Feature/terraform refactor for Scenarios 1 and 2 #178

Merged
merged 77 commits into from
Aug 11, 2023

Conversation

JinLee794
Contributor

@JinLee794 JinLee794 commented Jul 31, 2023

Description

#106

  • Refactored the modules to align to CAF module design.
  • Refactored the solution deployments to deploy via said modules.
  • Restructured directories to share the TF modules across scenarios.
  • Updated documentation to incorporate deployment instructions for Terraform as well as how to configure OIDC for the actions pipelines.

Pipeline references

For module/pipeline changes, please create and attach the status badge of your successful run.

Pipeline
https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml
https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml
https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml

Type of Change

Please delete options that are not relevant.

  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Update to documentation

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • My corresponding pipelines / checks run clean and green without any errors or warnings
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (readme)
  • I did format my code

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/e988bc5b-e51e-4ae2-a06d-4b84c6f2d008/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted
  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null
        name                = "Azure-Monitor-FQDNs"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted
  - resource "azurerm_firewall_application_rule_collection" "core" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null
        name                = "Core-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null
        name                = "Devops-VM-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null
        name                = "Windows-VM-Connectivity-Requirements"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-ad-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ firewall_rules      = {
      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)
      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)
    }

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/2c4a420f-fd26-4da7-9db9-65cbf0e1cf88/terraform-bin show -no-color tfplan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.bastion[0].azurecaf_name.caf_name_pip must be replaced
-/+ resource "azurecaf_name" "caf_name_pip" {
      ~ id            = "fjjblixfamhcidbf" -> (known after apply)
      ~ name          = "lzademo" -> "lzademo-bastion" # forces replacement
      ~ result        = "secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.bastion[0].azurerm_bastion_host.bastion must be replaced
-/+ resource "azurerm_bastion_host" "bastion" {
      ~ dns_name               = "bst-a8088446-d9ec-40d0-9170-011026643819.bastion.azure.com" -> (known after apply)
      ~ id                     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/bastionHosts/secure-baseline-2-ase-wus2-vnet-lzademo" -> (known after apply)
        name                   = "secure-baseline-2-ase-wus2-vnet-lzademo"
        tags                   = {
            "Environment" = "dev"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 2] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
        # (9 unchanged attributes hidden)

      ~ ip_configuration {
            name                 = "bastionHostIpConfiguration"
          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement
            # (1 unchanged attribute hidden)
        }
    }

  # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced
-/+ resource "azurerm_public_ip" "bastion_pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply)
      ~ ip_address              = "172.171.114.221" -> (known after apply)
      - ip_tags                 = {} -> null
      ~ name                    = "secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement
        tags                    = {
            "Environment" = "dev"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 2] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
      - zones                   = [] -> null
        # (8 unchanged attributes hidden)
    }

  # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place
  ~ resource "azurerm_subnet" "this" {
        id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment"
        name                                           = "hostingEnvironment"
        # (9 unchanged attributes hidden)

      ~ delegation {
            name = "Microsoft.Web/serverFarms"

          ~ service_delegation {
              ~ actions = [
                  - "Microsoft.Network/virtualNetworks/subnets/action",
                  + "Microsoft.Network/virtualNetworks/subnets/join/action",
                  + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
                ]
                name    = "Microsoft.Web/hostingEnvironments"
            }
        }
    }

Plan: 3 to add, 1 to change, 3 to destroy.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/913c9e99-f748-46c8-8cb6-170309df7c76/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.network.azurerm_virtual_network.this has changed
  ~ resource "azurerm_virtual_network" "this" {
        id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
        name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
      ~ subnet                  = [
          + {
              + address_prefix = "10.240.0.0/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              + name           = "serverFarm"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.0.64/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              + name           = "ingress"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.10.128/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              + name           = "devops"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.11.0/24"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              + name           = "privateLink"
              + security_group = ""
            },
        ]
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (6 unchanged attributes hidden)
    }

  # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
        name                                                  = "privatelink.azurewebsites.net"
      ~ number_of_record_sets                                 = 1 -> 5
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
        name                                                  = "privatelink.database.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
        name                                                  = "privatelink.azconfig.io"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
        name                                                  = "privatelink.vaultcore.azure.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
        name                                                  = "privatelink.redis.cache.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@kunalbabre kunalbabre requested a review from adrianhall August 2, 2023 15:39
@github-actions

github-actions bot commented Aug 2, 2023

Terraform Plan failed

Plan Error Output


Error: Finding user with UPN: "jinle_microsoft.com#EXT#@customersuccessunit.onmicrosoft.com"

  with module.devops_vm[0].data.azuread_user.vm_admin,
  on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin":
  88: data "azuread_user" "vm_admin" {

UsersClient.BaseClient.Get(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

Error: Finding user with UPN: "jinle_microsoft.com#EXT#@customersuccessunit.onmicrosoft.com"

  with module.jumpbox_vm[0].data.azuread_user.vm_admin,
  on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin":
  88: data "azuread_user" "vm_admin" {

UsersClient.BaseClient.Get(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

@github-actions

github-actions bot commented Aug 2, 2023

Terraform Format and Style 🖌``

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/3645858d-f180-4fea-bfc2-3ac41f944f0b/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted
  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null
        name                = "Azure-Monitor-FQDNs"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted
  - resource "azurerm_firewall_application_rule_collection" "core" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null
        name                = "Core-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null
        name                = "Devops-VM-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null
        name                = "Windows-VM-Connectivity-Requirements"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-ad-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ firewall_rules      = {
      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)
      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)
    }
::debug::Terraform exited with code 0.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions bot commented Aug 2, 2023

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/a5f78226-09e1-4238-9d14-5a558326d8b4/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.network.azurerm_virtual_network.this has changed
  ~ resource "azurerm_virtual_network" "this" {
        id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
        name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
      ~ subnet                  = [
          + {
              + address_prefix = "10.240.0.0/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              + name           = "serverFarm"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.0.64/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              + name           = "ingress"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.10.128/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              + name           = "devops"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.11.0/24"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              + name           = "privateLink"
              + security_group = ""
            },
        ]
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (6 unchanged attributes hidden)
    }

  # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
        name                                                  = "privatelink.azurewebsites.net"
      ~ number_of_record_sets                                 = 1 -> 5
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
        name                                                  = "privatelink.database.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
        name                                                  = "privatelink.azconfig.io"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
        name                                                  = "privatelink.vaultcore.azure.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
        name                                                  = "privatelink.redis.cache.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
::debug::Terraform exited with code 0.
changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A  ~ update in-place%0A%0ATerraform will perform the following actions:%0A%0A  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place%0A  ~ resource "azurerm_monitor_diagnostic_setting" "this" {%0A        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A      + log_analytics_destination_type = "AzureDiagnostics"%0A        name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A        # (2 unchanged attributes hidden)%0A%0A        # (4 unchanged blocks hidden)%0A    }%0A%0APlan: 0 to add, 1 to change, 0 to destroy.%0A
::debug::stderr: 
::debug::exitcode: 0

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@github-actions

github-actions bot commented Aug 7, 2023

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/1a0f5212-0e99-4421-943d-57131bdcc73e/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted
  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null
        name                = "Azure-Monitor-FQDNs"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted
  - resource "azurerm_firewall_application_rule_collection" "core" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null
        name                = "Core-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null
        name                = "Devops-VM-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null
        name                = "Windows-VM-Connectivity-Requirements"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-ad-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ firewall_rules      = {
      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)
      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)
    }

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions bot commented Aug 7, 2023

Terraform Plan failed

Plan Error Output


Error: Finding user with UPN: "AppSvcLZA Azure AD SQL Admins"

  with module.devops_vm[0].data.azuread_user.vm_admin,
  on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin":
  88: data "azuread_user" "vm_admin" {

UsersClient.BaseClient.Get(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

Error: Finding user with UPN: "AppSvcLZA Azure AD SQL Admins"

  with module.jumpbox_vm[0].data.azuread_user.vm_admin,
  on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin":
  88: data "azuread_user" "vm_admin" {

UsersClient.BaseClient.Get(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

github-actions bot commented Aug 7, 2023

Terraform Format and Style 🖌

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/d55352ed-ef08-403a-ad47-b0ac1ce05f42/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.network.azurerm_virtual_network.this has changed
  ~ resource "azurerm_virtual_network" "this" {
        id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
        name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
      ~ subnet                  = [
          + {
              + address_prefix = "10.240.0.0/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              + name           = "serverFarm"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.0.64/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              + name           = "ingress"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.10.128/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              + name           = "devops"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.11.0/24"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              + name           = "privateLink"
              + security_group = ""
            },
        ]
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (6 unchanged attributes hidden)
    }

  # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
        name                                                  = "privatelink.azurewebsites.net"
      ~ number_of_record_sets                                 = 1 -> 5
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
        name                                                  = "privatelink.database.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
        name                                                  = "privatelink.azconfig.io"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
        name                                                  = "privatelink.vaultcore.azure.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
        name                                                  = "privatelink.redis.cache.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions bot commented Aug 7, 2023

Terraform Format and Style 🖌

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/9d8d857b-a39e-4bb7-9f13-86746012d79f/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted
  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null
        name                = "Azure-Monitor-FQDNs"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted
  - resource "azurerm_firewall_application_rule_collection" "core" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null
        name                = "Core-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null
        name                = "Devops-VM-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null
        name                = "Windows-VM-Connectivity-Requirements"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + name             = "allow-azure-ad-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ firewall_rules      = {
      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)
      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)
    }

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline


github-actions bot commented Aug 7, 2023

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/c14153a7-332a-44a0-bfc7-33d8260583e7/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.network.azurerm_virtual_network.this has changed
  ~ resource "azurerm_virtual_network" "this" {
        id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
        name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
      ~ subnet                  = [
          + {
              + address_prefix = "10.240.0.0/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              + name           = "serverFarm"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.0.64/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              + name           = "ingress"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.10.128/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              + name           = "devops"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.11.0/24"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              + name           = "privateLink"
              + security_group = ""
            },
        ]
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (6 unchanged attributes hidden)
    }

  # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
        name                                                  = "privatelink.azurewebsites.net"
      ~ number_of_record_sets                                 = 1 -> 5
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
        name                                                  = "privatelink.database.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
        name                                                  = "privatelink.azconfig.io"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
        name                                                  = "privatelink.vaultcore.azure.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
        name                                                  = "privatelink.redis.cache.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@ibersanoMS ibersanoMS left a comment

Overall, great job restructuring. Some of my comments are repeats bc I found the same thing in a couple of areas (location consistency, removing commented out code, etc.).

owner = "[email protected]"

vm_aad_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Azure AD SQL Admins"
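Review bot: vm_aad_admin_object_id is set to a literal object ID whose only explanation is the trailing comment, and that comment names a SQL admins group while the variable is the VM admin. An object ID is only meaningful in the tenant where the group was created, so suggest dropping it from the committed tfvars and supplying it per environment (for example as TF_VAR_vm_aad_admin_object_id in the pipeline), and confirming that the SQL admins group is really the intended VM admin principal.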

Should this be hard coded here? I'm assuming this corresponds to a group created pre-deployment

run: terraform validate -no-color
run: |
terraform validate -no-color
echo "::set-output name=stdout::$(terraform validate -no-color)"
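Review bot: the new run block executes terraform validate twice, once on its own line and once inside the command substitution on the echo line, so the recorded stdout does not come from the run that decides the step's exit status. Suggest capturing the output once into a shell variable, writing that variable to the step output, and exiting with the captured status.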

set-output is deprecated. You'll need to do:
echo stdout=$(terraform validate -no-color) >> $GITHUB_OUTPUT
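The following is an added example, not code from this PR or from the reviewer: one way to write a possibly multi-line command output to `$GITHUB_OUTPUT` using GitHub Actions' `name<<DELIMITER` multi-line form, running the command only once. The helper names `set_output` and `capture_step` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: safe step outputs for GitHub Actions.
# set_output and capture_step are hypothetical helper names.

# Append NAME=VALUE to $GITHUB_OUTPUT using the multi-line delimiter form,
# so embedded newlines in VALUE are preserved and cannot define extra outputs.
set_output() {
  # usage: set_output NAME VALUE
  local name="$1" value="$2" delim
  if [ -z "${GITHUB_OUTPUT:-}" ]; then
    echo "GITHUB_OUTPUT is not set" >&2
    return 1
  fi

  # Output names are restricted to simple identifiers.
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "invalid output name: $name" >&2; return 2 ;;
  esac

  # Random delimiter: the value cannot close the block early by guessing it.
  delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  case $value in
    *"$delim"*) echo "value contains the delimiter" >&2; return 3 ;;
  esac

  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$GITHUB_OUTPUT"
}

# Run a command once, record its combined stdout/stderr as output NAME,
# echo it to the job log, and return the command's own exit status.
capture_step() {
  # usage: capture_step NAME COMMAND [ARGS...]
  local name="$1" out rc
  shift
  out=$("$@" 2>&1) && rc=0 || rc=$?
  set_output "$name" "$out" || return
  printf '%s\n' "$out"
  return "$rc"
}
```

In a workflow step this would be called as `capture_step stdout terraform validate -no-color`, which fails the step when validation fails while still recording the output.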

}


# locals {

I would suggest removing any commented out code once you're committed to the module format

}
variable "vm_aad_admin_object_id" {
type = string
description = "The Azure AD username for the VM admin account. If aad_admin_username is not specified, this value will be used."
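Review bot: the description on vm_aad_admin_object_id describes a username, although the variable holds an object ID, and it refers to aad_admin_username while the companion variable shown in this review is vm_aad_admin_username. The two descriptions also each say the value is used when the other is not specified, which leaves the precedence undefined when both are set. Suggest describing this one as the Azure AD object ID of the VM admin principal and stating which of the two inputs wins.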

Description needs review


variable "vm_aad_admin_username" {
type = string
description = "[Optional] The Azure AD username for the VM admin account. If aad_admin_object_id is not specified, this value will be used."

Description needs review

variable "location" {
type = string
description = "The Azure region where all resources in this example should be created"
default = "westeurope"
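Review bot: the default of "westeurope" on location does not match the westus3 and westus2 regions that the plans posted on this PR deploy to, so a caller that omits the variable lands in a different region from the rest of the scenario. Suggest removing the default so the region must be passed explicitly, or aligning it with the scenario's input parameters.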

Location consistency

error_message = "Please, choose among one of the following operating systems: Windows or Linux."
}

# validation {

Is this needed here?

lower("${azurerm_windows_web_app.this.name}-${azurerm_windows_web_app_slot.slot.name}.scm")
]

depends_on = [

Dependency implied by ref above

variable "location" {
type = string
description = "The Azure region where all resources in this example should be created"
default = "westeurope"

Location consistency

variable "location" {
type = string
description = "The Azure region where all resources in this example should be created"
default = "westeurope"

Location consistency

…scenario 2 input param for location to westus2 from westus3

github-actions bot commented Aug 9, 2023

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/91195bd7-a6a1-4e71-bad7-1b678f0918a4/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted
  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null
        name                = "Azure-Monitor-FQDNs"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted
  - resource "azurerm_firewall_application_rule_collection" "core" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null
        name                = "Core-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null
        name                = "Devops-VM-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null
        name                = "Windows-VM-Connectivity-Requirements"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurecaf_name.caf_name_hub_rg must be replaced
-/+ resource "azurecaf_name" "caf_name_hub_rg" {
      ~ id            = "akckvaegwemunepv" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurerm_resource_group.hub must be replaced
-/+ resource "azurerm_resource_group" "hub" {
      ~ id       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
      ~ location = "westus3" -> "westus2" # forces replacement
      ~ name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
    }

  # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced
-/+ resource "azurecaf_name" "caf_name_bastion" {
      ~ id            = "wbujomtsfcqdpxod" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.bastion[0].azurecaf_name.caf_name_pip must be replaced
-/+ resource "azurecaf_name" "caf_name_pip" {
      ~ id            = "paqdxwmbugcxjhhq" -> (known after apply)
        name          = "eslz2-bastion"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.bastion[0].azurerm_bastion_host.bastion must be replaced
-/+ resource "azurerm_bastion_host" "bastion" {
      ~ dns_name               = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply)
      ~ id                     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
      ~ location               = "westus3" -> "westus2" # forces replacement
      ~ name                   = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name    = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                   = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
        # (7 unchanged attributes hidden)

      ~ ip_configuration {
            name                 = "bastionHostIpConfiguration"
          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement
          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement
        }
    }

  # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced
-/+ resource "azurerm_public_ip" "bastion_pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)
      ~ ip_address              = "20.163.49.112" -> (known after apply)
      - ip_tags                 = {} -> null
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
      - zones                   = [] -> null
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced
-/+ resource "azurecaf_name" "caf_name_firewall" {
      ~ id            = "dtqvqxowbnalaruk" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced
-/+ resource "azurecaf_name" "caf_name_law" {
      ~ id            = "lofxpwfygywepldl" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_pip must be replaced
-/+ resource "azurecaf_name" "caf_name_pip" {
      ~ id            = "ofhucdctoijllhdb" -> (known after apply)
        name          = "eslz2-fw"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurerm_firewall.firewall must be replaced
-/+ resource "azurerm_firewall" "firewall" {
      - dns_servers         = [] -> null
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement
      - private_ip_ranges   = [] -> null
      ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "firewall"
        }
      ~ threat_intel_mode   = "Alert" -> (known after apply)
      - zones               = [] -> null
        # (2 unchanged attributes hidden)

      ~ ip_configuration {
            name                 = "firewallIpConfiguration"
          ~ private_ip_address   = "10.242.0.4" -> (known after apply)
          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-ad-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

  # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced
-/+ resource "azurerm_log_analytics_workspace" "law" {
      - cmk_for_query_forced               = false -> null
      ~ id                                 = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ location                           = "westus3" -> "westus2" # forces replacement
      ~ name                               = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ primary_shared_key                 = (sensitive value)
      + reservation_capacity_in_gb_per_day = (known after apply)
      ~ resource_group_name                = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ retention_in_days                  = 30 -> (known after apply)
      ~ secondary_shared_key               = (sensitive value)
      - tags                               = {} -> null
      ~ workspace_id                       = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced
-/+ resource "azurerm_monitor_diagnostic_setting" "this" {
      ~ id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply)
      ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)
      ~ log_analytics_workspace_id     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ name                           = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement
      ~ target_resource_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement

      - log {
          - category_group = "allLogs" -> null
          - enabled        = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced
-/+ resource "azurerm_public_ip" "firewall_pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
      ~ ip_address              = "20.25.176.182" -> (known after apply)
      - ip_tags                 = {} -> null
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "firewall"
        }
      - zones                   = [] -> null
        # (6 unchanged attributes hidden)
    }

  # module.network.azurecaf_name.caf_name_vnet must be replaced
-/+ resource "azurecaf_name" "caf_name_vnet" {
      ~ id            = "pvwuveykntdcxsyc" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.network.azurerm_subnet.this[0] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply)
        name                                           = "AzureFirewallSubnet"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[1] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply)
        name                                           = "AzureBastionSubnet"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network.this must be replaced
-/+ resource "azurerm_virtual_network" "this" {
      ~ dns_servers             = [] -> (known after apply)
      - flow_timeout_in_minutes = 0 -> null
      ~ guid                    = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ subnet                  = [
          - {
              - address_prefix = "10.242.0.0/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet"
              - name           = "AzureFirewallSubnet"
              - security_group = ""
            },
          - {
              - address_prefix = "10.242.0.64/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet"
              - name           = "AzureBastionSubnet"
              - security_group = ""
            },
        ] -> (known after apply)
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (1 unchanged attribute hidden)
    }

Plan: 21 to add, 0 to change, 17 to destroy.

Changes to Outputs:
  ~ bastion_name        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
  ~ firewall_private_ip = "10.242.0.4" -> (known after apply)
  ~ firewall_rules      = {
      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)
      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)
    }
  ~ rg_name             = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
  ~ vnet_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
  ~ vnet_name           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
::debug::Terraform exited with code 0.
     },%0A        ] -> (known after apply)%0A        tags                    = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "network"%0A        }%0A        # (1 unchanged attribute hidden)%0A    }%0A%0APlan: 21 to add, 0 to change, 17 to destroy.%0A%0AChanges to Outputs:%0A  ~ bastion_name        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A  ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A  ~ firewall_rules      = {%0A      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A    }%0A  ~ rg_name             = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A  ~ vnet_id             = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A  ~ vnet_name           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A
::debug::stderr: 
::debug::exitcode: 0

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions bot commented Aug 9, 2023

Terraform Format and Style 🖌``

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/cd5ef368-4558-4c19-b57e-79b1ee5120eb/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.network.azurerm_virtual_network.this has changed
  ~ resource "azurerm_virtual_network" "this" {
        id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
        name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
      ~ subnet                  = [
          + {
              + address_prefix = "10.240.0.0/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              + name           = "serverFarm"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.0.64/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              + name           = "ingress"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.10.128/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              + name           = "devops"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.11.0/24"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              + name           = "privateLink"
              + security_group = ""
            },
        ]
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (6 unchanged attributes hidden)
    }

  # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
        name                                                  = "privatelink.azurewebsites.net"
      ~ number_of_record_sets                                 = 1 -> 5
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
        name                                                  = "privatelink.database.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
        name                                                  = "privatelink.azconfig.io"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
        name                                                  = "privatelink.vaultcore.azure.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
        name                                                  = "privatelink.redis.cache.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurecaf_name.appsvc_subnet must be replaced
-/+ resource "azurecaf_name" "appsvc_subnet" {
      ~ id            = "bhvjbwlscqphkcyx" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            # (1 unchanged element hidden)
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "spoke-sec-baseline-1-spoke-westus3-snet-eslz1" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_id_contributor must be replaced
-/+ resource "azurecaf_name" "caf_name_id_contributor" {
      ~ id            = "dnlsksyhpkhsnwdj" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_id_reader must be replaced
-/+ resource "azurecaf_name" "caf_name_id_reader" {
      ~ id            = "jvaiptpdjdabmpiw" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_law must be replaced
-/+ resource "azurecaf_name" "caf_name_law" {
      ~ id            = "dmgjkgiqpambjtxs" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-log-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_spoke_rg must be replaced
-/+ resource "azurecaf_name" "caf_name_spoke_rg" {
      ~ id            = "yhpfxpcghfwqecxw" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            # (1 unchanged element hidden)
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurecaf_name.law must be replaced
-/+ resource "azurecaf_name" "law" {
      ~ id            = "deeavlehsaejricp" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ result        = "log-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurerm_log_analytics_workspace.law must be replaced
-/+ resource "azurerm_log_analytics_workspace" "law" {
      - cmk_for_query_forced               = false -> null
      ~ id                                 = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
      ~ location                           = "westus3" -> "westus2" # forces replacement
      ~ name                               = "log-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ primary_shared_key                 = (sensitive value)
      + reservation_capacity_in_gb_per_day = (known after apply)
      ~ resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_shared_key               = (sensitive value)
        tags                               = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
      ~ workspace_id                       = "d011dd81-1237-42e0-9c8b-79b15170a2e9" -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurerm_resource_group.spoke must be replaced
-/+ resource "azurerm_resource_group" "spoke" {
      ~ id       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply)
      ~ location = "westus3" -> "westus2" # forces replacement
      ~ name     = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
    }

  # azurerm_user_assigned_identity.contributor must be replaced
-/+ resource "azurerm_user_assigned_identity" "contributor" {
      ~ client_id           = "5b6d3e0a-cb5f-469c-8a03-5e84c1cbf762" -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" # forces replacement -> (known after apply) # forces replacement
      ~ principal_id        = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" -> (known after apply)
      ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                = {} -> null
      ~ tenant_id           = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply)
    }

  # azurerm_user_assigned_identity.reader must be replaced
-/+ resource "azurerm_user_assigned_identity" "reader" {
      ~ client_id           = "3efaf752-dfe8-4940-ac81-66b619bb3745" -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" # forces replacement -> (known after apply) # forces replacement
      ~ principal_id        = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" -> (known after apply)
      ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                = {} -> null
      ~ tenant_id           = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply)
    }

  # module.app_configuration[0].azurecaf_name.caf_name_appconf must be replaced
-/+ resource "azurecaf_name" "caf_name_appconf" {
      ~ id            = "tvaqutjmtrvbvety" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "jxmdskntabkbvfia" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_app_configuration.this must be replaced
-/+ resource "azurerm_app_configuration" "this" {
      ~ endpoint                   = "https://sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" -> (known after apply)
      ~ id                         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ location                   = "westus3" -> "westus2" # forces replacement
      ~ name                       = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ primary_read_key           = [] -> (known after apply)
      ~ primary_write_key          = [] -> (known after apply)
      ~ resource_group_name        = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_read_key         = [] -> (known after apply)
      ~ secondary_write_key        = [] -> (known after apply)
        tags                       = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "app-configuration"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.privatelink.azconfig.io." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ name                = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.4",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io"
              - ip_addresses = [
                  - "10.240.11.4",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec"
              - name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
            name                           = "app-config-private-endpoint"
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.4" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced
-/+ resource "azurerm_role_assignment" "data_owners" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply)
      ~ name                             = "af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply)
      ~ principal_id                     = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced
-/+ resource "azurerm_role_assignment" "data_readers" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/d67f6551-6738-e975-af28-77f05976002a" -> (known after apply)
      ~ name                             = "d67f6551-6738-e975-af28-77f05976002a" -> (known after apply)
      ~ principal_id                     = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.app_service.azurecaf_name.caf_name_appinsights must be replaced
-/+ resource "azurecaf_name" "caf_name_appinsights" {
      ~ id            = "xcdytgfueolnctqo" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_service.azurecaf_name.caf_name_asp must be replaced
-/+ resource "azurecaf_name" "caf_name_asp" {
      ~ id            = "xqnjrrtjgoabvuke" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "westus3-plan-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_service.azurerm_application_insights.this must be replaced
-/+ resource "azurerm_application_insights" "this" {
      ~ app_id                                = "4bb411f1-e975-444a-b559-823aa404d4ff" -> (known after apply)
      ~ connection_string                     = (sensitive value)
      ~ daily_data_cap_in_gb                  = 100 -> (known after apply)
      ~ daily_data_cap_notifications_disabled = false -> (known after apply)
      ~ id                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply)
      ~ instrumentation_key                   = (sensitive value)
      ~ location                              = "westus3" -> "westus2" # forces replacement
      ~ name                                  = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name                   = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                                  = {} -> null
      ~ workspace_id                          = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
        # (8 unchanged attributes hidden)
    }

  # module.app_service.azurerm_service_plan.this must be replaced
-/+ resource "azurerm_service_plan" "this" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Web/serverfarms/westus3-plan-eslz1-prod" -> (known after apply)
      ~ kind                         = "app" -> (known after apply)
      ~ location                     = "westus3" -> "westus2" # forces replacement
      ~ maximum_elastic_worker_count = 1 -> (known after apply)
      ~ name                         = "westus3-plan-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ reserved                     = false -> (known after apply)
      ~ resource_group_name          = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags                         = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "app-service"
        }
        # (5 unchanged attributes hidden)
    }

  # module.frontdoor.azurecaf_name.caf_name_afd must be replaced
-/+ resource "azurecaf_name" "caf_name_afd" {
      ~ id            = "vjxqvtjmemddjsyg" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] must be replaced
-/+ resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
      - custom_block_response_status_code = 0 -> null
      ~ frontend_endpoint_ids             = [] -> (known after apply)
      ~ id                                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> (known after apply)
        name                              = "wafpolicymicrosoftdefaultruleset21"
      ~ resource_group_name               = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                              = {} -> null
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor must be replaced
-/+ resource "azurerm_cdn_frontdoor_profile" "frontdoor" {
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply)
      ~ name                     = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ resource_guid            = "a1cefc33-bf49-4155-a28a-d253ba7f23cd" -> (known after apply)
        tags                     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "frontdoor"
        }
        # (2 unchanged attributes hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] must be replaced
-/+ resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" {
      ~ cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/securityPolicies/WAF-Security-Policy" -> (known after apply)
        name                     = "WAF-Security-Policy"

      ~ security_policies {
          ~ firewall {
              ~ cdn_frontdoor_firewall_policy_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" # forces replacement -> (known after apply) # forces replacement

              ~ association {
                    # (1 unchanged attribute hidden)

                  ~ domain {
                      ~ active                  = true -> (known after apply)
                      ~ cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/afdEndpoints/eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
                    }
                }
            }
        }
    }

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] must be replaced
-/+ resource "azurerm_monitor_diagnostic_setting" "this" {
      ~ id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" -> (known after apply)
      + log_analytics_destination_type = "AzureDiagnostics"
      ~ log_analytics_workspace_id     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
      ~ name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # forces replacement -> (known after apply) # forces replacement
      ~ target_resource_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement

      - log {
          - category_group = "allLogs" -> null
          - enabled        = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      - log {
          - category_group = "audit" -> null
          - enabled        = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (2 unchanged blocks hidden)
    }

  # module.key_vault.azurecaf_name.caf_name_akv must be replaced
-/+ resource "azurecaf_name" "caf_name_akv" {
      ~ id            = "rfuhnmjbhvbivisd" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "kv-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.key_vault.azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "lbivgljqkjfyetww" -> (known after apply)
      ~ name          = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-kv-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.key_vault.azurerm_key_vault.this must be replaced
-/+ resource "azurerm_key_vault" "this" {
      ~ access_policy                   = [] -> (known after apply)
      - enabled_for_deployment          = false -> null
      - enabled_for_template_deployment = false -> null
      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" -> (known after apply)
      ~ location                        = "westus3" -> "westus2" # forces replacement
      ~ name                            = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name             = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags                            = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "key-vault"
        }
      ~ vault_uri                       = "https://kv-eslz1-prod-5461.vault.azure.net/" -> (known after apply)
        # (7 unchanged attributes hidden)

      ~ network_acls {
          - ip_rules                   = [] -> null
          - virtual_network_subnet_ids = [] -> null
            # (2 unchanged attributes hidden)
        }
    }

  # module.key_vault.azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "kv-eslz1-prod-5461.privatelink.vaultcore.azure.net." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-eslz1-prod-5461" -> (known after apply)
      ~ name                = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.6",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.key_vault.azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "kv-eslz1-prod-5461.vault.azure.net"
              - ip_addresses = [
                  - "10.240.11.6",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443"
              - name = "pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
          ~ name                           = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.6" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced
-/+ resource "azurerm_role_assignment" "secrets_officer" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply)
      ~ name                             = "914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply)
      ~ principal_id                     = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced
-/+ resource "azurerm_role_assignment" "secrets_user" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply)
      ~ name                             = "f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply)
      ~ principal_id                     = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.network.azurecaf_name.caf_name_vnet must be replaced
-/+ resource "azurecaf_name" "caf_name_vnet" {
      ~ id            = "wrcubxisxkppqukq" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.network.azurerm_subnet.this[0] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" -> (known after apply)
        name                                           = "serverFarm"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.network.azurerm_subnet.this[1] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" -> (known after apply)
        name                                           = "ingress"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[2] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" -> (known after apply)
        name                                           = "devops"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[3] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" -> (known after apply)
        name                                           = "privateLink"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network.this must be replaced
-/+ resource "azurerm_virtual_network" "this" {
      ~ dns_servers             = [] -> (known after apply)
      - flow_timeout_in_minutes = 0 -> null
      ~ guid                    = "26abb02b-d37e-4084-9af0-8956b86e48ba" -> (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply)
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet                  = [
          - {
              - address_prefix = "10.240.0.0/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              - name           = "serverFarm"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.0.64/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              - name           = "ingress"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.10.128/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              - name           = "devops"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.11.0/24"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              - name           = "privateLink"
              - security_group = ""
            },
        ] -> (known after apply)
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network_peering.target_to_this[0] must be replaced
-/+ resource "azurerm_virtual_network_peering" "target_to_this" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/virtualNetworkPeerings/hub-to-spoke-eslz1" -> (known after apply)
      ~ name                         = "hub-to-spoke-eslz1" -> "hub-to-spoke-eslz2" # forces replacement
      ~ remote_virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (6 unchanged attributes hidden)
    }

  # module.network.azurerm_virtual_network_peering.this_to_target[0] must be replaced
-/+ resource "azurerm_virtual_network_peering" "this_to_target" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/virtualNetworkPeerings/spoke-to-hub-eslz1" -> (known after apply)
      ~ name                         = "spoke-to-hub-eslz1" -> "spoke-to-hub-eslz2" # forces replacement
      ~ resource_group_name          = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ virtual_network_name         = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurecaf_name.caf_name_redis must be replaced
-/+ resource "azurecaf_name" "caf_name_redis" {
      ~ id            = "qmdwakptsqrwgxse" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "arfqxqwlltqcwxqo" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.privatelink.redis.cache.windows.net." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net/A/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ name                = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.7",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net"
              - ip_addresses = [
                  - "10.240.11.7",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e"
              - name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
          ~ name                           = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.7" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.redis_cache[0].azurerm_redis_cache.this must be replaced
-/+ resource "azurerm_redis_cache" "this" {
      ~ hostname                      = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" -> (known after apply)
      ~ id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ location                      = "westus3" -> "westus2" # forces replacement
      ~ name                          = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ port                          = 6379 -> (known after apply)
      ~ primary_access_key            = (sensitive value)
      ~ primary_connection_string     = (sensitive value)
      + private_static_ip_address     = (known after apply)
      ~ redis_version                 = "6.0" -> (known after apply)
      ~ replicas_per_master           = 0 -> (known after apply)
      ~ replicas_per_primary          = 0 -> (known after apply)
      ~ resource_group_name           = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_access_key          = (sensitive value)
      ~ secondary_connection_string   = (sensitive value)
      - shard_count                   = 0 -> null
      ~ ssl_port                      = 6380 -> (known after apply)
        tags                          = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "redis"
        }
      - tenant_settings               = {} -> null
      - zones                         = [] -> null
        # (6 unchanged attributes hidden)

      ~ redis_configuration {
          - aof_backup_enabled              = false -> null
          ~ maxclients                      = 2000 -> (known after apply)
          ~ maxfragmentationmemory_reserved = 299 -> (known after apply)
          ~ maxmemory_delta                 = 299 -> (known after apply)
          ~ maxmemory_reserved              = 299 -> (known after apply)
          - rdb_backup_enabled              = false -> null
          - rdb_backup_frequency            = 0 -> null
          - rdb_backup_max_snapshot_count   = 0 -> null
            # (2 unchanged attributes hidden)
        }
    }

  # module.sql_database[0].azurecaf_name.caf_name_sqlserver must be replaced
-/+ resource "azurecaf_name" "caf_name_sqlserver" {
      ~ id            = "pmnternummrbgqpv" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.sql_database[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "eiedeunwqohdpaah" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.sql_database[0].azurerm_mssql_database.this[0] must be replaced
-/+ resource "azurerm_mssql_database" "this" {
      ~ auto_pause_delay_in_minutes         = 0 -> (known after apply)
      ~ collation                           = "SQL_Latin1_General_CP1_CI_AS" -> (known after apply)
      + creation_source_database_id         = (known after apply)
      ~ id                                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461/databases/sample-db" -> (known after apply)
      ~ ledger_enabled                      = false -> (known after apply)
      + license_type                        = (known after apply)
      ~ maintenance_configuration_name      = "SQL_Default" -> (known after apply)
      ~ max_size_gb                         = 250 -> (known after apply)
      ~ min_capacity                        = 0 -> (known after apply)
        name                                = "sample-db"
      ~ read_replica_count                  = 0 -> (known after apply)
      ~ read_scale                          = false -> (known after apply)
      + restore_point_in_time               = (known after apply)
      + sample_name                         = (known after apply)
      ~ server_id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      - tags                                = {} -> null
      ~ zone_redundant                      = false -> (known after apply)
        # (5 unchanged attributes hidden)

      - long_term_retention_policy {
          - monthly_retention = "PT0S" -> null
          - week_of_year      = 1 -> null
          - weekly_retention  = "PT0S" -> null
          - yearly_retention  = "PT0S" -> null
        }

      - short_term_retention_policy {
          - backup_interval_in_hours = 24 -> null
          - retention_days           = 7 -> null
        }

      - threat_detection_policy {
          - disabled_alerts      = [] -> null
          - email_account_admins = "Disabled" -> null
          - email_addresses      = [] -> null
          - retention_days       = 0 -> null
          - state                = "Disabled" -> null
        }
    }

  # module.sql_database[0].azurerm_mssql_server.this must be replaced
-/+ resource "azurerm_mssql_server" " ...
Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@github-actions
Terraform Format and Style 🖌

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/a82f3bda-ba6d-465a-97ce-7979caf5c477/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted
  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null
        name                = "Azure-Monitor-FQDNs"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted
  - resource "azurerm_firewall_application_rule_collection" "core" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null
        name                = "Core-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null
        name                = "Devops-VM-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null
        name                = "Windows-VM-Connectivity-Requirements"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurecaf_name.caf_name_hub_rg must be replaced
-/+ resource "azurecaf_name" "caf_name_hub_rg" {
      ~ id            = "akckvaegwemunepv" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurerm_resource_group.hub must be replaced
-/+ resource "azurerm_resource_group" "hub" {
      ~ id       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
      ~ location = "westus3" -> "westus2" # forces replacement
      ~ name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
    }

  # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced
-/+ resource "azurecaf_name" "caf_name_bastion" {
      ~ id            = "wbujomtsfcqdpxod" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.bastion[0].azurecaf_name.caf_name_pip must be replaced
-/+ resource "azurecaf_name" "caf_name_pip" {
      ~ id            = "paqdxwmbugcxjhhq" -> (known after apply)
        name          = "eslz2-bastion"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.bastion[0].azurerm_bastion_host.bastion must be replaced
-/+ resource "azurerm_bastion_host" "bastion" {
      ~ dns_name               = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply)
      ~ id                     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
      ~ location               = "westus3" -> "westus2" # forces replacement
      ~ name                   = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name    = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                   = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
        # (7 unchanged attributes hidden)

      ~ ip_configuration {
            name                 = "bastionHostIpConfiguration"
          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement
          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement
        }
    }

  # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced
-/+ resource "azurerm_public_ip" "bastion_pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)
      ~ ip_address              = "20.163.49.112" -> (known after apply)
      - ip_tags                 = {} -> null
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
      - zones                   = [] -> null
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced
-/+ resource "azurecaf_name" "caf_name_firewall" {
      ~ id            = "dtqvqxowbnalaruk" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced
-/+ resource "azurecaf_name" "caf_name_law" {
      ~ id            = "lofxpwfygywepldl" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_pip must be replaced
-/+ resource "azurecaf_name" "caf_name_pip" {
      ~ id            = "ofhucdctoijllhdb" -> (known after apply)
        name          = "eslz2-fw"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurerm_firewall.firewall must be replaced
-/+ resource "azurerm_firewall" "firewall" {
      - dns_servers         = [] -> null
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement
      - private_ip_ranges   = [] -> null
      ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "firewall"
        }
      ~ threat_intel_mode   = "Alert" -> (known after apply)
      - zones               = [] -> null
        # (2 unchanged attributes hidden)

      ~ ip_configuration {
            name                 = "firewallIpConfiguration"
          ~ private_ip_address   = "10.242.0.4" -> (known after apply)
          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-ad-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

  # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced
-/+ resource "azurerm_log_analytics_workspace" "law" {
      - cmk_for_query_forced            = false -> null
      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ location                        = "westus3" -> "westus2" # forces replacement
      ~ name                            = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ primary_shared_key              = (sensitive value)
      ~ resource_group_name             = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ retention_in_days               = 30 -> (known after apply)
      ~ secondary_shared_key            = (sensitive value)
      - tags                            = {} -> null
      ~ workspace_id                    = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced
-/+ resource "azurerm_monitor_diagnostic_setting" "this" {
      ~ id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply)
      ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)
      ~ log_analytics_workspace_id     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ name                           = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement
      ~ target_resource_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement

      - log {
          - category_group = "allLogs" -> null
          - enabled        = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced
-/+ resource "azurerm_public_ip" "firewall_pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
      ~ ip_address              = "20.25.176.182" -> (known after apply)
      - ip_tags                 = {} -> null
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "firewall"
        }
      - zones                   = [] -> null
        # (6 unchanged attributes hidden)
    }

  # module.network.azurecaf_name.caf_name_vnet must be replaced
-/+ resource "azurecaf_name" "caf_name_vnet" {
      ~ id            = "pvwuveykntdcxsyc" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.network.azurerm_subnet.this[0] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply)
        name                                           = "AzureFirewallSubnet"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[1] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply)
        name                                           = "AzureBastionSubnet"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network.this must be replaced
-/+ resource "azurerm_virtual_network" "this" {
      ~ dns_servers             = [] -> (known after apply)
      - flow_timeout_in_minutes = 0 -> null
      ~ guid                    = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ subnet                  = [
          - {
              - address_prefix = "10.242.0.0/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet"
              - name           = "AzureFirewallSubnet"
              - security_group = ""
            },
          - {
              - address_prefix = "10.242.0.64/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet"
              - name           = "AzureBastionSubnet"
              - security_group = ""
            },
        ] -> (known after apply)
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (1 unchanged attribute hidden)
    }

Plan: 21 to add, 0 to change, 17 to destroy.

Changes to Outputs:
  ~ bastion_name        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
  ~ firewall_private_ip = "10.242.0.4" -> (known after apply)
  ~ firewall_rules      = {
      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)
      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)
    }
  ~ rg_name             = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
  ~ vnet_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
  ~ vnet_name           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
::debug::Terraform exited with code 0.
{%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "network"%0A        }%0A        # (1 unchanged attribute hidden)%0A    }%0A%0APlan: 21 to add, 0 to change, 17 to destroy.%0A%0AChanges to Outputs:%0A  ~ bastion_name        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A  ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A  ~ firewall_rules      = {%0A      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A    }%0A  ~ rg_name             = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A  ~ vnet_id             = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A  ~ vnet_name           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A
::debug::stderr: 
::debug::exitcode: 0

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️`success`

Terraform Validation 🤖`success`

Validation Output

Success! The configuration is valid.


Terraform Plan 📖`success`

Show Plan

[command]/home/runner/work/_temp/7063c579-eb0c-48cb-adb0-e6ed300dd53a/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.network.azurerm_virtual_network.this has changed
  ~ resource "azurerm_virtual_network" "this" {
        id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
        name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
      ~ subnet                  = [
          + {
              + address_prefix = "10.240.0.0/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              + name           = "serverFarm"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.0.64/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              + name           = "ingress"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.10.128/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              + name           = "devops"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.11.0/24"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              + name           = "privateLink"
              + security_group = ""
            },
        ]
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (6 unchanged attributes hidden)
    }

  # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
        name                                                  = "privatelink.azurewebsites.net"
      ~ number_of_record_sets                                 = 1 -> 5
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
        name                                                  = "privatelink.database.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
        name                                                  = "privatelink.azconfig.io"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
        name                                                  = "privatelink.vaultcore.azure.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
        name                                                  = "privatelink.redis.cache.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurecaf_name.appsvc_subnet must be replaced
-/+ resource "azurecaf_name" "appsvc_subnet" {
      ~ id            = "bhvjbwlscqphkcyx" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            # (1 unchanged element hidden)
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "spoke-sec-baseline-1-spoke-westus3-snet-eslz1" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_id_contributor must be replaced
-/+ resource "azurecaf_name" "caf_name_id_contributor" {
      ~ id            = "dnlsksyhpkhsnwdj" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_id_reader must be replaced
-/+ resource "azurecaf_name" "caf_name_id_reader" {
      ~ id            = "jvaiptpdjdabmpiw" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_law must be replaced
-/+ resource "azurecaf_name" "caf_name_law" {
      ~ id            = "dmgjkgiqpambjtxs" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-log-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_spoke_rg must be replaced
-/+ resource "azurecaf_name" "caf_name_spoke_rg" {
      ~ id            = "yhpfxpcghfwqecxw" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            # (1 unchanged element hidden)
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurecaf_name.law must be replaced
-/+ resource "azurecaf_name" "law" {
      ~ id            = "deeavlehsaejricp" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ result        = "log-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurerm_log_analytics_workspace.law must be replaced
-/+ resource "azurerm_log_analytics_workspace" "law" {
      - cmk_for_query_forced            = false -> null
      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
      ~ location                        = "westus3" -> "westus2" # forces replacement
      ~ name                            = "log-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ primary_shared_key              = (sensitive value)
      ~ resource_group_name             = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_shared_key            = (sensitive value)
        tags                            = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
      ~ workspace_id                    = "d011dd81-1237-42e0-9c8b-79b15170a2e9" -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurerm_resource_group.spoke must be replaced
-/+ resource "azurerm_resource_group" "spoke" {
      ~ id       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply)
      ~ location = "westus3" -> "westus2" # forces replacement
      ~ name     = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
    }

  # azurerm_user_assigned_identity.contributor must be replaced
-/+ resource "azurerm_user_assigned_identity" "contributor" {
      ~ client_id           = "5b6d3e0a-cb5f-469c-8a03-5e84c1cbf762" -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" # forces replacement -> (known after apply) # forces replacement
      ~ principal_id        = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" -> (known after apply)
      ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                = {} -> null
      ~ tenant_id           = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply)
    }

  # azurerm_user_assigned_identity.reader must be replaced
-/+ resource "azurerm_user_assigned_identity" "reader" {
      ~ client_id           = "3efaf752-dfe8-4940-ac81-66b619bb3745" -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" # forces replacement -> (known after apply) # forces replacement
      ~ principal_id        = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" -> (known after apply)
      ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                = {} -> null
      ~ tenant_id           = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply)
    }

  # module.app_configuration[0].azurecaf_name.caf_name_appconf must be replaced
-/+ resource "azurecaf_name" "caf_name_appconf" {
      ~ id            = "tvaqutjmtrvbvety" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "jxmdskntabkbvfia" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_app_configuration.this must be replaced
-/+ resource "azurerm_app_configuration" "this" {
      ~ endpoint                   = "https://sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" -> (known after apply)
      ~ id                         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ location                   = "westus3" -> "westus2" # forces replacement
      ~ name                       = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ primary_read_key           = [] -> (known after apply)
      ~ primary_write_key          = [] -> (known after apply)
      ~ resource_group_name        = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_read_key         = [] -> (known after apply)
      ~ secondary_write_key        = [] -> (known after apply)
        tags                       = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "app-configuration"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.privatelink.azconfig.io." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ name                = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.4",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io"
              - ip_addresses = [
                  - "10.240.11.4",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec"
              - name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
            name                           = "app-config-private-endpoint"
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.4" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced
-/+ resource "azurerm_role_assignment" "data_owners" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply)
      ~ name                             = "af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply)
      ~ principal_id                     = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced
-/+ resource "azurerm_role_assignment" "data_readers" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/d67f6551-6738-e975-af28-77f05976002a" -> (known after apply)
      ~ name                             = "d67f6551-6738-e975-af28-77f05976002a" -> (known after apply)
      ~ principal_id                     = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.app_service.azurecaf_name.caf_name_appinsights must be replaced
-/+ resource "azurecaf_name" "caf_name_appinsights" {
      ~ id            = "xcdytgfueolnctqo" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_service.azurecaf_name.caf_name_asp must be replaced
-/+ resource "azurecaf_name" "caf_name_asp" {
      ~ id            = "xqnjrrtjgoabvuke" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "westus3-plan-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_service.azurerm_application_insights.this must be replaced
-/+ resource "azurerm_application_insights" "this" {
      ~ app_id                                = "4bb411f1-e975-444a-b559-823aa404d4ff" -> (known after apply)
      ~ connection_string                     = (sensitive value)
      ~ daily_data_cap_in_gb                  = 100 -> (known after apply)
      ~ daily_data_cap_notifications_disabled = false -> (known after apply)
      ~ id                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply)
      ~ instrumentation_key                   = (sensitive value)
      ~ location                              = "westus3" -> "westus2" # forces replacement
      ~ name                                  = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name                   = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                                  = {} -> null
      ~ workspace_id                          = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
        # (8 unchanged attributes hidden)
    }

  # module.app_service.azurerm_service_plan.this must be replaced
-/+ resource "azurerm_service_plan" "this" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Web/serverfarms/westus3-plan-eslz1-prod" -> (known after apply)
      ~ kind                         = "app" -> (known after apply)
      ~ location                     = "westus3" -> "westus2" # forces replacement
      ~ maximum_elastic_worker_count = 1 -> (known after apply)
      ~ name                         = "westus3-plan-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ reserved                     = false -> (known after apply)
      ~ resource_group_name          = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags                         = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "app-service"
        }
        # (5 unchanged attributes hidden)
    }

  # module.frontdoor.azurecaf_name.caf_name_afd must be replaced
-/+ resource "azurecaf_name" "caf_name_afd" {
      ~ id            = "vjxqvtjmemddjsyg" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] must be replaced
-/+ resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
      - custom_block_response_status_code = 0 -> null
      ~ frontend_endpoint_ids             = [] -> (known after apply)
      ~ id                                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> (known after apply)
        name                              = "wafpolicymicrosoftdefaultruleset21"
      ~ resource_group_name               = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                              = {} -> null
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor must be replaced
-/+ resource "azurerm_cdn_frontdoor_profile" "frontdoor" {
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply)
      ~ name                     = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ resource_guid            = "a1cefc33-bf49-4155-a28a-d253ba7f23cd" -> (known after apply)
        tags                     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "frontdoor"
        }
        # (2 unchanged attributes hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] must be replaced
-/+ resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" {
      ~ cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/securityPolicies/WAF-Security-Policy" -> (known after apply)
        name                     = "WAF-Security-Policy"

      ~ security_policies {
          ~ firewall {
              ~ cdn_frontdoor_firewall_policy_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" # forces replacement -> (known after apply) # forces replacement

              ~ association {
                    # (1 unchanged attribute hidden)

                  ~ domain {
                      ~ active                  = true -> (known after apply)
                      ~ cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/afdEndpoints/eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
                    }
                }
            }
        }
    }

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] must be replaced
-/+ resource "azurerm_monitor_diagnostic_setting" "this" {
      ~ id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" -> (known after apply)
      + log_analytics_destination_type = "AzureDiagnostics"
      ~ log_analytics_workspace_id     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
      ~ name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # forces replacement -> (known after apply) # forces replacement
      ~ target_resource_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement

      - log {
          - category_group = "allLogs" -> null
          - enabled        = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      - log {
          - category_group = "audit" -> null
          - enabled        = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (2 unchanged blocks hidden)
    }

  # module.key_vault.azurecaf_name.caf_name_akv must be replaced
-/+ resource "azurecaf_name" "caf_name_akv" {
      ~ id            = "rfuhnmjbhvbivisd" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "kv-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.key_vault.azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "lbivgljqkjfyetww" -> (known after apply)
      ~ name          = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-kv-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.key_vault.azurerm_key_vault.this must be replaced
-/+ resource "azurerm_key_vault" "this" {
      ~ access_policy                   = [] -> (known after apply)
      - enabled_for_deployment          = false -> null
      - enabled_for_template_deployment = false -> null
      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" -> (known after apply)
      ~ location                        = "westus3" -> "westus2" # forces replacement
      ~ name                            = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name             = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags                            = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "key-vault"
        }
      ~ vault_uri                       = "https://kv-eslz1-prod-5461.vault.azure.net/" -> (known after apply)
        # (7 unchanged attributes hidden)

      ~ network_acls {
          - ip_rules                   = [] -> null
          - virtual_network_subnet_ids = [] -> null
            # (2 unchanged attributes hidden)
        }
    }

  # module.key_vault.azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "kv-eslz1-prod-5461.privatelink.vaultcore.azure.net." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-eslz1-prod-5461" -> (known after apply)
      ~ name                = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.6",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.key_vault.azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "kv-eslz1-prod-5461.vault.azure.net"
              - ip_addresses = [
                  - "10.240.11.6",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443"
              - name = "pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
          ~ name                           = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.6" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced
-/+ resource "azurerm_role_assignment" "secrets_officer" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply)
      ~ name                             = "914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply)
      ~ principal_id                     = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced
-/+ resource "azurerm_role_assignment" "secrets_user" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply)
      ~ name                             = "f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply)
      ~ principal_id                     = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.network.azurecaf_name.caf_name_vnet must be replaced
-/+ resource "azurecaf_name" "caf_name_vnet" {
      ~ id            = "wrcubxisxkppqukq" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.network.azurerm_subnet.this[0] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" -> (known after apply)
        name                                           = "serverFarm"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.network.azurerm_subnet.this[1] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" -> (known after apply)
        name                                           = "ingress"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[2] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" -> (known after apply)
        name                                           = "devops"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[3] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" -> (known after apply)
        name                                           = "privateLink"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network.this must be replaced
-/+ resource "azurerm_virtual_network" "this" {
      ~ dns_servers             = [] -> (known after apply)
      - flow_timeout_in_minutes = 0 -> null
      ~ guid                    = "26abb02b-d37e-4084-9af0-8956b86e48ba" -> (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply)
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet                  = [
          - {
              - address_prefix = "10.240.0.0/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              - name           = "serverFarm"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.0.64/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              - name           = "ingress"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.10.128/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              - name           = "devops"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.11.0/24"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              - name           = "privateLink"
              - security_group = ""
            },
        ] -> (known after apply)
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network_peering.target_to_this[0] must be replaced
-/+ resource "azurerm_virtual_network_peering" "target_to_this" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/virtualNetworkPeerings/hub-to-spoke-eslz1" -> (known after apply)
      ~ name                         = "hub-to-spoke-eslz1" -> "hub-to-spoke-eslz2" # forces replacement
      ~ remote_virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (6 unchanged attributes hidden)
    }

  # module.network.azurerm_virtual_network_peering.this_to_target[0] must be replaced
-/+ resource "azurerm_virtual_network_peering" "this_to_target" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/virtualNetworkPeerings/spoke-to-hub-eslz1" -> (known after apply)
      ~ name                         = "spoke-to-hub-eslz1" -> "spoke-to-hub-eslz2" # forces replacement
      ~ resource_group_name          = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ virtual_network_name         = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurecaf_name.caf_name_redis must be replaced
-/+ resource "azurecaf_name" "caf_name_redis" {
      ~ id            = "qmdwakptsqrwgxse" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "arfqxqwlltqcwxqo" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.privatelink.redis.cache.windows.net." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net/A/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ name                = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.7",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net"
              - ip_addresses = [
                  - "10.240.11.7",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e"
              - name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
          ~ name                           = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.7" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.redis_cache[0].azurerm_redis_cache.this must be replaced
-/+ resource "azurerm_redis_cache" "this" {
      ~ hostname                      = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" -> (known after apply)
      ~ id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ location                      = "westus3" -> "westus2" # forces replacement
      ~ name                          = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ port                          = 6379 -> (known after apply)
      ~ primary_access_key            = (sensitive value)
      ~ primary_connection_string     = (sensitive value)
      + private_static_ip_address     = (known after apply)
      ~ redis_version                 = "6.0" -> (known after apply)
      ~ replicas_per_master           = 0 -> (known after apply)
      ~ replicas_per_primary          = 0 -> (known after apply)
      ~ resource_group_name           = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_access_key          = (sensitive value)
      ~ secondary_connection_string   = (sensitive value)
      - shard_count                   = 0 -> null
      ~ ssl_port                      = 6380 -> (known after apply)
        tags                          = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "redis"
        }
      - tenant_settings               = {} -> null
      - zones                         = [] -> null
        # (6 unchanged attributes hidden)

      ~ redis_configuration {
          - aof_backup_enabled              = false -> null
          ~ maxclients                      = 2000 -> (known after apply)
          ~ maxfragmentationmemory_reserved = 299 -> (known after apply)
          ~ maxmemory_delta                 = 299 -> (known after apply)
          ~ maxmemory_reserved              = 299 -> (known after apply)
          - rdb_backup_enabled              = false -> null
          - rdb_backup_frequency            = 0 -> null
          - rdb_backup_max_snapshot_count   = 0 -> null
            # (2 unchanged attributes hidden)
        }
    }

  # module.sql_database[0].azurecaf_name.caf_name_sqlserver must be replaced
-/+ resource "azurecaf_name" "caf_name_sqlserver" {
      ~ id            = "pmnternummrbgqpv" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.sql_database[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "eiedeunwqohdpaah" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.sql_database[0].azurerm_mssql_database.this[0] must be replaced
-/+ resource "azurerm_mssql_database" "this" {
      ~ auto_pause_delay_in_minutes         = 0 -> (known after apply)
      ~ collation                           = "SQL_Latin1_General_CP1_CI_AS" -> (known after apply)
      + creation_source_database_id         = (known after apply)
      ~ id                                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461/databases/sample-db" -> (known after apply)
      ~ ledger_enabled                      = false -> (known after apply)
      + license_type                        = (known after apply)
      ~ maintenance_configuration_name      = "SQL_Default" -> (known after apply)
      ~ max_size_gb                         = 250 -> (known after apply)
      ~ min_capacity                        = 0 -> (known after apply)
        name                                = "sample-db"
      ~ read_replica_count                  = 0 -> (known after apply)
      ~ read_scale                          = false -> (known after apply)
      + restore_point_in_time               = (known after apply)
      + sample_name                         = (known after apply)
      ~ server_id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      - tags                                = {} -> null
      ~ zone_redundant                      = false -> (known after apply)
        # (5 unchanged attributes hidden)

      - long_term_retention_policy {
          - monthly_retention = "PT0S" -> null
          - week_of_year      = 1 -> null
          - weekly_retention  = "PT0S" -> null
          - yearly_retention  = "PT0S" -> null
        }

      - short_term_retention_policy {
          - backup_interval_in_hours = 24 -> null
          - retention_days           = 7 -> null
        }

      - threat_detection_policy {
          - disabled_alerts      = [] -> null
          - email_account_admins = "Disabled" -> null
          - email_addresses      = [] -> null
          - retention_days       = 0 -> null
          - state                = "Disabled" -> null
        }
    }

  # module.sql_database[0].azurerm_mssql_server.this must be replaced
-/+ resource "azurerm_mssql_server" "this" {
      ~ administrator_login                  = "CloudSA637969e7" -> (known after app ...
Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/54a6b927-f8e1-4238-8642-f64fbdd2d9f1/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.network.azurerm_virtual_network.this has changed
  ~ resource "azurerm_virtual_network" "this" {
        id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
        name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"
      ~ subnet                  = [
          + {
              + address_prefix = "10.240.0.0/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              + name           = "serverFarm"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.0.64/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              + name           = "ingress"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.10.128/26"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              + name           = "devops"
              + security_group = ""
            },
          + {
              + address_prefix = "10.240.11.0/24"
              + id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              + name           = "privateLink"
              + security_group = ""
            },
        ]
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (6 unchanged attributes hidden)
    }

  # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
        name                                                  = "privatelink.azurewebsites.net"
      ~ number_of_record_sets                                 = 1 -> 5
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
        name                                                  = "privatelink.database.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
        name                                                  = "privatelink.azconfig.io"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
        name                                                  = "privatelink.vaultcore.azure.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed
  ~ resource "azurerm_private_dns_zone" "this" {
        id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
        name                                                  = "privatelink.redis.cache.windows.net"
      ~ number_of_record_sets                                 = 1 -> 2
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurecaf_name.appsvc_subnet must be replaced
-/+ resource "azurecaf_name" "appsvc_subnet" {
      ~ id            = "bhvjbwlscqphkcyx" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            # (1 unchanged element hidden)
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "spoke-sec-baseline-1-spoke-westus3-snet-eslz1" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_id_contributor must be replaced
-/+ resource "azurecaf_name" "caf_name_id_contributor" {
      ~ id            = "dnlsksyhpkhsnwdj" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_id_reader must be replaced
-/+ resource "azurecaf_name" "caf_name_id_reader" {
      ~ id            = "jvaiptpdjdabmpiw" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_law must be replaced
-/+ resource "azurecaf_name" "caf_name_law" {
      ~ id            = "dmgjkgiqpambjtxs" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-log-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurecaf_name.caf_name_spoke_rg must be replaced
-/+ resource "azurecaf_name" "caf_name_spoke_rg" {
      ~ id            = "yhpfxpcghfwqecxw" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            # (1 unchanged element hidden)
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurecaf_name.law must be replaced
-/+ resource "azurecaf_name" "law" {
      ~ id            = "deeavlehsaejricp" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ result        = "log-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurerm_log_analytics_workspace.law must be replaced
-/+ resource "azurerm_log_analytics_workspace" "law" {
      - cmk_for_query_forced            = false -> null
      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
      ~ location                        = "westus3" -> "westus2" # forces replacement
      ~ name                            = "log-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ primary_shared_key              = (sensitive value)
      ~ resource_group_name             = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_shared_key            = (sensitive value)
        tags                            = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
      ~ workspace_id                    = "d011dd81-1237-42e0-9c8b-79b15170a2e9" -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # azurerm_resource_group.spoke must be replaced
-/+ resource "azurerm_resource_group" "spoke" {
      ~ id       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply)
      ~ location = "westus3" -> "westus2" # forces replacement
      ~ name     = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
    }

  # azurerm_user_assigned_identity.contributor must be replaced
-/+ resource "azurerm_user_assigned_identity" "contributor" {
      ~ client_id           = "5b6d3e0a-cb5f-469c-8a03-5e84c1cbf762" -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" # forces replacement -> (known after apply) # forces replacement
      ~ principal_id        = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" -> (known after apply)
      ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                = {} -> null
      ~ tenant_id           = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply)
    }

  # azurerm_user_assigned_identity.reader must be replaced
-/+ resource "azurerm_user_assigned_identity" "reader" {
      ~ client_id           = "3efaf752-dfe8-4940-ac81-66b619bb3745" -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" # forces replacement -> (known after apply) # forces replacement
      ~ principal_id        = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" -> (known after apply)
      ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                = {} -> null
      ~ tenant_id           = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply)
    }

  # module.app_configuration[0].azurecaf_name.caf_name_appconf must be replaced
-/+ resource "azurecaf_name" "caf_name_appconf" {
      ~ id            = "tvaqutjmtrvbvety" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "jxmdskntabkbvfia" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_app_configuration.this must be replaced
-/+ resource "azurerm_app_configuration" "this" {
      ~ endpoint                   = "https://sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" -> (known after apply)
      ~ id                         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ location                   = "westus3" -> "westus2" # forces replacement
      ~ name                       = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ primary_read_key           = [] -> (known after apply)
      ~ primary_write_key          = [] -> (known after apply)
      ~ resource_group_name        = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_read_key         = [] -> (known after apply)
      ~ secondary_write_key        = [] -> (known after apply)
        tags                       = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "app-configuration"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.privatelink.azconfig.io." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ name                = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.4",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.app_configuration[0].azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io"
              - ip_addresses = [
                  - "10.240.11.4",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec"
              - name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
            name                           = "app-config-private-endpoint"
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.4" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced
-/+ resource "azurerm_role_assignment" "data_owners" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply)
      ~ name                             = "af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply)
      ~ principal_id                     = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced
-/+ resource "azurerm_role_assignment" "data_readers" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/d67f6551-6738-e975-af28-77f05976002a" -> (known after apply)
      ~ name                             = "d67f6551-6738-e975-af28-77f05976002a" -> (known after apply)
      ~ principal_id                     = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.app_service.azurecaf_name.caf_name_appinsights must be replaced
-/+ resource "azurecaf_name" "caf_name_appinsights" {
      ~ id            = "xcdytgfueolnctqo" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_service.azurecaf_name.caf_name_asp must be replaced
-/+ resource "azurecaf_name" "caf_name_asp" {
      ~ id            = "xqnjrrtjgoabvuke" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "westus3-plan-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.app_service.azurerm_application_insights.this must be replaced
-/+ resource "azurerm_application_insights" "this" {
      ~ app_id                                = "4bb411f1-e975-444a-b559-823aa404d4ff" -> (known after apply)
      ~ connection_string                     = (sensitive value)
      ~ daily_data_cap_in_gb                  = 100 -> (known after apply)
      ~ daily_data_cap_notifications_disabled = false -> (known after apply)
      ~ id                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply)
      ~ instrumentation_key                   = (sensitive value)
      ~ location                              = "westus3" -> "westus2" # forces replacement
      ~ name                                  = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name                   = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                                  = {} -> null
      ~ workspace_id                          = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
        # (8 unchanged attributes hidden)
    }

  # module.app_service.azurerm_service_plan.this must be replaced
-/+ resource "azurerm_service_plan" "this" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Web/serverfarms/westus3-plan-eslz1-prod" -> (known after apply)
      ~ kind                         = "app" -> (known after apply)
      ~ location                     = "westus3" -> "westus2" # forces replacement
      ~ maximum_elastic_worker_count = 1 -> (known after apply)
      ~ name                         = "westus3-plan-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ reserved                     = false -> (known after apply)
      ~ resource_group_name          = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags                         = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "app-service"
        }
        # (5 unchanged attributes hidden)
    }

  # module.frontdoor.azurecaf_name.caf_name_afd must be replaced
-/+ resource "azurecaf_name" "caf_name_afd" {
      ~ id            = "vjxqvtjmemddjsyg" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] must be replaced
-/+ resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
      - custom_block_response_status_code = 0 -> null
      ~ frontend_endpoint_ids             = [] -> (known after apply)
      ~ id                                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> (known after apply)
        name                              = "wafpolicymicrosoftdefaultruleset21"
      ~ resource_group_name               = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - tags                              = {} -> null
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor must be replaced
-/+ resource "azurerm_cdn_frontdoor_profile" "frontdoor" {
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply)
      ~ name                     = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ resource_guid            = "a1cefc33-bf49-4155-a28a-d253ba7f23cd" -> (known after apply)
        tags                     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "frontdoor"
        }
        # (2 unchanged attributes hidden)
    }

  # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] must be replaced
-/+ resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" {
      ~ cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/securityPolicies/WAF-Security-Policy" -> (known after apply)
        name                     = "WAF-Security-Policy"

      ~ security_policies {
          ~ firewall {
              ~ cdn_frontdoor_firewall_policy_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" # forces replacement -> (known after apply) # forces replacement

              ~ association {
                    # (1 unchanged attribute hidden)

                  ~ domain {
                      ~ active                  = true -> (known after apply)
                      ~ cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/afdEndpoints/eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
                    }
                }
            }
        }
    }

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] must be replaced
-/+ resource "azurerm_monitor_diagnostic_setting" "this" {
      ~ id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" -> (known after apply)
      + log_analytics_destination_type = "AzureDiagnostics"
      ~ log_analytics_workspace_id     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply)
      ~ name                           = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # forces replacement -> (known after apply) # forces replacement
      ~ target_resource_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement

      - log {
          - category_group = "allLogs" -> null
          - enabled        = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      - log {
          - category_group = "audit" -> null
          - enabled        = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (2 unchanged blocks hidden)
    }

  # module.key_vault.azurecaf_name.caf_name_akv must be replaced
-/+ resource "azurecaf_name" "caf_name_akv" {
      ~ id            = "rfuhnmjbhvbivisd" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "kv-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.key_vault.azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "lbivgljqkjfyetww" -> (known after apply)
      ~ name          = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-kv-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.key_vault.azurerm_key_vault.this must be replaced
-/+ resource "azurerm_key_vault" "this" {
      ~ access_policy                   = [] -> (known after apply)
      - enabled_for_deployment          = false -> null
      - enabled_for_template_deployment = false -> null
      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" -> (known after apply)
      ~ location                        = "westus3" -> "westus2" # forces replacement
      ~ name                            = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name             = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
        tags                            = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "key-vault"
        }
      ~ vault_uri                       = "https://kv-eslz1-prod-5461.vault.azure.net/" -> (known after apply)
        # (7 unchanged attributes hidden)

      ~ network_acls {
          - ip_rules                   = [] -> null
          - virtual_network_subnet_ids = [] -> null
            # (2 unchanged attributes hidden)
        }
    }

  # module.key_vault.azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "kv-eslz1-prod-5461.privatelink.vaultcore.azure.net." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-eslz1-prod-5461" -> (known after apply)
      ~ name                = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.6",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.key_vault.azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "kv-eslz1-prod-5461.vault.azure.net"
              - ip_addresses = [
                  - "10.240.11.6",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443"
              - name = "pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
          ~ name                           = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.6" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced
-/+ resource "azurerm_role_assignment" "secrets_officer" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply)
      ~ name                             = "914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply)
      ~ principal_id                     = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced
-/+ resource "azurerm_role_assignment" "secrets_user" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply)
      ~ name                             = "f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply)
      ~ principal_id                     = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply)
      ~ scope                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.network.azurecaf_name.caf_name_vnet must be replaced
-/+ resource "azurecaf_name" "caf_name_vnet" {
      ~ id            = "wrcubxisxkppqukq" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.network.azurerm_subnet.this[0] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" -> (known after apply)
        name                                           = "serverFarm"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.network.azurerm_subnet.this[1] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" -> (known after apply)
        name                                           = "ingress"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[2] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" -> (known after apply)
        name                                           = "devops"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[3] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" -> (known after apply)
        name                                           = "privateLink"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network.this must be replaced
-/+ resource "azurerm_virtual_network" "this" {
      ~ dns_servers             = [] -> (known after apply)
      - flow_timeout_in_minutes = 0 -> null
      ~ guid                    = "26abb02b-d37e-4084-9af0-8956b86e48ba" -> (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply)
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet                  = [
          - {
              - address_prefix = "10.240.0.0/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"
              - name           = "serverFarm"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.0.64/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"
              - name           = "ingress"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.10.128/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"
              - name           = "devops"
              - security_group = ""
            },
          - {
              - address_prefix = "10.240.11.0/24"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"
              - name           = "privateLink"
              - security_group = ""
            },
        ] -> (known after apply)
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network_peering.target_to_this[0] must be replaced
-/+ resource "azurerm_virtual_network_peering" "target_to_this" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/virtualNetworkPeerings/hub-to-spoke-eslz1" -> (known after apply)
      ~ name                         = "hub-to-spoke-eslz1" -> "hub-to-spoke-eslz2" # forces replacement
      ~ remote_virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (6 unchanged attributes hidden)
    }

  # module.network.azurerm_virtual_network_peering.this_to_target[0] must be replaced
-/+ resource "azurerm_virtual_network_peering" "this_to_target" {
      ~ id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/virtualNetworkPeerings/spoke-to-hub-eslz1" -> (known after apply)
      ~ name                         = "spoke-to-hub-eslz1" -> "spoke-to-hub-eslz2" # forces replacement
      ~ resource_group_name          = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ virtual_network_name         = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurecaf_name.caf_name_redis must be replaced
-/+ resource "azurecaf_name" "caf_name_redis" {
      ~ id            = "qmdwakptsqrwgxse" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "arfqxqwlltqcwxqo" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurerm_private_dns_a_record.this must be replaced
-/+ resource "azurerm_private_dns_a_record" "this" {
      ~ fqdn                = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.privatelink.redis.cache.windows.net." -> (known after apply)
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net/A/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ name                = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ records             = [
          - "10.240.11.7",
        ] -> (known after apply)
      - tags                = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.redis_cache[0].azurerm_private_endpoint.this must be replaced
-/+ resource "azurerm_private_endpoint" "this" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net"
              - ip_addresses = [
                  - "10.240.11.7",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ location                 = "westus3" -> "westus2" # forces replacement
      ~ name                     = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e"
              - name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement
      - tags                     = {} -> null

      ~ private_service_connection {
          ~ name                           = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
          ~ private_ip_address             = "10.240.11.7" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # module.redis_cache[0].azurerm_redis_cache.this must be replaced
-/+ resource "azurerm_redis_cache" "this" {
      ~ hostname                      = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" -> (known after apply)
      ~ id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply)
      ~ location                      = "westus3" -> "westus2" # forces replacement
      ~ name                          = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ port                          = 6379 -> (known after apply)
      ~ primary_access_key            = (sensitive value)
      ~ primary_connection_string     = (sensitive value)
      + private_static_ip_address     = (known after apply)
      ~ redis_version                 = "6.0" -> (known after apply)
      ~ replicas_per_master           = 0 -> (known after apply)
      ~ replicas_per_primary          = 0 -> (known after apply)
      ~ resource_group_name           = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement
      ~ secondary_access_key          = (sensitive value)
      ~ secondary_connection_string   = (sensitive value)
      - shard_count                   = 0 -> null
      ~ ssl_port                      = 6380 -> (known after apply)
        tags                          = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "redis"
        }
      - tenant_settings               = {} -> null
      - zones                         = [] -> null
        # (6 unchanged attributes hidden)

      ~ redis_configuration {
          - aof_backup_enabled              = false -> null
          ~ maxclients                      = 2000 -> (known after apply)
          ~ maxfragmentationmemory_reserved = 299 -> (known after apply)
          ~ maxmemory_delta                 = 299 -> (known after apply)
          ~ maxmemory_reserved              = 299 -> (known after apply)
          - rdb_backup_enabled              = false -> null
          - rdb_backup_frequency            = 0 -> null
          - rdb_backup_max_snapshot_count   = 0 -> null
            # (2 unchanged attributes hidden)
        }
    }

  # module.sql_database[0].azurecaf_name.caf_name_sqlserver must be replaced
-/+ resource "azurecaf_name" "caf_name_sqlserver" {
      ~ id            = "pmnternummrbgqpv" -> (known after apply)
      ~ name          = "eslz1" -> "eslz2" # forces replacement
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-spoke",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.sql_database[0].azurecaf_name.private_endpoint must be replaced
-/+ resource "azurecaf_name" "private_endpoint" {
      ~ id            = "eiedeunwqohdpaah" -> (known after apply)
      ~ name          = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      ~ result        = "pe-sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.sql_database[0].azurerm_mssql_database.this[0] must be replaced
-/+ resource "azurerm_mssql_database" "this" {
      ~ auto_pause_delay_in_minutes         = 0 -> (known after apply)
      ~ collation                           = "SQL_Latin1_General_CP1_CI_AS" -> (known after apply)
      + creation_source_database_id         = (known after apply)
      ~ id                                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461/databases/sample-db" -> (known after apply)
      ~ ledger_enabled                      = false -> (known after apply)
      + license_type                        = (known after apply)
      ~ maintenance_configuration_name      = "SQL_Default" -> (known after apply)
      ~ max_size_gb                         = 250 -> (known after apply)
      ~ min_capacity                        = 0 -> (known after apply)
        name                                = "sample-db"
      ~ read_replica_count                  = 0 -> (known after apply)
      ~ read_scale                          = false -> (known after apply)
      + restore_point_in_time               = (known after apply)
      + sample_name                         = (known after apply)
      ~ server_id                           = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement
      - tags                                = {} -> null
      ~ zone_redundant                      = false -> (known after apply)
        # (5 unchanged attributes hidden)

      - long_term_retention_policy {
          - monthly_retention = "PT0S" -> null
          - week_of_year      = 1 -> null
          - weekly_retention  = "PT0S" -> null
          - yearly_retention  = "PT0S" -> null
        }

      - short_term_retention_policy {
          - backup_interval_in_hours = 24 -> null
          - retention_days           = 7 -> null
        }

      - threat_detection_policy {
          - disabled_alerts      = [] -> null
          - email_account_admins = "Disabled" -> null
          - email_addresses      = [] -> null
          - retention_days       = 0 -> null
          - state                = "Disabled" -> null
        }
    }

  # module.sql_database[0].azurerm_mssql_server.this must be replaced
-/+ resource "azurerm_mssql_server" "this" {
      ~ administrator_login                  = "CloudSA637969e7" -> (known after app ...
Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/906e514e-cd8a-41ff-a9d8-78535aa51e7f/terraform-bin show -no-color tfplan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted
  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null
        name                = "Azure-Monitor-FQDNs"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted
  - resource "azurerm_firewall_application_rule_collection" "core" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null
        name                = "Core-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null
        name                = "Devops-VM-Dependencies-FQDNs"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted
  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null
        name                = "Windows-VM-Connectivity-Requirements"
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurecaf_name.caf_name_hub_rg must be replaced
-/+ resource "azurecaf_name" "caf_name_hub_rg" {
      ~ id            = "akckvaegwemunepv" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # azurerm_resource_group.hub must be replaced
-/+ resource "azurerm_resource_group" "hub" {
      ~ id       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
      ~ location = "westus3" -> "westus2" # forces replacement
      ~ name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags     = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
        }
    }

  # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced
-/+ resource "azurecaf_name" "caf_name_bastion" {
      ~ id            = "wbujomtsfcqdpxod" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.bastion[0].azurecaf_name.caf_name_pip must be replaced
-/+ resource "azurecaf_name" "caf_name_pip" {
      ~ id            = "paqdxwmbugcxjhhq" -> (known after apply)
        name          = "eslz2-bastion"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.bastion[0].azurerm_bastion_host.bastion must be replaced
-/+ resource "azurerm_bastion_host" "bastion" {
      ~ dns_name               = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply)
      ~ id                     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
      ~ location               = "westus3" -> "westus2" # forces replacement
      ~ name                   = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name    = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                   = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
        # (7 unchanged attributes hidden)

      ~ ip_configuration {
            name                 = "bastionHostIpConfiguration"
          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement
          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement
        }
    }

  # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced
-/+ resource "azurerm_public_ip" "bastion_pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)
      ~ ip_address              = "20.163.49.112" -> (known after apply)
      - ip_tags                 = {} -> null
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "bastion"
        }
      - zones                   = [] -> null
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced
-/+ resource "azurecaf_name" "caf_name_firewall" {
      ~ id            = "dtqvqxowbnalaruk" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced
-/+ resource "azurecaf_name" "caf_name_law" {
      ~ id            = "lofxpwfygywepldl" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurecaf_name.caf_name_pip must be replaced
-/+ resource "azurecaf_name" "caf_name_pip" {
      ~ id            = "ofhucdctoijllhdb" -> (known after apply)
        name          = "eslz2-fw"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurerm_firewall.firewall must be replaced
-/+ resource "azurerm_firewall" "firewall" {
      - dns_servers         = [] -> null
      ~ id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)
      ~ location            = "westus3" -> "westus2" # forces replacement
      ~ name                = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement
      - private_ip_ranges   = [] -> null
      ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "firewall"
        }
      ~ threat_intel_mode   = "Alert" -> (known after apply)
      - zones               = [] -> null
        # (2 unchanged attributes hidden)

      ~ ip_configuration {
            name                 = "firewallIpConfiguration"
          ~ private_ip_address   = "10.242.0.4" -> (known after apply)
          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-ad-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

  # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced
-/+ resource "azurerm_log_analytics_workspace" "law" {
      - cmk_for_query_forced            = false -> null
      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ location                        = "westus3" -> "westus2" # forces replacement
      ~ name                            = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ primary_shared_key              = (sensitive value)
      ~ resource_group_name             = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ retention_in_days               = 30 -> (known after apply)
      ~ secondary_shared_key            = (sensitive value)
      - tags                            = {} -> null
      ~ workspace_id                    = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply)
        # (6 unchanged attributes hidden)
    }

  # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced
-/+ resource "azurerm_monitor_diagnostic_setting" "this" {
      ~ id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply)
      ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)
      ~ log_analytics_workspace_id     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)
      ~ name                           = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement
      ~ target_resource_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement

      - log {
          - category_group = "allLogs" -> null
          - enabled        = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (2 unchanged blocks hidden)
    }

  # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced
-/+ resource "azurerm_public_ip" "firewall_pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)
      ~ ip_address              = "20.25.176.182" -> (known after apply)
      - ip_tags                 = {} -> null
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "firewall"
        }
      - zones                   = [] -> null
        # (6 unchanged attributes hidden)
    }

  # module.network.azurecaf_name.caf_name_vnet must be replaced
-/+ resource "azurecaf_name" "caf_name_vnet" {
      ~ id            = "pvwuveykntdcxsyc" -> (known after apply)
        name          = "eslz2"
      ~ prefixes      = [ # forces replacement
            "sec-baseline-1-hub",
          - "westus3",
          + "wus2",
        ]
      ~ result        = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
      ~ results       = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }

  # module.network.azurerm_subnet.this[0] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply)
        name                                           = "AzureFirewallSubnet"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_subnet.this[1] must be replaced
-/+ resource "azurerm_subnet" "this" {
      ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)
      ~ enforce_private_link_service_network_policies  = false -> (known after apply)
      ~ id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply)
        name                                           = "AzureBastionSubnet"
      ~ private_endpoint_network_policies_enabled      = true -> (known after apply)
      ~ private_link_service_network_policies_enabled  = true -> (known after apply)
      ~ resource_group_name                            = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      - service_endpoint_policy_ids                    = [] -> null
      - service_endpoints                              = [] -> null
      ~ virtual_network_name                           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.network.azurerm_virtual_network.this must be replaced
-/+ resource "azurerm_virtual_network" "this" {
      ~ dns_servers             = [] -> (known after apply)
      - flow_timeout_in_minutes = 0 -> null
      ~ guid                    = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply)
      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
      ~ location                = "westus3" -> "westus2" # forces replacement
      ~ name                    = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement
      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement
      ~ subnet                  = [
          - {
              - address_prefix = "10.242.0.0/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet"
              - name           = "AzureFirewallSubnet"
              - security_group = ""
            },
          - {
              - address_prefix = "10.242.0.64/26"
              - id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet"
              - name           = "AzureBastionSubnet"
              - security_group = ""
            },
        ] -> (known after apply)
        tags                    = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "network"
        }
        # (1 unchanged attribute hidden)
    }

Plan: 21 to add, 0 to change, 17 to destroy.

Changes to Outputs:
  ~ bastion_name        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)
  ~ firewall_private_ip = "10.242.0.4" -> (known after apply)
  ~ firewall_rules      = {
      ~ azure_monitor         = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)
      ~ core                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)
      ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)
    }
  ~ rg_name             = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)
  ~ vnet_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
  ~ vnet_name           = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)
::debug::Terraform exited with code 0.
::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A  - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A        name                = "Azure-Monitor-FQDNs"%0A        # (4 unchanged attributes hidden)%0A%0A        # (1 unchanged block hidden)%0A    }%0A%0A  # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A  - resource "azurerm_firewall_application_rule_collection" "core" {%0A      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A        name                = "Core-Dependencies-FQDNs"%0A        # (4 unchanged attributes hidden)%0A%0A        # (3 unchanged blocks hidden)%0A    }%0A%0A  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A  - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A        name                = "Devops-VM-Dependencies-FQDNs"%0A        # (4 unchanged attributes hidden)%0A%0A        
# (2 unchanged blocks hidden)%0A    }%0A%0A  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A  - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A      - id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A        name                = "Windows-VM-Connectivity-Requirements"%0A        # (4 unchanged attributes hidden)%0A%0A        # (2 unchanged blocks hidden)%0A    }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. 
Resource actions are indicated with the following symbols:%0A  + create%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A  # azurecaf_name.caf_name_hub_rg must be replaced%0A-/+ resource "azurecaf_name" "caf_name_hub_rg" {%0A      ~ id            = "akckvaegwemunepv" -> (known after apply)%0A        name          = "eslz2"%0A      ~ prefixes      = [ # forces replacement%0A            "sec-baseline-1-hub",%0A          - "westus3",%0A          + "wus2",%0A        ]%0A      ~ result        = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A      ~ results       = {} -> (known after apply)%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # azurerm_resource_group.hub must be replaced%0A-/+ resource "azurerm_resource_group" "hub" {%0A      ~ id       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A      ~ location = "westus3" -> "westus2" # forces replacement%0A      ~ name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A        tags     = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A        }%0A    }%0A%0A  # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced%0A-/+ resource "azurecaf_name" "caf_name_bastion" {%0A      ~ id            = "wbujomtsfcqdpxod" -> (known after apply)%0A        name          = "eslz2"%0A      ~ prefixes      = [ # forces replacement%0A            "sec-baseline-1-hub",%0A          - "westus3",%0A          + "wus2",%0A        ]%0A      ~ result        = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A      ~ results       = {} -> (known after apply)%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # 
module.bastion[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A      ~ id            = "paqdxwmbugcxjhhq" -> (known after apply)%0A        name          = "eslz2-bastion"%0A      ~ prefixes      = [ # forces replacement%0A            "sec-baseline-1-hub",%0A          - "westus3",%0A          + "wus2",%0A        ]%0A      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A      ~ results       = {} -> (known after apply)%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A      ~ dns_name               = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply)%0A      ~ id                     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A      ~ location               = "westus3" -> "westus2" # forces replacement%0A      ~ name                   = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement%0A      ~ resource_group_name    = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A        tags                   = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "bastion"%0A        }%0A        # (7 unchanged attributes hidden)%0A%0A      ~ ip_configuration {%0A            name                 = "bastionHostIpConfiguration"%0A          ~ public_ip_address_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement%0A        }%0A    }%0A%0A  # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A      + fqdn                    = (known after apply)%0A      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A      ~ ip_address              = "20.163.49.112" -> (known after apply)%0A      - ip_tags                 = {} -> null%0A      ~ location                = "westus3" -> "westus2" # forces replacement%0A      ~ name                    = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A      ~ resource_group_name     = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A        tags                    = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "bastion"%0A        }%0A      - zones                   = [] -> null%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # module.firewall[0].azurecaf_name.caf_name_firewall must be 
replaced%0A-/+ resource "azurecaf_name" "caf_name_firewall" {%0A      ~ id            = "dtqvqxowbnalaruk" -> (known after apply)%0A        name          = "eslz2"%0A      ~ prefixes      = [ # forces replacement%0A            "sec-baseline-1-hub",%0A          - "westus3",%0A          + "wus2",%0A        ]%0A      ~ result        = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A      ~ results       = {} -> (known after apply)%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced%0A-/+ resource "azurecaf_name" "caf_name_law" {%0A      ~ id            = "lofxpwfygywepldl" -> (known after apply)%0A        name          = "eslz2"%0A      ~ prefixes      = [ # forces replacement%0A            "sec-baseline-1-hub",%0A          - "westus3",%0A          + "wus2",%0A        ]%0A      ~ result        = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A      ~ results       = {} -> (known after apply)%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # module.firewall[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A      ~ id            = "ofhucdctoijllhdb" -> (known after apply)%0A        name          = "eslz2-fw"%0A      ~ prefixes      = [ # forces replacement%0A            "sec-baseline-1-hub",%0A          - "westus3",%0A          + "wus2",%0A        ]%0A      ~ result        = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A      ~ results       = {} -> (known after apply)%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # module.firewall[0].azurerm_firewall.firewall must be replaced%0A-/+ resource "azurerm_firewall" "firewall" {%0A      - dns_servers         = [] -> null%0A      ~ id                  = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A      ~ location            = "westus3" -> "westus2" # forces replacement%0A      ~ name                = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A      - private_ip_ranges   = [] -> null%0A      ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A        tags                = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "firewall"%0A        }%0A      ~ threat_intel_mode   = "Alert" -> (known after apply)%0A      - zones               = [] -> null%0A        # (2 unchanged attributes hidden)%0A%0A      ~ ip_configuration {%0A            name                 = "firewallIpConfiguration"%0A          ~ private_ip_address   = "10.242.0.4" -> (known after apply)%0A          ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A          ~ subnet_id            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement%0A        }%0A    }%0A%0A  # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A      + 
action              = "Allow"%0A      + azure_firewall_name = (known after apply)%0A      + id                  = (known after apply)%0A      + name                = "Azure-Monitor-FQDNs"%0A      + priority            = 201%0A      + resource_group_name = (known after apply)%0A%0A      + rule {%0A          + name             = "allow-azure-monitor"%0A          + source_addresses = [%0A              + "10.242.0.0/20",%0A              + "10.240.0.0/20",%0A            ]%0A          + target_fqdns     = [%0A              + "dc.applicationinsights.azure.com",%0A              + "dc.applicationinsights.microsoft.com",%0A              + "dc.services.visualstudio.com",%0A              + "*.in.applicationinsights.azure.com",%0A              + "live.applicationinsights.azure.com",%0A              + "rt.applicationinsights.microsoft.com",%0A              + "rt.services.visualstudio.com",%0A              + "*.livediagnostics.monitor.azure.com",%0A              + "*.monitoring.azure.com",%0A              + "agent.azureserviceprofiler.net",%0A              + "*.agent.azureserviceprofiler.net",%0A              + "*.monitor.azure.com",%0A            ]%0A%0A          + protocol {%0A              + port = 443%0A              + type = "Https"%0A            }%0A        }%0A    }%0A%0A  # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A  + resource "azurerm_firewall_application_rule_collection" "core" {%0A      + action              = "Allow"%0A      + azure_firewall_name = (known after apply)%0A      + id                  = (known after apply)%0A      + name                = "Core-Dependencies-FQDNs"%0A      + priority            = 200%0A      + resource_group_name = (known after apply)%0A%0A      + rule {%0A          + name             = "allow-core-apis"%0A          + source_addresses = [%0A              + "10.242.0.0/20",%0A              + "10.240.0.0/20",%0A            ]%0A          + target_fqdns     = [%0A              + 
"management.azure.com",%0A              + "management.core.windows.net",%0A              + "login.microsoftonline.com",%0A              + "login.windows.net",%0A              + "login.live.com",%0A              + "graph.windows.net",%0A              + "graph.microsoft.com",%0A            ]%0A%0A          + protocol {%0A              + port = 443%0A              + type = "Https"%0A            }%0A        }%0A      + rule {%0A          + name             = "allow-developer-services"%0A          + source_addresses = [%0A              + "10.242.0.0/20",%0A              + "10.240.0.0/20",%0A            ]%0A          + target_fqdns     = [%0A              + "github.com",%0A              + "*.github.com",%0A              + "*.nuget.org",%0A              + "*.blob.core.windows.net",%0A              + "*.githubusercontent.com",%0A              + "dev.azure.com",%0A              + "*.dev.azure.com",%0A              + "portal.azure.com",%0A              + "*.portal.azure.com",%0A              + "*.portal.azure.net",%0A              + "appservice.azureedge.net",%0A              + "*.azurewebsites.net",%0A              + "edge.management.azure.com",%0A              + "vstsagentpackage.azureedge.net",%0A            ]%0A%0A          + protocol {%0A              + port = 443%0A              + type = "Https"%0A            }%0A        }%0A      + rule {%0A          + name             = "allow-certificate-dependencies"%0A          + source_addresses = [%0A              + "10.242.0.0/20",%0A              + "10.240.0.0/20",%0A            ]%0A          + target_fqdns     = [%0A              + "*.delivery.mp.microsoft.com",%0A              + "ctldl.windowsupdate.com",%0A              + "download.windowsupdate.com",%0A              + "mscrl.microsoft.com",%0A              + "ocsp.msocsp.com",%0A              + "oneocsp.microsoft.com",%0A              + "crl.microsoft.com",%0A              + "www.microsoft.com",%0A              + "*.digicert.com",%0A              + "*.symantec.com",%0A     
         + "*.symcb.com",%0A              + "*.d-trust.net",%0A            ]%0A%0A          + protocol {%0A              + port = 80%0A              + type = "Http"%0A            }%0A        }%0A    }%0A%0A  # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A      + action              = "Allow"%0A      + azure_firewall_name = (known after apply)%0A      + id                  = (known after apply)%0A      + name                = "Devops-VM-Dependencies-FQDNs"%0A      + priority            = 202%0A      + resource_group_name = (known after apply)%0A%0A      + rule {%0A          + name             = "allow-azure-ad-join"%0A          + source_addresses = [%0A              + "10.240.10.128/26",%0A            ]%0A          + target_fqdns     = [%0A              + "enterpriseregistration.windows.net",%0A              + "pas.windows.net",%0A              + "login.microsoftonline.com",%0A              + "device.login.microsoftonline.com",%0A              + "autologon.microsoftazuread-sso.com",%0A              + "manage-beta.microsoft.com",%0A              + "manage.microsoft.com",%0A              + "aadcdn.msauth.net",%0A              + "aadcdn.msftauth.net",%0A              + "aadcdn.msftauthimages.net",%0A              + "*.wns.windows.com",%0A              + "*.sts.microsoft.com",%0A              + "*.manage-beta.microsoft.com",%0A              + "*.manage.microsoft.com",%0A            ]%0A%0A          + protocol {%0A              + port = 443%0A              + type = "Https"%0A            }%0A        }%0A      + rule {%0A          + name             = "allow-vm-dependencies-and-tools"%0A          + source_addresses = [%0A              + "10.240.10.128/26",%0A            ]%0A          + target_fqdns     = [%0A              + "aka.ms",%0A              + "go.microsoft.com",%0A              + "download.microsoft.com",%0A              + 
"edge.microsoft.com",%0A              + "fs.microsoft.com",%0A              + "wdcp.microsoft.com",%0A              + "wdcpalt.microsoft.com",%0A              + "msedge.api.cdp.microsoft.com",%0A              + "winatp-gw-cane.microsoft.com",%0A              + "*.google.com",%0A              + "*.live.com",%0A              + "*.bing.com",%0A              + "*.msappproxy.net",%0A              + "*.delivery.mp.microsoft.com",%0A              + "*.data.microsoft.com",%0A              + "*.blob.storage.azure.net",%0A              + "*.blob.core.windows.net",%0A              + "*.dl.delivery.mp.microsoft.com",%0A              + "*.prod.do.dsp.mp.microsoft.com",%0A              + "*.update.microsoft.com",%0A              + "*.windowsupdate.com",%0A              + "*.apps.qualys.com",%0A              + "*.bootstrapcdn.com",%0A              + "*.jsdelivr.net",%0A              + "*.jquery.com",%0A              + "*.msecnd.net",%0A            ]%0A%0A          + protocol {%0A              + port = 443%0A              + type = "Https"%0A            }%0A        }%0A    }%0A%0A  # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A      + action              = "Allow"%0A      + azure_firewall_name = (known after apply)%0A      + id                  = (known after apply)%0A      + name                = "Windows-VM-Connectivity-Requirements"%0A      + priority            = 202%0A      + resource_group_name = (known after apply)%0A%0A      + rule {%0A          + destination_addresses = [%0A              + "20.118.99.224",%0A              + "40.83.235.53",%0A              + "23.102.135.246",%0A              + "51.4.143.248",%0A              + "23.97.0.13",%0A              + "52.126.105.2",%0A            ]%0A          + destination_ports     = [%0A              + "*",%0A            ]%0A          + name                  = "allow-kms-activation"%0A          + 
protocols             = [%0A              + "TCP",%0A              + "UDP",%0A            ]%0A          + source_addresses      = [%0A              + "10.240.10.128/26",%0A            ]%0A        }%0A      + rule {%0A          + destination_addresses = [%0A              + "*",%0A            ]%0A          + destination_ports     = [%0A              + "123",%0A            ]%0A          + name                  = "allow-ntp"%0A          + protocols             = [%0A              + "TCP",%0A              + "UDP",%0A            ]%0A          + source_addresses      = [%0A              + "10.240.10.128/26",%0A            ]%0A        }%0A    }%0A%0A  # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced%0A-/+ resource "azurerm_log_analytics_workspace" "law" {%0A      - cmk_for_query_forced            = false -> null%0A      ~ id                              = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A      ~ location                        = "westus3" -> "westus2" # forces replacement%0A      ~ name                            = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement%0A      ~ primary_shared_key              = (sensitive value)%0A      ~ resource_group_name             = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A      ~ retention_in_days               = 30 -> (known after apply)%0A      ~ secondary_shared_key            = (sensitive value)%0A      - tags                            = {} -> null%0A      ~ workspace_id                    = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply)%0A        # (6 unchanged attributes hidden)%0A    }%0A%0A  # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced%0A-/+ resource 
"azurerm_monitor_diagnostic_setting" "this" {%0A      ~ id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply)%0A      ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)%0A      ~ log_analytics_workspace_id     = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A      ~ name                           = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement%0A      ~ target_resource_id             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A%0A      - log {%0A          - category_group = "allLogs" -> null%0A          - enabled        = true -> null%0A%0A          - retention_policy {%0A              - days    = 0 -> null%0A              - enabled = false -> null%0A            }%0A        }%0A%0A        # (2 unchanged blocks hidden)%0A    }%0A%0A  # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced%0A-/+ resource "azurerm_public_ip" "firewall_pip" {%0A      + fqdn                    = (known after apply)%0A      ~ id                      = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A      ~ ip_address              = "20.25.176.182" -> (known after apply)%0A      - ip_tags             

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan

[command]/home/runner/work/_temp/abcea004-0e83-4518-a1e1-5bcfbb0c7e79/terraform-bin show -no-color tfplan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment must be replaced
-/+ resource "azurerm_role_assignment" "vm_admin_role_assignment" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-devops-dev/providers/Microsoft.Authorization/roleAssignments/f2e026d0-363c-61bf-9b76-6f4fc5f99763" -> (known after apply)
      ~ name                             = "f2e026d0-363c-61bf-9b76-6f4fc5f99763" -> (known after apply)
      ~ principal_id                     = "d3acf0ca-d629-423b-a06b-7fab838e7c5d" -> "bda41c64-1493-4d8d-b4b5-7135159d4884" # forces replacement
      ~ principal_type                   = "User" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4" -> (known after apply)
      + skip_service_principal_aad_check = (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.jumpbox_vm[0].azurerm_role_assignment.vm_admin_role_assignment must be replaced
-/+ resource "azurerm_role_assignment" "vm_admin_role_assignment" {
      ~ id                               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-jumpbox-dev/providers/Microsoft.Authorization/roleAssignments/2092f264-8305-4a03-fe8c-f0881043467c" -> (known after apply)
      ~ name                             = "2092f264-8305-4a03-fe8c-f0881043467c" -> (known after apply)
      ~ principal_id                     = "d3acf0ca-d629-423b-a06b-7fab838e7c5d" -> "bda41c64-1493-4d8d-b4b5-7135159d4884" # forces replacement
      ~ principal_type                   = "User" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4" -> (known after apply)
      + skip_service_principal_aad_check = (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place
  ~ resource "azurerm_subnet" "this" {
        id                                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment"
        name                                           = "hostingEnvironment"
        # (9 unchanged attributes hidden)

      ~ delegation {
            name = "Microsoft.Web/serverFarms"

          ~ service_delegation {
              ~ actions = [
                  - "Microsoft.Network/virtualNetworks/subnets/action",
                  + "Microsoft.Network/virtualNetworks/subnets/join/action",
                  + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
                ]
                name    = "Microsoft.Web/hostingEnvironments"
            }
        }
    }

Plan: 2 to add, 1 to change, 2 to destroy.

Changes to Outputs:
  + shared-vms                   = {
      + devops  = {
          + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-devops-dev"
          + ip = "10.0.2.4"
        }
      + jumpbox = {
          + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-jumpbox-dev"
          + ip = "10.0.3.4"
        }
    }

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

@JinLee794 JinLee794 merged commit d84892b into main Aug 11, 2023
@JinLee794 JinLee794 deleted the feature/terraform_refactor branch August 11, 2023 14:15