-
Notifications
You must be signed in to change notification settings - Fork 113
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Terraform implementation refactor (#215)
* testing bicep cicd - added new oidc client id for read-only access, testing what-if flag * Adding region into the bicep yml, env var and to the what-if arm-deploy action * testing pipeline, adding puysh trigger for this branch * testing pipeline, adding puysh trigger for this branch * testing with prod id as the what-if scenario requires same level of permissions * testing with prod id as the what-if scenario requires same level of permissions * testing the deployment * testing the deployment * testing cicd bicep templates * testing cicd * testing cicd * testing cicd * disabling psrule for now * disabling psrule for now * consolidating tf scenario 1 workflows into a single cicd pipeline * consolidating tf scenario 1 workflows into a single cicd pipeline * consolidating tf scenario 1 workflows into a single cicd pipeline * consolidating tf scenario 1 workflows into a single cicd pipeline * renaming consolidated scenario 1 tf pipeline * Adding concurrency, removed redundant param files * Adding concurrency, removed redundant param files * removing test branch trigger * cleanup * cleanup * wip * Functional deployment, further testing required * Spoke deployment fixes/cleanup * added backend.hcl file * shared resource group * cleaned up windows vm create and custom script * Add files via upload * Add files via upload * pulling latest * updating latest changes for terraform * Refactoring TF changes * pre-commit formatting and docs * adding scenario deployment input file * fixing gha tf scenario deployment yaml * fixed private endpoints for app svc slots * fixed private endpoints for app svc slots * fixed private endpoints for app svc slots * fixed private endpoints for app svc slots * removing entra data lookups for sql server * removing entra data lookups for sql server * removing entra data lookups for sql server * removing /deployment dir * constraining deployment to azurerm versions 4.5.0 - 5.0.0 --------- Co-authored-by: ahmeds <[email protected]> Co-authored-by: Kunal Babre <[email protected]>
- Loading branch information
1 parent
62bd83c
commit 5153a9a
Showing
88 changed files
with
1,922 additions
and
674 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,2 @@ | ||
.azure | ||
backend.hcl |
139 changes: 136 additions & 3 deletions
139
scenarios/secure-baseline-multitenant/terraform/README.md
Large diffs are not rendered by default.
Oops, something went wrong.
33 changes: 33 additions & 0 deletions
33
scenarios/secure-baseline-multitenant/terraform/_locals.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
locals { | ||
deployment_name = "sec-baseline-1" | ||
|
||
global_settings = merge({ | ||
environment = try(var.global_settings.environment, var.environment) | ||
passthrough = try(var.global_settings.passthrough, false) | ||
prefixes = try(var.global_settings.prefixes, [local.deployment_name, local.short_location]) | ||
suffixes = try(var.global_settings.suffixes, [var.environment]) | ||
random_length = try(var.global_settings.random_length, 0) | ||
regions = try(var.global_settings.regions, null) | ||
tags = try(var.global_settings.tags, null) | ||
use_slug = try(var.global_settings.use_slug, true) | ||
}, var.global_settings) | ||
|
||
short_location_map = { | ||
"eastus" : "eus" | ||
"eastus2" : "eus2" | ||
"westus" : "wus" | ||
"westus2" : "wus2" | ||
"westeurope" : "weu" | ||
"easteurope" : "eeu" | ||
"southcentralus" : "scus" | ||
} | ||
|
||
short_location = try(local.short_location_map[var.location], var.location) | ||
|
||
base_tags = merge({ | ||
"Terraform" = true | ||
"Environment" = local.global_settings.environment | ||
"Owner" = var.owner | ||
"Project" = "[Scenario 1] App Service Landing Zone Accelerator" | ||
}, var.tags) | ||
} |
151 changes: 73 additions & 78 deletions
151
...ameters/ase-multitenant.parameters.tfvars → ...ameters/ase-multitenant.parameters.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,78 +1,73 @@ | ||
application_name = "eslz2" | ||
environment = "prod" | ||
location = "westus3" | ||
owner = "[email protected]" | ||
|
||
# For the hub state, use the same settings as the remote state config on the hub deployment from /hub/main.tf | ||
hub_state_resource_group_name = "backend-appsrvc-dev-westus2-001" | ||
hub_state_storage_account_name = "stbackendappsrwestus2001" | ||
hub_state_container_name = "tfstate" | ||
hub_state_key = "scenario1.hub.tfstate" | ||
|
||
entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" | ||
entra_admin_group_name = "AppSvcLZA Microsoft Entra SQL Admins" | ||
|
||
## Lookup the Microsoft Entra User | ||
# vm_entra_admin_username = "[email protected]" | ||
## Reference an existing Microsoft Entra User/Group Object ID to bypass lookup | ||
vm_entra_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Microsoft Entra SQL Admins" | ||
|
||
|
||
## Optionally provide non-Entra ID admin credentials for the VM | ||
# vm_admin_username = "daniem" | ||
# vm_admin_password = "**************" | ||
|
||
## These settings are used for peering the spoke to the hub. Fill in the appropriate settings for your environment | ||
hub_settings = { | ||
rg_name = "rg-hub-scenario1-wus3" | ||
vnet_name = "vnet-hub-scenario1-wus3" | ||
|
||
firewall = { | ||
private_ip = "10.242.0.4" | ||
} | ||
} | ||
|
||
## Toggle deployment of optional features and services for the Landing Zone | ||
deployment_options = { | ||
enable_waf = true | ||
enable_egress_lockdown = true | ||
enable_diagnostic_settings = true | ||
deploy_bastion = true | ||
deploy_redis = true | ||
deploy_sql_database = true | ||
deploy_app_config = true | ||
deploy_vm = false | ||
deploy_openai = true | ||
} | ||
|
||
## Optionally deploy a Github runner, DevOps agent, or both to the VM. | ||
# devops_settings = { | ||
# github_runner = { | ||
# repository_url = "https://github.com/{organization}/{repository}" | ||
# token = "runner_registration_token" # See: https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28 | ||
# } | ||
# | ||
# devops_agent = { | ||
# organization_url = "https://dev.azure.com/{organization}/" | ||
# token = "pat_token" | ||
# } | ||
# } | ||
|
||
appsvc_options = { | ||
service_plan = { | ||
os_type = "Windows" | ||
sku_name = "S1" | ||
|
||
# Optionally configure zone redundancy (requires a minimum of three workers and Premium SKU service plan) | ||
# worker_count = 3 | ||
# zone_redundant = true | ||
} | ||
|
||
web_app = { | ||
application_stack = { | ||
current_stack = "dotnet" | ||
dotnet_version = "v6.0" | ||
} | ||
slots = ["staging"] | ||
} | ||
} | ||
application_name = "eslztest" | ||
environment = "dev" | ||
location = "westus3" | ||
owner = "[email protected]" | ||
|
||
# entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" | ||
# entra_admin_group_name = "AppSvcLZA Entra SQL Admins" | ||
|
||
## Lookup the Entra User | ||
# vm_entra_admin_username = "[email protected]" | ||
## Reference an existing Entra User/Group Object ID to bypass lookup | ||
vm_entra_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Entra SQL Admins" | ||
|
||
## Optionally provide non-entra admin credentials for the VM | ||
# vm_admin_username = "daniem" | ||
# vm_admin_password = "**************" | ||
|
||
## Toggle deployment of optional features and services for the Landing Zone | ||
deployment_options = { | ||
deploy_asev3 = true | ||
enable_waf = true | ||
enable_egress_lockdown = true | ||
enable_diagnostic_settings = true | ||
deploy_bastion = true | ||
deploy_redis = true | ||
deploy_sql_database = true | ||
deploy_app_config = true | ||
deploy_vm = false | ||
deploy_openai = true | ||
} | ||
|
||
## OpenAI Deployment Models | ||
oai_deployment_models = { | ||
"text-embedding-ada-002" = { | ||
name = "text-embedding-ada-002" | ||
model_format = "OpenAI" | ||
model_name = "text-embedding-ada-002" | ||
model_version = "2" | ||
sku_name = "Standard" | ||
} | ||
} | ||
|
||
## Optionally deploy a Github runner, DevOps agent, or both to the VM. | ||
# devops_settings = { | ||
# github_runner = { | ||
# repository_url = "https://github.com/{organization}/{repository}" | ||
# token = "runner_registration_token" # See: https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28 | ||
# } | ||
# | ||
# devops_agent = { | ||
# organization_url = "https://dev.azure.com/{organization}/" | ||
# token = "pat_token" | ||
# } | ||
# } | ||
|
||
appsvc_options = { | ||
service_plan = { | ||
os_type = "Windows" | ||
sku_name = "I1v2" | ||
|
||
# Optionally configure zone redundancy (requires a minimum of three workers and Premium SKU service plan) | ||
# worker_count = 3 | ||
# zone_redundant = true | ||
} | ||
|
||
web_app = { | ||
application_stack = { | ||
current_stack = "dotnet" | ||
dotnet_version = "v6.0" | ||
} | ||
slots = ["staging"] | ||
} | ||
} |
10 changes: 10 additions & 0 deletions
10
scenarios/secure-baseline-multitenant/terraform/backend.hcl.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
### To use this template, rename the file to `backend.tf` | ||
### and update the values below to match your remote state config | ||
### | ||
### To use this file as part of your deployment, provide the following flag as you initialize: | ||
### terraform init -backend-config=backend.tf | ||
|
||
resource_group_name = "my-tf-remote-state-rg-name" | ||
storage_account_name = "my-tf-remote-state-sa-name" | ||
container_name = "my-tf-remote-state-container-name" | ||
key = "my-state-file-name.tfstate" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.