bernardmaltais
@bernardmaltais
But I hope you can get to a point where you minimize those highly impactful changes such that upgrades from release to release can be easily done... otherwise this will be like upgrading Openstack from one release to the next... not pretty and sometimes impossible.
I noticed the new rover -a flag before the "apply, destroy, plan" terraform commands. Will rover support other terraform commands in the future?
bernardmaltais
@bernardmaltais
So, I guess to upgrade from 2006 to vnext the proper approach is to back up the L1 and other L+ state files from the 2006 storage, destroy the old launchpad, deploy the new launchpad using the new release and restore the statefiles where they belong, manually creating the storage account container structure.
After that things should be good.
bernardmaltais
@bernardmaltais
I also noticed the new vnext appears to create a vnet as part of the launchpad. Is this something that is optional and can be deployed only when needed, or something that is always required?
And one last suggestion. When running rover manually it would be nice if doing an apply would prompt the user for approval to proceed rather than apply unconditionally. Essentially like it does for destroy. CI/CD should auto-apply but manually running rover should not. It provides a last chance to catch issues and avoid disaster ;-)
bernardmaltais
@bernardmaltais
@arnaudlh Tested vnext13 and all went well. I noticed vnext13 does not create the network RG like vnext did.
bernardmaltais
@bernardmaltais
Trying to deploy my L1_blueprint results in this error... This might be related to the fact that my L1_blueprint is using terraform 12 syntax with a modified main.tf to implement the terraform 13 backend structure...

Backend reinitialization required. Please run "terraform init".
Reason: Unsetting the previously set backend "azurerm"

The "backend" is the interface that Terraform uses to store state,
perform operations, etc. If this message is showing up, it means that the
Terraform configuration you're using is using a custom configuration for
the Terraform backend.

Changes to backend configurations require reinitialization. This allows
Terraform to setup the new configuration, copy existing state, etc. This is
only done during "terraform init". Please run that command now then try again.

If the change reason above is incorrect, please verify your configuration
hasn't changed and try again. At this point, no changes to your existing
configuration or state have been made.

Terraform plan return code: 0
Terraform returned errors:

Error: Initialization required. Please see the error message above.

Error on or near line 509: Error running terraform plan; exiting with status 2000

bernardmaltais
@bernardmaltais
Performing a terraform 0.13upgrade on my code and manually fixing the aztfmod/azurecaf provider appeared to have done the trick ;-)
bernardmaltais
@bernardmaltais
@arnaudlh I hope everything is fine with the project. I noticed no activity since Aug 3rd. Are rover and the landingzone still alive and well? I think it is a great project and hope it will keep evolving.
Arnaud Lheureux
@arnaudlh
hi @bernardmaltais everything is fine with the project, we have been taking some time off, but have a look at vnext13 branch, you should see a lot of goodies coming up :)
bernardmaltais
@bernardmaltais
@arnaudlh Nice. I have already converted my landingzones to 0.13 and used the vnext13 launchpad code as the launchpad source.
Will be interesting to see things evolve now that 0.13 is GA.
bernardmaltais
@bernardmaltais
I am also starting to wonder if those landingzone blueprints should not be implemented as separate independent terraform modules to simplify updates across multiple deployments. Right now every time there is a new version I need to go in each deployment and update the code and weave things back together. If it was a separate module I would just need to change the version of the module I want to deploy...
Essentially the landingzone folders would just be a stub used to call the desired landingzone module in a separate repo.
Peter Joseph
@cloudynetwork
@bernardmaltais A new version of the blueprints or a new version of terraform? Or both maybe?
bernardmaltais
@bernardmaltais
@cloudynetwork A new version of a landingzone like launchpad for example.
Essentially treat a landingzone blueprint like a terraform module
Each landingzone could then evolve separately from the project that calls them for deployment. I know, there are pros and cons to both. I, myself, sometimes like to have local code that I can easily modify vs needing to update another repo to make a change... so I am not 100% convinced which way is best.
bernardmaltais
@bernardmaltais
Well... maybe my use case is different from what you intended this project to be... What I am building is a template we can use to quickly create a secure Azure space for a project that will meet the Canadian Government Protected B Medium Medium security level: https://github.com/ssc-spc-cloud-nuage/eslz-template
So we essentially use the repo as a template for each project. The thing is... with landingzone blueprint code in each, it becomes tedious to maintain over time as it quickly multiplies. If each landingzone was a separate repo and called as a module then upgrading would be as easy as changing the module version and running rover apply again... if the update is non-destructive to the old one, obviously... And that is hard to accomplish... as decisions of the past quickly come back to haunt you with terraform.
bernardmaltais
@bernardmaltais
I did a test and converted the launchpad to a module and updated the deployment to call it instead of deploying from local code. Worked just fine. Only thing I had to do was to modify the output of the calling landingzone code to adapt to use the returned outputs from module.
Peter Joseph
@cloudynetwork
Great information @bernardmaltais, traditionally the modules/non-modules conversation comes up a lot around Terraform; unfortunately there doesn't seem to be a universally successful approach for what/when to split into modules. It's something that needs some thought for sure.
dnyfrs
@dnyfrs
Hello everyone. Is there any module that provisions zonal networks?
Thanks in advance.
Philipp Paland
@therealppa

Hi channel! I'm trying to bring up the caf_foundations landing zone in our Azure subscription. The launchpad / level 0 stuff was created successfully but now I'm stuck on

module.blueprint_foundations_security.module.security_center.azurerm_security_center_workspace.sc[0]: Still creating... [57m7s elapsed]

After 60m this times out. I already tried to apply again and got an error about some existing resources. I deleted those using az but now I get the timeout again. A complete destroy / apply did not work either. Any idea what else I can try?

1 reply
module.blueprint_foundations_security.module.security_center.azurerm_security_center_workspace.sc[0]: Still creating... [59m57s elapsed]
Terraform apply return code: 0
Terraform returned errors:

Error: Error creating Security Center Contact: security.ContactsClient#Create: Failure responding to request: StatusCode=201 -- Original Error: autorest/azure: Service returned an error. Status=201 Code="Unknown" Message="Unknown service error" Details=[{"etag":"\"4900210e-0000-0d00-0000-5f48c27c0000\"","id":"/subscriptions/c5c99cf6-3659-457c-9e69-d3f24948136c/providers/Microsoft.Security/securityContact/default1","location":"West Europe","name":"default1","properties":{"alertNotifications":"On","alertsToAdmins":"On","email":"team-pangaea@foryouandyourcustomers.com","phone":"9293829328"},"type":"Microsoft.Security/securityContact"}]

  on /home/vscode/.terraform.cache/modules/blueprint_foundations_security.security_center/terraform-azurerm-caf-security-center-1.0/module.tf line 1, in resource "azurerm_security_center_contact" "contact":
   1: resource "azurerm_security_center_contact" "contact" {



Error: Error waiting: timeout while waiting for state to become 'Populated' (last state: 'Waiting', timeout: 1h0m0s)

  on /home/vscode/.terraform.cache/modules/blueprint_foundations_security.security_center/terraform-azurerm-caf-security-center-1.0/module.tf line 15, in resource "azurerm_security_center_workspace" "sc":
  15: resource "azurerm_security_center_workspace" "sc" {


Error on or near line 533: Error running terraform apply; exiting with status 2001
bernardmaltais
@bernardmaltais
@therealppa Hello Philipp. Welcome! This issue is recent. Microsoft removed the phone number support for contact but I think the provider still tries to set it up and as a result times out. I personally commented out that section of the code on my deployment... but if you use the provided landingzone then this is in a module and there is not much you can do about it ;-( But the problem is in the contact resource. The section to comment out is in this file inside the module: https://github.com/aztfmod/terraform-azurerm-caf-security-center/blob/master/module.tf
1 reply
But frankly the security center has been a thorn in my side. Since I removed that 1st resource in the module I have not had an issue since.
Sunny Nazar
@sunnynazar
I have just started to look around the landing zone. I have a use case: I want to use the level-2 landing zone, basically network and shared components. But I do not want to create launchpad-level0 and level-1. Is it currently possible to do it like that?
2 replies
bernardmaltais
@bernardmaltais
@arnaudlh Saw the new release. From what I can tell the launchpad has not significantly changed, nor rover. So from what I can tell, beside the networking defaults, nothing destructive should happen if one does a rover apply on top of the previous launchpad deployment.
1 reply
Sunny Nazar
@sunnynazar
@arnaudlh - I want to automate the execution of the landing zones in Azure DevOps. I have a few questions - for launchpad the tfstate at the end of the execution gets uploaded to the container if it was a successful tf apply. When we run in pipelines, if launchpad execution was not successful, how do we manage the state - it will not be uploaded to remote state. When we run locally it persists on our system. Second - https://github.com/Azure/caf-terraform-landingzones/blob/master/documentation/delivery/intro_ci_ado.md - is this documentation still valid with the latest rover image?
bernardmaltais
@bernardmaltais
@sunnynazar @arnaudlh This has been a frustration of mine also. To the point where I think managing deployment via CI/CD is just not reliable enough for production use. I have run into many deployments where a resource will not deploy as expected or, worse, where one does not destroy as expected. Azure + Terraform does not always result in a perfect deployment... Hence manually deploying and manually fixing those types of issues by either redeploying or manually removing resources from the state file is necessary.
Sometimes a VM will have been stopped by a user and trying to run a plan against it will result in failure to apply. One then needs to manually start the VM, fix any state file issue that might have arisen from the failure and then hope another apply will work... which often is not the case and will require code adjustments.
This is mostly true for day 2 operations. Usually deploying a new infra using the LZ will work... but once you start making changes and maintaining it with rover afterwards, things go sideways quickly.
3 replies
Sunny Nazar
@sunnynazar
@arnaudlh - Could you please have a look at the query post by me above on sep 24 ? It would help me to proceed ahead with my next steps.
Sunny Nazar
@sunnynazar

@all - I am facing an issue while trying to create the container for tfstate in launchpad; I am getting the below error. So, basically it's unable to create the container - but I do not understand why - I have all the permissions. It worked previously in my other subscription where I had the Owner permission. I just switched to a new subscription; I have the Account Admin role in this new subscription. Does anyone have an idea what's going wrong here, or has someone faced a similar issue?
Error: Error checking for existence of existing Container "level0" (Account "stlevel0devdrensdsns7gqk" / Resource Group "rg-launchpad-tfstates-kzn"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthenticationFailed" Message="Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:5961f21b-801e-0008-11ae-957a33000000\nTime:2020-09-28T15:49:44.6442938Z"

on storage.tf line 33, in resource "azurerm_storage_container" "launchpad":
33: resource "azurerm_storage_container" "launchpad" {

Error on or near line 533: Error running terraform apply; exiting with status 2001

Brock Davis
@brockneedscoffee
going up to 0.4.0 we are getting tenant_id and current_landingzone_key errors
5 replies
wblanchard-concurrency
@wblanchard-concurrency
Greetings, CAF noob here. I ran through the tutorial and was able to get CAF deployed to my MSDN subscription using Rover without an issue but I'm now working on integration with Drone. I've tried the latest container from docker hub (2010.3011) as well as a previous version (2009.0210). I wasn't able to get 2010.3011 to deploy within Docker Desktop but I was able to get 2009.0210 to deploy but it looks like the aztfmod/rover containers are different from aztfmod/roverdev. It appears that I'm unable to get the aztfmod/rover container to clone the CAF repos. "cat: /tf/caf/.devcontainer/docker-compose.yml: No such file or directory
The version of your local devcontainer aztfmod/rover:2010.3011 does not match the required version .
Click on the Dev Container buttom on the left bottom corner and select rebuild container from the options.
  • rover -lz /tf/caf/landingzones/launchpad --clone-launchpad --environment test -a apply -launchpad -var 'location=westus'"
2 replies
On another note, the "rover" alias isn't set up in the aztfmod/rover container so I had to add that.
Kieran
@kiebre92

Hi guys, I am having a play around with the new caf-landingzones-starter. I've already got level 0-2 deployed from some testing earlier in the week, so I've copied the level 3 networking/spoke folder and in the first instance I'm just trying to create a spoke vnet, nothing else. I'm getting the following error:
Error: Unable to find remote state

on locals.remote_tfstates.tf line 16, in data "terraform_remote_state" "remote":
16: data "terraform_remote_state" "remote" {

No stored state was found for the given workspace in the given backend.

Error on or near line 446: Error running terraform plan; exiting with status 2000

The command I'm using to run is:
rover -lz /tf/caf/landingzones/caf_networking \
-tfstate networking_spoke_websqlapp.tfstate \
-var-folder /tf/caf/landingzones/landingzone_webSQLApp/networking/spoke \
-level level3 \
-a plan

It's not exactly the same as in the example; as mentioned, I've moved the folder into my existing project, so it could be something to do with that, as I'd like to avoid recreating it. Am I missing anything obvious?

1 reply
Simon Brady
@simonbrady
Hi, first off it's great to see the October release frozen! I feel like I'm fundamentally misunderstanding something here, but I'm struggling to work out how to deploy a multi-subscription hub and spoke network: my plan was to deploy the launchpad, foundations and shared services resources in a single hub subscription, then for networking peer my vnets between the hub and the spoke subscriptions. However, I can't find any examples of specifying a target subscription for one end of the peering, or cross-subscription resource creation in general. Is the intent that each spoke subscription needs its own minimal level 0-2, along with a dedicated pipeline for that subscription? That's fine if so, although in my case it places too much plumbing in the spokes so maybe I just need to code my own spoke networking outside the CAF modules? Thanks for any advice!
1 reply
Paul Bourke
@brk3
Just getting started with the October release. Terraform is asking for a value for var.dynamic_keyvault_secrets ... Have I missed something or what kind of value should I be providing here?
3 replies
Kieran
@kiebre92

Hey, I'm trying to deploy an example application in levels 3/4, imaginatively named websqlapp, which will consist of a new network spoke, web app, sql server + sql db. I've been using the caf-terraform-landingzones-starter and what I'm struggling to grasp is how to deploy something not included in the standard caf example. For example, there's the AKS example which consists of tfvars with code block headings like "aks_clusters = {<code here>}" and "azure_container_registries = {<code here>}". I can't see where these modules are called in, only the tfvars with the configuration of them.
How do I declare/call the azurerm_sql_server module? Do I need to write/import a module, or can I just declare something like sql_servers = {code here} similar to the way aks is written? If so, how do I know what code block heading to use to call the correct module?

Apologies in advance, I'm new to all this!

7 replies
wwtche
@wwtche
Hello, thanks for giving us the Terraform CAF LZ. I'm currently stuck at this step: https://github.com/Azure/caf-terraform-landingzones/tree/master/landingzones/caf_launchpad/add-ons/azure_devops_agent#deploy-the-azure-devops-agent-for-level1.
Level0 devops agents deployed fine but I'm getting the following error for level1:
@calling plan
running terraform plan with -var-file /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-mydemo/level1/configuration.tfvars -var-file /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-mydemo/level1/keyvaults.tfvars -var-file /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-mydemo/level1/storage_accounts.tfvars -var-file /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-mydemo/level1/virtual_machines.tfvars -parallelism 30
 -TF_VAR_workspace: tfstate
 -state: /home/vscode/.terraform.cache/tfstates/level1/tfstate/azdo-agent-level1.tfstate
 -plan:  /home/vscode/.terraform.cache/tfstates/level1/tfstate/azdo-agent-level1.tfplan
/tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent
Acquiring state lock. This may take a few moments...
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.terraform_remote_state.remote["azdo-agent-level0"]: Refreshing state...
data.terraform_remote_state.remote["azdo-mydemo"]: Refreshing state...
data.terraform_remote_state.remote["launchpad"]: Refreshing state...
data.azurerm_client_config.current: Refreshing state...
module.caf.data.azurerm_client_config.current: Refreshing state...
module.caf.data.azurerm_subscription.primary: Refreshing state...
Releasing state lock. This may take a few moments...
Terraform plan return code: 0
Terraform returned errors:

Error: Unsupported attribute

  on /home/vscode/.terraform.cache/modules/caf/modules/compute/virtual_machine/managed_identities.tf line 14, in locals:
  14:       for managed_identity_key in value.managed_identity_keys : [

This value does not have any attributes.


Error: Unsupported attribute

  on /home/vscode/.terraform.cache/modules/caf/modules/compute/virtual_machine/managed_identities.tf line 14, in locals:
  14:       for managed_identity_key in value.managed_identity_keys : [

This value does not have any attributes.

Error on or near line 446: Error running terraform plan; exiting with status 2000
1 reply
Adam Clark
@madakralc
Hello World! Super excited to get to try all of this awesome TF-code for CAF. I might be late to the party but just found all these goodies today, better late than never :)
1 reply
Patrick Seidler
@ps23
Question for @arnaudlh. Are you able to give some instructions on a setup that works for teams that do not have sufficient access rights on Azure to apply the roles generally needed to set this all up (at least if going by the examples)? What is done here on top of Graph is something that only our IT department can actually do, and I do not want to go back to them every time. Maybe we can have a chat, my company is MS Gold Partner too.
2 replies
ljwfox
@ljwfox

Hi all. Loving the CAF TF stuff. Really loving the layered approach and segregation. Quick question in relation to Rover and ADO pipelines if that is possible? I'm attempting to deploy via an ADO pipeline with the Rover container being pulled down and initialised as per the example in the documentation. I had this working fine on a Linux self-hosted agent however I'm hitting a snag on a Windows one. When I run the pipeline it fails to start the container with an error at the Docker start & create stage:

C:\ProgramData\DockerDesktop\version-bin\docker.EXE create --name rover_ROVER_IMAGE_d90940 --label c00844 --network vsts_network_7b6a231ca9704c558f051ef319f447de --user 0:0 -e TF_PLUGIN_CACHE_DIR="/home/vscode/tf-plugin-cache" -e TF_DATA_DIR="/home/vscode" -v "/1":"/1" -v "D:\_temp":"/_temp" -v "D:\_tasks":"/_tasks" -v "D:\_tool":"/t" -v "C:\Agent\myagent\externals":"/a/externals":ro -v "D:\.taskkey":"/.taskkey" aztfmod/rover:2010.3011 "node" -e "setInterval(function(){}, 24 * 60 * 60 * 1000);"
17a17f47bbb7f649831ac7bb48109ba2ee2dc64869fedecde824aa5cdb39347e
C:\ProgramData\DockerDesktop\version-bin\docker.EXE start 17a17f47bbb7f649831ac7bb48109ba2ee2dc64869fedecde824aa5cdb39347e
Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"node\": executable file not found in $PATH": unknown
Error: failed to start containers: 17a17f47bbb7f649831ac7bb48109ba2ee2dc64869fedecde824aa5cdb39347e

[error]Docker start fail with exit code 1

Finishing: Initialize containers

The error seems to relate to node.js not being part of the container, and indeed the "node" -e "setInterval(function(){}, 24 * 60 * 60 * 1000);" bit works if I install node.js into the container post-init. Am I missing something obvious here?

Thanks in advance!