Ezdeploy (#99)

User interface

.github/workflows/apply-and-destroy-terraform.yml

@@ -27,17 +27,17 @@ jobs:
 
  - name: get vars
  run : |
- cd build
+ cd src/build
  ./get_vars.sh
 
  - name: login
  run : |
- cd build
+ cd src/build
  ./login_azcli.sh vars/mlz_tf_cfg.var
 
  - name: apply terraform
  run : |
- cd build
+ cd src/build
  ./apply_tf.sh \
  vars/mlz_tf_cfg.var \
  vars/globals.tfvars \
@@ -49,7 +49,7 @@ jobs:
 
  - name: destroy terraform
  run : |
- cd build
+ cd src/build
  ./destroy_tf.sh \
  vars/mlz_tf_cfg.var \
  vars/globals.tfvars \

.github/workflows/validate-terraform.yml

@@ -21,4 +21,4 @@ jobs:
  - shell: bash
  name: validate and lint terraform
  run: |
- build/validate_tf.sh
+ src/build/validate_tf.sh

.gitignore

@@ -7,9 +7,15 @@
 *.tfstate.backup
 terraform-provider-azurerm_v*
 terraform-provider-random_v*
+*.terraform.lock.hcl
 
 # Setup config variables file
 mlz_tf_cfg.var
+saca-hub.tfvars.json
+tier-0.tfvars.json
+tier-1.tfvars.json
+tier-2.tfvars.json
+globals.tfvars.json
 
 # Bash artifacts
 *.vars
@@ -37,4 +43,7 @@ artifacts/
 
 # Python Tools for Visual Studio (PTVS)
 __pycache__/
-*.pyc
+*.pyc
+**/.idea/
+**/config_output/
+**/exec_output

NOTICE

@@ -0,0 +1,61 @@
+NOTICES
+
+This repository incorporates material as listed below or described in the code.
+
+Component: Bootstrap
+Bootstrap Reboot v4.5.3 (https://getbootstrap.com/)
+Copyright 2011-2020 The Bootstrap Authors
+Copyright 2011-2020 Twitter, Inc.
+Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
+Forked from Normalize.css, licensed MIT (https://github.com/necolas/normalize.css/blob/master/LICENSE.md)
+
+The MIT License (MIT)
+
+Copyright (c) 2011-2021 Twitter, Inc.
+Copyright (c) 2011-2021 The Bootstrap Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+
+Component: jQuery v3.5.1 (c) JS Foundation and other contributors
+https://jquery.org/license 
+Note: The license text for jquery redirects to https://tldrlegal.com/license/mit-license#fulltext
+which is reproduced below, including placeholders for year and copyright holders.
+
+The MIT License (MIT)
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
+copies of the Software, and to permit persons to whom the Software is 
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 
+IN THE SOFTWARE.

README.md

@@ -1,138 +1,76 @@
 # Mission LZ
 
-Terraform resources to deploy Tier 0, 1, and 2, and the components of a [SACA hub](https://docs.microsoft.com/en-us/azure/azure-government/compliance/secure-azure-computing-architecture).
+Mission Landing Zone is a highly opinionated template which IT oversight organizations can use to create a cloud management system to deploy Azure environments for their teams. It addresses a narrowly scoped, specific need for an SCCA compliant hub and spoke infrastructure.
 
-## Getting Started
+Mission LZ is:
 
-1. Log in using the Azure CLI
+- Designed for US Gov mission customers​
+- Implements [SCCA](https://docs.microsoft.com/en-us/azure/azure-government/compliance/secure-azure-computing-architecture) requirements following Microsoft's [SACA](https://aka.ms/saca) implementation guidance
+- Deployable in commercial, government, and air-gapped Azure clouds
+- A narrow scope for a specific common need​
+- A simple solution with low configuration​
+- Written in Terraform and Linux shell scripts
 
- ```BASH
- az login
- ```
+Mission Landing Zone is the right solution when:
 
-1. [Configure the Terraform Backend](#Configure-the-Terraform-Backend)
-1. [Set Terraform Configuration Variables](#Set-Terraform-Configuration-Variables)
-1. [Deploy Terraform Configuration](#Deploy-Terraform-Configuration)
+- A simple, secure, and scalable hub and spoke infrastructure is needed
+- Various teams need separate, secure cloud environments administered by a central IT team
+- There is a need to implement SCCA
+- Hosting any workload requiring a secure environment, for example: data warehousing, AI/ML, and containerized applications 
 
-### Configure the Terraform Backend
+Design goals include:
 
-The MLZ deployment architecture uses a single Service Principal whose credentials are stored in a central "config" Key Vault. Terraform state storage is distributed into a separate storage account for each tier. When deploying the MLZ architecture, all tiers can be deployed into a single subscription or each tier can be deployed into its own subscription.
+- A simple, minimal set of code that is easy to configure
+- Good defaults that allow experimentation and testing in a single subscription
+- Deployment via command line or with a user interface
+- Uses Azure PaaS products
 
-1. Create the `mlz_tf_cfg.var` file using the `mlz_tf_cfg.var.sample` as a template.
+Our intent is to enable IT Admins to use this software to:
 
- The information in the `mlz_tf_cfg.var` file, will be used by `mlz_tf_setup.sh` to create and populate a `config.vars` file for each tier and saved inside the deployment folder for each tier (example: \src\core\tier-0\config.vars).
+- Test and evaluate the landing zone using a single Azure subscription
+- Develop a known good configuration that can be used for production with multiple Azure subscriptions
+- Optionally, customize the Terraform deployment configuration to suit specific needs
+- Deploy multiple customer workloads in production
 
- For example:
+## Scope
 
- ```plaintext
- mlz_env_name="{MLZ_ENV_NAME}"
- mlz_config_location="{MLZ_CONFIG_LOCATION}"
- ```
+Mission LZ has the following scope:
 
- Would become:
+- Hub and spoke networking intended to comply with SCCA controls
+- Remote access
+- Shared services, i.e., services available to all workloads via the networking hub
+- Ability to create multiple workloads or team subscriptions
+- Compatibility with SCCA compliance (and other compliance frameworks)
+- Security using standard Azure tools with sensible defaults
 
- ```plaintext
- mlz_env_name="dev"
- mlz_config_location="eastus"
- ```
+<!-- markdownlint-disable MD033 -->
+<!-- allow html for images so that they can be sized -->
+<img src="src/docs/images/scope.png" alt="Mission LZ Scope" width="600" />
+<!-- markdownlint-enable MD033 -->
 
-1. Run `mlz_tf_setup.sh` at [src/scripts/mlz_tf_setup.sh](src/scripts/mlz_tf_setup.sh) to create:
+## Networking
 
- - A config Resource Group to store the Key Vault
- - Resource Groups for each tier to store the Terraform state Storage Account
- - A Service Principal to execute terraform commands
- - An Azure Key Vault to store the Service Principal's client ID and client secret
- - A Storage Account and Container for each tier to store tier Terraform state files
- - Tier specific Terraform backend config files
+Networking is set up in a hub and spoke design, separated by tiers: T0, T1, T2, and multiple T3s. Security can be configured to allow separation of duties between all tiers. Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required.
 
- ```bash
- # usage mlz_tf_setup.sh: <mlz_tf_cfg.var path>
+<!-- markdownlint-disable MD033 -->
+<img src="src/docs/images/networking.png" alt="Mission LZ Networking" width="600" />
+<!-- markdownlint-enable MD033 -->
 
- chmod u+x src/scripts/mlz_tf_setup.sh
+## Getting Started using Mission LZ
 
- src/scripts/mlz_tf_setup.sh src/core/mlz_tf_cfg.var
- ```
+See our [Getting Started Guide](src/docs/getting-started.md) in the docs.
 
-### Set Terraform Configuration Variables
+## Product Roadmap
 
-First, clone the *.tfvars.sample file for the global Terraform configuration (e.g. [src/core/globals.tfvars.sample](src/core/globals.tfvars.sample)) and substitute placeholders marked by curly braces "{" and "}" with the values of your choosing.
-
-Then, repeat this process, cloning the *.tfvars.sample file for the Terraform configuration(s) you are deploying and substitute placeholders marked by curly braces "{" and "}" with the values of your choosing.
-
-For example:
-
-```plaintext
-location="{MLZ_LOCATION}" # the templated value in src/core/globals.tfvars.sample
-```
-
-Would become:
-
-```plaintext
-location="eastus" # the value used by Terraform in src/core/globals.tfvars
-```
-
-### Deploy Terraform Configuration
-
-You can use `apply_terraform.sh` at [src/scripts/apply_terraform.sh](src/scripts/apply_terraform.sh) to both initialize Terraform and apply a Terraform configuration based on the backend environment variables and Terraform variables you've setup in previous steps.
-
-The script `destroy_terraform.sh` at [src/scripts/destroy_terraform.sh](src/scripts/destroy_terraform.sh) is helpful during testing. This script is exactly like the
-`apply_terraform.sh` except it destroys resources defined in the target state file
-
-`apply_terraform.sh` and `destroy_terraform.sh` take two arguments:
-
- 1. The Global variables file
- 1. The directory that contains the main.tf and *.tfvars variables file of the configuration to apply
-
-For example, from the root of this repository, you could apply Tier 0 with a command like:
-
-```bash
-src/scripts/apply_terraform.sh \
- src/core/globals.tfvars \
- src/core/tier-0
-```
-
-To apply Tier 1, you could then change the target directory:
-
-```bash
-src/scripts/apply_terraform.sh \
- src/core/globals.tfvars \
- src/core/tier-1
-```
-
-Repeating this same pattern, for whatever configuration you wanted to apply and reuse in some automated pipeline.
-
-Use `init_terraform.sh` at [src/scripts/init_terraform.sh](src/scripts/init_terraform.sh) to perform just an initialization of the Terraform environment
-
-To initialize Terraform for Tier 1, you could then change the target directory:
-
-```bash
-src/scripts/init_terraform.sh \
- src/core/tier-1
-```
-
-### Terraform Providers
-
-The development container definition downloads the required Terraform plugin providers during the container build so that the container can be transported to an air-gapped network for use. The container also sets the `TF_PLUGIN_CACHE_DIR` environment variable, which Terraform uses as the search location for locally installed providers. If you are not using the container to deploy or if the `TF_PLUGIN_CACHE_DIR` environment variable is not set, Terraform will automatically attempt to download the provider from the internet when you execute the `terraform init` command.
-
-See the development container [README](.devcontainer/README.md) for more details on building and running the container.
-
-## Helpful Links
-
-For more endpoint mappings between AzureCloud and AzureUsGovernment: <https://docs.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers/>
+See the [Projects](https://github.com/Azure/missionlz/projects) page for the release timeline and feature areas.
 
 ## Contributing
 
-This project welcomes contributions and suggestions. Most contributions require you to agree to a
-Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
-the rights to use your contribution. For details, visit <https://cla.opensource.microsoft.com/>.
+This project welcomes contributions and suggestions. See our [Contributing Guide](CONTRIBUTING.md) for details.
 
-When you submit a pull request, a CLA bot will automatically determine whether you need to provide
-a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
-provided by the bot. You will only need to do this once across all repos using our CLA.
+## Feedback, Support, and How to Contact Us
 
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
-contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+Please see the [Support and Feedback Guide](SUPPORT.md). To report a security issue please see our [security guidance](./SECURITY.md).
 
 ## Trademarks
 

SUPPORT.md

@@ -1,12 +1,16 @@
-# Support
+# Support and Feedback
 
 ## How to file issues and get help 
 
-This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates.
+We welcome feedback of all types.
 
-For new issues, file your bug or feature request as a new [issue](https://github.com/Azure/missionlz/issues).
+This project uses GitHub issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates.
 
-For help and questions about using this project, please submit a question as a new [issue](https://github.com/Azure/missionlz/issues) using the question template.
+For new issues, file your bug or feature request as a new [issue](https://github.com/Azure/missionlz/issues), [bug](https://github.com/Azure/missionlz/issues), or [feature request](https://github.com/Azure/missionlz/issues).
+
+For help and questions about using this project, please submit a [question](https://github.com/Azure/missionlz/issues).
+
+To report a security issue please see our [security guidance](./SECURITY.md).
 
 ## Microsoft Support Policy