Kieran
@kiebre92
Hi all, I'm looking to deploy a site-to-site VPN connection with the CAF supermodule. Part of this deployment requires the local_network_gateways to have a Pre-Shared Key, which is a sensitive key; I don't want this in plain text within the tfvars file. What options do I have for passing these in? Ideally I'd like to store the key in a key vault.
2 replies
Roland
@schoenr79

Good afternoon. I'm trying to create an azuread application with a service principal and an assigned built-in role, but the example (examples/azuread/100-azuread-application-with-sevice-principle-with-builtin-roles) still fails with the following error:

```
Error: Error in function call
on /home/vscode/.terraform.cache/Dev/rover_jobs/20211029113352728156040/modules/solution/azuread_service_principals.tf line 15, in module "azuread_service_principals":
15: application_id = coalesce(
16: try(each.value.azuread_application.application_id, ""),
17: try(local.combined_objects_azuread_applications[each.value.azuread_application.lz_key][each.value.azuread_application.key].application_id, ""),
18: try(local.combined_objects_azuread_applications[local.client_config.landingzone_key][each.value.azuread_application.key].application_id, "")
19: )
────────────────
each.value.azuread_application is object with 1 attribute "key"
each.value.azuread_application.key is "test_client"
local.client_config.landingzone_key is "management"
local.combined_objects_azuread_applications is object with 2 attributes

Call to function "coalesce" failed: no non-null, non-empty-string arguments.

Terraform plan return code: 1
Error on or near line 287: Error running terraform plan; exiting with status 1
```

I am using terraform caf solution v5.4.4.

It seems that the application id could not be obtained. Any hint on that would be welcome. Thx

41 replies
Paul Bourke
@brk3
I just noticed that some resources don't seem to be honoring the azurecaf_name separator argument (which should be '-' by default)... anyone else? E.g. my log analytics workspace is called pxmo-log-logs, but my storage accounts are being created as pxmostbootdiag (I'd expect pxmo-st-bootdiag).
4 replies
Paul Bourke
@brk3
Another basic question. I take it it's not possible to access keyvaults provisioned in l0 from l3?
3 replies
Soy Milk
@SoyMilkOR_twitter
Hi guys, I've recently been exploring caf and the launchpad. I want to ask a dumb question: suppose we want to create a resource that's not part of the current scenario in launchpad, how do we go about adding it? Can anybody point me to a sample / resource for it? Thanks!!
9 replies
Paul Bourke
@brk3
Having an issue deploying flux as the manifests aren't compliant with the memory/cpu constraint policy. Has anyone run across this?
Stefan
@stefangrafisec
Guys, I am trying to enable CI tasks in Azure DevOps and I am struggling with the Rover-Agent and the installed tflint tool in the AZDO Pipeline.
Does anyone have a working AZDO Pipeline definition running tflint successfully as an example?
8 replies
Roland
@schoenr79
Concerning the enterprise landing zone (eslz): could somebody explain the object subscription_id_overrides_by_keys in subscription_id_overrides.tfvars to me?
I know that if I put a subscription id into subscription_id_overrides it will move it to the dependent management group, but what is the other key for?
3 replies
Sean Hill
@evershade
Is there any development activity towards using the caf-terraform-landingzones module with a different backend, specifically Terraform Cloud? It seems to be pretty strongly joined to keeping state in a storage account via the launchpad azurerm backend.
2 replies
nusrath432
@nusrath432
Has anyone used a Service Principal for Rover authentication? If yes, can you provide the syntax or a reference to the docs please. Seeing this error when using an SP:

```
Initializing the backend...
╷
│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│ 
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
│ auth method - instructions for which can be found here: https://www.terraform.io/docs/providers/azurerm/guides/service_principal_client_secret.html
│ 
│ Alternatively you can authenticate using the Azure CLI by using a User Account.
│ 
│
```
11 replies
jasonhornatcrowe
@jasonhornatcrowe

Does the aztfmod/terraform-azurerm-caf super module contain any coverage for CDN profiles / endpoints?

Sorry if this is blatantly obvious, I searched the repo and came up empty. I did get the static site stubbed, but want to add these resources as well. I can, of course, create these using the hashicorp/azurerm provider resources, but don't want to go outside of CAF if I can help it.

2 replies
Paul Bourke
@brk3
Is anyone using the CSI keyvault provider to provide TLS certs to the ingress controller for AKS?
5 replies
nusrath432
@nusrath432
Hi, where in the Azure Portal can I find the Diagnostic Definitions created? The underlying module used is "azurerm_monitor_diagnostic_setting", but I could not find them anywhere in the UI. Can anyone guide me on it please?
8 replies
Henry Dobson
@henrydobson
Diagnostic definitions are not an Azure resource. It’s an entity used in CAF only that defines the configuration objects for diagnostic profiles.
3 replies
Paul Bourke
@brk3
Has anyone found a way to refer to local files from configuration? E.g. say a module wants to take a yaml file and apply kustomize on it, is there a way to give the module a path relative to the configuration via a var?
4 replies
nusrath432
@nusrath432
Can someone provide me an idiot's guide on generating a regex, with an example, for terraform-provider-azurecaf please:
https://github.com/aztfmod/terraform-provider-azurecaf/blob/master/resourceDefinition.json
5 replies
nusrath432
@nusrath432
CI/CD Pipeline Design: Has anyone implemented CAF using CI/CD pipelines successfully? Either a single stack (single tenant) or multistack (single tenant) or multistack (multi-tenant), using GitHub or GitLab or other CI tools. Could you share your experience please? Thanks
  • How do we handle changes in lower layers and run the pipeline for all the impacted layers?
  • How do we handle multi-user mode and merge conflicts using CI/CD?
17 replies
tenletters10
@tenletters10

Hello. I am trying to use the module "resource_group_reused" to use an existing resource group vs the CAF module creating a new one for me, but running into some errors.

When I attempt to use it in my module I get the following error message:
```
Error: Unsupported argument

│ on main.tf line 37, in module "caf":
│ 37: resource_group_reused = {

│ An argument named "resource_group_reused" is not expected here.
```

In my code I am using it this way:

```hcl
resource_group_reused = {
  rg = {
    name = var.resource_group_name
  }
}
```

I can successfully run this code block, but it creates a new resource group which is unwanted in my scenario:

```hcl
resource_groups = {
  rg = {
    name = local.resource_group_suffix
  }
}
```

I found this resource_group_reused via this file: https://github.com/aztfmod/terraform-azurerm-caf/blob/master/resource_groups.tf

When I dig into the module it references, it shows it using a data block, which is what I want, vs the resource_group module, which has a resource block.

What am I doing wrong?

I have looked through a ton of the example configurations in the GitHub repo, but all of them seem to show examples of creating a new resource group. I can't find any examples for reusing a resource group that already exists.

6 replies
alisha-dev
@alisha-dev
Hello Team,
I am trying to deploy caf for one of our workloads and I am facing the below issues.
  • I am unable to deploy vmss and application gateway in an existing vnet and subnet. All the examples are creating a new vnet every time.
  • Creating an automation account in level0 (does it mean that level0 is only meant to deploy the base landing zone setup and all the other resources should be deployed from level1 onwards?)
44 replies
alisha-dev
@alisha-dev
Hello Team,
Is there any sample available to deploy a non-WAF tier application gateway (standard)?
7 replies
nusrath432
@nusrath432
How can we make a block within a terraform resource definition conditional, either based on a single value defined in the tfvars or a block defined in the tfvars? For example:

```hcl
resource "my_resource" "demo" {
  region = var.settings.region

  config {
    var1 = lookup(var.settings.config_in_tfvars, "var1", null)
    var2 = lookup(var.settings.config_in_tfvars, "var2", null)
  }
}
```
1 reply
nusrath432
@nusrath432
Has anyone managed to bootstrap CAF / level0 using a service principal? When I run the plan using a UPN it works fine, but when I run the same with an SP (subscription owner), it throws "Building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal)."
20 replies
Soy Milk
@SoyMilkOR_twitter
Hi folks, does anyone know how to force-unlock a state file through rover?
4 replies
Sergi Asensio
@asensionacher
Hi all, is it possible to add suffixes to all resources, as we use the prefix?
7 replies
florentvaldelievre
@florentvaldelievre
Hi all, I was wondering if you had a timeline regarding the contoso-2109 branch, especially the ado_pipeline component template? (https://github.com/Azure/caf-terraform-landingzones-starter/tree/contoso-2109/templates)
nusrath432
@nusrath432
Does anyone (@arnaudlh) know the purpose of auditing.tf & threat_detection.tf within the postgresql_server module? Ref: https://github.com/aztfmod/terraform-azurerm-caf/blob/103887136309a41ad7772bd7bb433b445be8652e/modules/databases/postgresql_server/auditing.tf - it looks like it is just a data source for storage accounts but not really used anywhere. Did anyone use it or have an understanding please?
11 replies
Paul Bourke
@brk3
Has anyone used a shared level across multiple environments? E.g. say I have a network hub deployed at level2, and would like to reference that in both -env team1 and -env team2. Is this possible?
19 replies
Ryan Bartram
@rdbartram
FYI, a friend and I are working on rovergo tonight... we're going to try to push that project forward and will stream about caf and how we use it in future streams... if you're interested and can maybe help us, then drop by https://www.twitch.tv/worxspace
5 replies
rahulkkeerthi
@rahulkkeerthi
Hi all, my function app is getting recreated after each plan even when no changes were made to it. Is there something that I have to change? I want to set my function app os_type to windows. Thanks.
15 replies
Arnaud Lheureux
@arnaudlh
Preview Module 5.5.0 - Hi community, we are preparing the release of module 5.5.0, which includes a lot of improvements tracked under this milestone: https://github.com/aztfmod/terraform-azurerm-caf/milestone/6?closed=1. Almost everything is currently already in the master branch. The main reason why we move to 5.5.x instead of 5.4.x is because we are introducing configuration aliases for virtual wan. Since provider configuration aliases were introduced in 0.15, we will need to drop support for Terraform 0.13 and 0.14. If you have a test environment, don't hesitate to test the module and give us feedback :)
6 replies
nusrath432
@nusrath432

@arnaudlh Best practices - design pattern for referencing resources within CAF. For example:

```hcl
private_dns_zone_id = try(
  local.combined_objects_private_dns[each.value.private_dns_zone.lz_key][each.value.private_dns_zone.key].id,
  local.combined_objects_private_dns[local.client_config.landingzone_key][each.value.private_dns_zone.key].id,
  each.value.private_dns_zone.id,
  null
)
```

Q1. For local & lower landing zones, we are using remote_objects = {}. But when do we use local.combined_objects vs local.<resource>?
Q2. Do we have a pattern that works for all scenarios, i.e. whether the referenced object exists in remote state, local state, a local code block or as an external resource?
Q3. Are we supporting patterns such as vnet_key, or switching to vnet { key="" lz_key="" }, or supporting both?

5 replies
Darryl Sw
@darryl-sw
Hi all, has anyone successfully integrated a policy engine (like Open Policy Agent) with Rover? I'm hoping to make use of it to prevent certain resources from being deployed with Rover.
2 replies
Sergi Asensio
@asensionacher

Hi, when I deploy an Access Policy in a Key Vault it appears as Unknown, instead of Application

```hcl
creation_policies = {
  logged_in_user = {
    secret_permissions      = ["Set", "Get", "List", "Delete", "Purge"]
    certificate_permissions = ["managecontacts", "manageissuers"]
  }

  azuread_application = {
    object_id          = "c432f4fc-a70e-4833-9d8e-fa44bcexxxxx"
    secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
  }
}
```


How do I have to do it so it shows as an application instead of unknown? Is it possible to use the function app key name instead of the object_id?

4 replies
Himanshu Sharma
@hsharma1528
Hello all, I am planning to write my own tf file for Function App, as the module within aztfmod doesn't work as expected for Windows function apps. How can I refer to the output of resources created by aztfmod in my tf file? I have a few more custom tf files to write for other services.
pp-csievering
@pp-csievering
Have a question about Dynamic Keyvault Secrets. Is it possible to reference a keyvault in another landing zone? I tried adding lz_key to the config and it would still only find keyvaults in the same landing zone.
4 replies
Soy Milk
@SoyMilkOR_twitter
Hi folks, does anybody know what the keyvault_certificate_request module does / how it works? More specifically for AGW: aztfmod/terraform-azurerm-caf#267
3 replies
Soy Milk
@SoyMilkOR_twitter
Also, has anybody implemented through caf an app gateway with SSL certs that already pre-exist, referencing them by id? From what I see, the examples are mostly generating a cert, putting it in keyvault and then referencing the object's key (CAF).
Kieran
@kiebre92
Am I right in saying that the supermodule doesn't currently support Azure Monitor Private Link Scope (AMPLS) for connecting to Azure Monitor? I can't see anything in the repo or examples
anasmohana
@anasmohana
Hi, are there any documents on how I can deploy resources across multiple subscriptions?
1 reply
Kieran
@kiebre92

Hey, we're trying to upgrade our rover version from aztfmod/rover:1.0.4-2108.1305 to the latest version: aztfmod/rover:1.0.11-2112.0809

Getting a strange error which we can't quite figure out. It's worth noting that we haven't changed any configuration code; we're simply changing the image version:

```
Error on or near line 391: Error running terraform plan; exiting with status 1
cleanup variables
clean_up backend_files
##[error]Bash exited with code '1'.
##[error]Bash wrote one or more lines to the standard error stream.
##[error]WARNING: The command requires the extension resource-graph. It will be installed first.

##[error]
Error: Error loading state error

  with data.terraform_remote_state.remote["launchpad"],
  on locals.remote_tfstates.tf line 19, in data "terraform_remote_state" "remote":
  19:   backend = var.landingzone.backend_type

error loading the remote state: blobs.Client#Get: Failure responding to
request: StatusCode=403 -- Original Error: autorest/azure: Service returned
an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This
request is not authorized to perform this operation using this
permission.\nRequestId:xxxxxxxxxxxxxxxxxxxxxxx\nTime:2022-01-12T08:30:52.9562577Z"
```

Has anybody else come across this issue?

11 replies
Israel Ayongwa
@iayongwa
Hello everyone, I ran into some errors while trying to deploy the GitOps configuration for Azure https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/pipelines/README-pipelines.md (3.3.3). Has anyone experienced something similar or knows a workaround? I've been looking at it since yesterday without success. Thanks.
5 replies
anasmohana
@anasmohana
Hello everyone, any idea how to assign the role to the MSI for GitOps across multiple subscriptions? Put another way, can I assign the MSI role in an existing sub? Thanks in advance.
asid007
@asid007:matrix.org
Hello everyone... I am new to this CAF-based implementation of ESLZ through Terraform. Can anyone provide some guidance about how we can set up an Enterprise Scale Landing Zone using Terraform (Rover)? There is a lot of documentation available, but it is confusing, as there are some old documents which are nowhere related now. Kindly provide some info on how we can set up ESLZ using Terraform (Rover approach), where we will have a management group structure set up and multiple subscriptions (connectivity, identity, management, landing zone etc.). Thanks in advance.
1 reply
jasonhornatcrowe
@jasonhornatcrowe

Hello all, please forgive me if this has already been answered, but I am not finding in the examples the proper way to assign group owners... I have what I believe to be a legitimate configuration for the group:

```hcl
azuread_groups = {
  architects = {
    name        = "AZ Group 1"
    description = "a super cool group"
    members = {
      user_principal_names = [
        "me@mycompany.com"
      ]
      group_names            = []
      object_ids             = []
      group_keys             = []
      service_principal_keys = []
    }
    owners = {
      user_principal_names = [
        "somebody_else@mycompany.com"
      ]
    }
    prevent_duplicate_name = true
  }
}
```

I can see that the member is getting applied correctly... but the owner object id in the plan is always the person etc. running the command... Anyone know what I am doing wrong here?

Thanks in advance!

4 replies
Israel Ayongwa
@iayongwa

Hi, just wanted to ask if anyone else has come across the same issue. I have tried to deploy https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/configuration/sandpit/level1/gitops/azure_devops and get the below error when running PLAN:

```
on /home/vscode/.terraform.cache/modules/caf/modules/security/keyvault_access_policies/policies.tf line 12, in module "azuread_apps":
│ 12: object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key),var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id
│ ├────────────────
│ │ each.value is object with 3 attributes
│ │ each.value.lz_key is "launchpad"
│ │ var.azuread_apps is object with 1 attribute "azdo-contoso"
│ │ var.client_config.landingzone_key is "azdo-contoso"

│ The given key does not identify an element in this collection value.
```

Hello forum. I ran into a similar error to the one quoted here. The proposed solution by Luke, to set azure_devops to "level1" and the launchpad level to "lower", is incorporated in the new stable release. Has anyone experienced this? I have been trying to 'customize' the starter template a bit to suit my needs by commenting out deployments to level3 and level4, which I do not need. I don't know if that has anything to do with this error. Thanks in advance for any tips or advice.