Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • Jun 21 09:34
    Poil opened #175
  • Jun 16 16:13
    bensincs opened #174
  • Jun 16 16:12
    bensincs closed #173
  • Jun 16 16:12
    bensincs opened #173
  • Jun 16 06:50
    arnaudlh closed #172
  • Jun 16 06:50
    arnaudlh closed #162
  • Jun 16 03:19
    LaurentLesle closed #267
  • Jun 16 03:19
    LaurentLesle assigned #267
  • Jun 16 03:18
    LaurentLesle labeled #267
  • Jun 16 03:12
    arnaudlh closed #268
  • Jun 16 02:40
    arnaudlh closed #266
  • Jun 16 02:29
    arnaudlh labeled #268
  • Jun 16 02:29
    arnaudlh assigned #268
  • Jun 16 00:28
    DrDarinda opened #268
  • Jun 15 07:31
    DrDarinda opened #267
  • Jun 14 06:40
    arnaudlh assigned #266
  • Jun 14 06:40
    arnaudlh labeled #266
  • Jun 14 06:40
    arnaudlh opened #266
  • Jun 14 06:40
    arnaudlh review_requested #266
  • Jun 14 06:37
    arnaudlh closed #265
pp-csievering
@pp-csievering
image.png
68747470733a2f2f66696c65732e6769747465722e696d2f3565346330333832643733343038636534666439663937382f73676a612f7468756d622f696d6167652e706e67.png
Soy Milk
@SoyMilkOR_twitter
Hi Folks, anybody know what keyvault_certificate_request module does/ how it works? More specifically for AGW aztfmod/terraform-azurerm-caf#267
3 replies
Soy Milk
@SoyMilkOR_twitter
Also, has anybody implemented through caf an app gateway with ssl certs that are already preexisting, and referencing it by the id ? from what i see, the examples are mostly generating a cert , putting it in keyvault and then referencing the object's key (CAF)
rahulkkeerthi
@rahulkkeerthi
This message was deleted
2 replies
Jonathan
@jonathan-opsguru
This message was deleted
2 replies
Kieran
@kiebrew
Am I right in saying that the supermodule doesn't currently support Azure Monitor Private Link Scope (AMPLS) for connecting to Azure Monitor? I can't see anything in the repo or examples
anasmohana
@anasmohana
Hi is there any documents on how I can deploy resources in multi subscription
1 reply
Kieran
@kiebrew

Hey, we're trying to upgrade our rover version from aztfmod/rover:1.0.4-2108.1305 to the latest versin: aztfmod/rover:1.0.11-2112.0809

Getting a strange error which we can't quite figure out, it's worth noting that we haven't change any configuration code, we're simply changing the image version:

Error on or near line 391: Error running terraform plan; exiting with status 1
cleanup variables
clean_up backend_files
##[error]Bash exited with code '1'.
##[error]Bash wrote one or more lines to the standard error stream.
##[error]WARNING: The command requires the extension resource-graph. It will be installed first.

##[error]
Error: Error loading state error

  with data.terraform_remote_state.remote["launchpad"],
  on locals.remote_tfstates.tf line 19, in data "terraform_remote_state" "remote":
  19:   backend = var.landingzone.backend_type

error loading the remote state: blobs.Client#Get: Failure responding to
request: StatusCode=403 -- Original Error: autorest/azure: Service returned
an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This
request is not authorized to perform this operation using this
permission.\nRequestId:xxxxxxxxxxxxxxxxxxxxxxx\nTime:2022-01-12T08:30:52.9562577Z"

Has anybody else come across this issue?

11 replies
Israel Ayongwa
@iayongwa
image.png
5 replies
Hello everyone, I ran into some errors while trying to deploy GitOps configuration for Azure https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/pipelines/README-pipelines.md (3.3.3). Has anyone experienced something similar or knows a workaround? I've been looking at it since yesterday without success. Thanks.
anasmohana
@anasmohana
Hello everyone, any idea how to assign the role to the MSI for GitOps to multi subscription by another way can I assign MSI role in existing sub, thanks in advance
asid007
@asid007:matrix.org
[m]
hello everyone....I am new to this CAF based implementation of ESLZ through terraform. Can anyone provide some guidance about how we can setup Enterprise Scale Landing Zone using Terraform (Rover)? There are lot of documentation available but they are confusing as there are some old documents which are no where related now. Kindly provide some info how can we setup ESLZ using Terraform (Rover approach) where will have a management group structure setup, multiple subscriptions - connectivity, identity, management, landing zone etc? Thanks in advance.
1 reply
jasonhornatcrowe
@jasonhornatcrowe

Hello all, please forgive me if this has already been answered, but I am not finding in the examples the proper way to assign group owners... I have what I believe to be a legitimate configuration for the group:

azuread_groups = {
  architects = {
    name        = "AZ Group 1"
    description = "a super cool group"
    members = {
      user_principal_names = [
        "me@mycompany.com"
      ]
      group_names          = []
      object_ids           = []
      group_keys           = []

      service_principal_keys = []

    }
    owners = {
      user_principal_names = [
        "somebody_else@mycompany.com"
      ]
    }
    prevent_duplicate_name = true
  }
}

I can see that the member is getting applied correctly... but the owner object id in the plan is always the person etc. running the command... Anyone know what I am doing wrong here?

Thanks in advance!

4 replies
Israel Ayongwa
@iayongwa

Hi, Just wanted to ask if anyone else has come across the same issue. I have tried to deploy https://github.com/Azure/caf-terraform-landingzones-starter/tree/starter/configuration/sandpit/level1/gitops/azure_devops. and get below error when running PLAN: on /home/vscode/.terraform.cache/modules/caf/modules/security/keyvault_access_policies/policies.tf line 12, in module "azuread_apps":
│ 12: object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key),var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id
│ ├────────────────
│ │ each.value is object with 3 attributes
│ │ each.value.lz_key is "launchpad"
│ │ var.azuread_apps is object with 1 attribute "azdo-contoso"
│ │ var.client_config.landingzone_key is "azdo-contoso"

│ The given key does not identify an element in this collection value.

Hello forum. I ran into a similar error like the one quoted here. The proposed solution by Luke to set azure_devops to "level1" and launchpad level to "lower" is incorporated in the new stable release. Has anyone experienced this? So I have been trying to 'customize' the starter template a bit to suit my needs by commenting out deployments to level3 and level4 which I do not need. I don't know if that has anything to do with this error. Thanks in advance for any tips or advice.

3 replies
image.png
bobbyDazzle
@bobbyDazzle5_twitter

Evening all, hopefully someone can help me here. I've been using Terraform since the early days, probably started with v0.8 and loved it from day one. Deployed to AWS, Azure, VMWare and various other providers in all sorts of environments. So I'm very comfortable with it.

However, I'm struggling with the CAF. Not necessarily the actual module (it's complex but I know when I sit down and work through it I'll be fine). The issue is the actual implementation of it for real-world deployments. I'm really struggling following all the different repos and examples. Seems that there's always some other example or repo lurking that only serves to make me 'unlearn what I have just learnt' .

Is anyone aware of any good content that brings all this together and may help bridge the gap? I've not been able to put my finger on why I'm struggling having this all sink in.

Thanks all.....

20 replies
Happy Elegance
@happyelegance

Hello everyone, I have a question I hope someone can help me out with. Our environment does not use Rover.

I created the azuread group in a shared.tfstate file. But for different environments stored in env.tfstate I'd like to create the role assignments and pass the group_key. I want to reference this group through terraform_remote_state. I folowed the pattern in that doc: https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/code_architecture/service_composition.md
I added the data "terraform_remote..." and the local variable for azuread_groups in my main.tf. But when I try to reference the group in my env.tfvar it doesn't know about it. Any help would be appreciated.
Thanks in advance!

azuread_groups = {
  group_key = {
     id   = "data.terraform_remote_state.shared.outputs.objects.test.azuread_groups.group_key.id"
  }
}
#shared.tf
azuread_groups = {
  group_key = {
    name        = "Test Group"
    description = "Test Group"
    members = {
      user_principal_names = []
      group_names          = []
      object_ids           = []
      group_keys           = []
      service_principal_keys = []
    }
    owners = {
      user_principal_names = []
      service_principal_keys = []
    }
    prevent_duplicate_name = false
  }
}

# main.tf
data "terraform_remote_state" "shared" {
  backend = "azurerm" 
  config = {
    ...
    key = "shared.tfstate"
  }
}

#env.tf
locals { 
...
   azuread_groups = data.terraform_remote_state.shared.outputs.azuread_groups
...
10 replies
Shane Holder
@sholder_twitter

Hi, I've stood up the CAF demo environment through Level 2 and used the 100-single-linux-vm to stand a VM up in Level 3. I then wanted to tear down the level 3 vm, change some stuff and re-run it. When I ran the rover destroy process I received errors from KeyVault.

Error: purging of Secret "xyzzy-vm-examplevm1-ssh-public-key-openssh" (Key Vault "https://xyzzy-kv-vmlinuxakv.vault.azure.net/") : keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Operation \"purge\" is not allowed because purge protection is enabled for this vault. Key Vault service will automatically purge it after the retention period has passed.\r\nVault: xyzzy-kv-vmlinuxakv;location=eastus2"

What is the proper recovery process when an error like this occurs? Also is this an error that should be reported somewhere?

Hein Tonny Køien
@heintonny
Hi. Thanks for grate work with Enterprise Scale and CAF. When we use Enteprise Scale (ES) Management to deploy Log Analytics workspace and diagnostic_definitions, what would be the best /recomended aproach to deploy Azure CAF resources with this diagnostics profiles? I can't find any "link" between ES output and CAF input (or visa versa) to do this "out-of-the-box". I guess we can leave it to ES policies to deploy diagnostic profiles, but I think it would be better to do the linking directly when we create CAF resources. Apriciate your thoughts and recomendations?
6 replies
florentvaldelievre
@florentvaldelievre

Hi, I have question regarding ip_groups scope and landing zone. See below my issue:

lz_1
   ip_groups.tfvars
lz_2
   firewall_policies.tfvars

firewall_policies.tfvars contains a list of firewall rules.
Can I reference source_ip_groups_keys with keys defined in lz_1 or keys only works withing the same landing zone ?
I have tried to add lz1 tfstate in the lz2 landingzone block, but it still can't recognize the group key defined in lz_1

// lz_2/configuration.tfvars
landingzone = {
  backend_type        = "azurerm"
  global_settings_key = "foundations"
  level               = "level2"
  key                 = "lz_2"
  tfstates = {
    lz1 = {
      level   = "current"
      tfstate = "lz1.tfstate"
    }
  }
}
10 replies
Roland
@schoenr79

Hi everyone,
what could cause the problem that i am not able do access global_settings from level0 in the higher level1 / eslz?

│ Error: Unsupported attribute │ │ on enterprise_scale.tf line 10, in module "enterprise_scale": │ 10: default_location = local.global_settings.regions[local.global_settings.default_region] │ ├──────────────── │ │ local.global_settings is object with no attributes │ │ This object does not have an attribute named "regions".

2 replies
Ronaldschouw
@Ronaldschouw

Hi, I wrote our image gallery module in level1. Its it working fine. We are using our own harded RHEL images.
The output in the tstate file is as follow:

    "shared_image_gallery": {
      "value": {
        "rhel84": {
          "id": "/subscriptions/xxxxxx/resourceGroups/mcdta-rg-image-gallery-ocpe/providers/Microsoft.Compute/galleries/RedHat/images/RHEL_8/versions/8.4.0"
        }

The id of the image is used to create a virtual machine in level2.
A snip of the tfvar file of the virtual server.

        os_disk = {
          name                    = "idm1-os"
          caching                 = "ReadWrite"
          storage_account_type    = "Standard_LRS"
          disk_size_gb            = "40"
          disk_encryption_set_key = "set1"
        }
        custom_image_ids = {
          lz_key           = "shared_image_gallery"
          custom_image_key = "rhel84"
         }

And the config to read the lower tfstate file.

landingzone = {
  backend_type        = "azurerm"
  global_settings_key = "management"
  level               = "level2"
  key                 = "identity_virtual_host"
  tfstates = {
    identity_network = {
      level   = "current"
      tfstate = "identity_network.tfstate"
    }
    shared_image_gallery = {
      level   = "lower"
      tfstate = "shared_image_gallery.tfstate"
    }
  }
}

Unfortunately, the custom_image_ids is not handled properly in the module. I think the problem is in the module of the virtualserver. This one looks like this:

source_image_id = try(each.value.custom_image_id,var.custom_image_ids[each.value.lz_key][each.value.custom_image_key].id, null)

If the module terraform-azurerm-caf/modules/compute/virtual_machine/vm_linux.tf is modified as follows, will the variable from the lower tfstate file be retrieved correctly? Are we missing a landingzone_key ?

source_image_id = try(each.value.custom_image_id,try(var.custom_image_ids[var.client_config.landingzone_key][each.value.lz_key][each.value.custom_image_key].id,var.custom_image_ids[each.value.lz_key][each.value.custom_image_key].id))

Nevertheless, if the custom_image_id is used with the full id:/subscription/.. from the azure configuration, everything works properly. But then we have added a static value to a variable configuration.
How can the module be adapted?
It will help us a lot

6 replies
Joseph Perez
@zepperez
Hello, I'm looking to see if we can deploy resources without using the dev container. Can anyone provide guidance on how it works? Thanks!
Sebastian Gräf
@segraef
image.png

Hi there,

After deploying launchpad level0 via rover ignite from contoso-2201 it fails with

Apply complete! Resources: 146 added, 0 changed, 0 destroyed.

Outputs:

diagnostics = <sensitive>
global_settings = <sensitive>
launchpad_identities = <sensitive>
objects = <sensitive>
tfstates = <sensitive>
Terraform apply return code: 0
@calling get_storage_id
@calling upload_tfstate
Moving launchpad to the cloud
ERROR: argument --ids: expected at least one argument

Examples from AI knowledge base:
az storage account show --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}
Show properties for a storage account by resource ID.

az storage account show --resource-group MyResourceGroup --name MyStorageAccount
Show properties for a storage account using an account name and resource group.

https://docs.microsoft.com/en-US/cli/azure/storage/account#az_storage_account_show
Read more about the command in reference docs
Error on or near line 142; exiting with status 1
Error on or near line 142; exiting with status 1

@calling clean_up_variables
cleanup variables
clean_up backend_files
vscode@7b5da0201736:/tf/caf/$

My details:

aztfmod/rover:1.1.3-2201.2106

When I execute the rover command again it fails again.
Any idea what I'm missing or is this error known?

Not sure how to check the logs in the rover to actually see what's happening ;)
nusrath432
@nusrath432
Application Gateway - Backend Pools and Targets - How can we set multiple Backend Pools with mutiple Rules/Targets for a given App GW - The code seems to be picking only on Backend Pool with name as App GW name instead of picking name from value.backend_pool.name
Ref: locals.backend_pools.tf:L28 - Anyone has an example block please
1 reply
tpatrizio
@tpatrizio
Hi everyone, I'm looking for someone who can share his experience deploying rover as a GitLab runner. I saw the documentation will be updated in the next months but I'm wondering if someone has already had a chance to test this setup. I'd also like to have your opinion about the possibility to store terraform state in GitLab instead of Azure storage account. Thanks a lot for your time
jleonelion
@jleonelion
@arnaudlh @LaurentLesle - partitioning TF code into levels is a great design pattern, but I am having a tough time keeping the resource types intended for each level at their respective level. As a specific example, I want to create a policy that requires all VMs within a particular region send their logs to the log analytics workspace for that region. Policies are level1 and common logging services level2. This creates a problem in that the policy (level1) needs to reference a resource at level2. Only work-around I can think of is creating the policy at level2 (or create the LAW at level0 or level1). Both of these approaches break the proposed design pattern and roles intended for the levels. Hoping you or other members of the channel can advise if I am misunderstanding the intent of each level.
5 replies
jbla9028
@jbla9028
I think we may be running into a similar issue. I have concerns about how large certain states may get. We are trying to break up into layers but finding some difficulties joining layers since there are no way to connect layers without using resource Ids as far as we can see?
8 replies
Roland
@schoenr79
I am looking for an example, how to implement network peering across different subscriptsion. What is the best way to implement that?
3 replies
tpatrizio
@tpatrizio
Hi all, what about the rovergo project? is there someone who can share his experience in using it as a replacement of the traditional rover implementation?
12 replies
Shane Holder
@sholder_twitter
Hello, I am running into an issue with running the level1 platform_subscriptions step of the enterprise framework (2201). The rover plan is says that it needs to create the launchpad subscription which is the same subscription as our TF states, are they supposed to be the same or different? The other subscriptions we have also already exist, management, identity, connectivity however the rover plan shows that these subs already exist and all it wants to do is create the alias. Is there a recovery from this?
1 reply
Traiano Welcome
@archmangler
Hi - is it possible we could get rid of this "rover" thing and use something more generic? Not only is it poorly documented, obscure, but it also conflicts with another open source cli tool in wide use called "rover" , e.g:

```base) welcome@Traianos-MacBook-Pro landingzones % rover landingzone list -level level0
error: Found argument 'landingzone' which wasn't expected, or isn't valid in this context

USAGE:
rover [FLAGS] [OPTIONS] <SUBCOMMAND>

For more information try --help
```

Traiano Welcome
@archmangler
Another question about rover:
I get this with every version, when trying to run it in the container:

`
version: aztfmod/rover:1.0.11-2201.2106

cat: /tf/caf/.devcontainer/docker-compose.yml: No such file or directory
The version of your local devcontainer rover:1.0.11-2201.2106 does not match the required version .
Click on the Dev Container buttom on the left bottom corner and select rebuild container from the options.
`

This is when I run rover in the container: rover login -t xxxxxxxx -s yyyyyyyyyyyyyy
Is there an alternative guide for deploying the tf LZ without the use of rover ?
Ronaldschouw
@Ronaldschouw
Hi all,
We have a strange problem with level 1. We are getting the authorization error below with a plan. This problem does not occur on all other levels. Friday we made a change in level1 management. We have added a storage account. This should not give the authorization problem. The error message on level 1 occurs in the acceptance environment and the production environment. Anyone any idea?
Initializing the backend...

Successfully configured the backend "azurerm"! Terraform will automatically
use this backend unless the backend configuration changes.
╷
│ Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:01a538f8-201e-004a-214f-1c5e3d000000\nTime:2022-02-07T18:18:41.2116142Z"
│ 
│ 
╵

Error on or near line 211; exiting with status 1
Ronaldschouw
@Ronaldschouw

Hi All,
Problem solved. Never use a tag like this with a new storage account.

    tags = {
      # Those tags must never be changed while set as they are used by the rover to locate the launchpad and the tfstates.
      tfstate     = "level1"
      environment = "mcdta"
      launchpad   = "launchpad"

A quick copy and paste 'll never be good.

Josh K
@jkewley

Hello,

We are deploying the multi-subscription contoso sample of enterprise scale based on the 2112.int branch (/templates/enterprise-scale/contoso/platform).
We've hit a wall when trying to rover-plan the eslz step after running management :

 Error: Invalid index
│ 
│   on archetype_config_overrides.tf line 98, in locals:
│   98:         for key, value in param_value : key => local.caf[value.output_key][value.lz_key][value.resource_type][value.resource_key][value.attribute_key]
│     ├────────────────
│     │ local.caf is object with 8 attributes
│     │ value.lz_key is "management"
│     │ value.output_key is "diagnostics"
│     │ value.resource_key is "eastus2logs"
│     │ value.resource_type is "log_analytics"
│ 
│ The given key does not identify an element in this collection value.

Our override looks like this

    logAnalytics:
      lz_key: management
      output_key: diagnostics
      resource_type: log_analytics
      resource_key: eastus2logs
      attribute_key: id

based on the sample that ships with contoso which looks like this

    logAnalytics:
      lz_key: management
      output_key: diagnostics
      resource_type: log_analytics
      resource_key: central_logs_sea
      attribute_key: id

The only difference being the name of the resource key which we changed in management.yaml. My gut is that the terraform isn't able to resolve the id of the LA workspace we deployed to management, but I can't understand why. Our LA workspace is in a rg named management in the management sub with the name eastus2logs Any ideas

8 replies
nusrath432
@nusrath432
Diagnostic Settings Complaining about: Objects have changed outside of Terraform
  • Has anyone observed this behaviour? no matter I delete them via TF code or Manually and TF apply multiple times - each time it complains the same

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # module.solution.module.diagnostic_event_hub_namespaces_diagnostics["mylogs"].azurerm_monitor_diagnostic_setting.diagnostics["mylogs"] has been changed
  ~ resource "azurerm_monitor_diagnostic_setting" "diagnostics" {
        id                 = "/subscriptions/2cf1acf7-2536-4dae-8893-867367e0e202/resourceGroups/xxo01-rg-mgmt/providers/Microsoft.EventHub/namespaces/xxo01-ehn-logs|operational_logs_and_metrics"
        name               = "operational_logs_and_metrics"
        # (2 unchanged attributes hidden)

      + log {
          + category = "ApplicationMetricsLogs"
          + enabled  = false

          + retention_policy {
              + days    = 0
              + enabled = false
            }
        }
      + log {
          + category = "RuntimeAuditLogs"
          + enabled  = false

          + retention_policy {
              + days    = 0
              + enabled = false
            }
        }

        # (8 unchanged blocks hidden)
    }
  # module.solution.module.keyvaults["secrets"].module.diagnostics.azurerm_monitor_diagnostic_setting.diagnostics["mylogs"] has been changed
  ~ resource "azurerm_monitor_diagnostic_setting" "diagnostics" {
        id                             = "/subscriptions/2cf1acf7-2536-4dae-8893-867367e0e202/resourceGroups/xxo01-rg-mgmt/providers/Microsoft.KeyVault/vaults/xxo01-kv-mgmtsecrets|eh_logs_and_metrics"
        name                           = "eh_logs_and_metrics"
        # (3 unchanged attributes hidden)

      + log {
          + category = "AzurePolicyEvaluationDetails"
          + enabled  = false

          + retention_policy {
              + days    = 0
              + enabled = false
            }
        }

        # (2 unchanged blocks hidden)
    }
  # module.solution.module.keyvaults["secrets"].module.diagnostics.azurerm_monitor_diagnostic_setting.diagnostics["mylogs"] has been changed
  ~ resource "azurerm_monitor_diagnostic_setting" "diagnostics" {
        id                         = "/subscriptions/2cf1acf7-2536-4dae-8893-867367e0e202/resourceGroups/xxo01-rg-mgmt/providers/Microsoft.KeyVault/vaults/xxo01-kv-mgmtsecrets|operational_logs_and_metrics"
        name                       = "operational_logs_and_metrics"
        # (2 unchanged attributes hidden)

      + log {
          + category = "AzurePolicyEvaluationDetails"
          + enabled  = false

          + retention_policy {
              + days    = 0
              + enabled = false
            }
        }

        # (2 unchanged blocks hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.solution.module.diagnostic_event_hub_namespaces_diagnostics["mylogs"].azurerm_monitor_diagnostic_setting.diagnostics["mylogs"] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "diagnostics" {
        id                 = "/subscriptions/2cf1acf7-2536-4dae-8893-867367e0e202/resourceGroups/xxo01-rg-mgmt/providers/Microsoft.EventHub/namespaces/xxo01-ehn-logs|operational_logs_and_metrics"
        name               = "operational_logs_and_metrics"
        # (2 unchanged attributes hidden)

      - log {
          - category = "ApplicationMetricsLogs" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0
10 replies
nusrath432
@nusrath432
@arnaudlh @LaurentLesle Dynamic Providers: How do we use CAF for managing multiple AAD / B2C using dynamic providers. I tried to use dynamic_providers.tf under caf_solution but I can only authenticate to one AAD or B2C at a time. The use case is: I got an AAD with 3 B2Cs and my TF State files for the stack (level0-level4) in a Storage Blob in the AAD. Hence, I am able to authenticate azurerm provider and azuread provider with only one AAD tenant but not with the B2Cs. Any advice or examples please. Thanks
3 replies
nusrath432
@nusrath432
@arnaudlh @LaurentLesle Upgrading: CAF module, Landingzone & Rover post deployment: Hi, do we have a guide on the upgrade path for the various CAF bells and whistles in general and in specfic upgrading terraform-azurerm-caf modules to the latest and its effects on existing configuration deployed.
Tony Skidmore
@tonyskidmore
We would like to use the Terraform Module for Cloud Adoption Framework Enterprise-scale and have been looking on whether we can use Rover and the launchpad and levels mechanisms as the basis for the deployment. In my organization we do not have write access to Azure Active Directory, we only have Owner level access to our Azure Enrolment level (where we can create Management Group hierarchies). With what I have seen so far Rover needs rights in AAD to create apps, groups etc. Is it still possible to use Rover as the deployment mechanism for CAF ES LZ based on these constraints?
2 replies
anasmohana
@anasmohana
Hi All after I have updated the rover to the last version start to get this error, any idea :)