Added OpenAI module to multitenant spoke deployment #190

Merged
merged 5 commits into from
Oct 25, 2023

Conversation

JinLee794
Contributor

Description

#175
Added OpenAI module code to terraform-modules/cognitive-services/openai

Currently added the deployment config on the Multi-tenant spoke scenario @ scenarios/secure-baseline-multitenant/terraform/spoke/ai.tf

The Secure-Baseline-ASE scenario currently has some networking configs that are missing; will look into addressing this by consolidating both scenarios into a single Terraform deployment (Issue #189)

Type of Change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • My corresponding pipelines / checks run clean and green without any errors or warnings
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (readme)
  • I did format my code

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/e2622110-a429-4339-9000-e7aebbe59d3c/terraform-bin show -no-color tfplan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "[email protected]"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "gpt-35-turbo"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "text-embedding-ada-002"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "[email protected]"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.
::debug::Terraform exited with code 0.
= "[email protected]"%0A          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A          + "Terraform"   = "true"%0A          + "module"      = "private-dns-zone"%0A        }%0A    }%0A%0A  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created%0A  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A      + id                    = (known after apply)%0A      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A      + private_dns_zone_name = "privatelink.openai.azure.com"%0A      + registration_enabled  = false%0A      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"%0A      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A    }%0A%0A  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created%0A  + resource "azurerm_private_endpoint" "this" {%0A      + custom_dns_configs       = (known after apply)%0A      + id                       = (known after apply)%0A      + location                 = "westus3"%0A      + name                     = (known after apply)%0A      + network_interface        = (known after apply)%0A      + private_dns_zone_configs = (known after apply)%0A      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"%0A      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"%0A      + tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A%0A      + private_service_connection {%0A          + is_manual_connection           = false%0A          + name                           = (known after 
apply)%0A          + private_connection_resource_id = (known after apply)%0A          + private_ip_address             = (known after apply)%0A          + subresource_names              = [%0A              + "account",%0A            ]%0A        }%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"%0A        name                = "eslz2"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"%0A        name                = "eslz2.scm"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place%0A  ~ resource "azurerm_private_endpoint" "this" {%0A        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"%0A        name                     = "pe-eslz2"%0A      ~ tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (6 
unchanged attributes hidden)%0A%0A        # (1 unchanged block hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"%0A        name                = "eslz2-staging"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"%0A        name                = "eslz2-staging.scm"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place%0A  ~ resource "azurerm_private_endpoint" "this" {%0A        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"%0A        name                     = "pe-eslz2-staging"%0A      ~ tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (6 unchanged attributes hidden)%0A%0A        # (1 unchanged block hidden)%0A    }%0A%0APlan: 14 to add, 7 to change, 6 
to destroy.%0A
::debug::stderr: 
::debug::exitcode: 0

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@kunalbabre kunalbabre requested a review from thotheod October 18, 2023 15:51
We have that in the documentation
we need it for tfvars, to connect to existing hub
@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/7f964d9f-c035-4365-9da1-60fb31121612/terraform-bin show -no-color tfplan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "[email protected]"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "gpt-35-turbo"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "text-embedding-ada-002"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "[email protected]"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.
}%0A          + virtual_network_rules {%0A              + ignore_missing_vnet_service_endpoint = true%0A              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"%0A            }%0A          + virtual_network_rules {%0A              + ignore_missing_vnet_service_endpoint = true%0A              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"%0A            }%0A          + virtual_network_rules {%0A              + ignore_missing_vnet_service_endpoint = true%0A              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"%0A            }%0A        }%0A    }%0A%0A  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created%0A  + resource "azurerm_cognitive_deployment" "this" {%0A      + cognitive_account_id = (known after apply)%0A      + id                   = (known after apply)%0A      + name                 = "gpt-35-turbo"%0A%0A      + model {%0A          + format  = "OpenAI"%0A          + name    = "gpt-35-turbo"%0A          + version = "0613"%0A        }%0A%0A      + scale {%0A          + capacity = 1%0A          + type     = "Standard"%0A        }%0A    }%0A%0A  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created%0A  + resource "azurerm_cognitive_deployment" "this" {%0A      + cognitive_account_id = (known after apply)%0A      + id                   = (known after 
apply)%0A      + name                 = "text-embedding-ada-002"%0A%0A      + model {%0A          + format  = "OpenAI"%0A          + name    = "text-embedding-ada-002"%0A          + version = "2"%0A        }%0A%0A      + scale {%0A          + capacity = 1%0A          + type     = "Standard"%0A        }%0A    }%0A%0A  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced%0A-/+ resource "azurerm_private_dns_zone" "this" {%0A      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)%0A      ~ max_number_of_record_sets                             = 25000 -> (known after apply)%0A      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)%0A      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)%0A      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement%0A      ~ number_of_record_sets                                 = 2 -> (known after apply)%0A        tags                                                  = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "private-dns-zone"%0A        }%0A        # (1 unchanged attribute hidden)%0A%0A      - soa_record {%0A          - email         = "azureprivatedns-host.microsoft.com" -> null%0A          - expire_time   = 2419200 -> null%0A          - fqdn          = "privatelink.database.windows.net." 
-> null%0A          - host_name     = "azureprivatedns.net" -> null%0A          - minimum_ttl   = 10 -> null%0A          - refresh_time  = 3600 -> null%0A          - retry_time    = 300 -> null%0A          - serial_number = 1 -> null%0A          - tags          = {} -> null%0A          - ttl           = 3600 -> null%0A        }%0A    }%0A%0A  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced%0A-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)%0A        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement%0A      - tags                  = {} -> null%0A        # (3 unchanged attributes hidden)%0A    }%0A%0A  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced%0A-/+ resource "azurerm_private_dns_zone" "this" {%0A      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)%0A      ~ max_number_of_record_sets                             = 25000 -> (known after apply)%0A      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)%0A      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)%0A      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement%0A      ~ number_of_record_sets                            
     = 2 -> (known after apply)%0A        tags                                                  = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "private-dns-zone"%0A        }%0A        # (1 unchanged attribute hidden)%0A%0A      - soa_record {%0A          - email         = "azureprivatedns-host.microsoft.com" -> null%0A          - expire_time   = 2419200 -> null%0A          - fqdn          = "privatelink.azconfig.io." -> null%0A          - host_name     = "azureprivatedns.net" -> null%0A          - minimum_ttl   = 10 -> null%0A          - refresh_time  = 3600 -> null%0A          - retry_time    = 300 -> null%0A          - serial_number = 1 -> null%0A          - tags          = {} -> null%0A          - ttl           = 3600 -> null%0A        }%0A    }%0A%0A  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced%0A-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)%0A        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement%0A      - tags                  = {} -> null%0A        # (3 unchanged attributes hidden)%0A    }%0A%0A  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced%0A-/+ resource "azurerm_private_dns_zone" "this" {%0A      ~ id                                                    = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)%0A      ~ max_number_of_record_sets                             = 25000 -> (known after apply)%0A      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)%0A      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)%0A      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement%0A      ~ number_of_record_sets                                 = 2 -> (known after apply)%0A        tags                                                  = {%0A            "Environment" = "prod"%0A            "Owner"       = "[email protected]"%0A            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A            "Terraform"   = "true"%0A            "module"      = "private-dns-zone"%0A        }%0A        # (1 unchanged attribute hidden)%0A%0A      - soa_record {%0A          - email         = "azureprivatedns-host.microsoft.com" -> null%0A          - expire_time   = 2419200 -> null%0A          - fqdn          = "privatelink.vaultcore.azure.net." 
-> null%0A          - host_name     = "azureprivatedns.net" -> null%0A          - minimum_ttl   = 10 -> null%0A          - refresh_time  = 3600 -> null%0A          - retry_time    = 300 -> null%0A          - serial_number = 1 -> null%0A          - tags          = {} -> null%0A          - ttl           = 3600 -> null%0A        }%0A    }%0A%0A  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced%0A-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)%0A        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement%0A      - tags                  = {} -> null%0A        # (3 unchanged attributes hidden)%0A    }%0A%0A  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created%0A  + resource "azurerm_private_dns_zone" "this" {%0A      + id                                                    = (known after apply)%0A      + max_number_of_record_sets                             = (known after apply)%0A      + max_number_of_virtual_network_links                   = (known after apply)%0A      + max_number_of_virtual_network_links_with_registration = (known after apply)%0A      + name                                                  = "privatelink.openai.azure.com"%0A      + number_of_record_sets                                 = (known after apply)%0A      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"%0A      + tags                                                  = {%0A          + "Environment" = "prod"%0A          + "Owner"       
= "[email protected]"%0A          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A          + "Terraform"   = "true"%0A          + "module"      = "private-dns-zone"%0A        }%0A    }%0A%0A  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created%0A  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A      + id                    = (known after apply)%0A      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A      + private_dns_zone_name = "privatelink.openai.azure.com"%0A      + registration_enabled  = false%0A      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"%0A      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A    }%0A%0A  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created%0A  + resource "azurerm_private_endpoint" "this" {%0A      + custom_dns_configs       = (known after apply)%0A      + id                       = (known after apply)%0A      + location                 = "westus3"%0A      + name                     = (known after apply)%0A      + network_interface        = (known after apply)%0A      + private_dns_zone_configs = (known after apply)%0A      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"%0A      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"%0A      + tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A%0A      + private_service_connection {%0A          + is_manual_connection           = false%0A          + name                           = (known after 
apply)%0A          + private_connection_resource_id = (known after apply)%0A          + private_ip_address             = (known after apply)%0A          + subresource_names              = [%0A              + "account",%0A            ]%0A        }%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"%0A        name                = "eslz2"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"%0A        name                = "eslz2.scm"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place%0A  ~ resource "azurerm_private_endpoint" "this" {%0A        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"%0A        name                     = "pe-eslz2"%0A      ~ tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (6 
unchanged attributes hidden)%0A%0A        # (1 unchanged block hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"%0A        name                = "eslz2-staging"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"%0A        name                = "eslz2-staging.scm"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place%0A  ~ resource "azurerm_private_endpoint" "this" {%0A        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"%0A        name                     = "pe-eslz2-staging"%0A      ~ tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (6 unchanged attributes hidden)%0A%0A        # (1 unchanged block hidden)%0A    }%0A%0APlan: 14 to add, 7 to change, 6 
to destroy.%0A
::debug::stderr: 
::debug::exitcode: 0

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/3bd04294-739e-4f24-b0ba-230fa88c71c0/terraform-bin show -no-color tfplan

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/e01f445c-968e-4daa-a67c-1dc4be9ed7c3/terraform-bin show -no-color tfplan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "[email protected]"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "gpt-35-turbo"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "text-embedding-ada-002"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "[email protected]"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "[email protected]"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

Contributor

@thotheod thotheod left a comment


Added some minor changes in the documentation.
Two strange changes I needed to make, otherwise the deployment was failing:

  • In file spoke/variables.tf the variable "hub_settings" was commented out. I needed to uncomment it.
  • In file [/terraform/spoke/shared.tf] I had to change the value `vm_subnet_id = module.network.subnets[index(module.network.subnets.*.name, "devops")].id` to the simpler `vm_subnet_id = module.network.subnets["devops"].id`

Other than that, all looks good.

@thotheod thotheod marked this pull request as draft October 24, 2023 15:33
@thotheod thotheod marked this pull request as ready for review October 24, 2023 15:34
@kunalbabre kunalbabre merged commit a06d5e0 into main Oct 25, 2023
7 checks passed
@kunalbabre kunalbabre deleted the feature/175/tf-oai-modules branch October 25, 2023 15:34
jonlester pushed a commit that referenced this pull request May 20, 2024
* Added AI module to multitenant spoke

* OpenAI module added to multitenant scenario with private networking config.

* fixing bug with repeat go_version definition on appsvc_options

* fix: variable hub_settings
We have that in the documentation
we need it for tfvars, to connect to existing hub

* fixed something that didn't work for me

---------

Co-authored-by: Thodoris Theodorou <[email protected]>
ibersanoMS pushed a commit that referenced this pull request Oct 1, 2024