
Refactor/200/tf scenarios updated1 #215

Merged: 49 commits, Nov 20, 2024

Conversation

JinLee794 (Contributor)

Description

Thank you for your contribution!

Please include a summary of the change and which issue is fixed.
Please also include the context.
List any dependencies that are required for this change.

Pipeline references

For module/pipeline changes, please create and attach the status badge of your successful run.

Pipeline

Type of Change

Please delete options that are not relevant.

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Update to documentation

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • My corresponding pipelines / checks run clean and green without any errors or warnings
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (readme)
  • I did format my code

JinLee794 and others added 30 commits December 11, 2023 12:31
@JinLee794 JinLee794 requested a review from ibersanoMS October 21, 2024 23:02

Terraform Plan failed

Plan Error Output


Error: Failed to read variables file

Given variables file _parameters/ase-multitenant.parameters.tfvars does not
exist.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline


Terraform Plan failed

Plan Error Output


Error: Retrieving group with object ID: "bda41c64-1493-4d8d-b4b5-7135159d4884"

  with module.spoke.module.sql_database[0].data.azuread_group.sql_admin_group,
  on ../../shared/terraform-modules/sql-database/module.tf line 13, in data "azuread_group" "sql_admin_group":
  13: data "azuread_group" "sql_admin_group" {

unexpected status 403 (403 Forbidden) with error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

@ibersanoMS (Contributor) left a comment

Thanks so much for doing this refactoring! It looks great! Had a few questions and comments.

Review comments (all outdated and resolved) on:
  • scenarios/secure-baseline-multitenant/terraform/main.tf
  • deployment/bicep/main.bicep
  • deployment/bicep/shared/vm-nic.bicep
  • deployment/bicep/vnettest/vnetWithBastian.bicep
  • deployment/bicep/vnettest/vnetWithOutBastian.bicep

Terraform Plan failed

Plan Error Output


Error: Retrieving user with object ID: "6f1b60ca-5362-4f06-bc90-0ab4bb178f8a"

  with module.spoke.module.sql_database[0].data.azuread_user.current_user,
  on ../../shared/terraform-modules/sql-database/module.tf line 15, in data "azuread_user" "current_user":
  15: data "azuread_user" "current_user" {

unexpected status 403 (403 Forbidden) with error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline
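The three failed-plan comments above are two different failure classes: a variables file the hub workflow cannot find, and two Microsoft Graph 403s raised while the sql-database module looks up a group and a user through azuread data sources. The following is an added example by the editor, not code from the accelerator repository or its workflows, that parses Terraform's plain-text diagnostics and separates the two. Its sample input is the text of those three comments pasted in verbatim (constructed input for the parser); the Graph application roles it names per azuread data source are taken from the azuread provider documentation for service-principal authentication and are an assumption to re-check against the provider version the project pins.

```python
"""Triage the Terraform diagnostics a plan workflow posts on a pull request.

Added example (editor's code, not the accelerator's). Constructed input: the
three error comments from this PR, pasted verbatim into SAMPLE_OUTPUT.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

SAMPLE_OUTPUT = """\
Error: Failed to read variables file

Given variables file _parameters/ase-multitenant.parameters.tfvars does not
exist.

Error: Retrieving group with object ID: "bda41c64-1493-4d8d-b4b5-7135159d4884"

  with module.spoke.module.sql_database[0].data.azuread_group.sql_admin_group,
  on ../../shared/terraform-modules/sql-database/module.tf line 13, in data "azuread_group" "sql_admin_group":
  13: data "azuread_group" "sql_admin_group" {

unexpected status 403 (403 Forbidden) with error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

Error: Retrieving user with object ID: "6f1b60ca-5362-4f06-bc90-0ab4bb178f8a"

  with module.spoke.module.sql_database[0].data.azuread_user.current_user,
  on ../../shared/terraform-modules/sql-database/module.tf line 15, in data "azuread_user" "current_user":
  15: data "azuread_user" "current_user" {

unexpected status 403 (403 Forbidden) with error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.
"""

# Graph application roles per azuread data source: least-privilege option first,
# broad fallback second. Assumption taken from the azuread provider docs.
GRAPH_ROLES = {
    "azuread_group": ("Group.Read.All", "Directory.Read.All"),
    "azuread_user": ("User.Read.All", "Directory.Read.All"),
}

ADDRESS_RE = re.compile(r"^\s*with (\S+),$", re.M)          # "  with <address>,"
LOCATION_RE = re.compile(r"^\s*on (\S+) line (\d+), in ", re.M)
STATUS_RE = re.compile(r"unexpected status (\d{3})")
GRAPH_CODE_RE = re.compile(r"^([A-Za-z][A-Za-z_]+): ", re.M)  # e.g. Authorization_RequestDenied:
VARFILE_RE = re.compile(r"variables file (\S+) does not")


@dataclass
class Diagnostic:
    headline: str
    kind: str                        # "missing-input", "graph-permission" or "other"
    detail: str = ""                 # var-file path, or the Graph error code
    address: Optional[str] = None    # resource address from the "with" line
    location: Optional[str] = None   # "file:line"
    http_status: Optional[int] = None
    data_source: Optional[str] = None


def parse_diagnostics(text: str) -> List[Diagnostic]:
    """Split a plan log into Terraform 'Error:' blocks and classify each one."""
    out: List[Diagnostic] = []
    for block in re.split(r"(?m)^Error: ", text)[1:]:
        headline, _, body = block.partition("\n")
        d = Diagnostic(headline=headline.strip(), kind="other")
        if m := ADDRESS_RE.search(body):
            d.address = m.group(1)
            if ds := re.search(r"\.data\.([a-z0-9_]+)\.", d.address):
                d.data_source = ds.group(1)
        if m := LOCATION_RE.search(body):
            d.location = f"{m.group(1)}:{m.group(2)}"
        if m := STATUS_RE.search(body):
            d.http_status = int(m.group(1))
        if m := VARFILE_RE.search(body):
            d.kind, d.detail = "missing-input", m.group(1)
        elif d.http_status == 403 and d.data_source in GRAPH_ROLES:
            d.kind = "graph-permission"
            idx = body.find("with error:")           # Graph error code follows this marker
            if c := GRAPH_CODE_RE.search(body[idx:] if idx >= 0 else body):
                d.detail = c.group(1)
        out.append(d)
    return out


def least_privilege_roles(diags: List[Diagnostic]) -> Set[str]:
    """Graph app roles to grant the pipeline identity: the specific role per data source."""
    return {GRAPH_ROLES[d.data_source][0] for d in diags if d.kind == "graph-permission"}


if __name__ == "__main__":
    diags = parse_diagnostics(SAMPLE_OUTPUT)
    for d in diags:
        print(f"{d.kind:16} {d.location or '-':60} {d.detail}")
    print("grant on the pipeline identity:", sorted(least_privilege_roles(diags)))
```

The distinction matters for the fix. The later plan in this thread creates Azure resources without trouble, so the identity's Azure RBAC is not the gap; Microsoft Graph application roles are granted separately from Azure RBAC, so the 403s need an app-role grant (with admin consent) on the pipeline's service principal, and Group.Read.All plus User.Read.All is the narrower grant than Directory.Read.All. The alternative that needs no directory read at all is to pass the SQL admin group's object ID and display name into the module as variables instead of resolving them with data sources at plan time.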
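The plan the workflow posts in the next comment lists the settings every resource will be created with, and reading several hundred lines of it by hand misses things. Here is an added example by the editor (not code from the accelerator repository) of a policy check over `terraform show -json` output. The sample plan inside it is constructed from attribute values visible in that comment, mirroring only the `resource_changes` shape and only the attributes the checks read; the spoke subnet entry is invented to exercise the subnet check, and the severities, the platform-subnet exemption and the wildcard list are this example's assumptions, not project policy.

```python
"""Policy checks over a `terraform show -json plan.tfplan` document.

Added example (editor's code, not the accelerator's). SAMPLE_PLAN is a
constructed fragment whose values are copied from the plan posted on this PR,
except the "snet-appsvc" subnet, which is invented.
"""
import json
import sys
from typing import Dict, List, Tuple

SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.spoke.azurerm_log_analytics_workspace.law",
     "type": "azurerm_log_analytics_workspace",
     "change": {"actions": ["create"], "after": {
         "internet_ingestion_enabled": True, "internet_query_enabled": True,
         "local_authentication_disabled": False, "retention_in_days": 30}}},
    {"address": 'module.hub.module.network.azurerm_subnet.this["AzureBastionSubnet"]',
     "type": "azurerm_subnet",
     "change": {"actions": ["create"], "after": {
         "name": "AzureBastionSubnet", "default_outbound_access_enabled": True}}},
    {"address": 'module.spoke.module.network.azurerm_subnet.this["snet-appsvc"]',  # invented
     "type": "azurerm_subnet",
     "change": {"actions": ["create"], "after": {
         "name": "snet-appsvc", "default_outbound_access_enabled": True}}},
    {"address": "module.hub.module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops",
     "type": "azurerm_firewall_network_rule_collection",
     "change": {"actions": ["create"], "after": {"rule": [
         {"name": "allow-kms-activation", "destination_ports": ["*"],
          "destination_addresses": ["20.118.99.224", "40.83.235.53", "23.102.135.246"]},
         {"name": "allow-ntp", "destination_ports": ["123"], "destination_addresses": ["*"]}]}}},
    {"address": "module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops",
     "type": "azurerm_firewall_application_rule_collection",
     "change": {"actions": ["create"], "after": {"rule": [
         {"name": "allow-vm-dependencies-and-tools",
          "target_fqdns": ["aka.ms", "*.windowsupdate.com", "*.blob.core.windows.net"]}]}}},
    {"address": "module.spoke.azurerm_app_service_environment_v3.this[0]",
     "type": "azurerm_app_service_environment_v3",
     "change": {"actions": ["create"], "after": {"cluster_setting": [
         {"name": "DisableTls1.0", "value": "1"},
         {"name": "FrontEndSSLCipherSuiteOrder",
          "value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}]}}},
]}

# Platform subnets that legitimately keep Azure's default outbound path (reviewer policy).
PLATFORM_SUBNETS = {"AzureFirewallSubnet", "AzureBastionSubnet", "GatewaySubnet"}
# Wildcards over multi-tenant namespaces: egress to any tenant's storage account
# or web app is a ready-made exfiltration channel (reviewer policy).
BROAD_WILDCARDS = {"*.blob.core.windows.net", "*.blob.storage.azure.net", "*.azurewebsites.net"}

Finding = Tuple[str, str, str]  # (severity, address, message)


def check_resource(rtype: str, addr: str, after: dict) -> List[Finding]:
    """Apply the checks defined for one resource type to its planned state."""
    hits: List[Finding] = []
    if rtype == "azurerm_log_analytics_workspace":
        if not after.get("local_authentication_disabled"):
            hits.append(("medium", addr, "shared keys stay usable; set local_authentication_disabled = true"))
        if after.get("internet_ingestion_enabled") and after.get("internet_query_enabled"):
            hits.append(("low", addr, "ingestion and query open to the internet; use a private link scope"))
    elif rtype == "azurerm_subnet":
        if after.get("default_outbound_access_enabled") and after.get("name") not in PLATFORM_SUBNETS:
            hits.append(("medium", addr, "default outbound access enabled; force egress via the hub firewall"))
    elif rtype == "azurerm_firewall_network_rule_collection":
        for rule in after.get("rule", []):
            where = f"{addr} rule {rule['name']}"
            if "*" in rule.get("destination_ports", []):
                hits.append(("high", where, "all destination ports allowed"))
            if "*" in rule.get("destination_addresses", []):
                hits.append(("medium", where, "any destination address allowed"))
    elif rtype == "azurerm_firewall_application_rule_collection":
        for rule in after.get("rule", []):
            for fqdn in rule.get("target_fqdns", []):
                if fqdn in BROAD_WILDCARDS:
                    hits.append(("high", f"{addr} rule {rule['name']}", f"{fqdn} allows egress to any tenant"))
    elif rtype == "azurerm_app_service_environment_v3":
        settings = {s["name"]: s["value"] for s in after.get("cluster_setting", [])}
        if settings.get("DisableTls1.0") != "1":
            hits.append(("high", addr, "TLS 1.0 still enabled on the ASE front ends"))
        suites = settings.get("FrontEndSSLCipherSuiteOrder", "")
        if suites and not all("_GCM_" in s for s in suites.split(",")):
            hits.append(("medium", addr, "non-AEAD suite in FrontEndSSLCipherSuiteOrder"))
    return hits


def findings(plan: dict) -> List[Finding]:
    """Walk every planned resource with a known after-state and collect hits in plan order."""
    out: List[Finding] = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:  # pure delete, or state only known after apply
            continue
        out.extend(check_resource(rc["type"], rc["address"], after))
    return out


def summarize(plan: dict) -> Dict[str, int]:
    """Count findings per severity, so a pipeline can gate on any 'high'."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings(plan):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    # Usage: terraform show -json plan.tfplan > plan.json && python plan_policy.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for sev, addr, msg in findings(plan):
        print(f"[{sev:6}] {addr}: {msg}")
    sys.exit(1 if summarize(plan)["high"] else 0)
```

Run it in the workflow right after the plan step and fail the job on any high. Against the posted plan it flags allow-kms-activation (destination_ports = ["*"] to the KMS addresses, where activation needs only TCP 1688), the `*.blob.core.windows.net` entries in both the core and the devops VM rules (any storage account in Azure, not just the landing zone's), and the workspaces left on shared-key authentication. The certificate-dependency rule on port 80 is deliberately not a finding: CRL and OCSP fetches are plain HTTP by design.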


Terraform Format and Style 🖌

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.hub.azurecaf_name.caf_name_hub_rg will be created
  + resource "azurecaf_name" "caf_name_hub_rg" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_resource_group"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.hub.azurerm_resource_group.hub will be created
  + resource "azurerm_resource_group" "hub" {
      + id       = (known after apply)
      + location = "westus3"
      + name     = (known after apply)
      + tags     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
    }

  # module.spoke.azurecaf_name.appsvc_subnet will be created
  + resource "azurecaf_name" "appsvc_subnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "spoke",
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_subnet"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_asev3[0] will be created
  + resource "azurecaf_name" "caf_name_asev3" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_service_environment"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_id_contributor will be created
  + resource "azurecaf_name" "caf_name_id_contributor" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_user_assigned_identity"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "contributor",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_id_reader will be created
  + resource "azurecaf_name" "caf_name_id_reader" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_user_assigned_identity"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "reader",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_law will be created
  + resource "azurecaf_name" "caf_name_law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_spoke_rg will be created
  + resource "azurecaf_name" "caf_name_spoke_rg" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_resource_group"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.law will be created
  + resource "azurecaf_name" "law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurerm_app_service_environment_v3.this[0] will be created
  + resource "azurerm_app_service_environment_v3" "this" {
      + allow_new_private_endpoint_connections = true
      + dns_suffix                             = (known after apply)
      + external_inbound_ip_addresses          = (known after apply)
      + id                                     = (known after apply)
      + inbound_network_dependencies           = (known after apply)
      + internal_inbound_ip_addresses          = (known after apply)
      + internal_load_balancing_mode           = "Web, Publishing"
      + ip_ssl_address_count                   = (known after apply)
      + linux_outbound_ip_addresses            = (known after apply)
      + location                               = (known after apply)
      + name                                   = (known after apply)
      + pricing_tier                           = (known after apply)
      + remote_debugging_enabled               = false
      + resource_group_name                    = (known after apply)
      + subnet_id                              = (known after apply)
      + tags                                   = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
      + windows_outbound_ip_addresses          = (known after apply)
      + zone_redundant                         = true

      + cluster_setting {
          + name  = "DisableTls1.0"
          + value = "1"
        }
      + cluster_setting {
          + name  = "FrontEndSSLCipherSuiteOrder"
          + value = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        }
    }

  # module.spoke.azurerm_log_analytics_workspace.law will be created
  + resource "azurerm_log_analytics_workspace" "law" {
      + allow_resource_only_permissions = true
      + daily_quota_gb                  = -1
      + id                              = (known after apply)
      + internet_ingestion_enabled      = true
      + internet_query_enabled          = true
      + local_authentication_disabled   = false
      + location                        = "westus3"
      + name                            = (known after apply)
      + primary_shared_key              = (sensitive value)
      + resource_group_name             = (known after apply)
      + retention_in_days               = 30
      + secondary_shared_key            = (sensitive value)
      + sku                             = "PerGB2018"
      + tags                            = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
      + workspace_id                    = (known after apply)
    }

  # module.spoke.azurerm_resource_group.spoke will be created
  + resource "azurerm_resource_group" "spoke" {
      + id       = (known after apply)
      + location = "westus3"
      + name     = (known after apply)
      + tags     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
    }

  # module.spoke.azurerm_user_assigned_identity.contributor will be created
  + resource "azurerm_user_assigned_identity" "contributor" {
      + client_id           = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + principal_id        = (known after apply)
      + resource_group_name = (known after apply)
      + tenant_id           = (known after apply)
    }

  # module.spoke.azurerm_user_assigned_identity.reader will be created
  + resource "azurerm_user_assigned_identity" "reader" {
      + client_id           = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + principal_id        = (known after apply)
      + resource_group_name = (known after apply)
      + tenant_id           = (known after apply)
    }

  # module.spoke.random_integer.unique_id will be created
  + resource "random_integer" "unique_id" {
      + id     = (known after apply)
      + max    = 9999
      + min    = 1
      + result = (known after apply)
    }

  # module.hub.module.bastion[0].azurecaf_name.caf_name_bastion will be created
  + resource "azurecaf_name" "caf_name_bastion" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.bastion[0].azurecaf_name.caf_name_pip will be created
  + resource "azurecaf_name" "caf_name_pip" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest-bastion"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_public_ip"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.bastion[0].azurerm_bastion_host.bastion will be created
  + resource "azurerm_bastion_host" "bastion" {
      + copy_paste_enabled        = true
      + dns_name                  = (known after apply)
      + file_copy_enabled         = false
      + id                        = (known after apply)
      + ip_connect_enabled        = false
      + kerberos_enabled          = false
      + location                  = "westus3"
      + name                      = (known after apply)
      + resource_group_name       = (known after apply)
      + scale_units               = 2
      + session_recording_enabled = false
      + shareable_link_enabled    = false
      + sku                       = "Standard"
      + tags                      = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "bastion"
        }
      + tunneling_enabled         = true

      + ip_configuration {
          + name                 = "bastionHostIpConfiguration"
          + public_ip_address_id = (known after apply)
          + subnet_id            = (known after apply)
        }
    }

  # module.hub.module.bastion[0].azurerm_public_ip.bastion_pip will be created
  + resource "azurerm_public_ip" "bastion_pip" {
      + allocation_method       = "Static"
      + ddos_protection_mode    = "VirtualNetworkInherited"
      + fqdn                    = (known after apply)
      + id                      = (known after apply)
      + idle_timeout_in_minutes = 4
      + ip_address              = (known after apply)
      + ip_version              = "IPv4"
      + location                = "westus3"
      + name                    = (known after apply)
      + resource_group_name     = (known after apply)
      + sku                     = "Standard"
      + sku_tier                = "Regional"
      + tags                    = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "bastion"
        }
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_firewall will be created
  + resource "azurecaf_name" "caf_name_firewall" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_firewall"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_law[0] will be created
  + resource "azurecaf_name" "caf_name_law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_pip will be created
  + resource "azurecaf_name" "caf_name_pip" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest-fw"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_public_ip"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurerm_firewall.firewall will be created
  + resource "azurerm_firewall" "firewall" {
      + dns_proxy_enabled   = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + sku_name            = "AZFW_VNet"
      + sku_tier            = "Standard"
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "firewall"
        }
      + threat_intel_mode   = (known after apply)

      + ip_configuration {
          + name                 = "firewallIpConfiguration"
          + private_ip_address   = (known after apply)
          + public_ip_address_id = (known after apply)
          + subnet_id            = (known after apply)
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-entra-idS-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

  # module.hub.module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created
  + resource "azurerm_log_analytics_workspace" "law" {
      + allow_resource_only_permissions = true
      + daily_quota_gb                  = -1
      + id                              = (known after apply)
      + internet_ingestion_enabled      = true
      + internet_query_enabled          = true
      + local_authentication_disabled   = false
      + location                        = "westus3"
      + name                            = (known after apply)
      + primary_shared_key              = (sensitive value)
      + resource_group_name             = (known after apply)
      + retention_in_days               = (known after apply)
      + secondary_shared_key            = (sensitive value)
      + sku                             = "PerGB2018"
      + workspace_id                    = (known after apply)
    }

  # module.hub.module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created
  + resource "azurerm_monitor_diagnostic_setting" "this" {
      + id                             = (known after apply)
      + log_analytics_destination_type = (known after apply)
      + log_analytics_workspace_id     = (known after apply)
      + name                           = (known after apply)
      + target_resource_id             = (known after apply)

      + enabled_log {
          + category_group = "allLogs"
            # (1 unchanged attribute hidden)
        }

      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }
    }

  # module.hub.module.firewall[0].azurerm_public_ip.firewall_pip will be created
  + resource "azurerm_public_ip" "firewall_pip" {
      + allocation_method       = "Static"
      + ddos_protection_mode    = "VirtualNetworkInherited"
      + fqdn                    = (known after apply)
      + id                      = (known after apply)
      + idle_timeout_in_minutes = 4
      + ip_address              = (known after apply)
      + ip_version              = "IPv4"
      + location                = "westus3"
      + name                    = (known after apply)
      + resource_group_name     = (known after apply)
      + sku                     = "Standard"
      + sku_tier                = "Regional"
      + tags                    = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "firewall"
        }
    }

  # module.hub.module.network.azurecaf_name.caf_name_vnet will be created
  + resource "azurecaf_name" "caf_name_vnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.hub.module.network.azurerm_subnet.this["AzureBastionSubnet"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.242.0.64/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "AzureBastionSubnet"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.hub.module.network.azurerm_subnet.this["AzureFirewallSubnet"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.242.0.0/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "AzureFirewallSubnet"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.hub.module.network.azurerm_virtual_network.this will be created
  + resource "azurerm_virtual_network" "this" {
      + address_space       = [
          + "10.242.0.0/20",
        ]
      + dns_servers         = (known after apply)
      + guid                = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + subnet              = (known after apply)
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "network"
        }
    }

  # module.spoke.module.app_configuration[0].azurecaf_name.caf_name_appconf will be created
  + resource "azurecaf_name" "caf_name_appconf" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_configuration"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = (known after apply)
      + use_slug      = true
    }

  # module.spoke.module.app_configuration[0].azurecaf_name.private_endpoint will be created
  + resource "azurecaf_name" "private_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.app_configuration[0].azurerm_app_configuration.this will be created
  + resource "azurerm_app_configuration" "this" {
      + endpoint                   = (known after apply)
      + id                         = (known after apply)
      + local_auth_enabled         = false
      + location                   = "westus3"
      + name                       = (known after apply)
      + primary_read_key           = (known after apply)
      + primary_write_key          = (known after apply)
      + public_network_access      = "Disabled"
      + purge_protection_enabled   = true
      + resource_group_name        = (known after apply)
      + secondary_read_key         = (known after apply)
      + secondary_write_key        = (known after apply)
      + sku                        = "standard"
      + soft_delete_retention_days = 7
      + tags                       = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "app-configuration"
        }
    }

  # module.spoke.module.app_configuration[0].azurerm_private_dns_a_record.this will be created
  + resource "azurerm_private_dns_a_record" "this" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = (known after apply)
      + records             = (known after apply)
      + resource_group_name = (known after apply)
      + ttl                 = 300
      + zone_name           = "privatelink.azconfig.io"
    }

  # module.spoke.module.app_configuration[0].azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = (known after apply)
      + subnet_id                = (known after apply)

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = "app-config-private-endpoint"
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "configurationStores",
            ]
        }
    }

  # module.spoke.module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created
  + resource "azurerm_role_assignment" "data_owners" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "App Configuration Data Owner"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created
  + resource "azurerm_role_assignment" "data_readers" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "App Configuration Data Reader"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.app_service.azurecaf_name.caf_name_appinsights will be created
  + resource "azurecaf_name" "caf_name_appinsights" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_application_insights"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.app_service.azurecaf_name.caf_name_asp will be created
  + resource "azurecaf_name" "caf_name_asp" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_service_plan"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.app_service.azurerm_application_insights.this will be created
  + resource "azurerm_application_insights" "this" {
      + app_id                              = (known after apply)
      + application_type                    = "web"
      + connection_string                   = (sensitive value)
      + daily_data_cap_in_gb                = 100
      + disable_ip_masking                  = false
      + force_customer_storage_for_profiler = false
      + id                                  = (known after apply)
      + instrumentation_key                 = (sensitive value)
      + internet_ingestion_enabled          = true
      + internet_query_enabled              = true
      + local_authentication_disabled       = false
      + location                            = "westus3"
      + name                                = (known after apply)
      + resource_group_name                 = (known after apply)
      + retention_in_days                   = 90
      + sampling_percentage                 = 100
      + workspace_id                        = (known after apply)
    }

  # module.spoke.module.app_service.azurerm_service_plan.this will be created
  + resource "azurerm_service_plan" "this" {
      + app_service_environment_id   = (known after apply)
      + id                           = (known after apply)
      + kind                         = (known after apply)
      + location                     = "westus3"
      + maximum_elastic_worker_count = (known after apply)
      + name                         = (known after apply)
      + os_type                      = "Windows"
      + per_site_scaling_enabled     = false
      + reserved                     = (known after apply)
      + resource_group_name          = (known after apply)
      + sku_name                     = "I1v2"
      + tags                         = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "app-service"
        }
      + worker_count                 = 3
      + zone_balancing_enabled       = (known after apply)
    }

  # module.spoke.module.frontdoor.azurecaf_name.caf_name_afd will be created
  + resource "azurecaf_name" "caf_name_afd" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_frontdoor"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created
  + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
      + enabled                    = true
      + frontend_endpoint_ids      = (known after apply)
      + id                         = (known after apply)
      + mode                       = "Prevention"
      + name                       = "wafpolicymicrosoftdefaultruleset21"
      + request_body_check_enabled = true
      + resource_group_name        = (known after apply)
      + sku_name                   = "Premium_AzureFrontDoor"

      + managed_rule {
          + action  = "Block"
          + type    = "Microsoft_DefaultRuleSet"
          + version = "2.1"
        }
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created
  + resource "azurerm_cdn_frontdoor_profile" "frontdoor" {
      + id                       = (known after apply)
      + name                     = (known after apply)
      + resource_group_name      = (known after apply)
      + resource_guid            = (known after apply)
      + response_timeout_seconds = 120
      + sku_name                 = "Premium_AzureFrontDoor"
      + tags                     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "frontdoor"
        }
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created
  + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" {
      + cdn_frontdoor_profile_id = (known after apply)
      + id                       = (known after apply)
      + name                     = "WAF-Security-Policy"

      + security_policies {
          + firewall {
              + cdn_frontdoor_firewall_policy_id = (known after apply)

              + association {
                  + patterns_to_match = [
                      + "/*",
                    ]

                  + domain {
                      + active                  = (known after apply)
                      + cdn_frontdoor_domain_id = (known after apply)
                    }
                }
            }
        }
    }

  # module.spoke.module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created
  + resource "azurerm_monitor_diagnostic_setting" "this" {
      + id                             = (known after apply)
      + log_analytics_destination_type = "AzureDiagnostics"
      + log_analytics_workspace_id     = (known after apply)
      + name                           = (known after apply)
      + target_resource_id             = (known after apply)

      + enabled_log {
          + category_group = "allLogs"
            # (1 unchanged attribute hidden)
        }

      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }
    }

  # module.spoke.module.key_vault.azurecaf_name.caf_name_akv will be created
  + resource "azurecaf_name" "caf_name_akv" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_key_vault"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = (known after apply)
      + use_slug      = true
    }

  # module.spoke.module.key_vault.azurecaf_name.private_endpoint will be created
  + resource "azurecaf_name" "private_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.key_vault.azurerm_key_vault.this will be created
  + resource "azurerm_key_vault" "this" {
      + access_policy                 = (known after apply)
      + enable_rbac_authorization     = true
      + enabled_for_disk_encryption   = true
      + id                            = (known after apply)
      + location                      = "westus3"
      + name                          = (known after apply)
      + public_network_access_enabled = false
      + purge_protection_enabled      = true
      + resource_group_name           = (known after apply)
      + sku_name                      = "standard"
      + soft_delete_retention_days    = 7
      + tags                          = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "key-vault"
        }
      + tenant_id                     = "449fbe1d-9c99-4509-9014-4fd5cf25b014"
      + vault_uri                     = (known after apply)

      + contact (known after apply)

      + network_acls {
          + bypass         = "AzureServices"
          + default_action = "Deny"
        }
    }

  # module.spoke.module.key_vault.azurerm_private_dns_a_record.this will be created
  + resource "azurerm_private_dns_a_record" "this" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = (known after apply)
      + records             = (known after apply)
      + resource_group_name = (known after apply)
      + ttl                 = 300
      + zone_name           = "privatelink.vaultcore.azure.net"
    }

  # module.spoke.module.key_vault.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = (known after apply)
      + subnet_id                = (known after apply)

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "vault",
            ]
        }
    }

  # module.spoke.module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created
  + resource "azurerm_role_assignment" "secrets_officer" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Key Vault Secrets Officer"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.key_vault.azurerm_role_assignment.secrets_user[0] will be created
  + resource "azurerm_role_assignment" "secrets_user" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Key Vault Secrets User"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.network.azurecaf_name.caf_name_vnet will be created
  + resource "azurecaf_name" "caf_name_vnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.network.azurerm_subnet.this["devops"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.10.128/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "devops"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["hostingEnvironments"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.5.0/24",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "hostingEnvironments"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)

      + delegation {
          + name = "Microsoft.Web.hostingEnvironments"

          + service_delegation {
              + actions = [
                  + "Microsoft.Network/virtualNetworks/subnets/action",
                ]
              + name    = "Microsoft.Web/hostingEnvironments"
            }
        }
    }

  # module.spoke.module.network.azurerm_subnet.this["ingress"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.0.64/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "ingress"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["privateLink"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.11.0/24",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "privateLink"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["serverFarm"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.0.0/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "serverFarm"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)

      + delegation {
          + name = "Microsoft.Web/serverFarms"

          + service_delegation {
              + actions = [
                  + "Microsoft.Network/virtualNetworks/subnets/action",
                ]
              + name    = "Microsoft.Web/serverFarms"
            }
        }
    }

  # module.spoke.module.network.azurerm_virtual_network.this will be created
  + resource "azurerm_virtual_network" "this" {
      + address_space       = [
          + "10.240.0.0/20",
        ]
      + dns_servers         = (known after apply)
      + guid                = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + subnet              = (known after apply)
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "network"
        }
    }

  # module.spoke.module.network.azurerm_virtual_network_peering.target_to_this[0] will be created
  + resource "azurerm_virtual_network_peering" "target_to_this" {
      + allow_forwarded_traffic                = false
      + allow_gateway_transit                  = false
      + allow_virtual_network_access           = true
      + id                                     = (known after apply)
      + name                                   = "hub-to-spoke-eslztest"
      + peer_complete_virtual_networks_enabled = true
      + remote_virtual_network_id              = (known after apply)
      + resource_group_name                    = (known after apply)
      + use_remote_gateways                    = false
      + virtual_network_name                   = (known after apply)
    }

  # module.spoke.module.network.azurerm_virtual_network_peering.this_to_target[0] will be created
  + resource "azurerm_virtual_network_peering" "this_to_target" {
      + allow_forwarded_traffic                = false
      + allow_gateway_transit                  = false
      + allow_virtual_network_access           = true
      + id                                     = (known after apply)
      + name                                   = "spoke-to-hub-eslztest"
      + peer_complete_virtual_networks_enabled = true
      + remote_virtual_network_id              = (known after apply)
      + resource_group_name                    = (known after apply)
      + use_remote_gateways                    = false
      + virtual_network_name                   = (known after apply)
    }

  # module.spoke.module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
        name          = null
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
        name          = null
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = (known after apply)
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
        }
    }

  # module.spoke.module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + sku {
          + capacity = 1
          + name     = "Standard"
        }
    }

  # module.spoke.module.private_dns_zones[0].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.azurewebsites.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.azurewebsites.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[1].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.vaultcore.azure.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.vaultcore.azure.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[2].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.database.windows.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.database.windows.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[3].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.azconfig.io"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          +  ...
Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.
Terraform Plan 📖success

Show Plan
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.hub.azurecaf_name.caf_name_hub_rg will be created
  + resource "azurecaf_name" "caf_name_hub_rg" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_resource_group"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.hub.azurerm_resource_group.hub will be created
  + resource "azurerm_resource_group" "hub" {
      + id       = (known after apply)
      + location = "westus3"
      + name     = (known after apply)
      + tags     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
    }

  # module.spoke.azurecaf_name.appsvc_subnet will be created
  + resource "azurecaf_name" "appsvc_subnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "spoke",
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_subnet"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_asev3[0] will be created
  + resource "azurecaf_name" "caf_name_asev3" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_service_environment"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_id_contributor will be created
  + resource "azurecaf_name" "caf_name_id_contributor" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_user_assigned_identity"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "contributor",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_id_reader will be created
  + resource "azurecaf_name" "caf_name_id_reader" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_user_assigned_identity"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "reader",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_law will be created
  + resource "azurecaf_name" "caf_name_law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_spoke_rg will be created
  + resource "azurecaf_name" "caf_name_spoke_rg" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_resource_group"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.law will be created
  + resource "azurecaf_name" "law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurerm_app_service_environment_v3.this[0] will be created
  + resource "azurerm_app_service_environment_v3" "this" {
      + allow_new_private_endpoint_connections = true
      + dns_suffix                             = (known after apply)
      + external_inbound_ip_addresses          = (known after apply)
      + id                                     = (known after apply)
      + inbound_network_dependencies           = (known after apply)
      + internal_inbound_ip_addresses          = (known after apply)
      + internal_load_balancing_mode           = "Web, Publishing"
      + ip_ssl_address_count                   = (known after apply)
      + linux_outbound_ip_addresses            = (known after apply)
      + location                               = (known after apply)
      + name                                   = (known after apply)
      + pricing_tier                           = (known after apply)
      + remote_debugging_enabled               = false
      + resource_group_name                    = (known after apply)
      + subnet_id                              = (known after apply)
      + tags                                   = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
      + windows_outbound_ip_addresses          = (known after apply)
      + zone_redundant                         = true

      + cluster_setting {
          + name  = "DisableTls1.0"
          + value = "1"
        }
      + cluster_setting {
          + name  = "FrontEndSSLCipherSuiteOrder"
          + value = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        }
    }

  # module.spoke.azurerm_log_analytics_workspace.law will be created
  + resource "azurerm_log_analytics_workspace" "law" {
      + allow_resource_only_permissions = true
      + daily_quota_gb                  = -1
      + id                              = (known after apply)
      + internet_ingestion_enabled      = true
      + internet_query_enabled          = true
      + local_authentication_disabled   = false
      + location                        = "westus3"
      + name                            = (known after apply)
      + primary_shared_key              = (sensitive value)
      + resource_group_name             = (known after apply)
      + retention_in_days               = 30
      + secondary_shared_key            = (sensitive value)
      + sku                             = "PerGB2018"
      + tags                            = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
      + workspace_id                    = (known after apply)
    }

  # module.spoke.azurerm_resource_group.spoke will be created
  + resource "azurerm_resource_group" "spoke" {
      + id       = (known after apply)
      + location = "westus3"
      + name     = (known after apply)
      + tags     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
    }

  # module.spoke.azurerm_user_assigned_identity.contributor will be created
  + resource "azurerm_user_assigned_identity" "contributor" {
      + client_id           = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + principal_id        = (known after apply)
      + resource_group_name = (known after apply)
      + tenant_id           = (known after apply)
    }

  # module.spoke.azurerm_user_assigned_identity.reader will be created
  + resource "azurerm_user_assigned_identity" "reader" {
      + client_id           = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + principal_id        = (known after apply)
      + resource_group_name = (known after apply)
      + tenant_id           = (known after apply)
    }

  # module.spoke.random_integer.unique_id will be created
  + resource "random_integer" "unique_id" {
      + id     = (known after apply)
      + max    = 9999
      + min    = 1
      + result = (known after apply)
    }

  # module.hub.module.bastion[0].azurecaf_name.caf_name_bastion will be created
  + resource "azurecaf_name" "caf_name_bastion" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.bastion[0].azurecaf_name.caf_name_pip will be created
  + resource "azurecaf_name" "caf_name_pip" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest-bastion"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_public_ip"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.bastion[0].azurerm_bastion_host.bastion will be created
  + resource "azurerm_bastion_host" "bastion" {
      + copy_paste_enabled        = true
      + dns_name                  = (known after apply)
      + file_copy_enabled         = false
      + id                        = (known after apply)
      + ip_connect_enabled        = false
      + kerberos_enabled          = false
      + location                  = "westus3"
      + name                      = (known after apply)
      + resource_group_name       = (known after apply)
      + scale_units               = 2
      + session_recording_enabled = false
      + shareable_link_enabled    = false
      + sku                       = "Standard"
      + tags                      = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "bastion"
        }
      + tunneling_enabled         = true

      + ip_configuration {
          + name                 = "bastionHostIpConfiguration"
          + public_ip_address_id = (known after apply)
          + subnet_id            = (known after apply)
        }
    }

  # module.hub.module.bastion[0].azurerm_public_ip.bastion_pip will be created
  + resource "azurerm_public_ip" "bastion_pip" {
      + allocation_method       = "Static"
      + ddos_protection_mode    = "VirtualNetworkInherited"
      + fqdn                    = (known after apply)
      + id                      = (known after apply)
      + idle_timeout_in_minutes = 4
      + ip_address              = (known after apply)
      + ip_version              = "IPv4"
      + location                = "westus3"
      + name                    = (known after apply)
      + resource_group_name     = (known after apply)
      + sku                     = "Standard"
      + sku_tier                = "Regional"
      + tags                    = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "bastion"
        }
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_firewall will be created
  + resource "azurecaf_name" "caf_name_firewall" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_firewall"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_law[0] will be created
  + resource "azurecaf_name" "caf_name_law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_pip will be created
  + resource "azurecaf_name" "caf_name_pip" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest-fw"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_public_ip"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurerm_firewall.firewall will be created
  + resource "azurerm_firewall" "firewall" {
      + dns_proxy_enabled   = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + sku_name            = "AZFW_VNet"
      + sku_tier            = "Standard"
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "firewall"
        }
      + threat_intel_mode   = (known after apply)

      + ip_configuration {
          + name                 = "firewallIpConfiguration"
          + private_ip_address   = (known after apply)
          + public_ip_address_id = (known after apply)
          + subnet_id            = (known after apply)
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-entra-idS-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

  # module.hub.module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created
  + resource "azurerm_log_analytics_workspace" "law" {
      + allow_resource_only_permissions = true
      + daily_quota_gb                  = -1
      + id                              = (known after apply)
      + internet_ingestion_enabled      = true
      + internet_query_enabled          = true
      + local_authentication_disabled   = false
      + location                        = "westus3"
      + name                            = (known after apply)
      + primary_shared_key              = (sensitive value)
      + resource_group_name             = (known after apply)
      + retention_in_days               = (known after apply)
      + secondary_shared_key            = (sensitive value)
      + sku                             = "PerGB2018"
      + workspace_id                    = (known after apply)
    }

  # module.hub.module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created
  + resource "azurerm_monitor_diagnostic_setting" "this" {
      + id                             = (known after apply)
      + log_analytics_destination_type = (known after apply)
      + log_analytics_workspace_id     = (known after apply)
      + name                           = (known after apply)
      + target_resource_id             = (known after apply)

      + enabled_log {
          + category_group = "allLogs"
            # (1 unchanged attribute hidden)
        }

      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }
    }

  # module.hub.module.firewall[0].azurerm_public_ip.firewall_pip will be created
  + resource "azurerm_public_ip" "firewall_pip" {
      + allocation_method       = "Static"
      + ddos_protection_mode    = "VirtualNetworkInherited"
      + fqdn                    = (known after apply)
      + id                      = (known after apply)
      + idle_timeout_in_minutes = 4
      + ip_address              = (known after apply)
      + ip_version              = "IPv4"
      + location                = "westus3"
      + name                    = (known after apply)
      + resource_group_name     = (known after apply)
      + sku                     = "Standard"
      + sku_tier                = "Regional"
      + tags                    = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "firewall"
        }
    }

  # module.hub.module.network.azurecaf_name.caf_name_vnet will be created
  + resource "azurecaf_name" "caf_name_vnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.hub.module.network.azurerm_subnet.this["AzureBastionSubnet"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.242.0.64/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "AzureBastionSubnet"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.hub.module.network.azurerm_subnet.this["AzureFirewallSubnet"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.242.0.0/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "AzureFirewallSubnet"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.hub.module.network.azurerm_virtual_network.this will be created
  + resource "azurerm_virtual_network" "this" {
      + address_space       = [
          + "10.242.0.0/20",
        ]
      + dns_servers         = (known after apply)
      + guid                = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + subnet              = (known after apply)
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "network"
        }
    }

  # module.spoke.module.app_configuration[0].azurecaf_name.caf_name_appconf will be created
  + resource "azurecaf_name" "caf_name_appconf" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_configuration"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = (known after apply)
      + use_slug      = true
    }

  # module.spoke.module.app_configuration[0].azurecaf_name.private_endpoint will be created
  + resource "azurecaf_name" "private_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.app_configuration[0].azurerm_app_configuration.this will be created
  + resource "azurerm_app_configuration" "this" {
      + endpoint                   = (known after apply)
      + id                         = (known after apply)
      + local_auth_enabled         = false
      + location                   = "westus3"
      + name                       = (known after apply)
      + primary_read_key           = (known after apply)
      + primary_write_key          = (known after apply)
      + public_network_access      = "Disabled"
      + purge_protection_enabled   = true
      + resource_group_name        = (known after apply)
      + secondary_read_key         = (known after apply)
      + secondary_write_key        = (known after apply)
      + sku                        = "standard"
      + soft_delete_retention_days = 7
      + tags                       = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "app-configuration"
        }
    }

  # module.spoke.module.app_configuration[0].azurerm_private_dns_a_record.this will be created
  + resource "azurerm_private_dns_a_record" "this" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = (known after apply)
      + records             = (known after apply)
      + resource_group_name = (known after apply)
      + ttl                 = 300
      + zone_name           = "privatelink.azconfig.io"
    }

  # module.spoke.module.app_configuration[0].azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = (known after apply)
      + subnet_id                = (known after apply)

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = "app-config-private-endpoint"
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "configurationStores",
            ]
        }
    }

  # module.spoke.module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created
  + resource "azurerm_role_assignment" "data_owners" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "App Configuration Data Owner"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created
  + resource "azurerm_role_assignment" "data_readers" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "App Configuration Data Reader"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.app_service.azurecaf_name.caf_name_appinsights will be created
  + resource "azurecaf_name" "caf_name_appinsights" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_application_insights"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.app_service.azurecaf_name.caf_name_asp will be created
  + resource "azurecaf_name" "caf_name_asp" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_service_plan"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.app_service.azurerm_application_insights.this will be created
  + resource "azurerm_application_insights" "this" {
      + app_id                              = (known after apply)
      + application_type                    = "web"
      + connection_string                   = (sensitive value)
      + daily_data_cap_in_gb                = 100
      + disable_ip_masking                  = false
      + force_customer_storage_for_profiler = false
      + id                                  = (known after apply)
      + instrumentation_key                 = (sensitive value)
      + internet_ingestion_enabled          = true
      + internet_query_enabled              = true
      + local_authentication_disabled       = false
      + location                            = "westus3"
      + name                                = (known after apply)
      + resource_group_name                 = (known after apply)
      + retention_in_days                   = 90
      + sampling_percentage                 = 100
      + workspace_id                        = (known after apply)
    }

  # module.spoke.module.app_service.azurerm_service_plan.this will be created
  + resource "azurerm_service_plan" "this" {
      + app_service_environment_id   = (known after apply)
      + id                           = (known after apply)
      + kind                         = (known after apply)
      + location                     = "westus3"
      + maximum_elastic_worker_count = (known after apply)
      + name                         = (known after apply)
      + os_type                      = "Windows"
      + per_site_scaling_enabled     = false
      + reserved                     = (known after apply)
      + resource_group_name          = (known after apply)
      + sku_name                     = "I1v2"
      + tags                         = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "app-service"
        }
      + worker_count                 = 3
      + zone_balancing_enabled       = (known after apply)
    }

  # module.spoke.module.frontdoor.azurecaf_name.caf_name_afd will be created
  + resource "azurecaf_name" "caf_name_afd" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_frontdoor"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created
  + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
      + enabled                    = true
      + frontend_endpoint_ids      = (known after apply)
      + id                         = (known after apply)
      + mode                       = "Prevention"
      + name                       = "wafpolicymicrosoftdefaultruleset21"
      + request_body_check_enabled = true
      + resource_group_name        = (known after apply)
      + sku_name                   = "Premium_AzureFrontDoor"

      + managed_rule {
          + action  = "Block"
          + type    = "Microsoft_DefaultRuleSet"
          + version = "2.1"
        }
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created
  + resource "azurerm_cdn_frontdoor_profile" "frontdoor" {
      + id                       = (known after apply)
      + name                     = (known after apply)
      + resource_group_name      = (known after apply)
      + resource_guid            = (known after apply)
      + response_timeout_seconds = 120
      + sku_name                 = "Premium_AzureFrontDoor"
      + tags                     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "frontdoor"
        }
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created
  + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" {
      + cdn_frontdoor_profile_id = (known after apply)
      + id                       = (known after apply)
      + name                     = "WAF-Security-Policy"

      + security_policies {
          + firewall {
              + cdn_frontdoor_firewall_policy_id = (known after apply)

              + association {
                  + patterns_to_match = [
                      + "/*",
                    ]

                  + domain {
                      + active                  = (known after apply)
                      + cdn_frontdoor_domain_id = (known after apply)
                    }
                }
            }
        }
    }

  # module.spoke.module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created
  + resource "azurerm_monitor_diagnostic_setting" "this" {
      + id                             = (known after apply)
      + log_analytics_destination_type = "AzureDiagnostics"
      + log_analytics_workspace_id     = (known after apply)
      + name                           = (known after apply)
      + target_resource_id             = (known after apply)

      + enabled_log {
          + category_group = "allLogs"
            # (1 unchanged attribute hidden)
        }

      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }
    }

  # module.spoke.module.key_vault.azurecaf_name.caf_name_akv will be created
  + resource "azurecaf_name" "caf_name_akv" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_key_vault"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = (known after apply)
      + use_slug      = true
    }

  # module.spoke.module.key_vault.azurecaf_name.private_endpoint will be created
  + resource "azurecaf_name" "private_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.key_vault.azurerm_key_vault.this will be created
  + resource "azurerm_key_vault" "this" {
      + access_policy                 = (known after apply)
      + enable_rbac_authorization     = true
      + enabled_for_disk_encryption   = true
      + id                            = (known after apply)
      + location                      = "westus3"
      + name                          = (known after apply)
      + public_network_access_enabled = false
      + purge_protection_enabled      = true
      + resource_group_name           = (known after apply)
      + sku_name                      = "standard"
      + soft_delete_retention_days    = 7
      + tags                          = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "key-vault"
        }
      + tenant_id                     = "449fbe1d-9c99-4509-9014-4fd5cf25b014"
      + vault_uri                     = (known after apply)

      + contact (known after apply)

      + network_acls {
          + bypass         = "AzureServices"
          + default_action = "Deny"
        }
    }

  # module.spoke.module.key_vault.azurerm_private_dns_a_record.this will be created
  + resource "azurerm_private_dns_a_record" "this" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = (known after apply)
      + records             = (known after apply)
      + resource_group_name = (known after apply)
      + ttl                 = 300
      + zone_name           = "privatelink.vaultcore.azure.net"
    }

  # module.spoke.module.key_vault.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = (known after apply)
      + subnet_id                = (known after apply)

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "vault",
            ]
        }
    }

  # module.spoke.module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created
  + resource "azurerm_role_assignment" "secrets_officer" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Key Vault Secrets Officer"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.key_vault.azurerm_role_assignment.secrets_user[0] will be created
  + resource "azurerm_role_assignment" "secrets_user" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Key Vault Secrets User"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.network.azurecaf_name.caf_name_vnet will be created
  + resource "azurecaf_name" "caf_name_vnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.network.azurerm_subnet.this["devops"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.10.128/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "devops"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["hostingEnvironments"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.5.0/24",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "hostingEnvironments"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)

      + delegation {
          + name = "Microsoft.Web.hostingEnvironments"

          + service_delegation {
              + actions = [
                  + "Microsoft.Network/virtualNetworks/subnets/action",
                ]
              + name    = "Microsoft.Web/hostingEnvironments"
            }
        }
    }

  # module.spoke.module.network.azurerm_subnet.this["ingress"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.0.64/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "ingress"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["privateLink"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.11.0/24",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "privateLink"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["serverFarm"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.0.0/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "serverFarm"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)

      + delegation {
          + name = "Microsoft.Web/serverFarms"

          + service_delegation {
              + actions = [
                  + "Microsoft.Network/virtualNetworks/subnets/action",
                ]
              + name    = "Microsoft.Web/serverFarms"
            }
        }
    }

  # module.spoke.module.network.azurerm_virtual_network.this will be created
  + resource "azurerm_virtual_network" "this" {
      + address_space       = [
          + "10.240.0.0/20",
        ]
      + dns_servers         = (known after apply)
      + guid                = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + subnet              = (known after apply)
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "network"
        }
    }

  # module.spoke.module.network.azurerm_virtual_network_peering.target_to_this[0] will be created
  + resource "azurerm_virtual_network_peering" "target_to_this" {
      + allow_forwarded_traffic                = false
      + allow_gateway_transit                  = false
      + allow_virtual_network_access           = true
      + id                                     = (known after apply)
      + name                                   = "hub-to-spoke-eslztest"
      + peer_complete_virtual_networks_enabled = true
      + remote_virtual_network_id              = (known after apply)
      + resource_group_name                    = (known after apply)
      + use_remote_gateways                    = false
      + virtual_network_name                   = (known after apply)
    }

  # module.spoke.module.network.azurerm_virtual_network_peering.this_to_target[0] will be created
  + resource "azurerm_virtual_network_peering" "this_to_target" {
      + allow_forwarded_traffic                = false
      + allow_gateway_transit                  = false
      + allow_virtual_network_access           = true
      + id                                     = (known after apply)
      + name                                   = "spoke-to-hub-eslztest"
      + peer_complete_virtual_networks_enabled = true
      + remote_virtual_network_id              = (known after apply)
      + resource_group_name                    = (known after apply)
      + use_remote_gateways                    = false
      + virtual_network_name                   = (known after apply)
    }

  # module.spoke.module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
        name          = null
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
        name          = null
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = (known after apply)
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
        }
    }

  # module.spoke.module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + sku {
          + capacity = 1
          + name     = "Standard"
        }
    }

  # module.spoke.module.private_dns_zones[0].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.azurewebsites.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.azurewebsites.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[1].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.vaultcore.azure.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.vaultcore.azure.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[2].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.database.windows.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.database.windows.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[3].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.azconfig.io"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          +  ...
Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

Terraform Format and Style 🖌

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.hub.azurecaf_name.caf_name_hub_rg will be created
  + resource "azurecaf_name" "caf_name_hub_rg" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_resource_group"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.hub.azurerm_resource_group.hub will be created
  + resource "azurerm_resource_group" "hub" {
      + id       = (known after apply)
      + location = "westus3"
      + name     = (known after apply)
      + tags     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
    }

  # module.spoke.azurecaf_name.appsvc_subnet will be created
  + resource "azurecaf_name" "appsvc_subnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "spoke",
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_subnet"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_asev3[0] will be created
  + resource "azurecaf_name" "caf_name_asev3" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_service_environment"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_id_contributor will be created
  + resource "azurecaf_name" "caf_name_id_contributor" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_user_assigned_identity"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "contributor",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_id_reader will be created
  + resource "azurecaf_name" "caf_name_id_reader" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_user_assigned_identity"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "reader",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_law will be created
  + resource "azurecaf_name" "caf_name_law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.caf_name_spoke_rg will be created
  + resource "azurecaf_name" "caf_name_spoke_rg" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_resource_group"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurecaf_name.law will be created
  + resource "azurecaf_name" "law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.azurerm_app_service_environment_v3.this[0] will be created
  + resource "azurerm_app_service_environment_v3" "this" {
      + allow_new_private_endpoint_connections = true
      + dns_suffix                             = (known after apply)
      + external_inbound_ip_addresses          = (known after apply)
      + id                                     = (known after apply)
      + inbound_network_dependencies           = (known after apply)
      + internal_inbound_ip_addresses          = (known after apply)
      + internal_load_balancing_mode           = "Web, Publishing"
      + ip_ssl_address_count                   = (known after apply)
      + linux_outbound_ip_addresses            = (known after apply)
      + location                               = (known after apply)
      + name                                   = (known after apply)
      + pricing_tier                           = (known after apply)
      + remote_debugging_enabled               = false
      + resource_group_name                    = (known after apply)
      + subnet_id                              = (known after apply)
      + tags                                   = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
      + windows_outbound_ip_addresses          = (known after apply)
      + zone_redundant                         = true

      + cluster_setting {
          + name  = "DisableTls1.0"
          + value = "1"
        }
      + cluster_setting {
          + name  = "FrontEndSSLCipherSuiteOrder"
          + value = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        }
    }

  # module.spoke.azurerm_log_analytics_workspace.law will be created
  + resource "azurerm_log_analytics_workspace" "law" {
      + allow_resource_only_permissions = true
      + daily_quota_gb                  = -1
      + id                              = (known after apply)
      + internet_ingestion_enabled      = true
      + internet_query_enabled          = true
      + local_authentication_disabled   = false
      + location                        = "westus3"
      + name                            = (known after apply)
      + primary_shared_key              = (sensitive value)
      + resource_group_name             = (known after apply)
      + retention_in_days               = 30
      + secondary_shared_key            = (sensitive value)
      + sku                             = "PerGB2018"
      + tags                            = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
      + workspace_id                    = (known after apply)
    }

  # module.spoke.azurerm_resource_group.spoke will be created
  + resource "azurerm_resource_group" "spoke" {
      + id       = (known after apply)
      + location = "westus3"
      + name     = (known after apply)
      + tags     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
        }
    }

  # module.spoke.azurerm_user_assigned_identity.contributor will be created
  + resource "azurerm_user_assigned_identity" "contributor" {
      + client_id           = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + principal_id        = (known after apply)
      + resource_group_name = (known after apply)
      + tenant_id           = (known after apply)
    }

  # module.spoke.azurerm_user_assigned_identity.reader will be created
  + resource "azurerm_user_assigned_identity" "reader" {
      + client_id           = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + principal_id        = (known after apply)
      + resource_group_name = (known after apply)
      + tenant_id           = (known after apply)
    }

  # module.spoke.random_integer.unique_id will be created
  + resource "random_integer" "unique_id" {
      + id     = (known after apply)
      + max    = 9999
      + min    = 1
      + result = (known after apply)
    }

  # module.hub.module.bastion[0].azurecaf_name.caf_name_bastion will be created
  + resource "azurecaf_name" "caf_name_bastion" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.bastion[0].azurecaf_name.caf_name_pip will be created
  + resource "azurecaf_name" "caf_name_pip" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest-bastion"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_public_ip"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.bastion[0].azurerm_bastion_host.bastion will be created
  + resource "azurerm_bastion_host" "bastion" {
      + copy_paste_enabled        = true
      + dns_name                  = (known after apply)
      + file_copy_enabled         = false
      + id                        = (known after apply)
      + ip_connect_enabled        = false
      + kerberos_enabled          = false
      + location                  = "westus3"
      + name                      = (known after apply)
      + resource_group_name       = (known after apply)
      + scale_units               = 2
      + session_recording_enabled = false
      + shareable_link_enabled    = false
      + sku                       = "Standard"
      + tags                      = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "bastion"
        }
      + tunneling_enabled         = true

      + ip_configuration {
          + name                 = "bastionHostIpConfiguration"
          + public_ip_address_id = (known after apply)
          + subnet_id            = (known after apply)
        }
    }

  # module.hub.module.bastion[0].azurerm_public_ip.bastion_pip will be created
  + resource "azurerm_public_ip" "bastion_pip" {
      + allocation_method       = "Static"
      + ddos_protection_mode    = "VirtualNetworkInherited"
      + fqdn                    = (known after apply)
      + id                      = (known after apply)
      + idle_timeout_in_minutes = 4
      + ip_address              = (known after apply)
      + ip_version              = "IPv4"
      + location                = "westus3"
      + name                    = (known after apply)
      + resource_group_name     = (known after apply)
      + sku                     = "Standard"
      + sku_tier                = "Regional"
      + tags                    = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "bastion"
        }
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_firewall will be created
  + resource "azurecaf_name" "caf_name_firewall" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_firewall"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_law[0] will be created
  + resource "azurecaf_name" "caf_name_law" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_log_analytics_workspace"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurecaf_name.caf_name_pip will be created
  + resource "azurecaf_name" "caf_name_pip" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest-fw"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_public_ip"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.hub.module.firewall[0].azurerm_firewall.firewall will be created
  + resource "azurerm_firewall" "firewall" {
      + dns_proxy_enabled   = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + sku_name            = "AZFW_VNet"
      + sku_tier            = "Standard"
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "firewall"
        }
      + threat_intel_mode   = (known after apply)

      + ip_configuration {
          + name                 = "firewallIpConfiguration"
          + private_ip_address   = (known after apply)
          + public_ip_address_id = (known after apply)
          + subnet_id            = (known after apply)
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created
  + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Azure-Monitor-FQDNs"
      + priority            = 201
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-azure-monitor"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "dc.applicationinsights.azure.com",
              + "dc.applicationinsights.microsoft.com",
              + "dc.services.visualstudio.com",
              + "*.in.applicationinsights.azure.com",
              + "live.applicationinsights.azure.com",
              + "rt.applicationinsights.microsoft.com",
              + "rt.services.visualstudio.com",
              + "*.livediagnostics.monitor.azure.com",
              + "*.monitoring.azure.com",
              + "agent.azureserviceprofiler.net",
              + "*.agent.azureserviceprofiler.net",
              + "*.monitor.azure.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.core will be created
  + resource "azurerm_firewall_application_rule_collection" "core" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Core-Dependencies-FQDNs"
      + priority            = 200
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-core-apis"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "management.azure.com",
              + "management.core.windows.net",
              + "login.microsoftonline.com",
              + "login.windows.net",
              + "login.live.com",
              + "graph.windows.net",
              + "graph.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-developer-services"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "github.com",
              + "*.github.com",
              + "*.nuget.org",
              + "*.blob.core.windows.net",
              + "*.githubusercontent.com",
              + "dev.azure.com",
              + "*.dev.azure.com",
              + "portal.azure.com",
              + "*.portal.azure.com",
              + "*.portal.azure.net",
              + "appservice.azureedge.net",
              + "*.azurewebsites.net",
              + "edge.management.azure.com",
              + "vstsagentpackage.azureedge.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-certificate-dependencies"
          + source_addresses = [
              + "10.242.0.0/20",
              + "10.240.0.0/20",
            ]
          + target_fqdns     = [
              + "*.delivery.mp.microsoft.com",
              + "ctldl.windowsupdate.com",
              + "download.windowsupdate.com",
              + "mscrl.microsoft.com",
              + "ocsp.msocsp.com",
              + "oneocsp.microsoft.com",
              + "crl.microsoft.com",
              + "www.microsoft.com",
              + "*.digicert.com",
              + "*.symantec.com",
              + "*.symcb.com",
              + "*.d-trust.net",
            ]

          + protocol {
              + port = 80
              + type = "Http"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Devops-VM-Dependencies-FQDNs"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + name             = "allow-entra-idS-join"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "enterpriseregistration.windows.net",
              + "pas.windows.net",
              + "login.microsoftonline.com",
              + "device.login.microsoftonline.com",
              + "autologon.microsoftazuread-sso.com",
              + "manage-beta.microsoft.com",
              + "manage.microsoft.com",
              + "aadcdn.msauth.net",
              + "aadcdn.msftauth.net",
              + "aadcdn.msftauthimages.net",
              + "*.wns.windows.com",
              + "*.sts.microsoft.com",
              + "*.manage-beta.microsoft.com",
              + "*.manage.microsoft.com",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
      + rule {
          + name             = "allow-vm-dependencies-and-tools"
          + source_addresses = [
              + "10.240.10.128/26",
            ]
          + target_fqdns     = [
              + "aka.ms",
              + "go.microsoft.com",
              + "download.microsoft.com",
              + "edge.microsoft.com",
              + "fs.microsoft.com",
              + "wdcp.microsoft.com",
              + "wdcpalt.microsoft.com",
              + "msedge.api.cdp.microsoft.com",
              + "winatp-gw-cane.microsoft.com",
              + "*.google.com",
              + "*.live.com",
              + "*.bing.com",
              + "*.msappproxy.net",
              + "*.delivery.mp.microsoft.com",
              + "*.data.microsoft.com",
              + "*.blob.storage.azure.net",
              + "*.blob.core.windows.net",
              + "*.dl.delivery.mp.microsoft.com",
              + "*.prod.do.dsp.mp.microsoft.com",
              + "*.update.microsoft.com",
              + "*.windowsupdate.com",
              + "*.apps.qualys.com",
              + "*.bootstrapcdn.com",
              + "*.jsdelivr.net",
              + "*.jquery.com",
              + "*.msecnd.net",
            ]

          + protocol {
              + port = 443
              + type = "Https"
            }
        }
    }

  # module.hub.module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created
  + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {
      + action              = "Allow"
      + azure_firewall_name = (known after apply)
      + id                  = (known after apply)
      + name                = "Windows-VM-Connectivity-Requirements"
      + priority            = 202
      + resource_group_name = (known after apply)

      + rule {
          + destination_addresses = [
              + "20.118.99.224",
              + "40.83.235.53",
              + "23.102.135.246",
              + "51.4.143.248",
              + "23.97.0.13",
              + "52.126.105.2",
            ]
          + destination_ports     = [
              + "*",
            ]
          + name                  = "allow-kms-activation"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
      + rule {
          + destination_addresses = [
              + "*",
            ]
          + destination_ports     = [
              + "123",
            ]
          + name                  = "allow-ntp"
          + protocols             = [
              + "TCP",
              + "UDP",
            ]
          + source_addresses      = [
              + "10.240.10.128/26",
            ]
        }
    }

  # module.hub.module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created
  + resource "azurerm_log_analytics_workspace" "law" {
      + allow_resource_only_permissions = true
      + daily_quota_gb                  = -1
      + id                              = (known after apply)
      + internet_ingestion_enabled      = true
      + internet_query_enabled          = true
      + local_authentication_disabled   = false
      + location                        = "westus3"
      + name                            = (known after apply)
      + primary_shared_key              = (sensitive value)
      + resource_group_name             = (known after apply)
      + retention_in_days               = (known after apply)
      + secondary_shared_key            = (sensitive value)
      + sku                             = "PerGB2018"
      + workspace_id                    = (known after apply)
    }

  # module.hub.module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created
  + resource "azurerm_monitor_diagnostic_setting" "this" {
      + id                             = (known after apply)
      + log_analytics_destination_type = (known after apply)
      + log_analytics_workspace_id     = (known after apply)
      + name                           = (known after apply)
      + target_resource_id             = (known after apply)

      + enabled_log {
          + category_group = "allLogs"
            # (1 unchanged attribute hidden)
        }

      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }
    }

  # module.hub.module.firewall[0].azurerm_public_ip.firewall_pip will be created
  + resource "azurerm_public_ip" "firewall_pip" {
      + allocation_method       = "Static"
      + ddos_protection_mode    = "VirtualNetworkInherited"
      + fqdn                    = (known after apply)
      + id                      = (known after apply)
      + idle_timeout_in_minutes = 4
      + ip_address              = (known after apply)
      + ip_version              = "IPv4"
      + location                = "westus3"
      + name                    = (known after apply)
      + resource_group_name     = (known after apply)
      + sku                     = "Standard"
      + sku_tier                = "Regional"
      + tags                    = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "firewall"
        }
    }

  # module.hub.module.network.azurecaf_name.caf_name_vnet will be created
  + resource "azurecaf_name" "caf_name_vnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-hub",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.hub.module.network.azurerm_subnet.this["AzureBastionSubnet"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.242.0.64/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "AzureBastionSubnet"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.hub.module.network.azurerm_subnet.this["AzureFirewallSubnet"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.242.0.0/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "AzureFirewallSubnet"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.hub.module.network.azurerm_virtual_network.this will be created
  + resource "azurerm_virtual_network" "this" {
      + address_space       = [
          + "10.242.0.0/20",
        ]
      + dns_servers         = (known after apply)
      + guid                = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + subnet              = (known after apply)
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: HUB] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "network"
        }
    }

  # module.spoke.module.app_configuration[0].azurecaf_name.caf_name_appconf will be created
  + resource "azurecaf_name" "caf_name_appconf" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_configuration"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = (known after apply)
      + use_slug      = true
    }

  # module.spoke.module.app_configuration[0].azurecaf_name.private_endpoint will be created
  + resource "azurecaf_name" "private_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.app_configuration[0].azurerm_app_configuration.this will be created
  + resource "azurerm_app_configuration" "this" {
      + endpoint                   = (known after apply)
      + id                         = (known after apply)
      + local_auth_enabled         = false
      + location                   = "westus3"
      + name                       = (known after apply)
      + primary_read_key           = (known after apply)
      + primary_write_key          = (known after apply)
      + public_network_access      = "Disabled"
      + purge_protection_enabled   = true
      + resource_group_name        = (known after apply)
      + secondary_read_key         = (known after apply)
      + secondary_write_key        = (known after apply)
      + sku                        = "standard"
      + soft_delete_retention_days = 7
      + tags                       = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "app-configuration"
        }
    }

  # module.spoke.module.app_configuration[0].azurerm_private_dns_a_record.this will be created
  + resource "azurerm_private_dns_a_record" "this" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = (known after apply)
      + records             = (known after apply)
      + resource_group_name = (known after apply)
      + ttl                 = 300
      + zone_name           = "privatelink.azconfig.io"
    }

  # module.spoke.module.app_configuration[0].azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = (known after apply)
      + subnet_id                = (known after apply)

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = "app-config-private-endpoint"
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "configurationStores",
            ]
        }
    }

  # module.spoke.module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created
  + resource "azurerm_role_assignment" "data_owners" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "App Configuration Data Owner"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created
  + resource "azurerm_role_assignment" "data_readers" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "App Configuration Data Reader"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.app_service.azurecaf_name.caf_name_appinsights will be created
  + resource "azurecaf_name" "caf_name_appinsights" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_application_insights"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.app_service.azurecaf_name.caf_name_asp will be created
  + resource "azurecaf_name" "caf_name_asp" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_app_service_plan"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.app_service.azurerm_application_insights.this will be created
  + resource "azurerm_application_insights" "this" {
      + app_id                              = (known after apply)
      + application_type                    = "web"
      + connection_string                   = (sensitive value)
      + daily_data_cap_in_gb                = 100
      + disable_ip_masking                  = false
      + force_customer_storage_for_profiler = false
      + id                                  = (known after apply)
      + instrumentation_key                 = (sensitive value)
      + internet_ingestion_enabled          = true
      + internet_query_enabled              = true
      + local_authentication_disabled       = false
      + location                            = "westus3"
      + name                                = (known after apply)
      + resource_group_name                 = (known after apply)
      + retention_in_days                   = 90
      + sampling_percentage                 = 100
      + workspace_id                        = (known after apply)
    }

  # module.spoke.module.app_service.azurerm_service_plan.this will be created
  + resource "azurerm_service_plan" "this" {
      + app_service_environment_id   = (known after apply)
      + id                           = (known after apply)
      + kind                         = (known after apply)
      + location                     = "westus3"
      + maximum_elastic_worker_count = (known after apply)
      + name                         = (known after apply)
      + os_type                      = "Windows"
      + per_site_scaling_enabled     = false
      + reserved                     = (known after apply)
      + resource_group_name          = (known after apply)
      + sku_name                     = "I1v2"
      + tags                         = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "app-service"
        }
      + worker_count                 = 3
      + zone_balancing_enabled       = (known after apply)
    }

  # module.spoke.module.frontdoor.azurecaf_name.caf_name_afd will be created
  + resource "azurecaf_name" "caf_name_afd" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_frontdoor"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created
  + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
      + enabled                    = true
      + frontend_endpoint_ids      = (known after apply)
      + id                         = (known after apply)
      + mode                       = "Prevention"
      + name                       = "wafpolicymicrosoftdefaultruleset21"
      + request_body_check_enabled = true
      + resource_group_name        = (known after apply)
      + sku_name                   = "Premium_AzureFrontDoor"

      + managed_rule {
          + action  = "Block"
          + type    = "Microsoft_DefaultRuleSet"
          + version = "2.1"
        }
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created
  + resource "azurerm_cdn_frontdoor_profile" "frontdoor" {
      + id                       = (known after apply)
      + name                     = (known after apply)
      + resource_group_name      = (known after apply)
      + resource_guid            = (known after apply)
      + response_timeout_seconds = 120
      + sku_name                 = "Premium_AzureFrontDoor"
      + tags                     = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "frontdoor"
        }
    }

  # module.spoke.module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created
  + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" {
      + cdn_frontdoor_profile_id = (known after apply)
      + id                       = (known after apply)
      + name                     = "WAF-Security-Policy"

      + security_policies {
          + firewall {
              + cdn_frontdoor_firewall_policy_id = (known after apply)

              + association {
                  + patterns_to_match = [
                      + "/*",
                    ]

                  + domain {
                      + active                  = (known after apply)
                      + cdn_frontdoor_domain_id = (known after apply)
                    }
                }
            }
        }
    }

  # module.spoke.module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created
  + resource "azurerm_monitor_diagnostic_setting" "this" {
      + id                             = (known after apply)
      + log_analytics_destination_type = "AzureDiagnostics"
      + log_analytics_workspace_id     = (known after apply)
      + name                           = (known after apply)
      + target_resource_id             = (known after apply)

      + enabled_log {
          + category_group = "allLogs"
            # (1 unchanged attribute hidden)
        }

      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }
    }

  # module.spoke.module.key_vault.azurecaf_name.caf_name_akv will be created
  + resource "azurecaf_name" "caf_name_akv" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_key_vault"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = (known after apply)
      + use_slug      = true
    }

  # module.spoke.module.key_vault.azurecaf_name.private_endpoint will be created
  + resource "azurecaf_name" "private_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.key_vault.azurerm_key_vault.this will be created
  + resource "azurerm_key_vault" "this" {
      + access_policy                 = (known after apply)
      + enable_rbac_authorization     = true
      + enabled_for_disk_encryption   = true
      + id                            = (known after apply)
      + location                      = "westus3"
      + name                          = (known after apply)
      + public_network_access_enabled = false
      + purge_protection_enabled      = true
      + resource_group_name           = (known after apply)
      + sku_name                      = "standard"
      + soft_delete_retention_days    = 7
      + tags                          = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "key-vault"
        }
      + tenant_id                     = "449fbe1d-9c99-4509-9014-4fd5cf25b014"
      + vault_uri                     = (known after apply)

      + contact (known after apply)

      + network_acls {
          + bypass         = "AzureServices"
          + default_action = "Deny"
        }
    }

  # module.spoke.module.key_vault.azurerm_private_dns_a_record.this will be created
  + resource "azurerm_private_dns_a_record" "this" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = (known after apply)
      + records             = (known after apply)
      + resource_group_name = (known after apply)
      + ttl                 = 300
      + zone_name           = "privatelink.vaultcore.azure.net"
    }

  # module.spoke.module.key_vault.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = (known after apply)
      + subnet_id                = (known after apply)

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "vault",
            ]
        }
    }

  # module.spoke.module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created
  + resource "azurerm_role_assignment" "secrets_officer" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Key Vault Secrets Officer"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.key_vault.azurerm_role_assignment.secrets_user[0] will be created
  + resource "azurerm_role_assignment" "secrets_user" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = (known after apply)
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Key Vault Secrets User"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.spoke.module.network.azurecaf_name.caf_name_vnet will be created
  + resource "azurecaf_name" "caf_name_vnet" {
      + clean_input   = true
      + id            = (known after apply)
      + name          = "eslztest"
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_virtual_network"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.network.azurerm_subnet.this["devops"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.10.128/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "devops"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["hostingEnvironments"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.5.0/24",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "hostingEnvironments"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)

      + delegation {
          + name = "Microsoft.Web.hostingEnvironments"

          + service_delegation {
              + actions = [
                  + "Microsoft.Network/virtualNetworks/subnets/action",
                ]
              + name    = "Microsoft.Web/hostingEnvironments"
            }
        }
    }

  # module.spoke.module.network.azurerm_subnet.this["ingress"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.0.64/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "ingress"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["privateLink"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.11.0/24",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "privateLink"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)
    }

  # module.spoke.module.network.azurerm_subnet.this["serverFarm"] will be created
  + resource "azurerm_subnet" "this" {
      + address_prefixes                              = [
          + "10.240.0.0/26",
        ]
      + default_outbound_access_enabled               = true
      + id                                            = (known after apply)
      + name                                          = "serverFarm"
      + private_endpoint_network_policies             = "Disabled"
      + private_link_service_network_policies_enabled = true
      + resource_group_name                           = (known after apply)
      + virtual_network_name                          = (known after apply)

      + delegation {
          + name = "Microsoft.Web/serverFarms"

          + service_delegation {
              + actions = [
                  + "Microsoft.Network/virtualNetworks/subnets/action",
                ]
              + name    = "Microsoft.Web/serverFarms"
            }
        }
    }

  # module.spoke.module.network.azurerm_virtual_network.this will be created
  + resource "azurerm_virtual_network" "this" {
      + address_space       = [
          + "10.240.0.0/20",
        ]
      + dns_servers         = (known after apply)
      + guid                = (known after apply)
      + id                  = (known after apply)
      + location            = "westus3"
      + name                = (known after apply)
      + resource_group_name = (known after apply)
      + subnet              = (known after apply)
      + tags                = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "network"
        }
    }

  # module.spoke.module.network.azurerm_virtual_network_peering.target_to_this[0] will be created
  + resource "azurerm_virtual_network_peering" "target_to_this" {
      + allow_forwarded_traffic                = false
      + allow_gateway_transit                  = false
      + allow_virtual_network_access           = true
      + id                                     = (known after apply)
      + name                                   = "hub-to-spoke-eslztest"
      + peer_complete_virtual_networks_enabled = true
      + remote_virtual_network_id              = (known after apply)
      + resource_group_name                    = (known after apply)
      + use_remote_gateways                    = false
      + virtual_network_name                   = (known after apply)
    }

  # module.spoke.module.network.azurerm_virtual_network_peering.this_to_target[0] will be created
  + resource "azurerm_virtual_network_peering" "this_to_target" {
      + allow_forwarded_traffic                = false
      + allow_gateway_transit                  = false
      + allow_virtual_network_access           = true
      + id                                     = (known after apply)
      + name                                   = "spoke-to-hub-eslztest"
      + peer_complete_virtual_networks_enabled = true
      + remote_virtual_network_id              = (known after apply)
      + resource_group_name                    = (known after apply)
      + use_remote_gateways                    = false
      + virtual_network_name                   = (known after apply)
    }

  # module.spoke.module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
        name          = null
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "dev",
        ]
      + use_slug      = true
    }

  # module.spoke.module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
        name          = null
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.spoke.module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = (known after apply)
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = (known after apply)
            }
        }
    }

  # module.spoke.module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + sku {
          + capacity = 1
          + name     = "Standard"
        }
    }

  # module.spoke.module.private_dns_zones[0].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.azurewebsites.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.azurewebsites.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[1].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.vaultcore.azure.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.vaultcore.azure.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[2].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.database.windows.net"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }

      + soa_record (known after apply)
    }

  # module.spoke.module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = (known after apply)
      + private_dns_zone_name = "privatelink.database.windows.net"
      + registration_enabled  = false
      + resource_group_name   = (known after apply)
      + virtual_network_id    = (known after apply)
    }

  # module.spoke.module.private_dns_zones[3].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.azconfig.io"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = (known after apply)
      + tags                                                  = {
          + "Environment" = "dev"
          + "Owner"       = "cloudops@contoso.com"
          +  ...
Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

@ibersanoMS ibersanoMS merged commit 5153a9a into main Nov 20, 2024
4 checks passed