Merge pull request #105 from Azure/integration

December 2020 Update

.devcontainer/devcontainer.json

@@ -6,6 +6,7 @@
 
     // Container user to use in VSCode Online and GitHub Codespaces
     "containerUser" : "vscode",
+    "remoteUser" : "vscode",
 
     // The 'service' property is the name of the service for the container that VS Code should
     // use. Update this value and .devcontainer/docker-compose.yml to the real service name.

.devcontainer/docker-compose.yml

@@ -6,7 +6,7 @@
   version: '3.7'
   services:
     rover:
-      image: aztfmod/rover:2010.2808
+      image: aztfmod/rover:2012.1109
       user: vscode
 
       labels:

.github/workflows/landingzones.yml

@@ -41,7 +41,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:2010.2808
+      image: aztfmod/rover:2012.1109
       options: --user 0
 
     steps:
@@ -90,7 +90,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:2010.2808
+      image: aztfmod/rover:2012.1109
       options: --user 0
 
     steps:
@@ -134,7 +134,7 @@ jobs:
           random_length: ['5']
 
     container:
-      image: aztfmod/rover:2010.2808
+      image: aztfmod/rover:2012.1109
       options: --user 0
 
     steps:
@@ -181,7 +181,7 @@ jobs:
           ]
 
     container:
-      image: aztfmod/rover:2010.2808
+      image: aztfmod/rover:2012.1109
       options: --user 0
 
     steps:
@@ -224,7 +224,7 @@ jobs:
         random_length: ['5']
 
     container:
-      image: aztfmod/rover:2010.2808
+      image: aztfmod/rover:2012.1109
       options: --user 0
 
     steps:

README.md

@@ -29,6 +29,10 @@ This release is relying extensively on Terraform 0.13 capabilities (module itera
 
 Those new features allow more complex and more dynamic code composition. The following concepts are used:
 
+* **Multi-subscription deployment**: initial support to deploy landing zones in any subscription from the launchpad subscription.
+* **Autonomous module consumption**: consumption of the CAF module outside of landing zones.
+* **Starter kit extension**: added new scenarios for sandpit environment, added support for AKS.
+* **Verified by Hashicorp status**:  status achieved for new CAF module and provider.
 * **No-code environment composition**: a landing zone environment can be composed customizing variable files and code must be robust enough to accommodate combinations and composition.
 * **Flexible foundations to meet customer needs**: everything is customizable at all layers.
 * **Key-based configuration and customization**: all configuration objects will call each other based on the object keys.
@@ -44,7 +48,7 @@ See our [Getting Started Video](https://www.youtube.com/watch?v=t1exCkWft60)
 
 ## Sample configuration repository
 
-When starting an enterprise deployment, we recommend you start creating a configuration repository where you start crafting you configuration environment.
+When starting an enterprise deployment, we recommend you start creating a configuration repository where you craft the configuration files for your environments.
 
 You can find the [starter repository here](https://github.com/Azure/caf-terraform-landingzones-starter) and our sample configuration [onboarding video here](https://www.youtube.com/watch?v=M5BXm30IpdY)
 

landingzones/caf_foundations/README.md

@@ -22,9 +22,15 @@ By default, the content of this landing zone is empty unless you specify a confi
 
 ```bash
 #  To deploy the CAF foundations in passthrough mode
-rover -lz /tf/caf/landingzones/caf_foundations \
--level level1 \
--a apply
+rover -lz /tf/caf/public/landingzones/caf_foundations \
+  -level level1 \
+  -a apply
+
+# If the tfstates are stored in a different subscription you need to execute the following command
+rover -lz /tf/caf/public/landingzones/caf_foundations \
+  -tfstate_subscription_id <ID of the subscription> \
+  -level level1 \
+  -a apply
 ```
 
 ## Deploying CAF foundations with enterprise-scale (experimental)
@@ -33,8 +39,15 @@ This is currently work in progress.
 Use the following configuration file in order to get started with the enterprise-scale module integration:
 
 ```bash
-rover -lz /tf/caf/landingzones/caf_foundations \
--var-folder /tf/caf/landingzones/caf_foundations/scenario/200 \
--level level1 \
--a apply
+rover -lz /tf/caf/public/landingzones/caf_foundations \
+  -var-folder /tf/caf/public/landingzones/caf_foundations/scenario/200 \
+  -level level1 \
+  -a apply
+
+# If the tfstates are stored in a different subscription you need to execute the following command
+rover -lz /tf/caf/public/landingzones/caf_foundations \
+  -tfstate_subscription_id <ID of the subscription> \
+  -var-folder /tf/caf/public/landingzones/caf_foundations/scenario/200 \
+  -level level1 \
+  -a apply
 ```

landingzones/caf_foundations/dynamic_secrets.tf

@@ -0,0 +1,11 @@
+
+module dynamic_keyvault_secrets {
+  source  = "aztfmod/caf/azurerm//modules/security/dynamic_keyvault_secrets"
+  version = "0.4.20"
+
+  for_each = try(var.dynamic_keyvault_secrets, {})
+
+  settings    = each.value
+  keyvault_id = module.foundations.keyvaults[each.key].id
+  objects     = module.foundations
+}

landingzones/caf_foundations/es_main.tf

@@ -1,7 +1,7 @@
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.0.6-preview"
+  version = "0.0.7-preview"
 
   root_parent_id = data.azurerm_client_config.current.tenant_id
 

landingzones/caf_foundations/landingzone.tf

@@ -0,0 +1,20 @@
+module "foundations" {
+  source  = "aztfmod/caf/azurerm"
+  version = "0.4.20"
+
+  current_landingzone_key     = var.landingzone.key
+  tenant_id                   = var.tenant_id
+  tags                        = local.tags
+  diagnostics                 = local.remote.diagnostics
+  global_settings             = local.global_settings
+  tfstates                    = local.tfstates
+  diagnostics_definition      = var.diagnostics_definition
+  diagnostics_destinations    = var.diagnostics_destinations
+  diagnostic_storage_accounts = var.diagnostic_storage_accounts
+  logged_user_objectId        = var.logged_user_objectId
+  logged_aad_app_objectId     = var.logged_aad_app_objectId
+  resource_groups             = var.resource_groups
+  keyvaults                   = var.keyvaults
+  log_analytics               = var.log_analytics
+  event_hub_namespaces        = var.event_hub_namespaces
+}

landingzones/caf_foundations/locals.remote_tfstates.tf

@@ -21,6 +21,7 @@ data "terraform_remote_state" "remote" {
     storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
     container_name       = local.landingzone[try(each.value.level, "current")].container_name
     resource_group_name  = local.landingzone[try(each.value.level, "current")].resource_group_name
+    subscription_id      = var.tfstate_subscription_id
     key                  = each.value.tfstate
   }
 }
@@ -34,17 +35,36 @@ locals {
 
   global_settings = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.global_settings
 
-  diagnostics = {
-    diagnostics_definition   = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition, var.diagnostics_definition)
-    diagnostics_destinations = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations
-    storage_accounts         = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts
-    log_analytics            = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics
-    event_hub_namespaces     = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces
-  }
-
-
 
   remote = {
+    diagnostics = {
+      # Get the diagnostics settings of services to create
+      diagnostic_event_hub_namespaces     = var.diagnostic_event_hub_namespaces
+      diagnostic_log_analytics            = var.diagnostic_log_analytics
+      diagnostic_storage_accounts         = var.diagnostic_storage_accounts
+
+      # Combine the diagnostics definitions
+      diagnostics_definition   = merge(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_definition, var.diagnostics_definition)
+      diagnostics_destinations = {
+        event_hub_namespaces = merge(
+          try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.event_hub_namespaces, {}),
+          try(var.diagnostics_destinations.event_hub_namespaces, {})
+        )
+        log_analytics = merge(
+          try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.log_analytics, {}),
+          try(var.diagnostics_destinations.log_analytics, {})
+        )
+        storage = merge(
+          try(data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.diagnostics_destinations.storage, {}),
+          try(var.diagnostics_destinations.storage, {})
+        )
+      }
+      # Get the remote existing diagnostics objects
+      storage_accounts         = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.storage_accounts
+      log_analytics            = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.log_analytics
+      event_hub_namespaces     = data.terraform_remote_state.remote[var.landingzone.global_settings_key].outputs.diagnostics.event_hub_namespaces
+    }
+
     managed_identities = {
       for key, value in try(var.landingzone.tfstates, {}) : key => merge(try(data.terraform_remote_state.remote[key].outputs.managed_identities[key], {}))
     }

landingzones/caf_foundations/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "2.37.0"
+      version = "2.40.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

landingzones/caf_foundations/output.tf

@@ -2,12 +2,10 @@ output global_settings {
   value     = local.global_settings
   sensitive = true
 }
-
 output diagnostics {
-  value     = local.diagnostics
+  value     = module.foundations.diagnostics
   sensitive = true
 }
-
 output vnets {
   value     = local.remote.vnets
   sensitive = true
@@ -20,9 +18,14 @@ output azuread_groups {
   value     = local.remote.azuread_groups
   sensitive = true
 }
-
 output tfstates {
   value     = local.tfstates
   sensitive = true
 }
-
+output keyvaults {
+  value = map(
+    var.landingzone.key,
+    try(module.foundations.keyvaults, {})
+  )
+  sensitive = true
+}

landingzones/caf_foundations/variables.tf

@@ -3,6 +3,9 @@ variable lower_storage_account_name {}
 variable lower_container_name {}
 variable lower_resource_group_name {}
 
+variable tfstate_subscription_id {
+  description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
+}
 variable tfstate_storage_account_name {
   description = "This value is propulated by the rover"
 }
@@ -50,4 +53,31 @@ variable enterprise_scale {
 
 variable diagnostics_definition {
   default = {}
+}
+variable keyvaults {
+  default = {}
+}
+variable resource_groups {
+  default = {}
+}
+variable log_analytics {
+  default = {}
+}
+variable event_hub_namespaces {
+  default = {}
+}
+variable diagnostic_storage_accounts {
+  default = {}
+}
+variable diagnostic_event_hub_namespaces {
+  default = {}
+}
+variable diagnostic_log_analytics {
+  default = {}
+}
+variable diagnostics_destinations {
+  default = {}
+}
+variable dynamic_keyvault_secrets {
+  default = {}
 }

landingzones/caf_launchpad/add-ons/azure_devops/locals.remote_tfstates.tf

@@ -21,6 +21,7 @@ data "terraform_remote_state" "remote" {
     storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
     container_name       = local.landingzone[try(each.value.level, "current")].container_name
     resource_group_name  = local.landingzone[try(each.value.level, "current")].resource_group_name
+    subscription_id      = var.tfstate_subscription_id
     key                  = each.value.tfstate
   }
 }

landingzones/caf_launchpad/add-ons/azure_devops/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 2.37.0"
+      version = "2.40.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

landingzones/caf_launchpad/add-ons/azure_devops/readme.md

@@ -42,7 +42,19 @@ rover -lz /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops \
   -var-folder /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo \
   -parallelism 30 \
   -level level0 \
-  -a apply -env sandpit
+  -env sandpit \
+  -a apply
+
+
+# If the tfstates are stored in a different subscription you need to execute the following command
+rover -lz /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops \
+  -tfstate_subscription_id <ID of the subscription> \
+  -tfstate azure_devops-contoso_demo.tfstate \
+  -var-folder /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops/scenario/200-contoso_demo \
+  -parallelism 30 \
+  -level level0 \
+  -env sandpit \
+  -a apply 
 ```
 
 We are planning to release more examples on how to deploy the Azure Devops Agents.

landingzones/caf_launchpad/add-ons/azure_devops/solution.tf

@@ -1,6 +1,6 @@
 module "caf" {
   source  = "aztfmod/caf/azurerm"
-  version = "~> 0.4"
+  version = "0.4.20"
 
   current_landingzone_key               = var.landingzone.key
   tenant_id                             = var.tenant_id

landingzones/caf_launchpad/add-ons/azure_devops/variables.tf

@@ -8,6 +8,10 @@ variable tfstate_container_name {}
 variable tfstate_key {}
 variable tfstate_resource_group_name {}
 
+variable tfstate_subscription_id {
+  description = "This value is propulated by the rover. subscription id hosting the remote tfstates"
+}
+
 variable global_settings {
   default = {}
 }

landingzones/caf_launchpad/add-ons/azure_devops_agent/locals.current_tfstates.tf

@@ -21,6 +21,7 @@ data "terraform_remote_state" "remote" {
     storage_account_name = local.landingzone[try(each.value.level, "current")].storage_account_name
     container_name       = local.landingzone[try(each.value.level, "current")].container_name
     resource_group_name  = local.landingzone[try(each.value.level, "current")].resource_group_name
+    subscription_id      = var.tfstate_subscription_id
     key                  = each.value.tfstate
   }
 }

landingzones/caf_launchpad/add-ons/azure_devops_agent/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 2.37.0"
+      version = "2.40.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

landingzones/caf_launchpad/add-ons/azure_devops_agent/readme.md

@@ -39,4 +39,16 @@ rover -lz /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent \
   -level level1 \
   -env sandpit \
   -a apply
+
+
+# If the tfstates are stored in a different subscription you need to execute the following command
+
+rover -lz /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent \
+  -tfstate_subscription_id <ID of the subscription> \
+  -tfstate azdo-agent-level1.tfstate \
+  -var-folder /tf/caf/landingzones/caf_launchpad/add-ons/azure_devops_agent/scenario/200-contoso_demo/level1 \
+  -parallelism 30 \
+  -level level1 \
+  -env sandpit \
+  -a apply
 ```

landingzones/caf_launchpad/add-ons/azure_devops_agent/solution.tf

@@ -1,6 +1,6 @@
 module "caf" {
   source  = "aztfmod/caf/azurerm"
-  version = "~> 0.4"
+  version = "0.4.20"
 
   current_landingzone_key     = var.landingzone.key
   tenant_id                   = var.tenant_id