Henry Dobson
@henrydobson
terraform-azurerm-caf contains the modules for the caf-terraform-landingzone/caf-solution. terraform-azurerm-caf-enterprise-scale contains the modules for caf-terraform-landingzone/caf-solution/add-ons/eslz. I’d recommend looking at the work in progress branch AL_Contoso on caf-terraform-landingzone-starter to see how it’s intended to be used.
1 reply
tenletters10
@tenletters10

Hello there. I have been searching for documentation on this topic for a few hours, but have not been able to identify if what I am trying to do is something that the caf terraform module supports.

I am attempting to use subdirectory modules of https://github.com/aztfmod/terraform-azurerm-caf . Take for example trying to use the resource_group subdirectory module (aztfmod/caf/azurerm//modules/resource_group).

Is this something this module is intended to support the usage of?

Henry Dobson
@henrydobson
When using the enterprise scale multi-subscription approach, I have run into an issue peering the vnet hub from the connectivity subscription to the lz subscriptions. It looks like the peering only supports vnets in the same subscription. Is there a multi-subscription implementation?
```hcl
# The code tries to peer to a vnet created in the same landing zone. If it fails it tries with the data remote state
resource "azurerm_virtual_network_peering" "peering" {
  depends_on = [module.networking]
  for_each   = local.networking.vnet_peerings

  name                         = azurecaf_name.peering[each.key].result
  virtual_network_name         = try(each.value.from.virtual_network_name, null) != null ? each.value.from.virtual_network_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].name, null)
  resource_group_name          = try(each.value.from.resource_group_name, null) != null ? each.value.from.resource_group_name : try(each.value.from.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.from.vnet_key].resource_group_name, null) : try(local.combined_objects_networking[each.value.from.lz_key][each.value.from.vnet_key].resource_group_name, null)
  remote_virtual_network_id    = try(each.value.to.remote_virtual_network_id, null) != null ? each.value.to.remote_virtual_network_id : try(each.value.to.lz_key, null) == null ? try(local.combined_objects_networking[local.client_config.landingzone_key][each.value.to.vnet_key].id, null) : try(local.combined_objects_networking[each.value.to.lz_key][each.value.to.vnet_key].id, null)
  allow_virtual_network_access = try(each.value.allow_virtual_network_access, true)
  allow_forwarded_traffic      = try(each.value.allow_forwarded_traffic, false)
  allow_gateway_transit        = try(each.value.allow_gateway_transit, false)
  use_remote_gateways          = try(each.value.use_remote_gateways, false)
}
```

```hcl
vnet_peerings = {
  mgmt_spoke_re1_TO_hub_re1 = {
    name = "mgmt_spoke_re1_TO_hub_re1"
    from = {
      vnet_key = "mgmt_spoke_re1" # in landingzone subscription
    }
    to = {
      lz_key     = "networking_hub" # in connectivity subscription
      output_key = "vnets"
      vnet_key   = "hub_re1"
    }
    allow_virtual_network_access = true
    allow_forwarded_traffic      = true
    allow_gateway_transit        = false
    use_remote_gateways          = false
  }

  hub_re1_TO_mgmt_spoke_re1 = {
    name = "hub_re1_TO_mgmt_spoke_re1"
    from = {
      lz_key     = "networking_hub"
      output_key = "vnets"
      vnet_key   = "hub_re1"
    }
    to = {
      vnet_key = "mgmt_spoke_re1"
    }
    allow_virtual_network_access = true
    allow_forwarded_traffic      = true
    allow_gateway_transit        = true
    use_remote_gateways          = false
  }
}
```
Henry Dobson
@henrydobson
terraform returned errors:
╷
│ Error: network.VirtualNetworkPeeringsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ResourceGroupNotFound" Message="Resource group 'dso01-rg-hub-re1' could not be found."
│ 
│   with module.solution.azurerm_virtual_network_peering.peering["hub_re1_TO_mgmt_spoke_re1"],
│   on ../../terraform-azurerm-caf/networking.tf line 107, in resource "azurerm_virtual_network_peering" "peering":
│  107: resource "azurerm_virtual_network_peering" "peering" {
│ 
╵
Henry Dobson
@henrydobson
Indeed. This is a limitation aztfmod/terraform-azurerm-caf#119
Henry Dobson
@henrydobson
Any update you can provide @LaurentLesle seems this was raised by you last year
jasonhornatcrowe
@jasonhornatcrowe

Hello all,

Very new to all this. Trying to step beyond running the examples and actually create something. I like the capabilities here, but am not finding what I need. I am trying to implement IAC for our ESLZ Sandbox Subscriptions. I found the following:

I am trying to "connect the dots" and get a working standalone or rover-based solution for this where I can create sandbox subscriptions upon request for our AppDev teams to use (supplementing their MSDN/VS subscriptions when they need more than the default spending limits on those subscriptions).

I submit this with the hope that I can turn around something quickly if I find the "how to guide" I seem to be missing. Any/all help would be greatly appreciated!

4 replies
Timothy
@theorange7
Hi folks, potentially silly question - how to interpret the version numbers? I'm using aztfmod/rover:1.0.4-2108.1802 from Docker Hub but on Github, when sorted chronologically the tags go up to aztfmod/rover:2102.0100 ?
Timothy
@theorange7
ok got it - it's Terraform versions at the front (before the -)
6 replies
nusrath432
@nusrath432
Hi, has anyone seen this error when reading output values from a landing zone: Error on or near line 239: No parameters have been set in landingzone.; exiting with status 1 [aztfmod/rover:1.0.1-2106.3012]
Command: rover -lz /tf/caf/landingzones/caf_solution/ -tfstate aks.tfstate -env myenv -level level3 -tfstate_subscription_id 78c73253-4901-4f08-8784-85731562c8b8 -a output [launchpad: 78c73253-4901-4f08-8784-85731562c8b8]
Paul Bourke
@brk3

In the docs under https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/code_architecture/hierarchy.md#operate-with-landing-zones-hierarchy where it says "A deployment will typically contain: ...". What does a deployment refer to here?

I'm trying to get a feel for the distribution of levels, e.g. should there be a full set of levels 0-4 for each of dev/test/prod, or is it intended some levels are shared between environments?

3 replies
tenletters10
@tenletters10

Hello. I am trying to find a way to change the subscription_id that I am configuring against when using the standalone module as seen here: https://github.com/aztfmod/terraform-azurerm-caf/blob/master/examples/standalone.md

I have seen the documentation that says you can use "az account set --subscription <subscription_GUID>", but I am trying to perform this in code instead of switching context through the CLI. The azurerm provider itself supports supplying the "subscription_id", but when I attempt to use a provider with an alias while referencing the caf module directly I receive a message stating "Provider azurerm is configured within the module module.caf and cannot be overridden."

```hcl
provider "azurerm" {
  features {}
}

provider "azurerm" {
  subscription_id = "0000000000-0000-0000-0000000000"
  alias           = "set_subscription"
  features {}
}

module "caf" {
  source  = "aztfmod/caf/azurerm"
  version = "5.3.11"

  providers = {
    azurerm = azurerm.set_subscription
  }

  ......

}
```
5 replies
Paul Bourke
@brk3
I'm trying to decipher the purpose of each property of the 'landingzone{}' configuration object. Can anyone give me a few pointers on global_settings_key? I see that the terraform-azurerm-caf module takes a global_settings object as a variable, but what's the purpose of the key?
10 replies
Axel Bellermann
@DataAffairs_twitter
Hi everyone, can someone give me a hint how to deploy a vnet peering into 2 different subscriptions using the caf framework. I'm struggling where to define the subscription ids and I was not able to find an example - just a peering which is done in a single subscription. Many thanks - Axel
4 replies
Stefan
@stefangrafisec
Hi, I am trying to deploy my first launchpad with leveled design and the first deployment works fine and I am also able to destroy the deployment. However, every time I run "apply" rover deploys new resources with a new prefix rather than connecting correctly to the existing launchpad to update the existing infrastructure. Wondering what is missing to instruct rover to update rather than deploying new resources?
1 reply
Henry Dobson
@henrydobson
If you’re deploying Launchpad but the apply process has errors then rover will never upload the local tfstate to the storage accounts and that can cause multiple deployments. Further troubleshooting would require more information about the steps you’re taking.
6 replies
Jamel Achahbar
@jamelachahbar
Hi all, I am trying to deploy the devops agent vms to use in the pipelines but the custom script extension fails each time
│ with module.vm_extensions["level2"].azurerm_virtual_machine_extension.devops_selfhosted_agent["devops_selfhosted_agent"],
│ on extensions/devops_selfhosted_agent.tf line 2, in resource "azurerm_virtual_machine_extension" "devops_selfhosted_agent":
│ 2: resource "azurerm_virtual_machine_extension" "devops_selfhosted_agent" {
anyone had this issue before and sorted it out?
2 replies
Stefan
@stefangrafisec

After having the launchpad running (with only level0 and level1 for training purposes) I am trying to get my first landingzone on level1 up and running. Unfortunately Rover complains:

var.dynamic_keyvault_secrets
  Enter a value: 

var.keyvaults
  Enter a value: 

var.launchpad_key_names
  Enter a value: 

var.resource_groups
  Enter a value: 

var.storage_accounts
  Enter a value:

In the landingzone configuration there is only a landingzone.tfvar file with the following content:

```hcl
landingzone = {
  backend_type        = "azurerm"
  global_settings_key = "launchpad"
  level               = "level1"
  key                 = "networking_HUB"
  tfstates = {
    launchpad = {
      level   = "lower"
      tfstate = "caf_landingzones.tfstate"
    }
  }
}
```

I am running rover with the following command:
rover -lz /tf/caf/caf_landingzones/ -var-folder /tf/caf/caf_landingzones/Level1/Networking_HUB -tfstate Networking_HUB.tfstate -level level1 -a plan

I don't find the reason why rover is asking for those variables?

12 replies
Henry Dobson
@henrydobson

It's a 3 issues kind of day...
If UPN1 deploys the launchpad with n subscriptions, then UPN2 tries to execute plan or apply for the launchpad, the following error is shown:

Error: reading Subscription Alias "subscription_alias_name": subscription.AliasClient#Get: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/subscription_alias_name"

Both UPN1 and UPN2 have the billing role assignment and I cannot find any (and I mean any) docs on subscription alias permission. Using az account alias list confirms that the subscription creator (UPN1) has access whilst UPN2 does not. Does anyone know about this issue?

1 reply
LV-2020
@stormtrooperdev
Hi. I am new to the terraform caf rover. Is this a tool that I have to use in caf terraform?
3 replies
LV-2020
@stormtrooperdev
Hello. How do you structure your landingzone folders that requires staging and production environment configurations?
4 replies
florentvaldelievre
@florentvaldelievre
Hi, I am looking at contoso-2109 branch as we are really interested in the templating feature. Is it at a working stage? I've tried to deploy templates/platform but I have a few files missing. @LaurentLesle ?
I also saw that this templating feature is available on AL-contoso branch. I am able to generate configuration files, but it feels like this branch is not maintained anymore.
9 replies
Paul Bourke
@brk3
Hi all, I've created a simple launchpad module which aims to serve as a learning tool / starting point for those looking to use their own Terraform modules instead of (or alongside) things like caf_solution. Hopefully it may be of help to someone https://github.com/brk3/terraform-landingzone-template
Also the documentation serves to highlight my understanding of how each piece works, if I've got it wrong please let me know!
LV-2020
@stormtrooperdev
Thanks to @brk3 for answering.
Thanks also @nusrath432 !
Hi all. How can I defend CAF to my colleague who is saying that CAF is a Microsoft Lab and it’s not based in a real-world scaling enterprise design architecture?
3 replies
nusrath432
@nusrath432
Terraform returned errors:
╷
│ Error: validating Template Deployment "g23d2gb1.com" (Resource Group "myrg"): requesting validating: resources.DeploymentsClient#Validate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidTemplateDeployment" Message="The template deployment 'e23d2gb1.com' is not valid according to the validation procedure. The tracking id is 'c85cc5fa-66ef-4f1c-a9f5-a094d2ae034f'. See inner errors for details." Details=[{"code":"ValidationForResourceFailed","details":[{"code":"INVALID_AGREEMENT_KEYS","message":"End-user must read and consent to all of the following legal agreements: DNRA DNPA"}],"message":"Validation failed for a resource. Check 'Error.Details[0]' for more information."}]
│ 
│   with module.solution.module.domain_name_registrations["domain_cdn"].azurerm_resource_group_template_deployment.domain,
│   on ../../terraform-azurerm-caf/modules/networking/domain_name_registrations/module.tf line 11, in resource "azurerm_resource_group_template_deployment" "domain":
│   11: resource "azurerm_resource_group_template_deployment" "domain" {
3 replies
Paul Bourke
@brk3

Is anyone successfully using the level0 service principal to run rover?

Certain lzs by default only configure access to keyvaults for this SP (which I'd expect), but Rover's --impersonate functionality seems broken (aztfmod/terraform-azurerm-caf#554, https://github.com/aztfmod/rover/pull/190)

7 replies
Roland
@schoenr79
@Nepomuceno , @arnaudlh any estimation when my PR on terraform-provider-azurecaf can be approved? => aztfmod/terraform-provider-azurecaf#125
9 replies
nusrath432
@nusrath432
Has anyone seen this error - it is intermittent
│ Error: Unsupported attribute
│ 
│   on ../../terraform-azurerm-caf/modules/networking/domain_name_registrations/output.tf line 8, in output "dns_domain_registration_id":
│    8:   value       = jsondecode(azurerm_resource_group_template_deployment.domain.output_content).id.value
│     ├────────────────
│     │ azurerm_resource_group_template_deployment.domain.output_content is "{}"
│ 
│ This object does not have an attribute named "id".
╵
@calling apply
running terraform apply
Terraform version 0.15 or greater
Terraform apply return code: 1
Terraform returned errors:
1 reply
Nik Sheridan
@niksheridan
Hi all, really basic question, I am really struggling to find the documentation on rover - I really want to do with rover what I would do via 'terraform show' or 'terraform state list' - can anyone provide me with some pointers? Thanks in advance
8 replies
Roland
@schoenr79
Hello community, is there any sample available, in the enterprise scale approach, how to deploy a central eventhub. Docs or readme's would be ok, too.
5 replies
Henry Dobson
@henrydobson

I'm exploring the possibility of configuring certain aspects of B2C with CAF and experiencing the following error:

│ Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="SubscriptionNotFound" Message="The subscription '000000-0000-0000-0000-000000000000' could not be found."
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 30, in provider "azurerm":
│   30: provider "azurerm" {
│ 
╵

The subscription ID (000000-0000-0000-0000-000000000000) is actually the B2C tenant ID which I believe is one cause for the error. Has anyone had success using CAF and rover with B2C?

dimitrifc
@dimitrifc
Hi, can you please take a look at aztfmod/terraform-azurerm-caf#735 ? This is a blocking problem for us and should be an easy bug fix changing one string `try(azurerm_linux_virtual_machine_scale_set.vmss["windows"].id, null)` to `try(azurerm_windows_virtual_machine_scale_set.vmss["windows"].id, null)`
1 reply
Kieran
@kiebre92
Hi all, I'm looking to deploy a site-to-site VPN connection with the CAF supermodule. Part of this deployment requires the local_network_gateways to have a Pre-Shared Key, which is a sensitive key; I don't want this in plain text within the tfvars file, so what options do I have for passing these in? Ideally I'd like to store the key in a key-vault
2 replies
Roland
@schoenr79

Good afternoon. I'm trying to create an azuread application with service principal and an assigned built-in role but still the example (examples/azuread/100-azuread-application-with-sevice-principle-with-builtin-roles) fails with the following error

```Error: Error in function call
on /home/vscode/.terraform.cache/Dev/rover_jobs/20211029113352728156040/modules/solution/azuread_service_principals.tf line 15, in module "azuread_service_principals":
15: application_id = coalesce(
16: try(each.value.azuread_application.application_id, ""),
17: try(local.combined_objects_azuread_applications[each.value.azuread_application.lz_key][each.value.azuread_application.key].application_id, ""),
18: try(local.combined_objects_azuread_applications[local.client_config.landingzone_key][each.value.azuread_application.key].application_id, "")
19: )
────────────────
each.value.azuread_application is object with 1 attribute "key"
each.value.azuread_application.key is "test_client"
local.client_config.landingzone_key is "management"
local.combined_objects_azuread_applications is object with 2 attributes

Call to function "coalesce" failed: no non-null, non-empty-string arguments.

Terraform plan return code: 1
Error on or near line 287: Error running terraform plan; exiting with status 1
```

I am using terraform caf solution v5.4.4

Seems to be that the application id could not be obtained. Any hint on that would be welcome. Thx

41 replies
Paul Bourke
@brk3
I just noticed that some resources don't seem to be honoring the azurecaf_name separator argument (which should be '-' by default)... anyone else? E.g. my log analytics workspace is called pxmo-log-logs, but my storage accounts are being created as pxmostbootdiag (I'd expect pxmo-st-bootdiag)
4 replies
Paul Bourke
@brk3
Another basic question. I take it it's not possible to access keyvaults provisioned in l0 from l3?
3 replies
Soy Milk
@SoyMilkOR_twitter
Hi Guys, I've recently been exploring caf and the launchpad.. I wanna ask a dumb question, so suppose if we want to create a resource that's not part of the current scenario in launchpad, how do we go about adding it? Anybody can point me to a sample/ resource for it.. Thanks!!
9 replies
Paul Bourke
@brk3
Having an issue deploying flux as the manifests aren't compliant with the memory/cpu constraint policy. Anyone run across this?
Stefan
@stefangrafisec
Guys, I am trying to enable CI tasks in Azure DevOps and I am struggling with the Rover-Agent and the installed tflint tool in the AZDO Pipeline.
Does anyone have a working AZDO Pipeline definition running tflint successfully as an example?
8 replies
Roland
@schoenr79
Concerning enterprise landing zone (eslz): could somebody explain the objects subscription_id_overrides_by_keys in subscription_id_overrides.tfvars to me.
I know that if I put a subscription id to subscription_id_overrides it will move it to the dependent management group, but what is the other key for?
3 replies
Sean Hill
@evershade
Is there any development activity towards using the caf-terraform-landingzones module with a different backend, specifically Terraform Cloud? It seems to be pretty strongly joined to keeping state in a storage account via the launchpad azurerm backend.
2 replies
nusrath432
@nusrath432
Has anyone used Service Principal for Rover authentication - if yes, can you provide the syntax or reference to the docs please. Seeing this error when using SP:
Initializing the backend...
╷
│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│ 
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
│ auth method - instructions for which can be found here: https://www.terraform.io/docs/providers/azurerm/guides/service_principal_client_secret.html
│ 
│ Alternatively you can authenticate using the Azure CLI by using a User Account.
│ 
│
11 replies