fixed private endpoints for app svc slots

scenarios/secure-baseline-multitenant/terraform/_parameters/ase-multitenant.parameters.tfvars

@@ -1,10 +1,10 @@
 application_name = "eslztest"
-environment      = "local"
+environment      = "dev"
 location         = "westus3"
 owner            = "[email protected]"
 
-entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884"
-entra_admin_group_name      = "AppSvcLZA Entra SQL Admins"
+# entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884"
+# entra_admin_group_name      = "AppSvcLZA Entra SQL Admins"
 
 ## Lookup the Entra User
 # vm_entra_admin_username = "[email protected]"

scenarios/secure-baseline-multitenant/terraform/hub/main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "4.5.0"
+      version = ">=4.0"
     }
     azurecaf = {
       source  = "aztfmod/azurecaf"
@@ -33,3 +33,22 @@ provider "azurerm" {
   disable_terraform_partner_id = false
   partner_id                   = "cf7e9f0a-f872-49db-b72f-f2e318189a6d"
 }
+
+## Create Hub Resource Group with the name generated from global_settings
+resource "azurecaf_name" "caf_name_hub_rg" {
+  name          = var.application_name
+  resource_type = "azurerm_resource_group"
+  prefixes      = local.global_settings.prefixes
+  suffixes      = local.global_settings.suffixes
+  random_length = local.global_settings.random_length
+  clean_input   = true
+  passthrough   = local.global_settings.passthrough
+  use_slug      = local.global_settings.use_slug
+}
+
+resource "azurerm_resource_group" "hub" {
+  name     = azurecaf_name.caf_name_hub_rg.result
+  location = var.location
+
+  tags = local.base_tags
+}

scenarios/secure-baseline-multitenant/terraform/hub/network.tf

@@ -1,30 +1,12 @@
 # Hub network config
 # -----
-# - Hub Resource Group
 #   - VNet
 #      - Firewall Subnet
 #      - Bastion Subnet
 #   - Azure Firewall [optional]
 #   - Bastion [optional]
 
-## Create Hub Resource Group with the name generated from global_settings
-resource "azurecaf_name" "caf_name_hub_rg" {
-  name          = var.application_name
-  resource_type = "azurerm_resource_group"
-  prefixes      = local.global_settings.prefixes
-  suffixes      = local.global_settings.suffixes
-  random_length = local.global_settings.random_length
-  clean_input   = true
-  passthrough   = local.global_settings.passthrough
-  use_slug      = local.global_settings.use_slug
-}
-
-resource "azurerm_resource_group" "hub" {
-  name     = azurecaf_name.caf_name_hub_rg.result
-  location = var.location
 
-  tags = local.base_tags
-}
 
 ## Deploy Hub VNet with Firewall and Bastion subnets
 module "network" {

scenarios/secure-baseline-multitenant/terraform/hub/outputs.tf

@@ -14,10 +14,6 @@ output "virtual_network" {
   value = module.network.vnet
 }
 
-# output "bastion_name" {
-#   value = var.deployment_options.deploy_bastion ? module.bastion[0].name : null
-# }
-
 output "firewall_private_ip" {
   # the 0 index for the module is needed as the module is a count
   value = var.deployment_options.enable_egress_lockdown ? module.firewall[0].private_ip_address : null

scenarios/secure-baseline-multitenant/terraform/main.tf

@@ -35,20 +35,3 @@ provider "azurerm" {
   disable_terraform_partner_id = false
   partner_id                   = "cf7e9f0a-f872-49db-b72f-f2e318189a6d"
 }
-
-resource "azurecaf_name" "caf_name_spoke_rg" {
-  name          = var.application_name
-  resource_type = "azurerm_resource_group"
-  prefixes      = concat(["spoke"], local.global_settings.prefixes)
-  random_length = local.global_settings.random_length
-  clean_input   = true
-  passthrough   = local.global_settings.passthrough
-  use_slug      = local.global_settings.use_slug
-}
-
-resource "azurerm_resource_group" "spoke" {
-  name     = azurecaf_name.caf_name_spoke_rg.result
-  location = var.location
-
-  tags = local.base_tags
-}

scenarios/secure-baseline-multitenant/terraform/multitenant-asev3.tf

@@ -32,8 +32,6 @@ module "spoke" {
   owner            = var.owner
   tenant_id        = var.tenant_id
 
-  entra_admin_group_name      = var.entra_admin_group_name
-  entra_admin_group_object_id = var.entra_admin_group_object_id
   appsvc_options              = var.appsvc_options
 
   oai_deployment_models = var.oai_deployment_models

scenarios/secure-baseline-multitenant/terraform/spoke/app.tf

@@ -60,8 +60,6 @@ module "sql_database" {
   location                    = var.location
   unique_id                   = random_integer.unique_id.result
   tenant_id                   = var.tenant_id
-  entra_admin_group_object_id = var.entra_admin_group_object_id
-  entra_admin_group_name      = var.entra_admin_group_name
   private_link_subnet_id      = module.network.subnets["privateLink"].id
   global_settings             = local.global_settings
   tags                        = local.base_tags

scenarios/secure-baseline-multitenant/terraform/spoke/main.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "4.5.0"
+      version = ">=4.0"
     }
     azurecaf = {
       source  = "aztfmod/azurecaf"
@@ -15,6 +15,7 @@ terraform {
   }
 
   # If called as a module, this backend configuration block will have no effect.
+  # Uncomment the below block to use the AzureRM backend for a spoke-specific deplployment
   # backend "azurerm" {}
 }
 
@@ -36,4 +37,23 @@ provider "azurerm" {
   partner_id                   = "cf7e9f0a-f872-49db-b72f-f2e318189a6d"
 }
 
-# provider "azurecaf" {}
+## Create Spoke Resource Group with the name generated from global_settings
+resource "azurecaf_name" "caf_name_spoke_rg" {
+  name          = var.application_name
+  resource_type = "azurerm_resource_group"
+  # prefixes      = concat(["spoke"], local.global_settings.prefixes)
+  prefixes = local.global_settings.prefixes
+  suffixes = local.global_settings.suffixes
+
+  random_length = local.global_settings.random_length
+  clean_input   = true
+  passthrough   = local.global_settings.passthrough
+  use_slug      = local.global_settings.use_slug
+}
+
+resource "azurerm_resource_group" "spoke" {
+  name     = azurecaf_name.caf_name_spoke_rg.result
+  location = var.location
+
+  tags = local.base_tags
+}

scenarios/secure-baseline-multitenant/terraform/spoke/network.tf

@@ -1,6 +1,5 @@
 # Spoke network config
 # -----
-# - Spoke Resource Group
 #   - VNet
 #      - Server Farm Subnet (App Service/compute resources)
 #      - Ingress Subnet (Azure Front Door network ingress subnet)
@@ -10,27 +9,6 @@
 #   - User Defined Routes [optional]
 #   - Azure FrontDoor
 
-## Create Spoke Resource Group with the name generated from global_settings
-resource "azurecaf_name" "caf_name_spoke_rg" {
-  name          = var.application_name
-  resource_type = "azurerm_resource_group"
-  # prefixes      = concat(["spoke"], local.global_settings.prefixes)
-  prefixes = local.global_settings.prefixes
-  suffixes = local.global_settings.suffixes
-
-  random_length = local.global_settings.random_length
-  clean_input   = true
-  passthrough   = local.global_settings.passthrough
-  use_slug      = local.global_settings.use_slug
-}
-
-resource "azurerm_resource_group" "spoke" {
-  name     = azurecaf_name.caf_name_spoke_rg.result
-  location = var.location
-
-  tags = local.base_tags
-}
-
 resource "azurecaf_name" "appsvc_subnet" {
   name          = var.application_name
   resource_type = "azurerm_subnet"

scenarios/secure-baseline-multitenant/terraform/spoke/variables.tf

@@ -60,16 +60,6 @@ variable "firewall_rules" {
   type = any
 }
 
-variable "entra_admin_group_object_id" {
-  type        = string
-  description = "[Required] The object ID of the Entra group that should be granted SQL Admin permissions to the SQL Server"
-}
-
-variable "entra_admin_group_name" {
-  type        = string
-  description = "[Required] The name of the Entra group that should be granted SQL Admin permissions to the SQL Server"
-}
-
 variable "spoke_vnet_cidr" {
   type        = list(string)
   description = "[Optional] The CIDR block(s) for the virtual network for whitelisting on the firewall. Defaults to 10.240.0.0/20"