Coalfire-created reference architecture for FedRAMP Azure builds. This repository is used as a parent directory to deploy Coalfire-CF/terraform-azurerm-<service> modules.

Learn more at Coalfire OpenSource.

Get our SSP Templates and Reference Architecture Design Document Template.
- Azure Commercial or Government Subscription
- Azure Tenant Provisioning
- az cli is installed
- User with, at minimum, `contributor` subscription access
- Terraform is installed and in PATH
Directory | Purpose |
---|---|
shellscripts/ | Deployment and VM Extension scripts |
terraform/prod/us-tx/ | Disaster Recovery region terraform files |
terraform/prod/us-va/ | Primary region terraform files |
terraform/prod/global-vars.tf | Global variables |
terraform/prod/us-va/app/ | Application plane terraform files |
terraform/prod/us-va/mgmt/ | Management plane terraform files |
terraform/prod/us-va/region-setup/ | Management plane region-setup terraform files |
terraform/prod/us-va/mgmt/security-core | Management plane security-core terraform files |
terraform/prod/us-va/regional-vars.tf | Regional variables |
terraform/prod/us-va/remote-data.tf | Remote Data from state files. Uncomment as more infrastructure is deployed |
- Update `terraform/prod/global-vars.tf` variables
- Update `terraform/prod/us-va/regional-vars.tf` variables, if applicable
- Log in to the Azure CLI with `az login`. You may have to change the cloud if you receive an error: `az cloud set --name AzureUSGovernment`
- Navigate to `terraform/prod/us-va/security-core` and run `terraform init` and `terraform plan`. If everything looks good, run `terraform apply`.
- Navigate to `terraform/prod/us-va/region-setup` and run `terraform init` and `terraform plan`. If everything looks good, run `terraform apply`.
- Deploy `mgmt` and `app` resources in a similar fashion. Order of deployment is below.
- Azure Tenant Provisioning
- Security Core (`terraform/prod/us-va/security-core`)
- Region Setup (`terraform/prod/us-va/region-setup`)
- Management VNet (`terraform/prod/us-va/mgmt/mgmt-network`)
- Application VNet (`terraform/prod/us-va/app/app-network`)
- Management/Application VNet Peering (`terraform/prod/us-va/mgmt/vnet-peering`)
- Key Vaults (`terraform/prod/us-va/mgmt/key-vault`)
- Azure Automation (`terraform/prod/us-va/mgmt/azure-automation`)
- Bastion (`terraform/prod/us-va/mgmt/bastion`)
- Backup (`terraform/prod/us-va/mgmt/backup`)
- Sentinel (`terraform/prod/us-va/mgmt/sentinel`)
- Other tooling/Application Plane

Each module, e.g. `region-setup`, has a README file that provides deployment steps, dependencies, and other notes on each component in the environment.
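The ordered deployment above, as an added example script rather than code from the Coalfire repository: it walks the us-va Terraform stages in the documented order, refuses to start unless the az CLI targets the expected cloud, and stops at the first failed stage. It assumes the directory layout listed in this README and that `az` and `terraform` are on PATH; `DRY_RUN=1` only echoes what would run.

```shell
# Added example, not part of the Coalfire repository: drives the README's
# us-va deployment order. Assumes that directory layout and that `az` and
# `terraform` are on PATH; DRY_RUN=1 only echoes what would run.
set -eu

# Terraform root directories in the order the README requires (tenant
# provisioning is a manual prerequisite, not a Terraform stage).
deploy_order() {
  cat <<'EOF'
terraform/prod/us-va/security-core
terraform/prod/us-va/region-setup
terraform/prod/us-va/mgmt/mgmt-network
terraform/prod/us-va/app/app-network
terraform/prod/us-va/mgmt/vnet-peering
terraform/prod/us-va/mgmt/key-vault
terraform/prod/us-va/mgmt/azure-automation
terraform/prod/us-va/mgmt/bastion
terraform/prod/us-va/mgmt/backup
terraform/prod/us-va/mgmt/sentinel
EOF
}
# Succeeds only if the az CLI targets the expected cloud, so a Government
# build is never planned against commercial endpoints. $1 = expected cloud,
# $2 = actual (defaults to what `az cloud show` reports).
check_cloud() {
  actual="${2:-$(az cloud show --query name -o tsv)}"
  [ "$actual" = "$1" ]
}
# init, plan to a file, then apply exactly that plan in one stage directory.
# Returns 2 when the directory is missing so the sequence stops early.
run_stage() {
  dir="$1"
  [ -d "$dir" ] || { echo "missing stage directory: $dir" >&2; return 2; }
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "would run: terraform -chdir=$dir init/plan/apply"
    return 0
  fi
  terraform -chdir="$dir" init -input=false
  terraform -chdir="$dir" plan -input=false -out=tfplan
  terraform -chdir="$dir" apply -input=false tfplan
}
# Walk the stages in order; stop at the first failure so nothing is applied
# on top of a half-built dependency. $1 = expected cloud (Government default).
deploy_all() {
  check_cloud "${1:-AzureUSGovernment}" || return 1
  for dir in $(deploy_order); do
    run_stage "$dir" || return $?
  done
}
```

Run `deploy_all` from the repository root after `az login`; pass `AzureCloud` as the first argument for a commercial subscription.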
- Add their PIP or use the VPN IP CIDR to access and deploy resources; otherwise the user cannot access the Key Vaults, the storage account with the state files, or the bastion hosts.
- Re-run `terraform apply` on the bastion folder to add the new PIP to the bastion NSG.
- Re-run `terraform apply` on the key-vault, security-core, and region-setup folders to add the new admin's GUID to the Admin roles.
For Azure Government cloud:

```shell
az cloud set --name AzureUSGovernment
```

By default, AZCLI is configured for commercial cloud. If you need to switch back from another selection:

```shell
az cloud set --name AzureCloud
```

Log into the Azure Tenant with your Azure Active Directory (AAD) credentials.

```shell
az login
```

Follow the instructions in the terminal to log in via web portal with your credentials. Upon a successful login you should see output similar to this.

```json
[
  {
    "cloudName": "AzureCloud",
    "id": "REDACTED",
    "isDefault": true,
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "REDACTED",
    "user": {
      "name": "engineer1@example.com",
      "type": "user"
    }
  }
]
```

Set a specific subscription:

```shell
az account set --subscription {GUID}
```
No requirements.
No providers.
No modules.
No resources.
No inputs.
No outputs.
If you're interested in contributing to our projects, please review the Contributing Guidelines and send an email to our team to receive a copy of our CLA and start the onboarding process.
Copyright © 2023 Coalfire Systems Inc.