Jamel Achahbar
@jamelachahbar
Hi all, I am trying to deploy the DevOps agent VMs to use in the pipelines, but the custom script extension fails each time:
│ with module.vm_extensions["level2"].azurerm_virtual_machine_extension.devops_selfhosted_agent["devops_selfhosted_agent"],
│ on extensions/devops_selfhosted_agent.tf line 2, in resource "azurerm_virtual_machine_extension" "devops_selfhosted_agent":
│ 2: resource "azurerm_virtual_machine_extension" "devops_selfhosted_agent" {
Has anyone had this issue before and sorted it out?
2 replies
Stefan
@stefangrafisec

After having the launchpad running (with only level0 and level1 for training purposes) I am trying to get my first landingzone on level1 up and running. Unfortunately Rover complains:

var.dynamic_keyvault_secrets
  Enter a value: 

var.keyvaults
  Enter a value: 

var.launchpad_key_names
  Enter a value: 

var.resource_groups
  Enter a value: 

var.storage_accounts
  Enter a value:

In the landingzone configuration there is only a landingzone.tfvar file with the following content:

```hcl
landingzone = {
  backend_type        = "azurerm"
  global_settings_key = "launchpad"
  level               = "level1"
  key                 = "networking_HUB"
  tfstates = {
    launchpad = {
      level   = "lower"
      tfstate = "caf_landingzones.tfstate"
    }
  }
}
```

I am running rover with the following command:
rover -lz /tf/caf/caf_landingzones/ -var-folder /tf/caf/caf_landingzones/Level1/Networking_HUB -tfstate Networking_HUB.tfstate -level level1 -a plan

I can't find the reason why rover is asking for those variables.

12 replies
Henry Dobson
@henrydobson

It's a 3-issues kind of day...
If UPN1 deploys the launchpad with n subscriptions, and then UPN2 tries to execute plan or apply for the launchpad, the following error is shown:

Error: reading Subscription Alias "subscription_alias_name": subscription.AliasClient#Get: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/subscription_alias_name"

Both UPN1 and UPN2 have the billing role assignment and I cannot find any (and I mean any) docs on subscription alias permission. Using az account alias list confirms that the subscription creator (UPN1) has access whilst UPN2 does not. Does anyone know about this issue?

1 reply
LV-2020
@stormtrooperdev
Hi. I am new to the terraform caf rover. Is this a tool that I have to use in caf terraform?
3 replies
LV-2020
@stormtrooperdev
Hello. How do you structure your landingzone folders that require staging and production environment configurations?
4 replies
florentvaldelievre
@florentvaldelievre
Hi, I am looking at the contoso-2109 branch as we are really interested in the templating feature. Is it at a working stage? I've tried to deploy templates/platform but I have a few files missing. @LaurentLesle ?
I also saw that this templating feature is available on AL-contoso branch. I am able to generate configuration files, but it feels like this branch is not maintained anymore.
9 replies
Paul Bourke
@brk3
Hi all, I've created a simple launchpad module which aims to serve as a learning tool / starting point for those looking to use their own Terraform modules instead of (or alongside) things like caf_solution. Hopefully it may be of help to someone: https://github.com/brk3/terraform-landingzone-template
Also the documentation serves to highlight my understanding of how each piece works, if I've got it wrong please let me know!
LV-2020
@stormtrooperdev
Thanks to @brk3 for answering.
Thanks also @nusrath432 !
Hi all. How can I defend CAF to my colleague who is saying that CAF is a Microsoft lab and it's not based on a real-world, scaling enterprise design architecture?
3 replies
nusrath432
@nusrath432
Terraform returned errors:
╷
│ Error: validating Template Deployment "g23d2gb1.com" (Resource Group "myrg"): requesting validating: resources.DeploymentsClient#Validate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidTemplateDeployment" Message="The template deployment 'e23d2gb1.com' is not valid according to the validation procedure. The tracking id is 'c85cc5fa-66ef-4f1c-a9f5-a094d2ae034f'. See inner errors for details." Details=[{"code":"ValidationForResourceFailed","details":[{"code":"INVALID_AGREEMENT_KEYS","message":"End-user must read and consent to all of the following legal agreements: DNRA DNPA"}],"message":"Validation failed for a resource. Check 'Error.Details[0]' for more information."}]
│ 
│   with module.solution.module.domain_name_registrations["domain_cdn"].azurerm_resource_group_template_deployment.domain,
│   on ../../terraform-azurerm-caf/modules/networking/domain_name_registrations/module.tf line 11, in resource "azurerm_resource_group_template_deployment" "domain":
│   11: resource "azurerm_resource_group_template_deployment" "domain" {
3 replies
Paul Bourke
@brk3

Is anyone successfully using the level0 service principal to run rover?

Certain lzs by default only configure access to keyvaults for this SP (which I'd expect), but Rover's --impersonate functionality seems broken (aztfmod/terraform-azurerm-caf#554, https://github.com/aztfmod/rover/pull/190)

7 replies
Roland
@schoenr79
@Nepomuceno , @arnaudlh any estimation when my PR on terraform-provider-azurecaf can be approved? => aztfmod/terraform-provider-azurecaf#125
6 replies
nusrath432
@nusrath432
Has anyone seen this error - it is intermittent
│ Error: Unsupported attribute
│ 
│   on ../../terraform-azurerm-caf/modules/networking/domain_name_registrations/output.tf line 8, in output "dns_domain_registration_id":
│    8:   value       = jsondecode(azurerm_resource_group_template_deployment.domain.output_content).id.value
│     ├────────────────
│     │ azurerm_resource_group_template_deployment.domain.output_content is "{}"
│ 
│ This object does not have an attribute named "id".
╵
@calling apply
running terraform apply
Terraform version 0.15 or greater
Terraform apply return code: 1
Terraform returned errors:
1 reply
Nik Sheridan
@niksheridan
Hi all, really basic question. I am really struggling to find the documentation on rover. I really want to do with rover what I would do via 'terraform show' or 'terraform state list'. Can anyone provide me with some pointers? Thanks in advance.
8 replies
Roland
@schoenr79
Hello community, is there any sample available, in the enterprise scale approach, of how to deploy a central Event Hub? Docs or READMEs would be OK, too.
3 replies
Henry Dobson
@henrydobson

I'm exploring the possibility of configuring certain aspects of B2C with CAF and experiencing the following error:

│ Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="SubscriptionNotFound" Message="The subscription '000000-0000-0000-0000-000000000000' could not be found."
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 30, in provider "azurerm":
│   30: provider "azurerm" {
│ 
╵

The subscription ID (000000-0000-0000-0000-000000000000) is actually the B2C tenant ID which I believe is one cause for the error. Has anyone had success using CAF and rover with B2C?

dimitrifc
@dimitrifc
Hi, can you please take a look at aztfmod/terraform-azurerm-caf#735 ? This is a blocking problem for us and should be an easy bug fix, changing one string try(azurerm_linux_virtual_machine_scale_set.vmss["windows"].id, null) } to try(azurerm_windows_virtual_machine_scale_set.vmss["windows"].id, null) }
1 reply
Kieran
@kiebre92
Hi all, I'm looking to deploy a site-to-site VPN connection with the CAF supermodule. Part of this deployment requires the local_network_gateways to have a Pre-Shared Key, which is a sensitive key. I don't want this in plain text within the tfvars file, so what options do I have for passing these in? Ideally I'd like to store the key in a key vault.
2 replies
Roland
@schoenr79

Good afternoon. I'm trying to create an azuread application with a service principal and an assigned built-in role, but the example (examples/azuread/100-azuread-application-with-sevice-principle-with-builtin-roles) still fails with the following error:

```
Error: Error in function call
on /home/vscode/.terraform.cache/Dev/rover_jobs/20211029113352728156040/modules/solution/azuread_service_principals.tf line 15, in module "azuread_service_principals":
15: application_id = coalesce(
16: try(each.value.azuread_application.application_id, ""),
17: try(local.combined_objects_azuread_applications[each.value.azuread_application.lz_key][each.value.azuread_application.key].application_id, ""),
18: try(local.combined_objects_azuread_applications[local.client_config.landingzone_key][each.value.azuread_application.key].application_id, "")
19: )
────────────────
each.value.azuread_application is object with 1 attribute "key"
each.value.azuread_application.key is "test_client"
local.client_config.landingzone_key is "management"
local.combined_objects_azuread_applications is object with 2 attributes

Call to function "coalesce" failed: no non-null, non-empty-string arguments.

Terraform plan return code: 1
Error on or near line 287: Error running terraform plan; exiting with status 1
```

I am using terraform caf solution v5.4.4.

It seems that the application id could not be obtained. Any hint on that would be welcome. Thanks.

41 replies
Paul Bourke
@brk3
I just noticed that some resources don't seem to be honoring the azurecaf_name separator argument (which should be '-' by default)... anyone else? E.g. my log analytics workspace is called pxmo-log-logs, but my storage accounts are being created as pxmostbootdiag (I'd expect pxmo-st-bootdiag).
4 replies
Paul Bourke
@brk3
Another basic question. I take it it's not possible to access keyvaults provisioned in l0 from l3?
3 replies
Soy Milk
@SoyMilkOR_twitter
Hi guys, I've recently been exploring CAF and the launchpad. I wanna ask a dumb question: suppose we want to create a resource that's not part of the current scenario in launchpad, how do we go about adding it? Can anybody point me to a sample / resource for it? Thanks!!
9 replies
Paul Bourke
@brk3
Having an issue deploying flux as the manifests aren't compliant with the memory/cpu constraint policy. Has anyone run across this?
Stefan
@stefangrafisec
Guys, I am trying to enable CI tasks in Azure DevOps and I am struggling with the Rover-Agent and the installed tflint tool in the AZDO Pipeline.
Does anyone have a working AZDO Pipeline definition running tflint successfully as an example?
8 replies
Roland
@schoenr79
Concerning the enterprise landing zone (eslz): could somebody explain the object subscription_id_overrides_by_keys in subscription_id_overrides.tfvars to me?
I know that if I put a subscription id in subscription_id_overrides it will move it to the dependent management group, but what is the other key for?
3 replies
Sean Hill
@evershade
Is there any development activity towards using the caf-terraform-landingzones module with a different backend, specifically Terraform Cloud? It seems to be pretty strongly joined to keeping state in a storage account via the launchpad azurerm backend.
2 replies
nusrath432
@nusrath432
Has anyone used a Service Principal for Rover authentication? If yes, can you provide the syntax or a reference to the docs, please? I'm seeing this error when using an SP:
Initializing the backend...
╷
│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│ 
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
│ auth method - instructions for which can be found here: https://www.terraform.io/docs/providers/azurerm/guides/service_principal_client_secret.html
│ 
│ Alternatively you can authenticate using the Azure CLI by using a User Account.
│ 
│
10 replies
jasonhornatcrowe
@jasonhornatcrowe

Does the aztfmod/terraform-azurerm-caf super module contain any coverage for CDN profiles / endpoints?

Sorry if this is blatantly obvious; I searched the repo and came up empty. I did get the static site stubbed, but want to add these resources as well. I can, of course, create these using the hashicorp/azurerm provider resources, but don't want to go outside of CAF if I can help it.

2 replies
Paul Bourke
@brk3
Is anyone using the CSI keyvault provider to provide TLS certs to the ingress controller for AKS?
5 replies
nusrath432
@nusrath432
Hi, where in the Azure Portal can I find the Diagnostic Definitions created? The underlying module used is "azurerm_monitor_diagnostic_setting", but I could not find them anywhere in the UI. Can anyone guide me on it, please?
8 replies
Henry Dobson
@henrydobson
Diagnostic definitions are not an Azure resource. It’s an entity used in CAF only that defines the configuration objects for diagnostic profiles.
3 replies
Paul Bourke
@brk3
Has anyone found a way to refer to local files from configuration? E.g. say a module wants to take a yaml file and apply kustomize on it, is there a way to give the module a path relative to the configuration via a var?
4 replies
nusrath432
@nusrath432
Can someone provide me an idiot's guide to generating regexes, with an example, for terraform-provider-azurecaf please:
https://github.com/aztfmod/terraform-provider-azurecaf/blob/master/resourceDefinition.json
5 replies
nusrath432
@nusrath432
CI/CD Pipeline Design: Has anyone implemented CAF using CI/CD pipelines successfully? Either a single stack (single tenant) or multistack (single tenant) or multistack (multi-tenant), using GitHub or GitLab or other CI tools. Could you share your experience please? Thanks.
  • How do we handle changes in lower layers and run the pipeline for all the impacted layers?
  • How do we handle multi-user mode and merge conflicts using CI/CD?
17 replies
tenletters10
@tenletters10

Hello. I am trying to use the module "resource_group_reused" to use an existing resource group vs the CAF module creating a new one for me, but running into some errors.

When I attempt to use it in my module I get the following error message:
```
Error: Unsupported argument

│ on main.tf line 37, in module "caf":
│ 37: resource_group_reused = {

│ An argument named "resource_group_reused" is not expected here.
```

In my code I am using it this way:

```hcl
resource_group_reused = {
  rg = {
    name = var.resource_group_name
  }
}
```

I can successfully run this code block, but it creates a new resource group which is unwanted in my scenario:

```hcl
resource_groups = {
  rg = {
    name = local.resource_group_suffix
  }
}
```

I found this resource_group_reused via this file: https://github.com/aztfmod/terraform-azurerm-caf/blob/master/resource_groups.tf

When I dig into the module it references, it shows it using a data block, which is desired, vs the resource_group module, which has a resource block.

What am I doing wrong?

I have looked through a ton of the example configurations in the GitHub repo, but all of them seem to show examples of creating a new resource group. I can't find any examples for reusing a resource group that already exists.

6 replies
alisha-dev
@alisha-dev
Hello Team,
I am trying to deploy caf for one of our workloads and I am facing the below issues.
  • I am unable to deploy vmss and application gateway in an existing vnet and subnet. All the examples are creating a new vnet every time.
  • Creating an automation account in level0 (does it mean that level0 is only meant to deploy the base landing zone setup and all the other resources should be deployed from level1 onwards?)
44 replies
alisha-dev
@alisha-dev
Hello Team,
Is there any sample available to deploy a non-WAF tier application gateway (standard)?
7 replies
nusrath432
@nusrath432
How can we make a block within a terraform resource definition conditional, either based on a single value defined in the tfvars or on a block defined in the tfvars? For example:

```hcl
resource "my_resource" "demo" {
  region = var.settings.region

  config {
    var1 = lookup(var.settings.config_in_tfvars, "var1", null)
    var2 = lookup(var.settings.config_in_tfvars, "var2", null)
  }
}
```
1 reply
nusrath432
@nusrath432
Has anyone managed to bootstrap CAF / level0 using a service principal? When I run the plan using UPN it works fine, but when I run the same with an SP (subscription owner), it throws "Building AzureAD Client" Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
20 replies
Soy Milk
@SoyMilkOR_twitter
Hi folks, anyone knows how to force-unlock a state file through rover?
4 replies
Sergi Asensio
@asensionacher
Hi all, is it possible to add suffixes to all resources, as we use the prefix?
7 replies
florentvaldelievre
@florentvaldelievre
Hi all, I was wondering if you had a timeline regarding the contoso-2109 branch, especially the ado_pipeline component template? (https://github.com/Azure/caf-terraform-landingzones-starter/tree/contoso-2109/templates)
nusrath432
@nusrath432
Does anyone (@arnaudlh) know the purpose of auditing.tf & threat_detection.tf within the postgresql_server module? Ref: https://github.com/aztfmod/terraform-azurerm-caf/blob/103887136309a41ad7772bd7bb433b445be8652e/modules/databases/postgresql_server/auditing.tf - it looks like it is just a data source for storage accounts but not really used anywhere. Did anyone use it or have an understanding, please?
11 replies
Paul Bourke
@brk3
Has anyone used a shared level across multiple environments? E.g. say I have a network hub deployed at level2, and would like to reference that in both -env team1 and -env team2. Is this possible?
19 replies
Ryan Bartram
@rdbartram
FYI, a friend and I are working on rovergo tonight... we're going to try to push that project forward and will stream about CAF and how we use it in future streams. If you're interested and can maybe help us, then drop by https://www.twitch.tv/worxspace
5 replies