From f466017338652bbb1576bffb3e37cf20c555cd51 Mon Sep 17 00:00:00 2001 From: Isabelle Bersano <100224087+ibersanoMS@users.noreply.github.com> Date: Tue, 19 Mar 2024 12:08:59 -0400 Subject: [PATCH] Chore: Change Azure AD refs to Microsoft Entra (#204) * chore: update aad refs in TF files and readmes * chore: update bicep and arm files with entra * docs: update tf docs using pre-commit --- .../secure-baseline-multitenant/README.md | 2 +- .../azure-resource-manager/README.md | 12 +++++----- .../main-portal-ux.json | 14 ++++++------ .../azure-resource-manager/main.json | 18 +++++++-------- .../main.parameters.jsonc | 8 +++---- .../bicep/README.md | 2 +- .../bicep/deploy.hub.bicep | 4 ++-- .../bicep/main.parameters.json | 2 +- .../bicep/main.parameters.jsonc | 8 +++---- .../bicep/modules/vmJumphost.module.bicep | 2 +- .../terraform/README.md | 12 +++++----- .../terraform/hub/variables.tf | 2 +- .../terraform/spoke/app.tf | 22 +++++++++---------- .../ase-multitenant.parameters.tfvars | 14 ++++++------ .../terraform/spoke/shared.tf | 18 +++++++-------- .../terraform/spoke/variables.tf | 22 +++++++++---------- .../bicep/cognitive-services/open-ai.bicep | 2 +- .../shared/bicep/compute/jumphost-win11.bicep | 10 ++++----- .../role-assignments/roledefinitions.json | 6 ++--- .../terraform-modules/firewall/module.tf | 4 ++-- .../terraform-modules/key-vault/README.md | 2 +- .../terraform-modules/key-vault/variables.tf | 2 +- .../terraform-modules/sql-database/README.md | 12 +++++----- .../terraform-modules/sql-database/module.tf | 4 ++-- .../sql-database/variables.tf | 4 ++-- .../windows-vm-ext/README.md | 4 ++-- .../terraform-modules/windows-vm-ext/main.tf | 4 ++-- .../windows-vm-ext/variables.tf | 4 ++-- .../terraform-modules/windows-vm/README.md | 4 ++-- .../terraform-modules/windows-vm/module.tf | 6 ++--- .../terraform-modules/windows-vm/variables.tf | 8 +++---- 31 files changed, 119 insertions(+), 119 deletions(-) 
diff --git a/scenarios/secure-baseline-multitenant/README.md b/scenarios/secure-baseline-multitenant/README.md index 29b7a2c8..5533c267 100644 --- a/scenarios/secure-baseline-multitenant/README.md +++ b/scenarios/secure-baseline-multitenant/README.md @@ -1,4 +1,4 @@ -# App Service Secure Baseline (Multitenant and ASE) +# App Service Secure Baseline (Multi-tenant and ASE) This reference architecture shows how to run a web-app workload on Azure App Services in a secure configuration. This secure baseline follow [Defense in Depth](https://learn.microsoft.com/en-us/shows/azure-videos/defense-in-depth-security-in-azure) approach to protect AppService workload against cloud vulnerabilities along with additional [Well-Architected Framework](https://learn.microsoft.com/en-us/azure/architecture/framework/) pillars to enable a resilient solution. diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md b/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md index 01bf8a14..12fbce7c 100644 --- a/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md +++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md 
@@ -1,10 +1,10 @@ -# Multitenant App Service Secure Baseline - ARM Implementation +# Multi-tenant App Service Secure Baseline - ARM Implementation You can deploy the current LZA directly in your azure subscription by hitting the button below. [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain-portal-ux.json) -Alternatively, you can clone the repo and follow the instractions below +Alternatively, you can clone the repo and follow the instructions below ## Prerequisites - Clone this repo 
@@ -24,7 +24,7 @@ The table below summarizes the available parameters and the possible values that |location|Azure region where the resources will be deployed in|| |environment|Required. The name of the environment (e.g. "dev", "test", "prod", "preprod", "staging", "uat", "dr", "qa"). Up to 8 characters long.|| |vnetHubResourceId|If empty, then a new hub will be created. If you select not to deploy a new Hub resource group, set the resource id of the Hub Virtual Network that you want to peer to. In that case, no new hub will be created and a peering will be created between the new spoke and and existing hub vnet|/subscriptions// resourceGroups//providers/ Microsoft.Network/virtualNetworks/| -|firewallInternalIp|If you select to create a new Hub, the UDR for locking the egress traffic will be created as well, no matter what value you set to that variable. However, if you select to connect to an existing hub, then you need to provide the internal IP of the azure firewal so that the deployment can create the UDR for locking down egress traffic. If not given, no UDR will be created|| +|firewallInternalIp|If you select to create a new Hub, the UDR for locking the egress traffic will be created as well, no matter what value you set to that variable. However, if you select to connect to an existing hub, then you need to provide the internal IP of the azure firewall so that the deployment can create the UDR for locking down egress traffic. If not given, no UDR will be created|| |vnetHubAddressSpace|If you deploy a new hub, you need to set the appropriate CIDR of the newly created Hub virtual network|10.242.0.0/20| |subnetHubFirewallAddressSpace|CIDR of the subnet that will host the azure Firewall|10.242.0.0/26| |subnetHubBastionAddressSpace|CIDR of the subnet that will host the Bastion Service|10.242.0.64/26| 
@@ -92,7 +92,7 @@ done ### Connect to the Jumpbox VM (deployed in the spoke resource group) -You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is Microsoft Entra IDJoined by default. This means that you can connect to the jumpbox, either with the local user/password compination (azureuser is the default username) or with a valid Microsoft Entra ID account. In certain circumastances your organization may not allow the device to be enrolled. If the jumpbox VM is Microsoft Entra ID joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands +You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is Microsoft Entra IDJoined by default. This means that you can connect to the jumpbox, either with the local user/password combination (azureuser is the default username) or with a valid Microsoft Entra ID account. In certain circumstances your organization may not allow the device to be enrolled. If the jumpbox VM is Microsoft Entra ID joined and properly Intune enrolled, you can use native rdp client to connect by running the below Az CLI commands From a PowerShell terminal, connect to the DevOps VM using your Microsoft Entra ID credentials (or Windows Hello). 
@@ -117,9 +117,9 @@ If your organization requires device enrollment before accessing corporate resou It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete. -If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials) +If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials) -Once completed, and if you provided a valid (Microsoft Entra ID administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions: +Once completed, and if you provided a valid Microsoft Entra ID administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions: ```sql CREATE USER [web-app-name] FROM EXTERNAL PROVIDER; diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json b/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json index 742c67ee..c803e2bb 100644 --- a/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json 
+++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json @@ -923,7 +923,7 @@ "type": "Microsoft.Common.TextBlock", "visible": true, "options": { - "text": "Select the authentication method for the SQL Server administrator. Azure AD for SQL Server administrator authentication is suggested." + "text": "Select the authentication method for the SQL Server administrator. Microsoft Entra for SQL Server administrator authentication is suggested." } }, { @@ -931,13 +931,13 @@ "type": "Microsoft.Common.DropDown", "label": "Azure Sql Server Authentication", "subLabel": "", - "defaultValue": "Azure AD", - "toolTip": "Select Azure AD for SQL Server administrator authentication for better security and passwordless access. If you select SQL Server local user, you will need to provide a password for the SQL Server administrator.", + "defaultValue": "Microsoft Entra", + "toolTip": "Select Microsoft Entra for SQL Server administrator authentication for better security and password-less access. If you select SQL Server local user, you will need to provide a password for the SQL Server administrator.", "constraints": { "required": false, "allowedValues": [ { - "label": "Azure AD", + "label": "Microsoft Entra", "value": "AAD" }, { @@ -955,7 +955,7 @@ "type": "Microsoft.Common.TextBlock", "visible": "[equals(steps('SQL').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]", "options": { - "text": "Replace AAD_SQL_ADMIN_GROUP with Azure AD group where your Azure administrators are members, sid value (xxxx-xxxx-xxxx-xxxx-xxxx) with Azure AD object ID of that group. The current tenantId value is already filled in." + "text": "Replace ENTRA_SQL_ADMIN_GROUP with Microsoft Entra group where your Azure administrators are members, sid value (xxxx-xxxx-xxxx-xxxx-xxxx) with Microsoft Entra object ID of that group. The current tenantId value is already filled in." } }, { 
@@ -963,9 +963,9 @@ "type": "Microsoft.Common.TextBox", "label": "Sql Server Administrators", "subLabel": "", - "defaultValue": "[concat('{\n\t\"login\": \"AAD_SQL_ADMIN_GROUP\",\n\t\"sid\": \"xxxx-xxxx-xxxx-xxxx-xxxx\",\n\t\"tenantId\": \"', steps('basics').resourceScope.subscription.tenantId, '\"\n}')]", + "defaultValue": "[concat('{\n\t\"login\": \"ENTRA_SQL_ADMIN_GROUP\",\n\t\"sid\": \"xxxx-xxxx-xxxx-xxxx-xxxx\",\n\t\"tenantId\": \"', steps('basics').resourceScope.subscription.tenantId, '\"\n}')]", "multiLine": true, - "toolTip": "Replace AAD_SQL_ADMIN_GROUP with Azure AD group where your Azure administrators are members, sid value with Azure AD object ID of that group and tenantId value with Azure AD tenant ID where the group is located", + "toolTip": "Replace ENTRA_SQL_ADMIN_GROUP with Microsoft Entra group where your Azure administrators are members, sid value with Microsoft Entra object ID of that group and tenantId value with Microsoft Entra tenant ID where the group is located", "constraints": { "required": false, "regex": "", diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json index a4ae154a..5e6fcf25 100644 --- a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json +++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json @@ -1653,7 +1653,7 @@ ] }, { - "name": "allow-azure-ad-join", + "name": "allow-entra-join", "protocols": [ { "port": "443", @@ -1707,7 +1707,7 @@ "*.manage-beta.microsoft.com", "*.manage.microsoft.com" ], - "name": "allow-azure-ad-join", + "name": "allow-entra-join", "protocols": [ { "port": "443", @@ -9962,7 +9962,7 @@ "subnetId": { "value": "[parameters('subnetDevOpsId')]" }, - "enableAzureAdJoin": { + "enableEntraJoin": { "value": true }, "userAssignedIdentities": { 
@@ -10047,7 +10047,7 @@ "description": "mandatory, the password of the admin user" } }, - "enableAzureAdJoin": { + "enableEntraJoin": { "type": "bool", "defaultValue": true }, @@ -10116,7 +10116,7 @@ } }, "variables": { - "aadLoginExtensionName": "AADLoginForWindows", + "entraLoginExtensionName": "AADLoginForWindows", "vmNameMaxLength": 64, "vmName": "[if(greater(length(parameters('name')), variables('vmNameMaxLength')), substring(parameters('name'), 0, variables('vmNameMaxLength')), parameters('name'))]", "computerNameLength": 15, @@ -10190,14 +10190,14 @@ ] }, { - "condition": "[parameters('enableAzureAdJoin')]", + "condition": "[parameters('enableEntraJoin')]", "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-11-01", - "name": "[format('{0}/{1}', variables('vmName'), variables('aadLoginExtensionName'))]", + "name": "[format('{0}/{1}', variables('vmName'), variables('entraLoginExtensionName'))]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.ActiveDirectory", - "type": "[variables('aadLoginExtensionName')]", + "type": "[variables('entraLoginExtensionName')]", "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true }, @@ -12972,7 +12972,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Allow only Azure AD authentication. Should be enabled for security reasons." + "description": "Optional. Allow only Microsoft Entra authentication. Should be enabled for security reasons." } }, "cMKKeyVaultResourceId": { diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc index e9c4f104..b58602b0 100644 --- a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc +++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc 
@@ -109,11 +109,11 @@ // The Microsoft Entra ID administrator group used for SQL Server authentication "sqlServerAdministrators": { "value": { - // Azure AD group where your Azure administrators are members - "login": "Azure AD SQL Admins", - // Azure AD object ID of the group + // Microsoft Entra group where your Azure administrators are members + "login": "Microsoft Entra SQL Admins", + // Microsoft Entra object ID of the group "sid": "xxx-xxxx-xxxx-xxxx", - // Azure AD tenant ID where the group is located + // Microsoft Entra tenant ID where the group is located "tenantId": "xxxx-xxxxxx-xxxxx-xxxxx-xxx" } } diff --git a/scenarios/secure-baseline-multitenant/bicep/README.md b/scenarios/secure-baseline-multitenant/bicep/README.md index b22e5ad5..78e2f5a7 100644 --- a/scenarios/secure-baseline-multitenant/bicep/README.md +++ b/scenarios/secure-baseline-multitenant/bicep/README.md 
@@ -131,7 +131,7 @@ If your organization requires device enrollment before accessing corporate resou It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete. -If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials) +If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials) Once completed, and if you provided a valid (Microsoft Entra ID) administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions: diff --git a/scenarios/secure-baseline-multitenant/bicep/deploy.hub.bicep b/scenarios/secure-baseline-multitenant/bicep/deploy.hub.bicep index 2c0562eb..31043d9e 100644 --- a/scenarios/secure-baseline-multitenant/bicep/deploy.hub.bicep +++ b/scenarios/secure-baseline-multitenant/bicep/deploy.hub.bicep @@ -137,7 +137,7 @@ var applicationRules = [ ] } { - name: 'allow-azure-ad-join' + name: 'allow-entra-join' protocols: [ { port: '443' @@ -195,7 +195,7 @@ var applicationRules = [ '*.manage-beta.microsoft.com' '*.manage.microsoft.com' ] - name: 'allow-azure-ad-join' + name: 'allow-entra-join' protocols: [ { port: '443' diff --git a/scenarios/secure-baseline-multitenant/bicep/main.parameters.json b/scenarios/secure-baseline-multitenant/bicep/main.parameters.json index 780731b1..4da972b9 100644 
--- a/scenarios/secure-baseline-multitenant/bicep/main.parameters.json +++ b/scenarios/secure-baseline-multitenant/bicep/main.parameters.json @@ -79,7 +79,7 @@ }, "sqlServerAdministrators": { "value": { - "login": "Azure AD SQL Admins", + "login": "Microsoft Entra SQL Admins", "sid": "xxx-xxxx-xxxx-xxxx", "tenantId": "xxx-xxxx-xxxx-xxxx" } diff --git a/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc b/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc index e9c4f104..b58602b0 100644 --- a/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc +++ b/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc @@ -109,11 +109,11 @@ // The Microsoft Entra ID administrator group used for SQL Server authentication "sqlServerAdministrators": { "value": { - // Azure AD group where your Azure administrators are members - "login": "Azure AD SQL Admins", - // Azure AD object ID of the group + // Microsoft Entra group where your Azure administrators are members + "login": "Microsoft Entra SQL Admins", + // Microsoft Entra object ID of the group "sid": "xxx-xxxx-xxxx-xxxx", - // Azure AD tenant ID where the group is located + // Microsoft Entra tenant ID where the group is located "tenantId": "xxxx-xxxxxx-xxxxx-xxxxx-xxx" } } diff --git a/scenarios/secure-baseline-multitenant/bicep/modules/vmJumphost.module.bicep b/scenarios/secure-baseline-multitenant/bicep/modules/vmJumphost.module.bicep index 7df48ae8..d908a968 100644 --- a/scenarios/secure-baseline-multitenant/bicep/modules/vmJumphost.module.bicep +++ b/scenarios/secure-baseline-multitenant/bicep/modules/vmJumphost.module.bicep @@ -63,7 +63,7 @@ module vmWindows '../../../shared/bicep/compute/jumphost-win11.bicep' = { adminPassword: adminPassword adminUsername: adminUsername subnetId: subnetDevOpsId - enableAzureAdJoin: true + enableEntraJoin: true userAssignedIdentities: { '${vmJumpHostUserAssignedManagedIdentity.outputs.id}': {} } 
diff --git a/scenarios/secure-baseline-multitenant/terraform/README.md b/scenarios/secure-baseline-multitenant/terraform/README.md index ef875f7e..b5d30b4b 100644 --- a/scenarios/secure-baseline-multitenant/terraform/README.md +++ b/scenarios/secure-baseline-multitenant/terraform/README.md @@ -1,4 +1,4 @@ -# Multitenant App Service Secure Baseline Terraform Implementation +# Multi-tenant App Service Secure Baseline Terraform Implementation ## Steps of Implementation for App Service Construction Set @@ -37,11 +37,11 @@ location = "swedencentral" location_short = "swe" tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -aad_admin_group_object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -aad_admin_group_name = "Microsoft Entra ID SQL Admins" -vm_aad_admin_username = "bob@contoso.com" +entra_admin_group_object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" +entra_admin_group_name = "Microsoft Entra ID SQL Admins" +vm_entra_admin_username = "bob@contoso.com" -# Optionally provide non-AAD admin credentials for the VM +# Optionally provide non-Entra admin credentials for the VM # vm_admin_username = "daniem" # vm_admin_password = "**************" 
@@ -172,7 +172,7 @@ az upgrade az network bastion rdp --name bast-bastion --resource-group rg-hub --target-resource-id /subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/virtualMachines/{vm-name} --disable-gateway ``` -If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](#unable-to-connect-to-devops-vm-using-aad-credentials) +If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials) Once completed, you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions (the exact command will be provided in the output of the Terraform deployment): diff --git a/scenarios/secure-baseline-multitenant/terraform/hub/variables.tf b/scenarios/secure-baseline-multitenant/terraform/hub/variables.tf index 4174d3b4..cb81a7e6 100644 --- a/scenarios/secure-baseline-multitenant/terraform/hub/variables.tf +++ b/scenarios/secure-baseline-multitenant/terraform/hub/variables.tf @@ -22,7 +22,7 @@ variable "owner" { # variable "tenant_id" { # type = string -# description = "[Required] The Azure AD tenant ID for the identities" +# description = "[Required] The Microsoft Entra tenant ID for the identities" # } variable "tags" { diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/app.tf b/scenarios/secure-baseline-multitenant/terraform/spoke/app.tf index 7bc0bf0e..c04c88ac 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/app.tf +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/app.tf 
@@ -45,17 +45,17 @@ module "sql_database" { source = "../../../shared/terraform-modules/sql-database" - resource_group = azurerm_resource_group.spoke.name - application_name = var.application_name - environment = var.environment - location = var.location - unique_id = random_integer.unique_id.result - tenant_id = var.tenant_id - aad_admin_group_object_id = var.aad_admin_group_object_id - aad_admin_group_name = var.aad_admin_group_name - private_link_subnet_id = module.network.subnets["privateLink"].id - global_settings = local.global_settings - tags = local.base_tags + resource_group = azurerm_resource_group.spoke.name + application_name = var.application_name + environment = var.environment + location = var.location + unique_id = random_integer.unique_id.result + tenant_id = var.tenant_id + entra_admin_group_object_id = var.entra_admin_group_object_id + entra_admin_group_name = var.entra_admin_group_name + private_link_subnet_id = module.network.subnets["privateLink"].id + global_settings = local.global_settings + tags = local.base_tags sql_databases = [ { name = "sample-db" diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars b/scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars index 08e7367a..76d70cac 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars 
@@ -9,16 +9,16 @@ hub_state_storage_account_name = "stbackendappsrwestus2001" hub_state_container_name = "tfstate" hub_state_key = "scenario1.hub.tfstate" -aad_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" -aad_admin_group_name = "AppSvcLZA Azure AD SQL Admins" +entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" +entra_admin_group_name = "AppSvcLZA Microsoft Entra SQL Admins" -## Lookup the Azure AD User -# vm_aad_admin_username = "my-user@contoso.com" -## Reference an existing Azure AD User/Group Object ID to bypass lookup -vm_aad_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Azure AD SQL Admins" +## Lookup the Microsoft Entra User +# vm_entra_admin_username = "my-user@contoso.com" +## Reference an existing Microsoft Entra User/Group Object ID to bypass lookup +vm_entra_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Microsoft Entra SQL Admins" -## Optionally provide non-AAD admin credentials for the VM +## Optionally provide non-Entra ID admin credentials for the VM # vm_admin_username = "daniem" # vm_admin_password = "**************" diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/shared.tf b/scenarios/secure-baseline-multitenant/terraform/spoke/shared.tf index 054c347c..875fe2ec 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/shared.tf +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/shared.tf 
@@ -13,15 +13,15 @@ module "devops_vm" { source = "../../../shared/terraform-modules/windows-vm" - resource_group = azurerm_resource_group.spoke.name - vm_name = "devops" - location = var.location - vm_subnet_id = module.network.subnets["devops"].id - admin_username = var.vm_admin_username - admin_password = var.vm_admin_password - aad_admin_username = var.vm_aad_admin_username - aad_admin_object_id = var.vm_aad_admin_object_id - global_settings = local.global_settings + resource_group = azurerm_resource_group.spoke.name + vm_name = "devops" + location = var.location + vm_subnet_id = module.network.subnets["devops"].id + admin_username = var.vm_admin_username + admin_password = var.vm_admin_password + entra_admin_username = var.vm_entra_admin_username + entra_admin_object_id = var.vm_entra_admin_object_id + global_settings = local.global_settings tags = local.base_tags diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/variables.tf b/scenarios/secure-baseline-multitenant/terraform/spoke/variables.tf index a54ac729..8c064392 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/variables.tf +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/variables.tf @@ -49,7 +49,7 @@ variable "location" { variable "tenant_id" { type = string - description = "The Azure AD tenant ID for the identities. If no value provided, will use current deployment environment tenant." + description = "The Microsoft Entra tenant ID for the identities. If no value provided, will use current deployment environment tenant." default = null } 
@@ -62,14 +62,14 @@ variable "tags" { ##################################### # Spoke Resource Configuration Variables ##################################### -variable "aad_admin_group_object_id" { +variable "entra_admin_group_object_id" { type = string - description = "The object ID of the Azure AD group that should be granted SQL Admin permissions to the SQL Server" + description = "The object ID of the Microsoft Entra group that should be granted SQL Admin permissions to the SQL Server" } -variable "aad_admin_group_name" { +variable "entra_admin_group_name" { type = string - description = "The name of the Azure AD group that should be granted SQL Admin permissions to the SQL Server" + description = "The name of the Microsoft Entra group that should be granted SQL Admin permissions to the SQL Server" } variable "bastion_subnet_name" { 
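Review bot: Renaming `aad_admin_group_object_id` and `aad_admin_group_name` to the `entra_*` names (and `vm_aad_admin_username`/`vm_aad_admin_object_id` to `vm_entra_admin_*` in the next hunk of this file) changes the spoke's public input interface while the two group variables keep no default, so any existing `*.tfvars` file or pipeline `-var` setting that still uses the old names stops working: Terraform only warns about an undeclared variable coming from a tfvars file, then fails or prompts for the now-missing required value. Since the rename is deliberate, a short migration note in the Terraform README listing the old→new pairs (`aad_admin_group_object_id` → `entra_admin_group_object_id`, `aad_admin_group_name` → `entra_admin_group_name`, `vm_aad_admin_*` → `vm_entra_admin_*`) would save operators a confusing first apply. The diffstat shows the matching rename in the sql-database and windows-vm module variables, which is what keeps spoke and modules consistent; those files are outside this chunk.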
@@ -149,24 +149,24 @@ variable "hub_settings" { variable "vm_admin_username" { type = string - description = "The username for the local VM admin account. Autogenerated if null. Prefer using the Azure AD admin account." + description = "The username for the local VM admin account. Autogenerated if null. Prefer using the Microsoft Entra admin account." default = null } variable "vm_admin_password" { type = string - description = "The password for the local VM admin account. Autogenerated if null. Prefer using the Azure AD admin account." + description = "The password for the local VM admin account. Autogenerated if null. Prefer using the Microsoft Entra admin account." default = null } -variable "vm_aad_admin_username" { +variable "vm_entra_admin_username" { type = string - description = "[Optional] The Azure AD username for the VM admin account. If vm_aad_admin_object_id is not specified, this value will be used." + description = "[Optional] The Microsoft Entra username for the VM admin account. If vm_entra_admin_object_id is not specified, this value will be used." default = null } -variable "vm_aad_admin_object_id" { +variable "vm_entra_admin_object_id" { type = string - description = "The Azure AD object ID for the VM admin user/group. If vm_aad_admin_username is not specified, this value will be used." + description = "The Microsoft Entra object ID for the VM admin user/group. If vm_entra_admin_username is not specified, this value will be used." default = null } variable "deployment_options" { diff --git a/scenarios/shared/bicep/cognitive-services/open-ai.bicep b/scenarios/shared/bicep/cognitive-services/open-ai.bicep index 7f833036..66e6ea67 100644 --- a/scenarios/shared/bicep/cognitive-services/open-ai.bicep +++ b/scenarios/shared/bicep/cognitive-services/open-ai.bicep 
@@ -104,7 +104,7 @@ param allowedFqdnList array = [] @description('Optional. The API properties for special APIs.') param apiProperties object = {} -@description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.') +@description('Optional. Allow only Microsoft Entra authentication. Should be enabled for security reasons.') param disableLocalAuth bool = true @description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') diff --git a/scenarios/shared/bicep/compute/jumphost-win11.bicep b/scenarios/shared/bicep/compute/jumphost-win11.bicep index af982223..8e1b9612 100644 --- a/scenarios/shared/bicep/compute/jumphost-win11.bicep +++ b/scenarios/shared/bicep/compute/jumphost-win11.bicep @@ -27,7 +27,7 @@ param adminUsername string = 'azureuser' @secure() param adminPassword string -param enableAzureAdJoin bool = true +param enableEntraJoin bool = true @description('optional, default value is Standard_B2ms') param vmSize string = 'Standard_B2ms' @@ -63,7 +63,7 @@ param installSsms bool = false // Variables // // =========== // -var aadLoginExtensionName = 'AADLoginForWindows' +var entraLoginExtensionName = 'AADLoginForWindows' var vmNameMaxLength = 64 var vmName = length(name) > vmNameMaxLength ? substring(name, 0, vmNameMaxLength) : name 
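Review bot: `param enableEntraJoin bool = true` in the jumphost-win11.bicep hunk is the only parameter shown without an `@description` decorator, and since the commit gives it a new name this is the moment to document it: `@description('Optional. When true, installs the AADLoginForWindows extension so the VM can be signed into with Microsoft Entra ID accounts. Defaults to true.')`. In the following hunk the variable is renamed to `entraLoginExtensionName` but its value is deliberately kept as `'AADLoginForWindows'`, because that is still the extension type published under `Microsoft.Azure.ActiveDirectory`; a one-line comment on that `var` line such as `// extension type name is still AADLoginForWindows - do not rename the value` would stop a later cleanup from breaking the deployment. Renaming a parameter of a shared module also breaks every caller: the diffstat updates only `bicep/modules/vmJumphost.module.bicep`, so any other template in the repo still passing `enableAzureAdJoin` would fail to compile and is worth a grep before merge.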
@@ -151,13 +151,13 @@ resource jumphost 'Microsoft.Compute/virtualMachines@2022-08-01' = { } } -resource virtualMachineName_aadLoginExtensionName 'Microsoft.Compute/virtualMachines/extensions@2022-11-01' = if (enableAzureAdJoin) { +resource virtualMachineName_entraLoginExtensionName 'Microsoft.Compute/virtualMachines/extensions@2022-11-01' = if (enableEntraJoin) { parent: jumphost - name: aadLoginExtensionName + name: entraLoginExtensionName location: location properties: { publisher: 'Microsoft.Azure.ActiveDirectory' - type: aadLoginExtensionName + type: entraLoginExtensionName typeHandlerVersion: '1.0' autoUpgradeMinorVersion: true } diff --git a/scenarios/shared/bicep/role-assignments/roledefinitions.json b/scenarios/shared/bicep/role-assignments/roledefinitions.json index b84c913e..2af6469f 100644 --- a/scenarios/shared/bicep/role-assignments/roledefinitions.json +++ b/scenarios/shared/bicep/role-assignments/roledefinitions.json @@ -1686,12 +1686,12 @@ }, { "ID": "/subscriptions/0a52391c-0d81-434e-90b4-d04f5c670e8a/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb", - "description": "Can view Azure AD Domain Services and related network configurations", + "description": "Can view Microsoft Entra Domain Services and related network configurations", "roleName": "Domain Services Reader" }, { "ID": "/subscriptions/0a52391c-0d81-434e-90b4-d04f5c670e8a/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2", - "description": "Can manage Azure AD Domain Services and related network configurations", + "description": "Can manage Microsoft Entra Domain Services and related network configurations", "roleName": "Domain Services Contributor" }, { 
@@ -1701,7 +1701,7 @@ }, { "ID": "/subscriptions/0a52391c-0d81-434e-90b4-d04f5c670e8a/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e", - "description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.", + "description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Microsoft Entra authentication.", "roleName": "Data Operator for Managed Disks" }, { diff --git a/scenarios/shared/terraform-modules/firewall/module.tf b/scenarios/shared/terraform-modules/firewall/module.tf index 18350893..96bede1b 100644 --- a/scenarios/shared/terraform-modules/firewall/module.tf +++ b/scenarios/shared/terraform-modules/firewall/module.tf @@ -217,11 +217,11 @@ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { action = "Allow" rule { - name = "allow-azure-ad-join" + name = "allow-entra-idS-join" source_addresses = var.devops_subnet_cidr - # https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows + # https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows target_fqdns = [ "enterpriseregistration.windows.net", "pas.windows.net", diff --git a/scenarios/shared/terraform-modules/key-vault/README.md b/scenarios/shared/terraform-modules/key-vault/README.md index cc6ea84a..423b3f13 100644 --- a/scenarios/shared/terraform-modules/key-vault/README.md +++ b/scenarios/shared/terraform-modules/key-vault/README.md 
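Review bot: The renamed firewall application rule `name = "allow-entra-idS-join"` looks like a typo (`idS`); this string is the rule's name in Azure Firewall and is what operators see in the portal and in rule-hit logs, so it should read `name = "allow-entra-id-join"` (or `allow-entra-join`, which would match the `enableEntraJoin` / `enable_microsoft_entra_join` naming used elsewhere in this commit). Renaming a nested `rule` should be an in-place update of the collection rather than a replacement, but the enclosing `azurerm_firewall_application_rule_collection` block starts before this hunk, so that cannot be confirmed from here.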
@@ -44,7 +44,7 @@ No modules. | [secret\_reader\_identities](#input\_secret\_reader\_identities) | The list of identities that will be granted secret reader permissions | `list(string)` | n/a | yes | | [sku\_name](#input\_sku\_name) | The sku name for the app service plan | `string` | `"standard"` | no | | [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `{}` | no | -| [tenant\_id](#input\_tenant\_id) | The Microsoft Entra ID tenant ID for the identities. If no value provided, will use current deployment environment tenant. | `string` | `null` | no | +| [tenant\_id](#input\_tenant\_id) | The Microsoft Entra tenant ID for the identities. If no value provided, will use current deployment environment tenant. | `string` | `null` | no | | [unique\_id](#input\_unique\_id) | The unique id | `string` | n/a | yes | ## Outputs diff --git a/scenarios/shared/terraform-modules/key-vault/variables.tf b/scenarios/shared/terraform-modules/key-vault/variables.tf index 9288f327..f5981702 100644 --- a/scenarios/shared/terraform-modules/key-vault/variables.tf +++ b/scenarios/shared/terraform-modules/key-vault/variables.tf @@ -22,7 +22,7 @@ variable "location" { variable "tenant_id" { type = string - description = "The Azure AD tenant ID for the identities. If no value provided, will use current deployment environment tenant." + description = "The Microsoft Entra tenant ID for the identities. If no value provided, will use current deployment environment tenant." default = null } diff --git a/scenarios/shared/terraform-modules/sql-database/README.md b/scenarios/shared/terraform-modules/sql-database/README.md index 5436eee3..15b594d7 100644 --- a/scenarios/shared/terraform-modules/sql-database/README.md +++ b/scenarios/shared/terraform-modules/sql-database/README.md @@ -1,6 +1,6 @@ -# sql-database - - +# sql-database + + ## Requirements No requirements. 
@@ -31,9 +31,9 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aad\_admin\_group\_name](#input\_aad\_admin\_group\_name) | n/a | `string` | n/a | yes | -| [aad\_admin\_group\_object\_id](#input\_aad\_admin\_group\_object\_id) | n/a | `string` | n/a | yes | | [application\_name](#input\_application\_name) | The name of your application | `string` | n/a | yes | +| [entra\_admin\_group\_name](#input\_entra\_admin\_group\_name) | n/a | `string` | n/a | yes | +| [entra\_admin\_group\_object\_id](#input\_entra\_admin\_group\_object\_id) | n/a | `string` | n/a | yes | | [environment](#input\_environment) | The environment (dev, test, prod...) | `string` | `"dev"` | no | | [global\_settings](#input\_global\_settings) | Global settings for the naming convention module. | `any` | n/a | yes | | [location](#input\_location) | The Azure region where all resources in this example should be created | `string` | `"westus2"` | no | @@ -52,4 +52,4 @@ No modules. | [sql\_db\_connection\_string](#output\_sql\_db\_connection\_string) | n/a | | [sql\_db\_name](#output\_sql\_db\_name) | n/a | | [sql\_server\_name](#output\_sql\_server\_name) | n/a | - + diff --git a/scenarios/shared/terraform-modules/sql-database/module.tf b/scenarios/shared/terraform-modules/sql-database/module.tf index c948683e..c5d7ccf0 100644 --- a/scenarios/shared/terraform-modules/sql-database/module.tf +++ b/scenarios/shared/terraform-modules/sql-database/module.tf @@ -24,8 +24,8 @@ resource "azurerm_mssql_server" "this" { tags = local.tags azuread_administrator { - login_username = var.aad_admin_group_name - object_id = var.aad_admin_group_object_id + login_username = var.entra_admin_group_name + object_id = var.entra_admin_group_object_id azuread_authentication_only = true tenant_id = var.tenant_id } 
diff --git a/scenarios/shared/terraform-modules/sql-database/variables.tf b/scenarios/shared/terraform-modules/sql-database/variables.tf
index d05c2016..26c4a181 100644
--- a/scenarios/shared/terraform-modules/sql-database/variables.tf
+++ b/scenarios/shared/terraform-modules/sql-database/variables.tf
@@ -30,11 +30,11 @@ variable "tenant_id" {
 description = "The tenant id where the resources will be created"
 }
 
-variable "aad_admin_group_object_id" {
+variable "entra_admin_group_object_id" {
 type = string
 }
 
-variable "aad_admin_group_name" {
+variable "entra_admin_group_name" {
 type = string
 }
 
diff --git a/scenarios/shared/terraform-modules/windows-vm-ext/README.md b/scenarios/shared/terraform-modules/windows-vm-ext/README.md
index abe8b942..55f0d3b0 100644
--- a/scenarios/shared/terraform-modules/windows-vm-ext/README.md
+++ b/scenarios/shared/terraform-modules/windows-vm-ext/README.md
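Review bot: The renamed inputs `entra_admin_group_object_id` and `entra_admin_group_name` still have no `description`, which is why the regenerated sql-database README in this commit prints `n/a` for both. The module.tf hunk binds them to `object_id` and `login_username` of the server's `azuread_administrator` block with `azuread_authentication_only = true`, so they define the only principal that can log in to the SQL server and deserve to be documented; suggest `description = "Object ID of the Microsoft Entra group that becomes the SQL server administrator. Entra-only authentication is enforced, so this is the only login on the server."` and `description = "Display name of the Microsoft Entra administrator group; used as the SQL administrator login name."`. The rename itself is a breaking interface change for any consumer of this module outside the repository, which a README or changelog line should state.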
@@ -19,14 +19,14 @@ No modules. | Name | Type | |------|------| -| [azurerm_virtual_machine_extension.aad](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension) | resource | +| [azurerm_virtual_machine_extension.entra](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension) | resource | | [azurerm_virtual_machine_extension.install_ssms](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [enable\_azure\_ad\_join](#input\_enable\_azure\_ad\_join) | True to enable Microsoft Entra ID join of the VM. | `bool` | `true` | no | +| [enable\_microsoft\_entra\_join](#input\_enable\_microsoft\_entra\_join) | True to enable Microsoft Entra join of the VM. | `bool` | `true` | no | | [enroll\_with\_mdm](#input\_enroll\_with\_mdm) | True to enroll the device with an approved MDM provider like Intune. | `bool` | `true` | no | | [install\_extensions](#input\_install\_extensions) | n/a | `bool` | `false` | no | | [mdm\_id](#input\_mdm\_id) | The default value is the MDM Id for Intune, but you can use your own MDM id if you want to use a different MDM service. | `string` | `"0000000a-0000-0000-c000-000000000000"` | no | diff --git a/scenarios/shared/terraform-modules/windows-vm-ext/main.tf b/scenarios/shared/terraform-modules/windows-vm-ext/main.tf index 86dc4d1c..2d0bf743 100644 --- a/scenarios/shared/terraform-modules/windows-vm-ext/main.tf +++ b/scenarios/shared/terraform-modules/windows-vm-ext/main.tf @@ -1,5 +1,5 @@ -resource "azurerm_virtual_machine_extension" "aad" { - count = var.enable_azure_ad_join ? 1 : 0 +resource "azurerm_virtual_machine_extension" "entra" { + count = var.enable_microsoft_entra_join ? 1 : 0 name = "aad-login-for-windows" publisher = "Microsoft.Azure.ActiveDirectory" 
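Review bot: Renaming the resource address from `azurerm_virtual_machine_extension.aad` to `azurerm_virtual_machine_extension.entra` without a `moved` block will make Terraform plan a destroy of the existing `aad-login-for-windows` extension and a create under the new address on every deployment that already has state, which temporarily removes Entra sign-in from the jumphost and is easy to miss in a rename-only commit. Add a `moved` block (Terraform 1.1 or later) in the same file so the rename becomes a pure state move; with `count` on the resource the block moves all instances. The resource body continues past the end of this hunk. The input rename `enable_azure_ad_join` → `enable_microsoft_entra_join` in the variables.tf hunk that follows is likewise breaking for consumers outside this repository and has no alias.
```hcl
moved {
  from = azurerm_virtual_machine_extension.aad
  to   = azurerm_virtual_machine_extension.entra
}

resource "azurerm_virtual_machine_extension" "entra" {
  count = var.enable_microsoft_entra_join ? 1 : 0
  # … unchanged: name, publisher and the remaining extension settings …
```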
diff --git a/scenarios/shared/terraform-modules/windows-vm-ext/variables.tf b/scenarios/shared/terraform-modules/windows-vm-ext/variables.tf
index 7cde6360..ac590417 100644
--- a/scenarios/shared/terraform-modules/windows-vm-ext/variables.tf
+++ b/scenarios/shared/terraform-modules/windows-vm-ext/variables.tf
@@ -8,10 +8,10 @@ variable "install_extensions" {
 default = false
 }
 
-variable "enable_azure_ad_join" {
+variable "enable_microsoft_entra_join" {
 type = bool
 default = true
-description = "True to enable Azure AD join of the VM."
+description = "True to enable Microsoft Entra join of the VM."
 }
 
 variable "enroll_with_mdm" {
diff --git a/scenarios/shared/terraform-modules/windows-vm/README.md b/scenarios/shared/terraform-modules/windows-vm/README.md
index 10fed98d..d9be0244 100644
--- a/scenarios/shared/terraform-modules/windows-vm/README.md
+++ b/scenarios/shared/terraform-modules/windows-vm/README.md
@@ -35,10 +35,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aad\_admin\_object\_id](#input\_aad\_admin\_object\_id) | The Microsoft Entra ID object ID for the VM admin user/group. If aad\_admin\_username is not specified, this value will be used. | `string` | `null` | no | -| [aad\_admin\_username](#input\_aad\_admin\_username) | [Optional] The Microsoft Entra ID username for the VM admin account. If aad\_admin\_object\_id is not specified, this value will be used. | `string` | `null` | no | | [admin\_password](#input\_admin\_password) | n/a | `string` | `null` | no | | [admin\_username](#input\_admin\_username) | n/a | `string` | `null` | no | +| [entra\_admin\_object\_id](#input\_entra\_admin\_object\_id) | The Microsoft Entra ID for the VM admin user/group. If entra\_admin\_username is not specified, this value will be used. | `string` | `null` | no | +| [entra\_admin\_username](#input\_entra\_admin\_username) | [Optional] The Microsoft Entra ID username for the VM admin account. If entra\_admin\_object\_id is not specified, this value will be used. | `string` | `null` | no | | [global\_settings](#input\_global\_settings) | Global settings for the naming convention module. | `any` | n/a | yes | | [identity](#input\_identity) | The identity type and the list of identities ids |
object({
type = string
identity_ids = optional(list(string))
})
|
{
"identity_ids": [],
"type": "SystemAssigned"
}
| no | | [key\_vault\_id](#input\_key\_vault\_id) | Optional ID of the key vault to store the VM password | `string` | `null` | no | diff --git a/scenarios/shared/terraform-modules/windows-vm/module.tf b/scenarios/shared/terraform-modules/windows-vm/module.tf index a75ea8fb..85b624c4 100644 --- a/scenarios/shared/terraform-modules/windows-vm/module.tf +++ b/scenarios/shared/terraform-modules/windows-vm/module.tf @@ -86,13 +86,13 @@ resource "azurerm_windows_virtual_machine" "vm" { } data "azuread_user" "vm_admin" { - count = var.aad_admin_object_id != null ? 0 : 1 + count = var.entra_admin_object_id != null ? 0 : 1 - user_principal_name = var.aad_admin_username + user_principal_name = var.entra_admin_username } resource "azurerm_role_assignment" "vm_admin_role_assignment" { scope = azurerm_windows_virtual_machine.vm.id role_definition_name = "Virtual Machine Administrator Login" - principal_id = var.aad_admin_object_id != null ? var.aad_admin_object_id : data.azuread_user.vm_admin[0].object_id + principal_id = var.entra_admin_object_id != null ? var.entra_admin_object_id : data.azuread_user.vm_admin[0].object_id } \ No newline at end of file diff --git a/scenarios/shared/terraform-modules/windows-vm/variables.tf b/scenarios/shared/terraform-modules/windows-vm/variables.tf index 7c6c705e..213bd502 100644 --- a/scenarios/shared/terraform-modules/windows-vm/variables.tf +++ b/scenarios/shared/terraform-modules/windows-vm/variables.tf 
@@ -47,15 +47,15 @@ variable "admin_password" {
 default = null
 }
 
-variable "aad_admin_username" {
+variable "entra_admin_username" {
 type = string
-description = "[Optional] The Azure AD username for the VM admin account. If aad_admin_object_id is not specified, this value will be used."
+description = "[Optional] The Microsoft Entra ID username for the VM admin account. If entra_admin_object_id is not specified, this value will be used."
 default = null
 }
 
-variable "aad_admin_object_id" {
+variable "entra_admin_object_id" {
 type = string
-description = "The Azure AD object ID for the VM admin user/group. If aad_admin_username is not specified, this value will be used."
+description = "The Microsoft Entra ID for the VM admin user/group. If entra_admin_username is not specified, this value will be used."
 default = null
 }
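Review bot: The new description for `entra_admin_object_id` dropped the word "object": `The Microsoft Entra ID for the VM admin user/group` now reads as a tenant or directory identifier, whereas the windows-vm module.tf hunk in this commit passes the value straight to `principal_id` of the `Virtual Machine Administrator Login` role assignment, i.e. it is the principal's object ID, and that role grants local administrator sign-in on the VM. Suggest `description = "The Microsoft Entra object ID of the VM admin user or group. If entra_admin_username is not specified, this value will be used."`. The same wording regression appears in the generated README table for this module, which looks terraform-docs style and should be regenerated after the description is fixed rather than edited by hand.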