "azurerm_virtual_network_peering" "peering" {
│ 
╵
Henry Dobson
@henrydobson
Indeed. This is a limitation aztfmod/terraform-azurerm-caf#119
Henry Dobson
@henrydobson
Any update you can provide @LaurentLesle seems this was raised by you last year