updated module version to 6.1.0 #29

Merged
merged 1 commit into from
Sep 19, 2024
14 changes: 7 additions & 7 deletions .github/dependabot.yml
@@ -1,8 +1,8 @@
---
version: 2
# ---
# version: 2

updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: daily
# updates:
# - package-ecosystem: "github-actions"
# directory: "/"
# schedule:
# interval: daily
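Review bot: commenting out the whole of .github/dependabot.yml (both the `version: 2` header and the `updates:` entry for `github-actions`) silently switches off automated update PRs for the actions this repository runs, which is a supply-chain regression rather than part of a version bump. If the intent is to stop Dependabot, delete the file and say so in the PR description; if not, restore the block, because a file that is only comments leaves no `version` key for Dependabot to parse.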
62 changes: 31 additions & 31 deletions .github/workflows/update-policy.yml
@@ -97,35 +97,35 @@ jobs:
echo "changes=${#CHECK_GIT_STATUS[@]}" >> "$GITHUB_OUTPUT"
working-directory: ${{ github.repository }}

- name: Add files, commit and push
if: steps.git_status.outputs.changes > 0
run: |
echo "Pushing changes to origin..."
git add modules/archetypes/lib
git commit -m '${{ env.pr_title }}'
git push origin ${{ env.branch_name }}
working-directory: ${{ github.repository }}
# - name: Add files, commit and push
# if: steps.git_status.outputs.changes > 0
# run: |
# echo "Pushing changes to origin..."
# git add modules/archetypes/lib
# git commit -m '${{ env.pr_title }}'
# git push origin ${{ env.branch_name }}
# working-directory: ${{ github.repository }}

- name: Create pull request
if: steps.git_status.outputs.changes > 0
run: |
HEAD_LABEL="${{ github.repository_owner }}:${{ env.branch_name }}"
BASE_LABEL="${{ github.repository_owner }}:$(echo '${{ github.ref }}' | sed 's:refs/heads/::')"
PULL_REQUEST_URL="repos/${{ github.repository }}/pulls"
JQ_FILTER=".[] | select(.head.label == \"$HEAD_LABEL\") | select(.base.label == \"$BASE_LABEL\") | .url"
CHECK_PULL_REQUEST_URL=$(gh api $PULL_REQUEST_URL | jq -r "$JQ_FILTER")
if [ -z "$CHECK_PULL_REQUEST_URL" ]
then
CHECK_PULL_REQUEST_URL=$(gh pr create \
--title "${{ env.pr_title }}" \
--body "${{ env.pr_body }}" \
--base "${{ github.ref }}" \
--head "${{ env.branch_name }}" \
--draft)
echo "Created new PR: $CHECK_PULL_REQUEST_URL"
else
echo "Existing PR found: $CHECK_PULL_REQUEST_URL"
fi
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
# - name: Create pull request
# if: steps.git_status.outputs.changes > 0
# run: |
# HEAD_LABEL="${{ github.repository_owner }}:${{ env.branch_name }}"
# BASE_LABEL="${{ github.repository_owner }}:$(echo '${{ github.ref }}' | sed 's:refs/heads/::')"
# PULL_REQUEST_URL="repos/${{ github.repository }}/pulls"
# JQ_FILTER=".[] | select(.head.label == \"$HEAD_LABEL\") | select(.base.label == \"$BASE_LABEL\") | .url"
# CHECK_PULL_REQUEST_URL=$(gh api $PULL_REQUEST_URL | jq -r "$JQ_FILTER")
# if [ -z "$CHECK_PULL_REQUEST_URL" ]
# then
# CHECK_PULL_REQUEST_URL=$(gh pr create \
# --title "${{ env.pr_title }}" \
# --body "${{ env.pr_body }}" \
# --base "${{ github.ref }}" \
# --head "${{ env.branch_name }}" \
# --draft)
# echo "Created new PR: $CHECK_PULL_REQUEST_URL"
# else
# echo "Existing PR found: $CHECK_PULL_REQUEST_URL"
# fi
# working-directory: ${{ github.repository }}
# env:
# GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
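Review bot: with the `Add files, commit and push` and `Create pull request` steps turned into comments, what still runs in this job (the `git_status` step writing `changes=` to `$GITHUB_OUTPUT`) computes a diff that is never committed or published, so the workflow becomes a no-op without saying why. Either delete the dead steps together with the now-unused `generate-token` output, or gate them behind a condition and leave a one-line comment explaining why automated policy updates are paused.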
15 changes: 10 additions & 5 deletions README.md
@@ -654,11 +654,14 @@ object({
log_analytics = optional(object({
enabled = optional(bool, true)
config = optional(object({
retention_in_days = optional(number, 30)
enable_monitoring_for_vm = optional(bool, true)
enable_monitoring_for_vmss = optional(bool, true)
enable_sentinel = optional(bool, true)
enable_change_tracking = optional(bool, true)
retention_in_days = optional(number, 30)
enable_monitoring_for_vm = optional(bool, true)
enable_monitoring_for_vmss = optional(bool, true)
enable_sentinel = optional(bool, true)
enable_change_tracking = optional(bool, true)
enable_solution_for_vm_insights = optional(bool, true)
enable_solution_for_container_insights = optional(bool, true)
sentinel_customer_managed_key_enabled = optional(bool, false) # not used at this time
}), {})
}), {})
security_center = optional(object({
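Review bot: `sentinel_customer_managed_key_enabled = optional(bool, false) # not used at this time` documents a security-relevant input the module does not act on; a reader who sets it to `true` will assume Sentinel data is encrypted with their own key when nothing changes. Drop the key from the documented schema until it is wired up, or state in the variable description that it is accepted but currently ignored.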
@@ -1103,6 +1106,8 @@ The following resources are used by this module:
- [azurerm_resource_group.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
- [azurerm_resource_group.management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
- [azurerm_resource_group.virtual_wan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
- [azurerm_role_assignment.ama_managed_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.ama_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.enterprise_scale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_role_assignment.private_dns_zone_contributor_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
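Review bot: the two new entries `azurerm_role_assignment.ama_managed_identity_operator` and `azurerm_role_assignment.ama_reader` are listed without saying which principal receives Managed Identity Operator and Reader, or at what scope. New role assignments widen what an identity can do, so add a sentence (or a link to the AMA section of the README) stating principal and scope so reviewers can check least privilege.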
@@ -162,23 +162,21 @@ This helps to keep the module block clean, whilst providing clear separation bet
locals {
configure_management_resources = {
settings = {
ama = {
enable_uami = true
enable_vminsights_dcr = true
enable_change_tracking_dcr = true
enable_mdfc_defender_for_sql_dcr = false
enable_mdfc_defender_for_sql_query_collection_for_security_research = false
}
log_analytics = {
enabled = true
config = {
retention_in_days = var.log_retention_in_days
enable_monitoring_for_vm = true
enable_monitoring_for_vmss = true
enable_solution_for_agent_health_assessment = true
enable_solution_for_anti_malware = true
enable_solution_for_change_tracking = true
enable_solution_for_service_map = false
enable_solution_for_sql_assessment = false
enable_solution_for_sql_vulnerability_assessment = false
enable_solution_for_sql_advanced_threat_detection = false
enable_solution_for_updates = true
enable_solution_for_vm_insights = true
enable_solution_for_container_insights = true
enable_sentinel = true
retention_in_days = var.log_retention_in_days
enable_monitoring_for_vm = true
enable_monitoring_for_vmss = true
enable_sentinel = true
enable_change_tracking = true
}
}
security_center = {
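Review bot: this example drops `enable_solution_for_vm_insights` and `enable_solution_for_container_insights` from `log_analytics.config`, while the README hunk in the same PR adds exactly those two keys to the documented `log_analytics.config` schema. The example and the schema should agree: either keep the keys here with their intended values, or remove them from the README.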
@@ -1,7 +1,7 @@
<!-- markdownlint-disable first-line-h1 -->
## Overview

This page describes how to deploy Azure landing zones with connectivity resources based on the [Traditional Azure networking topology (hub and spoke)][wiki_connectivity_resources_hub_and_spoke] created in the current Subscription context, using custom configuration settings.
This page describes how to deploy a multi-region Azure landing zone with connectivity resources based on the [Traditional Azure networking topology (hub and spoke)][wiki_connectivity_resources_hub_and_spoke] created in the current Subscription context, using custom configuration settings.

> **NOTE:**
> If you need to deploy a network based on Virtual WAN, please see our [Deploy Connectivity Resources With Custom Settings (Virtual WAN)][wiki_deploy_virtual_wan_resources_custom] example.
@@ -1,7 +1,7 @@
<!-- markdownlint-disable first-line-h1 -->
## Overview

This page describes how to deploy Azure landing zones with connectivity resources based on the [Virtual WAN network topology (Microsoft-managed)][wiki_connectivity_resources_virtual_wan] created in the current Subscription context, using custom configuration settings.
This page describes how to deploy a multi-region Azure landing zone with connectivity resources based on the [Virtual WAN network topology (Microsoft-managed)][wiki_connectivity_resources_virtual_wan] created in the current Subscription context, using custom configuration settings.

> **NOTE:**
> If you need to deploy a network based on traditional virtual networks, please see our [Deploy Connectivity Resources With Custom Settings (Hub and Spoke)][wiki_deploy_connectivity_resources_custom] example.
2 changes: 1 addition & 1 deletion docs/wiki/[User-Guide]-Upgrade-from-v5.2.1-to-v6.0.0.md
@@ -23,7 +23,7 @@ See: <https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies>

## Azure Monitor Agent

The Microsoft Monitoring Agent is deprecated and all assignments have been removed, howwver the policy definitions remain.
The Microsoft Monitoring Agent is deprecated and all assignments have been removed, however the policy definitions remain.
We now assign polices that deploy the Azure Monitor Agent (AMA) instead of the Microsoft Monitoring Agent (MMA).
We deploy AMA resources using the new `configure_management_resources` variable.
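Review bot: while fixing `howwver` on this line, the unchanged context line just below still reads `We now assign polices that deploy the Azure Monitor Agent`; `polices` should be `policies`.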

8 changes: 4 additions & 4 deletions docs/wiki/_Sidebar.md
@@ -32,8 +32,8 @@
- [Create and assign custom RBAC roles][wiki_create_and_assign_custom_rbac_roles]
- [Set parameter values for Policy Assignments][wiki_set_parameter_values_for_policy_assignments]
- [Level 300][wiki_examples_level_300]
- [Deploy connectivity resources with custom settings (Hub and Spoke)][wiki_deploy_connectivity_resources_custom]
- [Deploy connectivity resources with custom settings (Virtual WAN)][wiki_deploy_virtual_wan_resources_custom]
- [Deploy multi region networking with custom settings (Hub and Spoke)][wiki_deploy_connectivity_resources_custom]
- [Deploy multi region networking with custom settings (Virtual WAN)][wiki_deploy_virtual_wan_resources_custom]
- [Deploy with Zero Trust network principles (Hub and Spoke)][wiki_deploy_ZT_network]
- [Deploy identity resources with custom settings][wiki_deploy_identity_resources_custom]
- [Deploy management resources with custom settings][wiki_deploy_management_resources_custom]
@@ -84,9 +84,9 @@
[wiki_deploy_management_resources]: %5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy management resources"
[wiki_deploy_management_resources_custom]: %5BExamples%5D-Deploy-Management-Resources-With-Custom-Settings "Wiki - Deploy management resources with custom settings"
[wiki_deploy_connectivity_resources]: %5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy connectivity resources (Hub and Spoke)"
[wiki_deploy_connectivity_resources_custom]: %5BExamples%5D-Deploy-Connectivity-Resources-With-Custom-Settings "Wiki - Deploy connectivity resources with custom settings (Hub and Spoke)"
[wiki_deploy_connectivity_resources_custom]: %5BExamples%5D-Deploy-Multi-Region-Networking-With-Custom-Settings "Wiki - Deploy multi region networking with custom settings (Hub and Spoke)"
[wiki_deploy_virtual_wan_resources]: %5BExamples%5D-Deploy-Virtual-WAN-Resources "Wiki - Deploy connectivity resources (Virtual WAN)"
[wiki_deploy_virtual_wan_resources_custom]: %5BExamples%5D-Deploy-Virtual-WAN-Resources-With-Custom-Settings "Wiki - Deploy connectivity resources with custom settings (Virtual WAN)"
[wiki_deploy_virtual_wan_resources_custom]: %5BExamples%5D-Deploy-Virtual-WAN-Multi-Region-With-Custom-Settings "Wiki - Deploy multi region networking with custom settings (Virtual WAN)"
[wiki_deploy_identity_resources]: %5BExamples%5D-Deploy-Identity-Resources "Wiki - Deploy identity resources"
[wiki_deploy_identity_resources_custom]: %5BExamples%5D-Deploy-Identity-Resources-With-Custom-Settings "Wiki - Deploy identity resources with custom settings"
[wiki_deploy_using_module_nesting]: %5BExamples%5D-Deploy-Using-Module-Nesting "Wiki - Deploy using module nesting"
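Review bot: the two new targets follow different naming patterns, `%5BExamples%5D-Deploy-Multi-Region-Networking-With-Custom-Settings` versus `%5BExamples%5D-Deploy-Virtual-WAN-Multi-Region-With-Custom-Settings`, while the reference labels `wiki_deploy_connectivity_resources_custom` and `wiki_deploy_virtual_wan_resources_custom` keep their old names. Confirm both renamed wiki pages exist under exactly these titles (this PR changes their overview text, but the page renames themselves are not visible in the diff), and consider aligning the two titles so the sidebar links stay predictable.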
1 change: 1 addition & 0 deletions examples/complete/main.tf
@@ -15,6 +15,7 @@ data "azurerm_client_config" "core" {}


module "enterprise_scale" {
# source = "clouddrove/landingzone/azure"
source = "../../"
# version = "5.0.3" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
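Review bot: the added `# source = "clouddrove/landingzone/azure"` sits next to a commented `# version = "5.0.3"`, which is a major version behind the 6.1.0 this PR is titled for. If the commented registry source is meant as copy-paste guidance for users, update the version comment to match; otherwise remove both commented lines so the example carries one unambiguous `source`.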

8 changes: 8 additions & 0 deletions locals.management.tf
@@ -66,3 +66,11 @@ locals {
if resource.managed_by_module
}
}

# locals {
# azapi_sentinel_onboarding = {
# for resource in module.management_resources.configuration.azapi_sentinel_onboarding :
# resource.resource_id => resource
# if resource.managed_by_module
# }
# }
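Review bot: the added `azapi_sentinel_onboarding` local is entirely commented out, so this hunk ships dead code referencing `module.management_resources.configuration.azapi_sentinel_onboarding`, an output that nothing else in the diff shows to exist. Either wire it up together with the resource that consumes it, or leave it out and track the Sentinel onboarding work in an issue; commented blocks in `locals.*.tf` drift from the module outputs they reference.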
3 changes: 2 additions & 1 deletion locals.role_assignments.tf
@@ -44,4 +44,5 @@ locals {

locals {
connectivity_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-connectivity")]) > 0
}
platform_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-platform")]) > 0
}
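Review bot: `platform_mg_exists` repeats the `connectivity_mg_exists` pattern `length([for k, v in ... : v if ...]) > 0`, where `k` is unused and a list is built only to be counted. `anytrue([for v in local.es_landing_zones_map : v.id == "${var.root_id}-platform"])` says the same thing directly; if you keep the current form for consistency, at least write `for v in` rather than an unused key.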
17 changes: 9 additions & 8 deletions main.tf
@@ -75,12 +75,13 @@ module "connectivity_resources" {
tags = local.connectivity_resources_tags

# Optional input variables (advanced configuration)
resource_prefix = lookup(local.connectivity_resources_advanced, "resource_prefix", local.empty_string)
resource_suffix = lookup(local.connectivity_resources_advanced, "resource_suffix", local.empty_string)
existing_ddos_protection_plan_resource_id = lookup(local.connectivity_resources_advanced, "existing_ddos_protection_plan_resource_id", local.empty_string)
existing_virtual_wan_resource_id = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_id", local.empty_string)
existing_virtual_wan_resource_group_name = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_group_name", local.empty_string)
resource_group_per_virtual_hub_location = lookup(local.connectivity_resources_advanced, "resource_group_per_virtual_hub_location", false)
custom_azure_backup_geo_codes = lookup(local.connectivity_resources_advanced, "custom_azure_backup_geo_codes", local.empty_map)
custom_settings_by_resource_type = lookup(local.connectivity_resources_advanced, "custom_settings_by_resource_type", local.empty_map)
resource_prefix = lookup(local.connectivity_resources_advanced, "resource_prefix", local.empty_string)
resource_suffix = lookup(local.connectivity_resources_advanced, "resource_suffix", local.empty_string)
existing_ddos_protection_plan_resource_id = lookup(local.connectivity_resources_advanced, "existing_ddos_protection_plan_resource_id", local.empty_string)
existing_virtual_wan_resource_id = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_id", local.empty_string)
existing_virtual_wan_resource_group_name = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_group_name", local.empty_string)
resource_group_per_virtual_hub_location = lookup(local.connectivity_resources_advanced, "resource_group_per_virtual_hub_location", false)
custom_azure_backup_geo_codes = lookup(local.connectivity_resources_advanced, "custom_azure_backup_geo_codes", local.empty_map)
custom_privatelink_azurestaticapps_partitionids = lookup(local.connectivity_resources_advanced, "custom_privatelink_azurestaticapps_partitionids", null)
custom_settings_by_resource_type = lookup(local.connectivity_resources_advanced, "custom_settings_by_resource_type", local.empty_map)
}
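Review bot: `custom_privatelink_azurestaticapps_partitionids` falls back to `null` via `lookup(..., null)`, unlike the neighbouring lookups that fall back to `local.empty_map` or `local.empty_string`. Confirm the child module's variable declares a default or handles `null`, so an unset key does not surface as a plan-time error, and consider using the same empty-value convention as the other arguments.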
@@ -1430,13 +1430,13 @@
"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9",
"parameters": {
"privateDnsZoneIdForGuestConfiguration": {
"privateDnsZoneIDForGuestConfiguration": {
"value": "[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
},
"privateDnsZoneIdForHybridResourceProvider": {
"privateDnsZoneIDForHybridResourceProvider": {
"value": "[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
},
"privateDnsZoneIdForKubernetesConfiguration": {
"privateDnsZoneIDForKubernetesConfiguration": {
"value": "[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
},
"effect": {
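Review bot: the three parameter keys change only in casing (`privateDnsZoneIdFor...` to `privateDnsZoneIDFor...`) for policy definition `55c4db33-97b0-437b-8469-c4f4498f5df9`; confirm the new spelling matches the parameter names that definition declares, since the PR does not say why the rename is needed and a name mismatch between an assignment and its definition breaks the assignment.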
@@ -63,7 +63,7 @@
"effect": {
"value": "[parameters('effect')]"
},
"CheckLockedImmutabiltyOnly": {
"checkLockedImmutabiltyOnly": {
"value": "[parameters('checkLockedImmutabilityOnly')]"
}
},
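Review bot: the key is changed to `checkLockedImmutabiltyOnly` (lowercase `c`) but still carries the `Immutabilty` misspelling, while the value it binds references `parameters('checkLockedImmutabilityOnly')` with the correct spelling. Verify that the referenced policy definition really declares the parameter with the typo; if not, fix both the case and the spelling in the same change.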
@@ -8,7 +8,7 @@
"displayName": "Enforce recommended guardrails for Azure Key Vault",
"description": "Enforce recommended guardrails for Azure Key Vault.",
"metadata": {
"version": "2.0.0",
"version": "2.1.0",
"category": "Key Vault",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@@ -236,8 +236,11 @@
"type": "string",
"defaultValue": "Disabled",
"allowedValues": [
"audit",
"Audit",
"deny",
"Deny",
"disabled",
"Disabled"
]
},
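Review bot: adding `audit`, `deny` and `disabled` beside the existing `Audit`, `Deny` and `Disabled` widens `allowedValues` with lowercase duplicates; this only helps if the effect comparison downstream is case-insensitive, otherwise an assignment passing `deny` would pass parameter validation here and fail at evaluation. State in the PR why the lowercase variants were added (for example, to track the upstream definition whose `version` is bumped to 2.1.0 in the hunk above), or keep the canonical capitalised values only.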