Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • May 25 16:08
    LaurentLesle closed #241
  • May 25 16:07
    LaurentLesle closed #255
  • May 25 16:05
    LaurentLesle labeled #258
  • May 25 16:04
    LaurentLesle synchronize #254
  • May 25 14:12
    LaurentLesle synchronize #254
  • May 25 06:11
    arnaudlh synchronize #254
  • May 25 04:41
    arnaudlh synchronize #254
  • May 24 09:46
    sebastus opened #171
  • May 20 04:01
    LaurentLesle synchronize #254
  • May 20 04:00
    LaurentLesle synchronize #254
  • May 19 10:27
    LaurentLesle synchronize #254
  • May 19 01:29
    LaurentLesle synchronize #254
  • May 19 01:27
    LaurentLesle labeled #261
  • May 19 01:27
    LaurentLesle assigned #261
  • May 19 01:27
    LaurentLesle opened #261
  • May 18 06:17
    LaurentLesle synchronize #254
  • May 09 16:51
    Nepomuceno synchronize #170
  • May 09 08:04
    Nepomuceno assigned #170
  • May 09 08:04
    Nepomuceno assigned #170
  • May 09 08:04
    Nepomuceno assigned #170
Ryan Bartram
@rdbartram
can anyone help with the definition for the eslz custom_landing_zone subscriptions object...it requires lz_key and key...but what are they?
4 replies
nusrath432
@nusrath432
Hi, I am trying to create a front-door with 2nd Frontend Domain (custom) which depends on CNAME record of the format "record=<frontdoor-name>.azurefd.net". When using a random slug for resource names this becomes tricky - a chicken & egg problem. Could anyone help me understand the order/workflow for creating the "Frontdoor with custom domain, please"
Paul Matthews
@pmatthews05
Hopefully a quick answer for someone. The readme file for deploying LandingZones have export ARM_USE_AZUREAD=true just before calling Rover. What is this Export actual for?
3 replies
Henry Dobson
@henrydobson
@arnaudlh @LaurentLesle Can you confirm how the central_logs is intended to be used when using enterprise scale landing zones with multiple subscriptions. I have deployed management resources using caf-terraform-landingzones rather than the than enterprise-scale modules in the same way as https://github.com/Azure/caf-terraform-landingzones-starter/tree/AL-contoso/configuration/contoso/platform/demo/level1 however when this approach is used with multiple subscriptions the diagnostics settings blocks used for the landing zone fail with the correct resource names but incorrect subscription. I presume that with enterprise scale, the diagnostics settings should not be defined in the tfvars and instead should be managed with the enterprise scale deployifdoesnotexist policies. Is that correct or is there a way to target the correct subscription?
9 replies
Elgeario
@Elgeario
@arnaudlh @LaurentLesle Currently we are deploying the CAF code into our Azure environment. When we originally applied the Launchpad we deployed a log analytics workspace and a number of in built solutions as part of diagnostics_log_analytics. We are also using the enterprise scale code which again looks to deploy a log analytics workspace, with some new and overlapping solutions. We want to configure our environment to manage the Log analystics workspace from either the Launchpad or Enterprise scale code, but which is best so that we follow the diirection of travel for configuring log analytics?
Thanks
Tom Howarth
@TomHowarth
Is there an issue with the Latest Rover? I cannot get it to start and load the modules
Paul Matthews
@pmatthews05
Is there a way to selectively not add the prefix to an AD Group I want to create?
11 replies
richardf5
@richardf5
image.png
Good morning (Here in Australia)! We're just starting our journey with this project - trying to get it up and running internally for evaluation. Firstly, thank you for putting it together - looks like an incredible amount of work has gone into it.
Question though: The example videos I have seen have a different file structure to the ones in the landing zone/starter-kit as it is now. We are unable to run any of the examples without an error. This may be down to our understanding as there are clearly people using this successfully!
As an example, trying to run the eslz addon results in the following errors. What are we doing wrong?
BTW: As we are beginning our journey, I am more than happy to contribute/update any 'beginner/getting started with' type documentation if it would assist you?
8 replies
florentvaldelievre
@florentvaldelievre

Hello guys,

I need to do something really simple: Create a new secret to a keyvault. The secret value must be randomly generated
I was hoping to do something as simple as that:

keyvaults.tfvars

random_strings = {
  foo_password = {
    length  = 20
    special = true
    upper   = true
    number  = true
  }
}

dynamic_keyvault_secrets = {
  kv = {
    secret_key1 = {
      secret_name = "foo_key"
      value       = foo_password.value
    }
  }
}

However, I don't think we can put any logic in tfvars files. It means that the logic must be placed somewhere else.
Do you have any recommendation ?

1 reply
richardf5
@richardf5
image.png
1 reply
Axel Bellermann
@DataAffairs_twitter
Hello guys, just started my journey with the CAF Terraform approach.
I want to build an enterprise scale environment having platform subscriptions for management, identity and connectivity, as well as different landing zones for various applications like analytics, aks ... I started with the CAF landingzones having a launchpad (which I understood will have only one in my environment) and a solution (for level 1-4). Since for example AKS has different solution requirements than analytics, what will be the best way to separate these environments - a own solution per landing zone? besides will the app subscriptions then start at Level 2 or will they have empty Level 0 and empty Level 1 (asumption L0 & L1 are managed on platform level in the management subscription). Hope someone can point me to the right direction and have some recommendations! Thanks
Roland
@schoenr79
Hello together...
is there any code snippet / sample available, how to create the management group structure with the terraform caf-enterprise-scale module? thx
Axel Bellermann
@DataAffairs_twitter
@schoenr79 - you might be looking for this ... https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Management-Resources
1 reply
richardf5
@richardf5

Hi. I finally have something working :-).
There's a gap between creating the launchpad and then creating level 2 resources.
I've used the CAF_TERRAFORM_LANDING_ZONES repository.
Running the level 100 launchpad shows no issues, however when running the Level 2 networking example (100-Single-Region-Hub), the command fails with an error about a NULL value for global_setting.regions.

In the end, it's to do with the content of the remote state file.

Level 1 is not populated with the 'Global_Settings' block in the Output section of the state file.

Running the level 1 Foundations doesn't work either as it seems to write to a different state file!

However, copying the Global_Settings block from the CAF_Solutions.tfstate to the caf_foundations.tfstate works!

I'm guessing therefore that there is a disconnect in the state files that the examples (scenarios) use which has thrown me?

Or have I missed something monumentally important?

Thanks

2 replies
Paul Bourke
@brk3
What is the difference/relationship between https://github.com/Azure/terraform-azurerm-caf-enterprise-scale & https://github.com/Azure/caf-terraform-landingzones ?
Henry Dobson
@henrydobson
terraform-azurerm-caf contains the modules for the caf-terraform-landingzone/caf-solution. terraform-azurerm-caf-enterprise-scale contains the modules for caf-terraform-landingzone/caf-solution/add-ons/eslz. I’d recommend looking at the work in progess branch AL_Contoso on caf-terraform-landingzone-starter to see how it’s intended to be used.
1 reply
tenletters10
@tenletters10

Hello there. I have been searching for documentation on this topic for a few hours, but have not been able to identify if what I am trying to do is something that the caf terraform module supports.

I am attempting to use subdirectory modules of https://github.com/aztfmod/terraform-azurerm-caf . Take for example trying to use the resource_group subdirectory module (aztfmod/caf/azurerm//modules/resource_group).

Is this something this module is intended to support the usage of?

Henry Dobson
@henrydobson
When using the enterprise scale multi-subscription approach, I have run into an issue peering the vnet hub from the connectivity subscription to the lz subscriptions. It looks like the peering only supports vnets in the same subscription. Is there a multi-subscription implemention?
# The code tries to peer to a vnet created in the same landing zone. If it fails it tries with the data remote state
resource "azurerm_virtual_network_peering" "peering" {
  depends_on = [module.networking]
  for_each   = local.networking.vnet_peerings

  name                         = azurecaf_name.peering[each.key].result
  virtual_network_name         = try(each.value.from.virtual_network_name, null) != null ? each.value.from.virtual_network_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].name, null)
  resource_group_name          = try(each.value.from.resource_group_name, null) != null ? each.value.from.resource_group_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].resource_group_name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].resource_group_name, null)
  remote_virtual_network_id    = try(each.value.to.remote_virtual_network_id, null) != null ? each.value.to.remote_virtual_network_id : try(each.value.to.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.to.vnet_key].id, null) : try(local.combined_objects_networking[each.value.to.lz_key][each.value.to.vnet_key].id, null)
  allow_virtual_network_access = try(each.value.allow_virtual_network_access, true)
  allow_forwarded_traffic      = try(each.value.allow_forwarded_traffic, false)
  allow_gateway_transit        = try(each.value.allow_gateway_transit, false)
  use_remote_gateways          = try(each.value.use_remote_gateways, false)
}
vnet_peerings = {
  mgmt_spoke_re1_TO_hub_re1 = {
    name = "mgmt_spoke_re1_TO_hub_re1"
    from = {
      vnet_key = "mgmt_spoke_re1" # in landingzone subscription
    }
    to = {
      lz_key     = "networking_hub" # in connectivity subscription
      output_key = "vnets"
      vnet_key   = "hub_re1"
    }
    allow_virtual_network_access = true
    allow_forwarded_traffic      = true
    allow_gateway_transit        = false
    use_remote_gateways          = false
  }

  hub_re1_TO_mgmt_spoke_re1 = {
    name = "hub_re1_TO_mgmt_spoke_re1"
    from = {
      lz_key     = "networking_hub"
      output_key = "vnets"
      vnet_key   = "hub_re1"
    }
    to = {
      vnet_key = "mgmt_spoke_re1"
    }
    allow_virtual_network_access = true
    allow_forwarded_traffic      = true
    allow_gateway_transit        = true
    use_remote_gateways          = false
  }
}
Henry Dobson
@henrydobson
terraform returned errors:
╷
│ Error: network.VirtualNetworkPeeringsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ResourceGroupNotFound" Message="Resource group 'dso01-rg-hub-re1' could not be found."
│ 
│   with module.solution.azurerm_virtual_network_peering.peering["hub_re1_TO_mgmt_spoke_re1"],
│   on ../../terraform-azurerm-caf/networking.tf line 107, in resource "azurerm_virtual_network_peering" "peering":
│  107: resource "azurerm_virtual_network_peering" "peering" {
│ 
╵
Henry Dobson
@henrydobson
Indeed. This is a limitation aztfmod/terraform-azurerm-caf#119
Henry Dobson
@henrydobson
Any update you can provide @LaurentLesle seems this was raised by you last year
jasonhornatcrowe
@jasonhornatcrowe

Hello all,

Very new to all this. Trying to step beyond running the examples and actually create something. I like the capabilities here, but am not finding what I need. I am trying to implement IAC for our ESLZ Sandbox Subscriptions. I found the following:

I am trying to "connect the dots" and get a working standalone or rover-based solution for this where I can create sandbox subscriptions upon request for our AppDev teams to use (supplementing their MSDN/VS subscriptions when they need more than the default spending limits on those subscriptions).

I submit this with the hope that I can turn around something quickly if I find the "how to guide" I seem to be missing. Any/all help would be greatly appreciated!

4 replies
Timothy
@theorange7
Hi folks, potentially silly question - how to interpret the version numbers? I'm using aztfmod/rover:1.0.4-2108.1802 from Docker Hub but on Github, when sorted chronologically the tags go up to aztfmod/rover:2102.0100 ?
Timothy
@theorange7
ok got it - it's Terraform versions at the front (before the -)
6 replies
nusrath432
@nusrath432
Hi, Has anyone seen this error when reading output values from a landing zone: Error on or near line 239: No parameters have been set in landingzone.; exiting with status 1 [aztfmod/rover:1.0.1-2106.3012]
Command: rover -lz /tf/caf/landingzones/caf_solution/ -tfstate aks.tfstate -env myenv -level level3 -tfstate_subscription_id 78c73253-4901-4f08-8784-85731562c8b8 -a output [launchpad: 78c73253-4901-4f08-8784-85731562c8b8]
Paul Bourke
@brk3

In the docs under https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/code_architecture/hierarchy.md#operate-with-landing-zones-hierarchy where it says "A deployment will typically contain: ...". What does a deployment refer to here?

I'm trying to get a feel for the distribution of levels, e.g. should there be a full set of levels 0-4 for each of dev/test/prod, or is it intended some levels are shared between environments?

3 replies
tenletters10
@tenletters10

Hello. I am trying to find a way to change the subscription_id that I am configuring against when use the standalone module as seen here: https://github.com/aztfmod/terraform-azurerm-caf/blob/master/examples/standalone.md

I have seen the documentation that says you can use "az account set --subscription <subscription_GUID>", but I am trying to perform this in code instead of switching context through the CLI. The azurerm provider itself supports supplying the "subscription_id", but when I attempt to use a provider with an alias while referencing the caf module directly I receive a message stating "Provider azurerm is configured within the module module.caf and cannot be overridden."

provider "azurerm" {
  features {}
}

provider "azurerm" {
  subscription_id = "0000000000-0000-0000-0000000000"
  alias = "set_subscription"
  features {}
}

module "caf" {
  source  = "aztfmod/caf/azurerm"
  version = "5.3.11"

  providers = {
    azurerm = azurerm.set_subscription
  }

......

}
5 replies
Paul Bourke
@brk3
I'm trying to decipher the purpose of each property of the 'landingzone{}' configuration object. Can anyone give me a few pointers on global_settings_key? I see that the terraform-azurerm-caf module takes a global_settings object as a variable, but whats the purpose of the key?
10 replies
Axel Bellermann
@DataAffairs_twitter
Hi everyone, can some give me a hint how to deploy a vnet peering into 2 different subscriptions using the caf framework. I'm struggling where to define the subscription ids and I was not able to find an example - just a peering which is done in a single subscription. Many thanks - Axel
4 replies
Stefan
@stefangrafisec
Hi, I am trying to deploy my first launchpad with leveled design and the first deployment works find and I am also able to destroy the deployment. Howerver every time I run "apply" rover deploys new ressources with a new prefix rather than connecting correctly to the exising launchpad to update the existing infrastructure. Wondering what is missing to instruct rover to update rather than deploying new ressources?
1 reply
Henry Dobson
@henrydobson
If you’re deploying Launchpad but the apply process has errors then rover will never upload the local tfstate to the storage accounts and that can cause multiple deployments. Further troubleshooting would require more information about the steps you’re taking.
6 replies
Jamel Achahbar
@jamelachahbar
HI all, I am trying to deploy the devops agent vms to use in the pipelines but the custom script extension fails each time
│ with module.vm_extensions["level2"].azurerm_virtual_machine_extension.devops_selfhosted_agent["devops_selfhosted_agent"],
│ on extensions/devops_selfhosted_agent.tf line 2, in resource "azurerm_virtual_machine_extension" "devops_selfhosted_agent":
│ 2: resource "azurerm_virtual_machine_extension" "devops_selfhosted_agent" {
anyone had this issue before and sorted it out?
image.png
2 replies
Stefan
@stefangrafisec

After having the launchpad running (with only level0 and level1 for training purposes) I am trying to get my first landingzone on level1 up and running. Unfortunately Rover complains:

var.dynamic_keyvault_secrets
  Enter a value: 

var.keyvaults
  Enter a value: 

var.launchpad_key_names
  Enter a value: 

var.resource_groups
  Enter a value: 

var.storage_accounts
  Enter a value:

In the landingzone configuration there is only a landingzone.tfvar file with following content:
landingzone = { backend_type = "azurerm" global_settings_key = "launchpad" level = "level1" key = "networking_HUB" tfstates = { launchpad = { level = "lower" tfstate = "caf_landingzones.tfstate" } } }

I am running rover with the following command:
rover -lz /tf/caf/caf_landingzones/ -var-folder /tf/caf/caf_landingzones/Level1/Networking_HUB -tfstate Networking_HUB.tfstate -level level1 -a plan

I don't find the reason why rover is asking for those variables?

12 replies
Henry Dobson
@henrydobson

Its a 3 issues kind of day...
If UPN1 deploys the launchpad with n subscriptions, then UPN2 try to execute plan or apply for the launchpad then the following error is shown:

Error: reading Subscription Alias "subscription_alias_name": subscription.AliasClient#Get: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/subscription_alias_name"

Both UPN1 and UPN2 have the billing role assignment and I cannot find any (and I mean any) docs on subscription alias permission. Using az account alias list confirms that the subscription creator (UPN1) has access whilst UPN2 does not. Does anyone know about this issue?

1 reply
LV-2020
@stormtrooperdev
Hi. I am new to the terraform caf rover. Is this a tool that I have to use in caf terraform?
3 replies
LV-2020
@stormtrooperdev
Hello. How do you structure your landingzone folders that requires staging and production environment configurations?
4 replies
florentvaldelievre
@florentvaldelievre
Hi, I am looking at contoso-2109 branch as we are really interesting in the templating feature. Is it at a working stage ? I've tried to deploy templates/platform but I have a few files missing. @LaurentLesle ?
I also saw that this templating feature is available on AL-contoso branch. I am able to generate configuration files, but it feels like this branch is not maintained anymore.
9 replies
Paul Bourke
@brk3
Hi all, I've created a simple launchpad module which aims to serve as a learning tool / starting point for those looking to use their own Terraform modules instead of (or along side) things like caf_solution. Hopefully it may be of help to someone https://github.com/brk3/terraform-landingzone-template
Also the documentation serves to highlight my understanding of how each piece works, if I've got it wrong please let me know!
LV-2020
@stormtrooperdev
Thanks for @brk3 for answering.
Thanks also @nusrath432 !
Hi all. How can I defend CAF to my colleague who is saying that CAF is a Microsoft Lab and it’s not based in a real-world scaling enterprise design architecture?
3 replies
nusrath432
@nusrath432
Terraform returned errors:
╷
│ Error: validating Template Deployment "g23d2gb1.com" (Resource Group "myrg"): requesting validating: resources.DeploymentsClient#Validate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidTemplateDeployment" Message="The template deployment 'e23d2gb1.com' is not valid according to the validation procedure. The tracking id is 'c85cc5fa-66ef-4f1c-a9f5-a094d2ae034f'. See inner errors for details." Details=[{"code":"ValidationForResourceFailed","details":[{"code":"INVALID_AGREEMENT_KEYS","message":"End-user must read and consent to all of the following legal agreements: DNRA DNPA"}],"message":"Validation failed for a resource. Check 'Error.Details[0]' for more information."}]
│ 
│   with module.solution.module.domain_name_registrations["domain_cdn"].azurerm_resource_group_template_deployment.domain,
│   on ../../terraform-azurerm-caf/modules/networking/domain_name_registrations/module.tf line 11, in resource "azurerm_resource_group_template_deployment" "domain":
│   11: resource "azurerm_resource_group_template_deployment" "domain" {
3 replies
Paul Bourke
@brk3

Is anyone successfully using the level0 service principal to run rover?

Certain lzs by default only configure access to keyvaults for this SP (which I'd expect), but Rover's --impersonate functionality seems broken (aztfmod/terraform-azurerm-caf#554, https://github.com/aztfmod/rover/pull/190)

7 replies