Ibrahima MBODJI
@ibnmbodji
Hi, can anyone show an implementation of an external module? I've seen CAF solutions but fail to deploy from an external module.
A. Gaur
@nitkkraman_twitter
Hi, I am planning to deploy an Azure landing zone in our organization, with launchpad + foundations + shared services. Is it possible to deploy all 3 in one account, i.e. can we deploy 1 launchpad and then move forward to foundations, or are they all separate entities?
Ibrahima MBODJI
@ibnmbodji
Hi guys, are you working on Windows Virtual Desktop in Landing Zones? How can we call external modules? I'm calling a module which is not available in CAF but got errors.
vishnu-vashist
@vishnu-vashist
Hi guys, somehow I am not able to work with Rover; it fails with the problem "ContainerUser not allowed" and I don't get the rover prompts as shown above.
Can someone help?
vishnu-vashist
@vishnu-vashist
Hi team, has anyone come across something like this? All was working fine and suddenly it starts showing this error in the count argument.
Aaron Saikovski
@AaronSaikovski
Hi all. Are there any examples available for using PowerShell DSC for custom powershell scripts?
Tanner Watson
@tannerwatson
Question, and forgive me if I've missed this in the documentation, but what's the intended scope of an "environment" regarding CAF? Is it separation down to the vnet/subnet?
I'm currently implementing the caf landing zones we have 1 tenant with 2 subscriptions (prod/nonprod). The nonprod subscription contains 8 "environments" all sharing the same vnet/subnets. The prod subscription has 4 "environments" including staging, again all sharing the same vnet/subnets.
In this type of "brownfield" scenario, would we want to deploy level0/foundation to every one of what we call environments? Or would it be safe to say that level0 would be deployed once per tenant or subscription in this scenario?
Alex Bevan
@AlexBevan
Hey gang, having a hard time wrapping my head around how the state is used across the LZs. I have an AD group that I create at a lower LZ (lz1) that I want to use in the keyvault_access_policies in LZ3. LZ3 can see it via the state, but I'm not sure what to put for azuread_group_key, and the logic in the TF is hurting my head! Has anyone tried to do this or similar? Error msg above.
var.azuread_groups is an object with 3 attributes. The three attributes look to be the top level, not the nested maps, i.e. launchpad, shared_services rather than shared_services['lz_admins'].
Alex Bevan
@AlexBevan
Found the badger that I needed, you can ignore me now.
Josh
@jshchn

Hi friends, I've been having trouble trying to deploy the launchpad via this command from this walkthrough: https://github.com/Azure/caf-terraform-landingzones-starter/blob/starter/configuration/sandpit/pipelines/README-pipelines.md

environment=sandpit
rover -lz /tf/caf/public/landingzones/caf_launchpad \
-var-folder /tf/caf/configuration/${environment}/level0/launchpad \
-parallelism 30 \
-level level0 \
-env ${environment} \
-launchpad \
-a [plan|apply|destroy]

I've tried using the master branch instead of 2101.0.0 and also downgraded AzureRM to 5.1.0 from 5.2.0, but still the same issue as in the screenshot above. @arnaudlh do you know what I'm missing here?

Josh
@jshchn
Synced with Arnaud offline; for the above issue, upgrading to 5.2.1 fixed it for me.
keenz
@kindlychung
Could anyone explain what var.dynamic_keyvault_secrets and var.keyvaults mean? Every time I try to plan something with rover I get prompted to enter these values.
Thanks.
Ben
@benhurjoel

@benhurjoel To support proof-of-concept with a client, I put together a good portion of the Contoso landing zone using the CAF Terraform stack. It looks like you are working on something similar: Azure/caf-terraform-landingzones-starter#21
I created my own fork of caf-terraform-landingzones-starter. I'd like to collaborate with you and contribute what I've done. Is there a branch in the caf-terraform-landingzones-starter project that I can submit a PR to?

Hi @jleonelion, thank you! Sure, please submit a PR with your branch. We'll work together and take it forward.

abhilash-keloth
@abhilash-keloth

Hi all. Are there any examples available for using PowerShell DSC for custom powershell scripts?

Hi, we do have extensions as part of the current module, but I doubt there is any custom extension available. If you would like to add one, please create an issue. You can also refer to the existing extension module here: https://github.com/aztfmod/terraform-azurerm-caf/tree/master/modules/compute/virtual_machine_extensions

Sascha Gottfried
@saschagottfried

I am following "get started with your laptop" using VSCode 1.54.3 with latest version of extension "Visual Studio Code Remote - Containers", Docker 20.10 and WSL2. I am stuck here (https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/getting_started/getting_started.md#open-the-repository-in-visual-studio-code) since I have no 'rover' command available.

I have seen "fatal: cannot chdir to 'C:/Users/gottfried/source/repos/caf-terraform-landingzones': No such file or directory"
How do I fix this?
Sascha Gottfried
@saschagottfried
Got it. Somehow a line in .bashrc got mixed up: a trailing double quote was missing. Fixed that, and the shell had the missing aliases after creating a new terminal in the container runtime. How could that happen? I did not change anything before, just closed the repo, built the container and repeated several times. Any ideas?
Sascha Gottfried
@saschagottfried
From a beginner's perspective I would say that coverage of how to change the default location from "south east asia" to a custom location like "West Europe" could be improved. I changed variables.tf in "Launchpad" but with no effect. Can someone provide guidance please?
Sascha Gottfried
@saschagottfried
Found it here, of course in a *.tfvars file.
ozduy
@ozduy
Hi
jleonelion
@jleonelion
Hello all, I have a question about the level based design pattern. I'd like to apply policy initiative to enable Azure Monitor on all VMs. To do this, I need to specify the log analytics workspace that the VMs will dump their logs into. The level based design pattern has policy assignment at level1 and core services (such as log monitoring) at level2. I noticed the launchpad scenario 200 deploys a log analytics workspace (level0) - which seems to contradict the design pattern. Am I misunderstanding the level based design pattern, or does it break-down in this situation? In other words, what is the recommended approach (in terms of which items reside at which levels) if I want to create policies to enforce resources are logging to a central log analytics workspace?
sayedn
@sayedn
Hi @LaurentLesle. When trying to destroy a virtual WAN that was created with caf_networking, my terraform has gone out of sync and I get the following error. The hub has been deleted in a previous attempt, but most likely it could not report back to the pipeline so the tfstate gets updated properly. Can you please advise what can be done in such a situation when the tfstate gets out of sync?
module.networking.module.virtual_wans["vwan_re1"].azurerm_virtual_wan.vwan: Destroying... [id=/subscriptions/29668afe-fc13-4205-83cf-0b79d44c16f0/resourceGroups/TRSU-rg-vnet-hub-re1/providers/Microsoft.Network/virtualWans/TRSU-vwan-SanofiWAN-re1]
module.networking.module.virtual_wans["vwan_re1"].module.hubs["hub_re1"].azurerm_virtual_hub.vwan_hub: Destroying... [id=/subscriptions/29668afe-fc13-4205-83cf-0b79d44c16f0/resourceGroups/TRSU-rg-vnet-hub-re1/providers/Microsoft.Network/virtualHubs/TRSU-vhub-hub-re1]
module.networking.module.virtual_wans["vwan_re1"].azurerm_virtual_wan.vwan: Destruction complete after 1s

Error: Error deleting Virtual Hub "TRSU-vhub-hub-re1" (Resource Group "TRSU-rg-vnet-hub-re1"): network.VirtualHubsClient#Delete: Failure sending request: StatusCode=0 -- Original Error: Code="ResourceGroupNotFound" Message="Resource group 'TRSU-rg-vnet-hub-re1' could not be found."


Error on or near line 278; exiting with status 1

@calling clean_up_variables
cleanup variables
clean_up backend_files
Error: Process completed with exit code 1.
Marcel B
@Plork

Hey all, I am starting to play around with the CAF mainly to compare it to our own custom coded landingzones. So keep in mind my terraform knowledge is beginning to form ;)

I have a question at the moment about tags. I see there is a tag variable in the launchpad, which gets merged with landing zone tags and even enriched with resource group tags.

For the launchpad this works fine and I see the resource groups with tags in the portal.

However I am now deploying management. I don't have specific tags configured at the moment but my "view" on this would be that it would grab the "global" tags from the tfstate then merge this with resource group specific keys.

I see this in the caf_solution

tags = merge(try(local.global_settings.tags, {}), local.landingzone_tag, { "level" = var.landingzone.level }, try({ "environment" = local.global_settings.environment }, {}), { "rover_version" = var.rover_version }, var.tags)

So it looks like it only grabs the defaults from the module and overwrites them from vars?

So is my view on this incorrect? I don't feel like specifying global tags everywhere since this is quite error prone.

The resource groups created by mgmt, however, don't have any tags at all. I would at least suspect environment and rover_version etc.

Marcel B
@Plork

So the tags work like I think they do ... but for the other resources that are created they do.

However, the resource groups have an empty hash as tags.

"global_settings": {
  "default_region": "region1",
  "environment": "sitesmith",
  "inherit_tags": true,
  "passthrough": false,
  "prefix": "sism",
  "prefix_with_hyphen": "sism",
  "prefixes": [ "sism" ],
  "random_length": null,
  "regions": { "region1": "westeurope", "region2": "northeurope" },
  "tags": { "BusinessUnit": "SHARED", "DR": "NON-DR-ENABLED", "costCenter": "0", "deploymentType": "Terraform", "owner": "CCOE" },
  "use_slug": true
},
"resource_groups": {
  "sitesmith_mgmt": { "id": "/subscriptions/<guid>/resourceGroups/sism-rg-management", "location": "westeurope", "name": "sism-rg-management", "rbac_id": "/subscriptions/<guid>/resourceGroups/sism-rg-management", "tags": {} },
  "sitesmith_secrets": { "id": "/subscriptions/<guid>/resourceGroups/sism-rg-secrets", "location": "westeurope", "name": "sism-rg-secrets", "rbac_id": "/subscriptions/<guid>/resourceGroups/sism-rg-secrets", "tags": {} },

Marcel B
@Plork

/tf/caf/landingzones/caf_solution/landingzone.tf

tags = var.tags local.tags

sayedn
@sayedn
We are creating Virtual WANs with S2S VPN configuration using the caf_networking (level2) landingzone. That takes a while in Azure and Terraform times out. I'm wondering how the timeout can be set on the resources created by CAF modules. With some providers, the timeouts inline block can be set (as shown below). Is there any way we can increase the timeout at resource creation for CAF modules?
resource "aws_db_instance" "example" {
  # ...

  timeouts {
    create = "60m"
    delete = "2h"
  }
}
Ben
@benhurjoel
@sayedn The timeouts block can be set for CAF modules in exactly the same way you have mentioned above. In fact, I see that a timeout has been set on the 'S2S gateway' resource already. To increase/change it, please do it here: \modules\networking\virtual_wan\virtual_hub\site_to_site_gateway.tf
sayedn
@sayedn
Thank you @benhurjoel for your prompt response. I'll be working on it and will get back to you.
wwtche
@wwtche

Hi everyone, please can someone help me with the storage account network configuration?

I don't think this example actually works:
https://github.com/aztfmod/terraform-azurerm-caf/blob/8877356803839625a3091ed2b8ddccecc66ad2b3/modules/storage_account/examples/102-storage_with_vnet.tfvars#L18

reason being the storage_account caf module doesn't have a key called 'network_rules' defined:
https://github.com/aztfmod/terraform-azurerm-caf/blob/8877356803839625a3091ed2b8ddccecc66ad2b3/modules/storage_account/storage_account.tf#L138

tenderitaf
@tenderitaf
Hi, I wanted to start using the landing zones concepts and wanted to run the networking scenario, but the doc is completely confusing and has changed a lot lately. Could you guys please guide me?
tenderitaf
@tenderitaf
I want to deploy and peer the vnet to a hub that exists in another sub. How can I achieve that?
sayedn
@sayedn

@tenderitaf, one way you may be able to peer with a network in another subscription is by using its remote state. In most of the landing zone scenarios you can find how the hub has peered with the launchpad:

hub_rg1-TO-launchpad_devops = {
  name = "hub_rg1-TO-devops_region1"
  from = {
    vnet_key = "hub_rg1"
  }
  to = {
    tfstate_key = "foundations"
    lz_key      = "launchpad"
    output_key  = "vnets"
    vnet_key    = "devops_region1"
  }
  allow_virtual_network_access = true
  allow_forwarded_traffic      = false
  allow_gateway_transit        = false
  use_remote_gateways          = false
}

As shown above, the VNET in the launchpad is peered with the hub in a different subscription. The "to" in the above example is pointing to the terraform state in the launchpad subscription.

tenderitaf
@tenderitaf
@sayedn could you please give the link where you have that code snippet? Also, how will terraform have access to the storage account in the other sub (we don't pass the sub id)?
sayedn
@sayedn
@tenderitaf you can find a similar concept in this link: https://github.com/Azure/caf-terraform-landingzones/blob/master/caf_solution/scenario/networking/201-multi-region-hub/configuration.tfvars.
sayedn
@sayedn
@LaurentLesle and @arnaudlh, in our implementation of the landing zone we have to use GitHub Self-Hosted Runners in the launchpad due to security and governance restrictions. We're looking at creating a rover environment in an Azure VM instead of a docker container, due to the fact that we cannot use managed identities to grant rover access to configure the Landing Zone subscriptions. The other option we may be investigating is to use ACI (Azure Container Instances) in the Launchpad, as it supports Managed Identities. Do you have any advice/recommendations or gotchas? Your input is much appreciated.
tenderitaf
@tenderitaf
@sayedn thanks for your answer. Could you please help me to understand how terraform will access a state file in other subs?
sayedn
@sayedn
@tenderitaf if you are using Rover (which I highly recommend too, based on my few days of experience), then there's a switch on the rover where you can specify which subscription the state is in. Please see below as an example:
 /tf/rover/rover.sh -lz  ${<your lz folder> }/caf_networking/ -a apply \
            -tfstate $(basename ${{config_files }}).tfstate \
            -tfstate_subscription_id ${{ sub_id }} \
...