diff --git a/.github/workflows/.template.bicep.yml b/.github/workflows/.template.bicep.yml new file mode 100644 index 00000000..f6e0e979 --- /dev/null +++ b/.github/workflows/.template.bicep.yml @@ -0,0 +1,107 @@ +name: '.Template - Bicep Deployment' + +on: + workflow_call: + inputs: + # bicepVersion: + # type: string + # description: 'Bicep version' + # required: true + # default: 'v0.24.24' + modulePath: + type: string + description: 'Path to the Bicep module' + required: true + default: 'scenarios/secure-baseline-multitenant/bicep' + deployStackName: + type: string + description: 'Name of the subscription scoped stack to deploy' + required: false + default: 'secure-baseline-multitenant' + bicepParamPath: + type: string + description: 'Path to the Bicep variables' + required: true + bicepAdditionalParams: + type: string + description: 'Optional parameters to pass to Bicep in string format' + required: false + default: --deny-settings-mode 'none' + destroy: + type: boolean + description: 'Destroy resources?' + default: false + region: + type: string + description: 'Azure region' + required: true + default: 'westus2' + +jobs: + validate: + name: "Validate Bicep files" + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v4 + + # Log into Azure via OIDC + - uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }} + + - name: Run Bicep linter + run: az bicep build --file ${{ inputs.modulePath }} + # working-directory: ${{ inputs.modulePath }} + + # TODO: Buildout PSRule policies + # - name: Run PSRule analysis + # uses: microsoft/ps-rule@v2.9.0 + # with: + # modules: PSRule.Rules.Azure + + deploy: + if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' + name: 'Deploy' + environment: production + needs: validate + timeout-minutes: 360 + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@main + + # Log into Azure via OIDC + - uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }} + + - name: Deploy Bicep Scenario + run: | + # If Destroy flag is set, delete the stack + if ${{ inputs.destroy }}; then + echo "Destroying stack ${{ inputs.deployStackName }}" + + # Possible flags for delete: --delete-all, --delete-resource-groups, --delete-resources + az stack delete --name ${{ inputs.deployStackName }} --delete-all --yes + + exit 0 # Exit successfully + fi + + az stack sub create --name ${{ inputs.deployStackName }} \ + --location ${{ inputs.region }} \ + --template-file ${{ inputs.modulePath }} \ + --parameters ${{ inputs.bicepParamPath }} \ + ${{ inputs.bicepAdditionalParams }} + + # Potential Deny Settings + # ----------------------------- + # deny-settings-mode: Defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless explicitly granted access. The values include: none, denyDelete, and denyWriteAndDelete. + # deny-settings-apply-to-child-scopes: Deny settings are applied to child Azure management scopes. + # deny-settings-excluded-actions: List of role-based access control (RBAC) management operations excluded from the deny settings. Up to 200 actions are allowed. + # deny-settings-excluded-principals: List of Microsoft Entra principal IDs excluded from the lock. Up to five principals are allowed. + diff --git a/.github/workflows/scenario1.bicep.yml b/.github/workflows/scenario1.bicep.yml new file mode 100644 index 00000000..2b9c40d9 --- /dev/null +++ b/.github/workflows/scenario1.bicep.yml @@ -0,0 +1,73 @@ +name: 'Scenario 1: Bicep Multi-Tenant ASEv3 Secure Baseline' + +# This workflow tests the ASEv3 Secure Baseline Multi-Tenant scenario deployment. +# This will use the default parameter file (main.parameters.jsonc) with an overridden +# SKU to deploy ASEv3 + +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false + +on: + workflow_dispatch: + + push: + branches: + - main + paths: + - '.github/workflows/_template.bicep.yml' + - '.github/workflows/scenario1.bicep.yml' + - 'scenarios/secure-baseline-multitenant/bicep/**.bicep' + - 'scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc' + - '!scenarios/secure-baseline-multitenant/**.md' + + pull_request: + branches: + - main + paths: + - '.github/workflows/_template.bicep.yml' + - '.github/workflows/scenario1.bicep.yml' + - 'scenarios/secure-baseline-multitenant/bicep/**.bicep' + - 'scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc' + - '!scenarios/secure-baseline-multitenant/**.md' + +permissions: + id-token: write + contents: read + +env: + deployStackName: 'Scenario1-ASEv3-Secure-Baseline-MultiTenant' + deploymentPath: 'scenarios/secure-baseline-multitenant/bicep/main.bicep' + scenarioName: 'ase-multitenant' + region: 'westus2' + # webAppPlanSKU is the only parameter that is overridden for ASEv3 + webAppPlanSku: 'ASE_I3V2_AZ' + +jobs: + prepare-environment: + name: 'Prepare CICD Environment for Bicep Workflow' + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@main + outputs: + deployStackName: ${{ env.deployStackName }} + region: ${{ env.region }} + modulePath: ${{ env.deploymentPath }} + bicepParamPath: ${{ env.deploymentPath }}/main.parameters.jsonc + bicepAdditionalParams: -p webAppPlanSku=${{ env.webAppPlanSku }} --deny-settings-mode 'none' + + call-workflow-passing-data: + name: 'Bicep CICD' + needs: + - prepare-environment + uses: ./.github/workflows/.template.bicep.yml + with: + deployStackName: ${{ needs.prepare-environment.outputs.deployStackName }} + region: ${{ needs.prepare-environment.outputs.region }} + modulePath: ${{ needs.prepare-environment.outputs.modulePath }} + bicepParamPath: ${{ needs.prepare-environment.outputs.bicepParamPath }} + bicepAdditionalParams: ${{ needs.prepare-environment.outputs.bicepAdditionalParams }} + # Ensure this value is a boolean + destroy: ${{ github.event.inputs.destroy == 'true' }} + secrets: inherit diff --git a/.github/workflows/scenario1.terraform.hub.yml b/.github/workflows/scenario1.terraform.hub.yml deleted file mode 100644 index dc3fab25..00000000 --- a/.github/workflows/scenario1.terraform.hub.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: 'Scenario 1: Terraform HUB Multi-tenant Secure Baseline' - -on: - workflow_dispatch: - inputs: - destroy: - description: 'Destroy resources?' - required: true - type: boolean - default: false - - push: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.hub.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/hub/**' - - '!scenarios/secure-baseline-multitenant/terraform/hub/**.md' - - pull_request: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.hub.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/hub/**' - - '!scenarios/secure-baseline-multitenant/terraform/hub/**.md' - -permissions: - id-token: write - contents: read - pull-requests: write - -env: - modulePath: 'scenarios/secure-baseline-multitenant/terraform/hub' - terraformVersion: 1.5.2 # must be greater than or equal to 1.2 for OIDC - backendStateKey: 'scenario1.hub.tfstate' - tfvarPath: 'Parameters/uat.tfvars' - -jobs: - prepare-environment: - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@main - outputs: - modulePath: ${{ env.modulePath }} - terraformVersion: ${{ env.terraformVersion }} - backendStateKey: ${{ env.backendStateKey }} - tfvarPath: ${{ env.tfvarPath }} - - call-workflow-passing-data: - name: 'Terraform CICD' - needs: - - prepare-environment - uses: ./.github/workflows/.template.terraform.yml - with: - modulePath: ${{ needs.prepare-environment.outputs.modulePath }} - terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }} - backendStateKey: ${{ needs.prepare-environment.outputs.backendStateKey }} - tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }} - # Ensure this value is a boolean - destroy: ${{ github.event.inputs.destroy == 'true' }} - secrets: inherit diff --git a/.github/workflows/scenario1.terraform.spoke.yml b/.github/workflows/scenario1.terraform.spoke.yml deleted file mode 100644 index ac59f261..00000000 --- a/.github/workflows/scenario1.terraform.spoke.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: 'Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline' - -on: - workflow_dispatch: - inputs: - destroy: - description: 'Destroy resources?' - required: true - type: boolean - default: false - - push: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.spoke.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/spoke/**' - - '!scenarios/secure-baseline-multitenant/terraform/spoke/**.md' - - pull_request: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.spoke.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/spoke/**' - - '!scenarios/secure-baseline-multitenant/terraform/spoke/**.md' - -permissions: - id-token: write - contents: read - pull-requests: write - -env: - modulePath: 'scenarios/secure-baseline-multitenant/terraform/spoke' - terraformVersion: 1.5.2 # must be greater than or equal to 1.2 for OIDC - backendStateKey: 'scenario1.spoke.tfstate' - tfvarPath: 'Parameters/uat.tfvars' - -jobs: - prepare-environment: - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@main - outputs: - modulePath: ${{ env.modulePath }} - terraformVersion: ${{ env.terraformVersion }} - backendStateKey: ${{ env.backendStateKey }} - tfvarPath: ${{ env.tfvarPath }} - - call-workflow-passing-data: - name: 'Terraform CICD test' - needs: - - prepare-environment - uses: ./.github/workflows/.template.terraform.yml - with: - modulePath: ${{ needs.prepare-environment.outputs.modulePath }} - terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }} - backendStateKey: ${{ needs.prepare-environment.outputs.backendStateKey }} - tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }} - # Ensure this value is a boolean - destroy: ${{ github.event.inputs.destroy == 'true' }} - secrets: inherit diff --git a/.github/workflows/scenario1.terraform.yml b/.github/workflows/scenario1.terraform.yml new file mode 100644 index 00000000..0acf68af --- /dev/null +++ b/.github/workflows/scenario1.terraform.yml @@ -0,0 +1,86 @@ +name: 'Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline' + +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false + +on: + workflow_dispatch: + inputs: + destroy: + description: 'Destroy resources?' + required: true + type: boolean + default: false + + push: + branches: + - main + paths: + - '.github/workflows/scenario1.terraform.yml' + - '.github/workflows/_template.terraform.yml' + - 'scenarios/secure-baseline-multitenant/terraform/**.tf' + - 'scenarios/secure-baseline-multitenant/terraform/**/parameters/ase-multitenant.parameters.tfvars' + - '!scenarios/secure-baseline-multitenant/terraform/**.md' + + pull_request: + branches: + - main + paths: + - '.github/workflows/scenario1.terraform.yml' + - '.github/workflows/_template.terraform.yml' + - 'scenarios/secure-baseline-multitenant/terraform/**' + - 'scenarios/secure-baseline-multitenant/terraform/**/parameters/ase-multitenant.parameters.tfvars' + - '!scenarios/secure-baseline-multitenant/terraform/**.md' + +permissions: + id-token: write + contents: read + pull-requests: write + +env: + modulePath: 'scenarios/secure-baseline-multitenant/terraform' + terraformVersion: 1.5.2 # must be greater than or equal to 1.2 for OIDC + backendStateKey: 'scenario1.hub.tfstate' + tfvarPath: 'parameters/ase-multitenant.parameters.tfvars' + +jobs: + prepare-environment: + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@main + outputs: + modulePath: ${{ env.modulePath }} + terraformVersion: ${{ env.terraformVersion }} + backendStateKey: ${{ env.backendStateKey }} + tfvarPath: ${{ env.tfvarPath }} + + terraform-deploy-hub: + name: 'Terraform CICD (Hub Multi-tenant Secure Baseline)' + needs: + - prepare-environment + uses: ./.github/workflows/.template.terraform.yml + with: + modulePath: ${{ needs.prepare-environment.outputs.modulePath }}/hub + terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }} + backendStateKey: 'scenario1.hub.tfstate' + tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }} + # Ensure this value is a boolean + destroy: ${{ github.event.inputs.destroy == 'true' }} + secrets: inherit + + terraform-deploy-spoke: + name: 'Terraform CICD (Spoke Multi-tenant Secure Baseline)' + needs: + - prepare-environment + - terraform-deploy-hub + uses: ./.github/workflows/.template.terraform.yml + with: + modulePath: ${{ needs.prepare-environment.outputs.modulePath }}/spoke + terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }} + backendStateKey: 'scenario1.spoke.tfstate' + tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }} + # Ensure this value is a boolean + destroy: ${{ github.event.inputs.destroy == 'true' }} + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/scenario2.bicep.yml b/.github/workflows/scenario2.bicep.yml deleted file mode 100644 index 96c7f12d..00000000 --- a/.github/workflows/scenario2.bicep.yml +++ /dev/null @@ -1,102 +0,0 @@ -name: 'Scenario 2: Bicep Single-tenant ASEv3 Secure Baseline' - -on: - workflow_dispatch: - - # push: - # branches: - # - main - # paths: - # - '.github/workflows/bicep.scenario2.yml' - # - 'scenarios/secure-baseline-ase/bicep/**' - # - '!scenarios/secure-baseline-ase/**.md' - - # pull_request: - # branches: - # - main - # paths: - # - '.github/workflows/bicep.scenario2.yml' - # - 'scenarios/secure-baseline-ase/bicep/**' - # - '!scenarios/secure-baseline-ase/**.md' - -permissions: - id-token: write - contents: read - -env: - modulePath: 'scenarios/secure-baseline-ase/bicep' - -jobs: - validate_bicep: - name: "Validate Bicep files" - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v4 - - - name: Validate that bicep builds - run: az bicep build -f main.bicep - working-directory: ${{ env.modulePath }} - - build-and-deploy: - timeout-minutes: 360 - name: "Deploy Bicep templates" - needs: validate_bicep - runs-on: ubuntu-latest - environment: production - steps: - # Checkout code - - name: Checkout the code - uses: actions/checkout@main - - - name: Variable substitution - uses: microsoft/variable-substitution@v1 - with: - files: ${{ env.modulePath }}/config.yml - env: - ACCOUNT_NAME: ${{ secrets.AZURE_SUBSCRIPTION }} - - - name: Install yq to parse yaml file - run: | - sudo wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.5.0/yq_linux_amd64 - sudo chmod +x /usr/local/bin/yq - - - name: Parse config.yaml as output to GitHub Actions matrix - run: | - echo "config=$(yq e ${{ env.modulePath }}/config.yml -j -I=0)" >> $GITHUB_ENV - - - name: Write deployment information to log - run: | - echo "Deploying to ${{ fromJson(env.config).AZURE_LOCATION }} with name prefix ${{ fromJson(env.config).RESOURCE_NAME_PREFIX }}" - - # Log into Azure via OIDC - - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }} - - - name: Run Preflight Validation - working-directory: ${{ env.modulePath }} - run: | - az deployment sub validate \ - --location ${{ fromJson(env.config).AZURE_LOCATION }} \ - --parameters workloadName=${{ fromJson(env.config).RESOURCE_NAME_PREFIX }} environment=${{ fromJson(env.config).ENVIRONMENT_TAG }} \ - vmUsername=${{ fromJson(env.config).VM_USERNAME }} vmPassword=${{ secrets.VM_PW }} location=${{ fromJson(env.config).AZURE_LOCATION }}\ - accountName=${{ secrets.ACCOUNT_NAME }} personalAccessToken=${{ secrets.PAT }} CICDAgentType=${{ fromJson(env.config).CICD_AGENT_TYPE}} \ - createRedisResource=${{ fromJson(env.config).CREATE_REDIS_RESOURCE }} redisTier=${{ fromJson(env.config).REDIS_TIER }} --template-file main.bicep - - # Deploy Bicep file, need to point parameters to the main.parameters.json location - - name: deploy - uses: azure/arm-deploy@v1 - with: - subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }} - scope: subscription - region: ${{ fromJson(env.config).AZURE_LOCATION }} - deploymentName: "${{ fromJson(env.config).DEPLOYMENT_NAME }}-${{ fromJson(env.config).AZURE_LOCATION }}" - template: ${{ env.modulePath }}/main.bicep - parameters: > - workloadName=${{ fromJson(env.config).RESOURCE_NAME_PREFIX }} environment=${{ fromJson(env.config).ENVIRONMENT_TAG }} - vmUsername=${{ fromJson(env.config).VM_USERNAME }} vmPassword=${{ secrets.VM_PW }} location=${{ fromJson(env.config).AZURE_LOCATION }} - accountName=${{ secrets.ACCOUNT_NAME }} personalAccessToken=${{ secrets.PAT }} CICDAgentType=${{ fromJson(env.config).CICD_AGENT_TYPE}} - createRedisResource=${{ fromJson(env.config).CREATE_REDIS_RESOURCE }} redisTier=${{ fromJson(env.config).REDIS_TIER }} \ No newline at end of file diff --git a/.gitignore b/.gitignore index 91f49915..53e3c7a8 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,7 @@ deployment/bicep/main.json **/.vscode/* # Local .terraform directories +.terraform **/.terraform/* *.lock.hcl # .tfstate files @@ -24,6 +25,7 @@ crash.*.log # to change depending on the environment. # *.tfvars +!*.parameters.tfvars !uat.tfvars # Ignore override files as they are usually used to override resources locally and so diff --git a/.psrule/ps-rule.yaml b/.psrule/ps-rule.yaml new file mode 100644 index 00000000..8126c0be --- /dev/null +++ b/.psrule/ps-rule.yaml @@ -0,0 +1,19 @@ + +# Require a minimum version of PSRule for Azure. +requires: + PSRule.Rules.Azure: '>=1.29.0' + +# Automatically use rules for Azure. +include: + module: + - PSRule.Rules.Azure + +# Ignore all files except .bicepparam files. +input: + pathIgnore: + - '**' + - '!**/*.bicepparam' + +# YAML: Enable expansion for Bicep source files. +configuration: + AZURE_BICEP_FILE_EXPANSION: true \ No newline at end of file diff --git a/README.md b/README.md index ea1fd2de..68d51993 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ In this project, we currently have the following reference implementations: | Scenario | Description | Documentation | Pipeline Status | | -------- | ----------- | ------------- | --------------- | -| :arrow_forward: [Scenario 1: App Service Secure Baseline Multi-Tenant](scenarios/secure-baseline-multitenant/README.md) | This scenario deploys a multi-tenant App Service environment with a Hub and Spoke network topology. | [README](scenarios/secure-baseline-multitenant/README.md) | [![Scenario 1: Terraform HUB Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml/badge.svg?branch=main)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml) [![Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml/badge.svg)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml) | +| :arrow_forward: [Scenario 1: App Service Secure Baseline Multi-Tenant](scenarios/secure-baseline-multitenant/README.md) | This scenario deploys a multi-tenant App Service environment with a Hub and Spoke network topology. | [README](scenarios/secure-baseline-multitenant/README.md) | [![Scenario 1: Terraform HUB Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml/badge.svg?branch=main)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml) [![Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml/badge.svg)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml) [![Scenario 1: Bicep Multi-Tenant ASEv3 Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/ase-multitenant.bicep.yml/badge.svg?branch=main)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/ase-multitenant.bicep.yml) | > **Note** Currently, the App Service Secure Baseline Multi-Tenant is the only reference implementation available. However, both the Terraform and Bicep configuration files have feature flags available to accommodate additional scenarios. More reference input files will be provided to accommodate additional reference implementations in the future. diff --git a/scenarios/secure-baseline-multitenant/terraform/hub/README.md b/scenarios/secure-baseline-multitenant/terraform/hub/README.md index 61b41470..5745f2a8 100644 --- a/scenarios/secure-baseline-multitenant/terraform/hub/README.md +++ b/scenarios/secure-baseline-multitenant/terraform/hub/README.md @@ -14,7 +14,7 @@ | Name | Version | |------|---------| | [azurecaf](#provider\_azurecaf) | 1.2.26 | -| [azurerm](#provider\_azurerm) | 3.67.0 | +| [azurerm](#provider\_azurerm) | 3.85.0 | ## Modules diff --git a/scenarios/secure-baseline-multitenant/terraform/hub/main.tf b/scenarios/secure-baseline-multitenant/terraform/hub/main.tf index 869e5262..822b642b 100644 --- a/scenarios/secure-baseline-multitenant/terraform/hub/main.tf +++ b/scenarios/secure-baseline-multitenant/terraform/hub/main.tf @@ -11,12 +11,7 @@ terraform { version = ">=1.2.23" } } - backend "azurerm" { - resource_group_name = "backend-appsrvc-dev-westus2-001" - storage_account_name = "stbackendappsrwestus2001" - container_name = "tfstate" - key = "scenario1.hub.tfstate" - } + backend "azurerm" {} } provider "azurerm" { diff --git a/scenarios/secure-baseline-multitenant/terraform/hub/Parameters/uat.tfvars b/scenarios/secure-baseline-multitenant/terraform/hub/parameters/ase-multitenant.parameters.tfvars similarity index 100% rename from scenarios/secure-baseline-multitenant/terraform/hub/Parameters/uat.tfvars rename to scenarios/secure-baseline-multitenant/terraform/hub/parameters/ase-multitenant.parameters.tfvars diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/README.md b/scenarios/secure-baseline-multitenant/terraform/spoke/README.md index 7d8c2631..6326e594 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/README.md +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/README.md @@ -14,8 +14,8 @@ | Name | Version | |------|---------| | [azurecaf](#provider\_azurecaf) | 1.2.26 | -| [azurerm](#provider\_azurerm) | 3.75.0 | -| [random](#provider\_random) | 3.5.1 | +| [azurerm](#provider\_azurerm) | 3.85.0 | +| [random](#provider\_random) | 3.6.0 | | [terraform](#provider\_terraform) | n/a | ## Modules @@ -71,6 +71,7 @@ | [firewall\_subnet\_name](#input\_firewall\_subnet\_name) | [Optional] Name of the subnet for firewall resources. Defaults to 'AzureFirewallSubnet' | `string` | `"AzureFirewallSubnet"` | no | | [front\_door\_subnet\_cidr](#input\_front\_door\_subnet\_cidr) | The CIDR block for the subnet. | `list(string)` |
[| no | | [global\_settings](#input\_global\_settings) | [Optional] Global settings to configure each module with the appropriate naming standards. | `map(any)` | `{}` | no | +| [hub\_settings](#input\_hub\_settings) | The settings for the hub virtual network. |
"10.240.0.64/26"
]
object({| `null` | no | | [hub\_state\_container\_name](#input\_hub\_state\_container\_name) | The name of the container that holds the Terraform state for the hub | `string` | n/a | yes | | [hub\_state\_key](#input\_hub\_state\_key) | The key of the Terraform state for the hub | `string` | n/a | yes | | [hub\_state\_resource\_group\_name](#input\_hub\_state\_resource\_group\_name) | The name of the resource group that holds the Terraform state for the hub | `string` | n/a | yes | diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf b/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf index 405f87f4..11ab98f5 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf @@ -13,12 +13,7 @@ terraform { version = ">=1.2.23" } } - backend "azurerm" { - resource_group_name = "backend-appsrvc-dev-westus2-001" - storage_account_name = "stbackendappsrwestus2001" - container_name = "tfstate" - key = "scenario1.spoke.tfstate" - } + backend "azurerm" {} } provider "azurerm" { diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/Parameters/uat.tfvars b/scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars similarity index 100% rename from scenarios/secure-baseline-multitenant/terraform/spoke/Parameters/uat.tfvars rename to scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars
rg_name = string
vnet_name = string
firewall = object({
private_ip = optional(string)
})
})