From 51d9a705db1a4fd103a145876bc06760630a454e Mon Sep 17 00:00:00 2001 
From: Jin Lee <94473824+JinLee794@users.noreply.github.com> Date: Wed, 31 Jan 2024 09:39:38 -0600 Subject: [PATCH] =?UTF-8?q?testing=20bicep=20cicd=20-=20added=20new=20oidc?= =?UTF-8?q?=20client=20id=20for=20read-only=20access,=20t=E2=80=A6=20(#199?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * testing bicep cicd - added new oidc client id for read-only access, testing what-if flag * Adding region into the bicep yml, env var and to the what-if arm-deploy action * testing pipeline, adding puysh trigger for this branch * testing pipeline, adding puysh trigger for this branch * testing with prod id as the what-if scenario requires same level of permissions * testing with prod id as the what-if scenario requires same level of permissions * testing the deployment * testing the deployment * testing cicd bicep templates * testing cicd * testing cicd * testing cicd * disabling psrule for now * disabling psrule for now * consolidating tf scenario 1 workflows into a single cicd pipeline * consolidating tf scenario 1 workflows into a single cicd pipeline * consolidating tf scenario 1 workflows into a single cicd pipeline * consolidating tf scenario 1 workflows into a single cicd pipeline * renaming consolidated scenario 1 tf pipeline * Adding concurrency, removed redundant param files * Adding concurrency, removed redundant param files * removing test branch trigger * cleanup * cleanup --- .github/workflows/.template.bicep.yml | 107 ++++++++++++++++++ .github/workflows/scenario1.bicep.yml | 73 ++++++++++++ .github/workflows/scenario1.terraform.hub.yml | 65 ----------- .../workflows/scenario1.terraform.spoke.yml | 65 ----------- .github/workflows/scenario1.terraform.yml | 86 ++++++++++++++ .github/workflows/scenario2.bicep.yml | 102 ----------------- .gitignore | 2 + .psrule/ps-rule.yaml | 19 ++++ README.md | 2 +- .../terraform/hub/README.md | 2 +- .../terraform/hub/main.tf | 7 +- 
.../ase-multitenant.parameters.tfvars} | 0 .../terraform/spoke/README.md | 5 +- .../terraform/spoke/main.tf | 7 +- .../ase-multitenant.parameters.tfvars} | 0 15 files changed, 294 insertions(+), 248 deletions(-) create mode 100644 .github/workflows/.template.bicep.yml create mode 100644 .github/workflows/scenario1.bicep.yml delete mode 100644 .github/workflows/scenario1.terraform.hub.yml delete mode 100644 .github/workflows/scenario1.terraform.spoke.yml create mode 100644 .github/workflows/scenario1.terraform.yml delete mode 100644 .github/workflows/scenario2.bicep.yml create mode 100644 .psrule/ps-rule.yaml rename scenarios/secure-baseline-multitenant/terraform/hub/{Parameters/uat.tfvars => parameters/ase-multitenant.parameters.tfvars} (100%) rename scenarios/secure-baseline-multitenant/terraform/spoke/{Parameters/uat.tfvars => parameters/ase-multitenant.parameters.tfvars} (100%) diff --git a/.github/workflows/.template.bicep.yml b/.github/workflows/.template.bicep.yml new file mode 100644 index 00000000..f6e0e979 --- /dev/null +++ b/.github/workflows/.template.bicep.yml 
@@ -0,0 +1,107 @@
+name: '.Template - Bicep Deployment'
+
+on:
+  workflow_call:
+    inputs:
+      # bicepVersion:
+      #   type: string
+      #   description: 'Bicep version'
+      #   required: true
+      #   default: 'v0.24.24'
+      modulePath:
+        type: string
+        description: 'Path to the Bicep module'
+        required: true
+        default: 'scenarios/secure-baseline-multitenant/bicep'
+      deployStackName:
+        type: string
+        description: 'Name of the subscription scoped stack to deploy'
+        required: false
+        default: 'secure-baseline-multitenant'
+      bicepParamPath:
+        type: string
+        description: 'Path to the Bicep variables'
+        required: true
+      bicepAdditionalParams:
+        type: string
+        description: 'Optional parameters to pass to Bicep in string format'
+        required: false
+        default: --deny-settings-mode 'none'
+      destroy:
+        type: boolean
+        description: 'Destroy resources?'
+        default: false
+      region:
+        type: string
+        description: 'Azure region'
+        required: true
+        default: 'westus2'
+
+jobs:
+  validate:
+    name: "Validate Bicep files"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v4
+
+      # Log into Azure via OIDC
+      - uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }}
+
+      - name: Run Bicep linter
+        run: az bicep build --file ${{ inputs.modulePath }}
+        # working-directory: ${{ inputs.modulePath }}
+
+      # TODO: Buildout PSRule policies
+      # - name: Run PSRule analysis
+      #   uses: microsoft/ps-rule@v2.9.0
+      #   with:
+      #     modules: PSRule.Rules.Azure
+
+  deploy:
+    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    name: 'Deploy'
+    environment: production
+    needs: validate
+    timeout-minutes: 360
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@main
+
+      # Log into Azure via OIDC
+      - uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ 
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }}
+
+      - name: Deploy Bicep Scenario
+        run: |
+          # If Destroy flag is set, delete the stack
+          if ${{ inputs.destroy }}; then
+            echo "Destroying stack ${{ inputs.deployStackName }}"
+
+            # Possible flags for delete: --delete-all, --delete-resource-groups, --delete-resources
+            az stack delete --name ${{ inputs.deployStackName }} --delete-all --yes
+
+            exit 0 # Exit successfully
+          fi
+
+          az stack sub create --name ${{ inputs.deployStackName }} \
+            --location ${{ inputs.region }} \
+            --template-file ${{ inputs.modulePath }} \
+            --parameters ${{ inputs.bicepParamPath }} \
+            ${{ inputs.bicepAdditionalParams }}
+
+          # Potential Deny Settings
+          # -----------------------------
+          # deny-settings-mode: Defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless explicitly granted access. The values include: none, denyDelete, and denyWriteAndDelete.
+          # deny-settings-apply-to-child-scopes: Deny settings are applied to child Azure management scopes.
+          # deny-settings-excluded-actions: List of role-based access control (RBAC) management operations excluded from the deny settings. Up to 200 actions are allowed.
+          # deny-settings-excluded-principals: List of Microsoft Entra principal IDs excluded from the lock. Up to five principals are allowed.
+
diff --git a/.github/workflows/scenario1.bicep.yml b/.github/workflows/scenario1.bicep.yml
new file mode 100644
index 00000000..2b9c40d9
--- /dev/null
+++ b/.github/workflows/scenario1.bicep.yml
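Review bot: The `Deploy Bicep Scenario` step expands `${{ inputs.deployStackName }}`, `${{ inputs.modulePath }}`, `${{ inputs.bicepParamPath }}` and `${{ inputs.bicepAdditionalParams }}` straight into the shell text, so whatever a caller passes is parsed by bash rather than handed to `az` as an argument; the callers in this commit are repository workflows, which limits the exposure, but routing the inputs through `env:` as below removes the shell re-parse at no cost (the `bicepAdditionalParams` default would then need its literal quotes dropped, `--deny-settings-mode none`, since an env value is not re-quoted by the shell). In the same job, `environment: production` runs `actions/checkout@main` while `validate` pins `@v4`; the job that receives the OIDC-issued production credentials should not track a mutable branch ref, so `uses: actions/checkout@v4` (or a commit SHA) there too. The `validate` job also logs into Azure before `az bicep build`, which needs no session, so every pull-request run acquires production credentials it never uses; dropping that login step keeps the lint path credential-free. The deny-settings default of `none` means the stack protects nothing it deploys — acceptable for a test pipeline, but worth a one-line comment on the input saying so.
```yaml
      - name: Deploy Bicep Scenario
        env:
          DESTROY: ${{ inputs.destroy }}
          STACK_NAME: ${{ inputs.deployStackName }}
          REGION: ${{ inputs.region }}
          MODULE_PATH: ${{ inputs.modulePath }}
          PARAM_PATH: ${{ inputs.bicepParamPath }}
          EXTRA_PARAMS: ${{ inputs.bicepAdditionalParams }}
        run: |
          if [ "$DESTROY" = "true" ]; then
            echo "Destroying stack $STACK_NAME"
            az stack delete --name "$STACK_NAME" --delete-all --yes
            exit 0
          fi
          # EXTRA_PARAMS is intentionally unquoted: it carries whitespace-separated CLI flags
          az stack sub create --name "$STACK_NAME" \
            --location "$REGION" \
            --template-file "$MODULE_PATH" \
            --parameters "$PARAM_PATH" \
            $EXTRA_PARAMS
          # … unchanged: deny-settings commentary …
```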
@@ -0,0 +1,73 @@
+name: 'Scenario 1: Bicep Multi-Tenant ASEv3 Secure Baseline'
+
+# This workflow tests the ASEv3 Secure Baseline Multi-Tenant scenario deployment.
+# This will use the default parameter file (main.parameters.jsonc) with an overridden
+# SKU to deploy ASEv3
+
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: false
+
+on:
+  workflow_dispatch:
+
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/_template.bicep.yml'
+      - '.github/workflows/scenario1.bicep.yml'
+      - 'scenarios/secure-baseline-multitenant/bicep/**.bicep'
+      - 'scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc'
+      - '!scenarios/secure-baseline-multitenant/**.md'
+
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/_template.bicep.yml'
+      - '.github/workflows/scenario1.bicep.yml'
+      - 'scenarios/secure-baseline-multitenant/bicep/**.bicep'
+      - 'scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc'
+      - '!scenarios/secure-baseline-multitenant/**.md'
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  deployStackName: 'Scenario1-ASEv3-Secure-Baseline-MultiTenant'
+  deploymentPath: 'scenarios/secure-baseline-multitenant/bicep/main.bicep'
+  scenarioName: 'ase-multitenant'
+  region: 'westus2'
+  # webAppPlanSKU is the only parameter that is overridden for ASEv3
+  webAppPlanSku: 'ASE_I3V2_AZ'
+
+jobs:
+  prepare-environment:
+    name: 'Prepare CICD Environment for Bicep Workflow'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@main
+    outputs:
+      deployStackName: ${{ env.deployStackName }}
+      region: ${{ env.region }}
+      modulePath: ${{ env.deploymentPath }}
+      bicepParamPath: ${{ env.deploymentPath }}/main.parameters.jsonc
+      bicepAdditionalParams: -p webAppPlanSku=${{ env.webAppPlanSku }} --deny-settings-mode 'none'
+
+  call-workflow-passing-data:
+    name: 'Bicep CICD'
+    needs:
+      - prepare-environment
+    uses: 
./.github/workflows/.template.bicep.yml
+    with:
+      deployStackName: ${{ needs.prepare-environment.outputs.deployStackName }}
+      region: ${{ needs.prepare-environment.outputs.region }}
+      modulePath: ${{ needs.prepare-environment.outputs.modulePath }}
+      bicepParamPath: ${{ needs.prepare-environment.outputs.bicepParamPath }}
+      bicepAdditionalParams: ${{ needs.prepare-environment.outputs.bicepAdditionalParams }}
+      # Ensure this value is a boolean
+      destroy: ${{ github.event.inputs.destroy == 'true' }}
+    secrets: inherit
diff --git a/.github/workflows/scenario1.terraform.hub.yml b/.github/workflows/scenario1.terraform.hub.yml
deleted file mode 100644
index dc3fab25..00000000
--- a/.github/workflows/scenario1.terraform.hub.yml
+++ /dev/null
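Review bot: `bicepParamPath` is built as `${{ env.deploymentPath }}/main.parameters.jsonc`, but `deploymentPath` already ends in `main.bicep`, so the reusable workflow receives `scenarios/secure-baseline-multitenant/bicep/main.bicep/main.parameters.jsonc` and the `az stack sub create` in the template cannot find the parameter file; `bicepParamPath: scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc` (or a separate directory variable alongside `deploymentPath`) fixes it. The `push` and `pull_request` path filters name `.github/workflows/_template.bicep.yml`, while the file this commit creates and calls is `.template.bicep.yml`, so template changes never retrigger this workflow. `destroy: ${{ github.event.inputs.destroy == 'true' }}` reads a `workflow_dispatch` input this workflow does not declare (`on.workflow_dispatch:` is empty), so destroy can never be selected from the UI; declare it the way `scenario1.terraform.yml` does, or drop the line. `scenarioName` is set in `env` but never read.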
@@ -1,65 +0,0 @@ -name: 'Scenario 1: Terraform HUB Multi-tenant Secure Baseline' - -on: - workflow_dispatch: - inputs: - destroy: - description: 'Destroy resources?' - required: true - type: boolean - default: false - - push: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.hub.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/hub/**' - - '!scenarios/secure-baseline-multitenant/terraform/hub/**.md' - - pull_request: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.hub.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/hub/**' - - '!scenarios/secure-baseline-multitenant/terraform/hub/**.md' - -permissions: - id-token: write - contents: read - pull-requests: write - -env: - modulePath: 'scenarios/secure-baseline-multitenant/terraform/hub' - terraformVersion: 1.5.2 # must be greater than or equal to 1.2 for OIDC - backendStateKey: 'scenario1.hub.tfstate' - tfvarPath: 'Parameters/uat.tfvars' - -jobs: - prepare-environment: - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@main - outputs: - modulePath: ${{ env.modulePath }} - terraformVersion: ${{ env.terraformVersion }} - backendStateKey: ${{ env.backendStateKey }} - tfvarPath: ${{ env.tfvarPath }} - - call-workflow-passing-data: - name: 'Terraform CICD' - needs: - - prepare-environment - uses: ./.github/workflows/.template.terraform.yml - with: - modulePath: ${{ needs.prepare-environment.outputs.modulePath }} - terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }} - backendStateKey: ${{ needs.prepare-environment.outputs.backendStateKey }} - tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }} - # Ensure this value is a boolean - destroy: ${{ github.event.inputs.destroy == 'true' }} - secrets: inherit 
diff --git a/.github/workflows/scenario1.terraform.spoke.yml b/.github/workflows/scenario1.terraform.spoke.yml deleted file mode 100644 index ac59f261..00000000 --- a/.github/workflows/scenario1.terraform.spoke.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -name: 'Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline' - -on: - workflow_dispatch: - inputs: - destroy: - description: 'Destroy resources?' - required: true - type: boolean - default: false - - push: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.spoke.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/spoke/**' - - '!scenarios/secure-baseline-multitenant/terraform/spoke/**.md' - - pull_request: - branches: - - main - paths: - - '.github/workflows/scenario1.terraform.spoke.yml' - - '.github/workflows/_template.terraform.yml' - - 'scenarios/secure-baseline-multitenant/terraform/spoke/**' - - '!scenarios/secure-baseline-multitenant/terraform/spoke/**.md' - -permissions: - id-token: write - contents: read - pull-requests: write - -env: - modulePath: 'scenarios/secure-baseline-multitenant/terraform/spoke' - terraformVersion: 1.5.2 # must be greater than or equal to 1.2 for OIDC - backendStateKey: 'scenario1.spoke.tfstate' - tfvarPath: 'Parameters/uat.tfvars' - -jobs: - prepare-environment: - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@main - outputs: - modulePath: ${{ env.modulePath }} - terraformVersion: ${{ env.terraformVersion }} - backendStateKey: ${{ env.backendStateKey }} - tfvarPath: ${{ env.tfvarPath }} - - call-workflow-passing-data: - name: 'Terraform CICD test' - needs: - - prepare-environment - uses: ./.github/workflows/.template.terraform.yml - with: - modulePath: ${{ needs.prepare-environment.outputs.modulePath }} - terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }} - backendStateKey: ${{ needs.prepare-environment.outputs.backendStateKey }} - tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }} - # Ensure this value is a boolean - destroy: ${{ github.event.inputs.destroy == 'true' }} - secrets: inherit 
diff --git a/.github/workflows/scenario1.terraform.yml b/.github/workflows/scenario1.terraform.yml new file mode 100644 index 00000000..0acf68af --- /dev/null +++ b/.github/workflows/scenario1.terraform.yml 
@@ -0,0 +1,86 @@
+name: 'Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline'
+
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: false
+
+on:
+  workflow_dispatch:
+    inputs:
+      destroy:
+        description: 'Destroy resources?'
+        required: true
+        type: boolean
+        default: false
+
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/scenario1.terraform.yml'
+      - '.github/workflows/_template.terraform.yml'
+      - 'scenarios/secure-baseline-multitenant/terraform/**.tf'
+      - 'scenarios/secure-baseline-multitenant/terraform/**/parameters/ase-multitenant.parameters.tfvars'
+      - '!scenarios/secure-baseline-multitenant/terraform/**.md'
+
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/scenario1.terraform.yml'
+      - '.github/workflows/_template.terraform.yml'
+      - 'scenarios/secure-baseline-multitenant/terraform/**'
+      - 'scenarios/secure-baseline-multitenant/terraform/**/parameters/ase-multitenant.parameters.tfvars'
+      - '!scenarios/secure-baseline-multitenant/terraform/**.md'
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+env:
+  modulePath: 'scenarios/secure-baseline-multitenant/terraform'
+  terraformVersion: 1.5.2 # must be greater than or equal to 1.2 for OIDC
+  backendStateKey: 'scenario1.hub.tfstate'
+  tfvarPath: 'parameters/ase-multitenant.parameters.tfvars'
+
+jobs:
+  prepare-environment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@main
+    outputs:
+      modulePath: ${{ env.modulePath }}
+      terraformVersion: ${{ env.terraformVersion }}
+      backendStateKey: ${{ env.backendStateKey }}
+      tfvarPath: ${{ env.tfvarPath }}
+
+  terraform-deploy-hub:
+    name: 'Terraform CICD (Hub Multi-tenant Secure Baseline)'
+    needs:
+      - prepare-environment
+    uses: ./.github/workflows/.template.terraform.yml
+    with:
+      modulePath: ${{ needs.prepare-environment.outputs.modulePath }}/hub
+      terraformVersion: ${{ 
needs.prepare-environment.outputs.terraformVersion }}
+      backendStateKey: 'scenario1.hub.tfstate'
+      tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }}
+      # Ensure this value is a boolean
+      destroy: ${{ github.event.inputs.destroy == 'true' }}
+    secrets: inherit
+
+  terraform-deploy-spoke:
+    name: 'Terraform CICD (Spoke Multi-tenant Secure Baseline)'
+    needs:
+      - prepare-environment
+      - terraform-deploy-hub
+    uses: ./.github/workflows/.template.terraform.yml
+    with:
+      modulePath: ${{ needs.prepare-environment.outputs.modulePath }}/spoke
+      terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }}
+      backendStateKey: 'scenario1.spoke.tfstate'
+      tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }}
+      # Ensure this value is a boolean
+      destroy: ${{ github.event.inputs.destroy == 'true' }}
+      secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/scenario2.bicep.yml b/.github/workflows/scenario2.bicep.yml
deleted file mode 100644
index 96c7f12d..00000000
--- a/.github/workflows/scenario2.bicep.yml
+++ /dev/null
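Review bot: In `terraform-deploy-spoke`, `secrets: inherit` is indented under `with:` (six spaces, versus four in `terraform-deploy-hub`), so it is passed as an input named `secrets` instead of being the job's secrets declaration; the spoke call then either fails workflow validation or runs the template without the Azure credentials the hub job gets. If that indentation survived the paste, dedent it to `    secrets: inherit` at job level, matching the hub job. Both jobs call `./.github/workflows/.template.terraform.yml`, but the path filters watch `_template.terraform.yml`, so edits to the template never trigger this pipeline; the `push` filter also uses `terraform/**.tf` where `pull_request` uses `terraform/**`, and the two should agree so PR checks and main-branch deploys fire on the same changes. `env.backendStateKey` and the matching `prepare-environment` output are dead, since both jobs hardcode their own `backendStateKey`. The file also lacks its final newline.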
@@ -1,102 +0,0 @@ -name: 'Scenario 2: Bicep Single-tenant ASEv3 Secure Baseline' - -on: - workflow_dispatch: - - # push: - # branches: - # - main - # paths: - # - '.github/workflows/bicep.scenario2.yml' - # - 'scenarios/secure-baseline-ase/bicep/**' - # - '!scenarios/secure-baseline-ase/**.md' - - # pull_request: - # branches: - # - main - # paths: - # - '.github/workflows/bicep.scenario2.yml' - # - 'scenarios/secure-baseline-ase/bicep/**' - # - '!scenarios/secure-baseline-ase/**.md' - -permissions: - id-token: write - contents: read - -env: - modulePath: 'scenarios/secure-baseline-ase/bicep' - -jobs: - validate_bicep: - name: "Validate Bicep files" - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v4 - - - name: Validate that bicep builds - run: az bicep build -f main.bicep - working-directory: ${{ env.modulePath }} - - build-and-deploy: - timeout-minutes: 360 - name: "Deploy Bicep templates" - needs: validate_bicep - runs-on: ubuntu-latest - environment: production - steps: - # Checkout code - - name: Checkout the code - uses: actions/checkout@main - - - name: Variable substitution - uses: microsoft/variable-substitution@v1 - with: - files: ${{ env.modulePath }}/config.yml - env: - ACCOUNT_NAME: ${{ secrets.AZURE_SUBSCRIPTION }} - - - name: Install yq to parse yaml file - run: | - sudo wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.5.0/yq_linux_amd64 - sudo chmod +x /usr/local/bin/yq - - - name: Parse config.yaml as output to GitHub Actions matrix - run: | - echo "config=$(yq e ${{ env.modulePath }}/config.yml -j -I=0)" >> $GITHUB_ENV - - - name: Write deployment information to log - run: | - echo "Deploying to ${{ fromJson(env.config).AZURE_LOCATION }} with name prefix ${{ fromJson(env.config).RESOURCE_NAME_PREFIX }}" - - # Log into Azure via OIDC - - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ 
secrets.AZURE_SUBSCRIPTION }} - - - name: Run Preflight Validation - working-directory: ${{ env.modulePath }} - run: | - az deployment sub validate \ - --location ${{ fromJson(env.config).AZURE_LOCATION }} \ - --parameters workloadName=${{ fromJson(env.config).RESOURCE_NAME_PREFIX }} environment=${{ fromJson(env.config).ENVIRONMENT_TAG }} \ - vmUsername=${{ fromJson(env.config).VM_USERNAME }} vmPassword=${{ secrets.VM_PW }} location=${{ fromJson(env.config).AZURE_LOCATION }}\ - accountName=${{ secrets.ACCOUNT_NAME }} personalAccessToken=${{ secrets.PAT }} CICDAgentType=${{ fromJson(env.config).CICD_AGENT_TYPE}} \ - createRedisResource=${{ fromJson(env.config).CREATE_REDIS_RESOURCE }} redisTier=${{ fromJson(env.config).REDIS_TIER }} --template-file main.bicep - - # Deploy Bicep file, need to point parameters to the main.parameters.json location - - name: deploy - uses: azure/arm-deploy@v1 - with: - subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }} - scope: subscription - region: ${{ fromJson(env.config).AZURE_LOCATION }} - deploymentName: "${{ fromJson(env.config).DEPLOYMENT_NAME }}-${{ fromJson(env.config).AZURE_LOCATION }}" - template: ${{ env.modulePath }}/main.bicep - parameters: > - workloadName=${{ fromJson(env.config).RESOURCE_NAME_PREFIX }} environment=${{ fromJson(env.config).ENVIRONMENT_TAG }} - vmUsername=${{ fromJson(env.config).VM_USERNAME }} vmPassword=${{ secrets.VM_PW }} location=${{ fromJson(env.config).AZURE_LOCATION }} - accountName=${{ secrets.ACCOUNT_NAME }} personalAccessToken=${{ secrets.PAT }} CICDAgentType=${{ fromJson(env.config).CICD_AGENT_TYPE}} - createRedisResource=${{ fromJson(env.config).CREATE_REDIS_RESOURCE }} redisTier=${{ fromJson(env.config).REDIS_TIER }} \ No newline at end of file diff --git a/.gitignore b/.gitignore index 91f49915..53e3c7a8 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,7 @@ deployment/bicep/main.json **/.vscode/* # Local .terraform directories +.terraform **/.terraform/* *.lock.hcl # .tfstate files 
@@ -24,6 +25,7 @@ crash.*.log # to change depending on the environment. # *.tfvars +!*.parameters.tfvars !uat.tfvars # Ignore override files as they are usually used to override resources locally and so diff --git a/.psrule/ps-rule.yaml b/.psrule/ps-rule.yaml new file mode 100644 index 00000000..8126c0be --- /dev/null +++ b/.psrule/ps-rule.yaml @@ -0,0 +1,19 @@ + +# Require a minimum version of PSRule for Azure. +requires: + PSRule.Rules.Azure: '>=1.29.0' + +# Automatically use rules for Azure. +include: + module: + - PSRule.Rules.Azure + +# Ignore all files except .bicepparam files. +input: + pathIgnore: + - '**' + - '!**/*.bicepparam' + +# YAML: Enable expansion for Bicep source files. +configuration: + AZURE_BICEP_FILE_EXPANSION: true \ No newline at end of file diff --git a/README.md b/README.md index ea1fd2de..68d51993 100644 --- a/README.md +++ b/README.md 
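Review bot: `!*.parameters.tfvars` re-includes every file of that name at any depth, overriding the `*.tfvars` ignore that exists because tfvars routinely carry environment-specific values and credentials; the two renamed `ase-multitenant.parameters.tfvars` files are now the only tfvars that will ever reach the repository, so state the boundary next to the rule, `# *.parameters.tfvars are committed sample inputs and must not contain secrets`, and let a secret-scanning pre-commit or CI check on `*.tfvars` enforce it. The bare `.terraform` added in the first hunk ignores the directory itself, which subsumes the older `**/.terraform/*` content-only pattern; keeping both is harmless but the older line is now redundant.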
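Review bot: `input.pathIgnore` keeps only `**/*.bicepparam`, but the Bicep workflow in this commit deploys `main.bicep` with `main.parameters.jsonc`, and the option set here, `AZURE_BICEP_FILE_EXPANSION: true`, expands `.bicep` sources; so once the commented-out PSRule step in `.template.bicep.yml` is re-enabled it will find no matching input and analyse nothing. Adding `- '!**/*.bicep'` to `pathIgnore` (or, if `.bicepparam` inputs are the intent, adding such files and the corresponding params-expansion option) makes the configuration do something. PSRule looks for `ps-rule.yaml` at the repository root by default, so a file under `.psrule/` presumably has to be passed to the action explicitly — confirm against the action's options input before relying on it. The file also opens with a blank line and is missing its trailing newline.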
@@ -62,7 +62,7 @@ In this project, we currently have the following reference implementations: | Scenario | Description | Documentation | Pipeline Status | | -------- | ----------- | ------------- | --------------- | -| :arrow_forward: [Scenario 1: App Service Secure Baseline Multi-Tenant](scenarios/secure-baseline-multitenant/README.md) | This scenario deploys a multi-tenant App Service environment with a Hub and Spoke network topology. | [README](scenarios/secure-baseline-multitenant/README.md) | [![Scenario 1: Terraform HUB Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml/badge.svg?branch=main)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml) [![Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml/badge.svg)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml) | +| :arrow_forward: [Scenario 1: App Service Secure Baseline Multi-Tenant](scenarios/secure-baseline-multitenant/README.md) | This scenario deploys a multi-tenant App Service environment with a Hub and Spoke network topology. 
| [README](scenarios/secure-baseline-multitenant/README.md) | [![Scenario 1: Terraform HUB Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml/badge.svg?branch=main)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml) [![Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml/badge.svg)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml) [![Scenario 1: Bicep Multi-Tenant ASEv3 Secure Baseline](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/ase-multitenant.bicep.yml/badge.svg?branch=main)](https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/ase-multitenant.bicep.yml) | > **Note** Currently, the App Service Secure Baseline Multi-Tenant is the only reference implementation available. However, both the Terraform and Bicep configuration files have feature flags available to accommodate additional scenarios. More reference input files will be provided to accommodate additional reference implementations in the future. diff --git a/scenarios/secure-baseline-multitenant/terraform/hub/README.md b/scenarios/secure-baseline-multitenant/terraform/hub/README.md index 61b41470..5745f2a8 100644 --- a/scenarios/secure-baseline-multitenant/terraform/hub/README.md +++ b/scenarios/secure-baseline-multitenant/terraform/hub/README.md @@ -14,7 +14,7 @@ | Name | Version | |------|---------| | [azurecaf](#provider\_azurecaf) | 1.2.26 | -| [azurerm](#provider\_azurerm) | 3.67.0 | +| [azurerm](#provider\_azurerm) | 3.85.0 | ## Modules diff --git a/scenarios/secure-baseline-multitenant/terraform/hub/main.tf b/scenarios/secure-baseline-multitenant/terraform/hub/main.tf index 869e5262..822b642b 100644 
--- a/scenarios/secure-baseline-multitenant/terraform/hub/main.tf +++ b/scenarios/secure-baseline-multitenant/terraform/hub/main.tf @@ -11,12 +11,7 @@ terraform { version = ">=1.2.23" } } - backend "azurerm" { - resource_group_name = "backend-appsrvc-dev-westus2-001" - storage_account_name = "stbackendappsrwestus2001" - container_name = "tfstate" - key = "scenario1.hub.tfstate" - } + backend "azurerm" {} } provider "azurerm" { diff --git a/scenarios/secure-baseline-multitenant/terraform/hub/Parameters/uat.tfvars b/scenarios/secure-baseline-multitenant/terraform/hub/parameters/ase-multitenant.parameters.tfvars similarity index 100% rename from scenarios/secure-baseline-multitenant/terraform/hub/Parameters/uat.tfvars rename to scenarios/secure-baseline-multitenant/terraform/hub/parameters/ase-multitenant.parameters.tfvars diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/README.md b/scenarios/secure-baseline-multitenant/terraform/spoke/README.md index 7d8c2631..6326e594 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/README.md +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/README.md @@ -14,8 +14,8 @@ | Name | Version | |------|---------| | [azurecaf](#provider\_azurecaf) | 1.2.26 | -| [azurerm](#provider\_azurerm) | 3.75.0 | -| [random](#provider\_random) | 3.5.1 | +| [azurerm](#provider\_azurerm) | 3.85.0 | +| [random](#provider\_random) | 3.6.0 | | [terraform](#provider\_terraform) | n/a | ## Modules @@ -71,6 +71,7 @@ | [firewall\_subnet\_name](#input\_firewall\_subnet\_name) | [Optional] Name of the subnet for firewall resources. Defaults to 'AzureFirewallSubnet' | `string` | `"AzureFirewallSubnet"` | no | | [front\_door\_subnet\_cidr](#input\_front\_door\_subnet\_cidr) | The CIDR block for the subnet. | `list(string)` |
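Review bot: `backend "azurerm" {}` moves the hub state location to partial configuration, so `terraform init` now fails unless `resource_group_name`, `storage_account_name`, `container_name` and `key` arrive via `-backend-config` or the backend's environment variables; the workflow template that must supply them (`.template.terraform.yml`) is not in this diff, and only `backendStateKey` is visible as an input in `scenario1.terraform.yml`, so the other three are presumably set there — confirm. Taking the hardcoded storage-account and resource-group names out of source is the right direction for the public repository; the hub and spoke READMEs (the spoke `main.tf` hunk further down makes the identical change) should list the required backend values for local runs, and a one-line `# backend values are supplied at init time via -backend-config; see README` on the empty block tells the next reader why it is empty.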
[
"10.240.0.64/26"
]
| no | | [global\_settings](#input\_global\_settings) | [Optional] Global settings to configure each module with the appropriate naming standards. | `map(any)` | `{}` | no | +| [hub\_settings](#input\_hub\_settings) | The settings for the hub virtual network. |
object({
rg_name = string
vnet_name = string

firewall = object({
private_ip = optional(string)
})
})
| `null` | no | | [hub\_state\_container\_name](#input\_hub\_state\_container\_name) | The name of the container that holds the Terraform state for the hub | `string` | n/a | yes | | [hub\_state\_key](#input\_hub\_state\_key) | The key of the Terraform state for the hub | `string` | n/a | yes | | [hub\_state\_resource\_group\_name](#input\_hub\_state\_resource\_group\_name) | The name of the resource group that holds the Terraform state for the hub | `string` | n/a | yes | diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf b/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf index 405f87f4..11ab98f5 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/main.tf @@ -13,12 +13,7 @@ terraform { version = ">=1.2.23" } } - backend "azurerm" { - resource_group_name = "backend-appsrvc-dev-westus2-001" - storage_account_name = "stbackendappsrwestus2001" - container_name = "tfstate" - key = "scenario1.spoke.tfstate" - } + backend "azurerm" {} } provider "azurerm" { diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/Parameters/uat.tfvars b/scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars similarity index 100% rename from scenarios/secure-baseline-multitenant/terraform/spoke/Parameters/uat.tfvars rename to scenarios/secure-baseline-multitenant/terraform/spoke/parameters/ase-multitenant.parameters.tfvars