From b5a0cc141a62eaaccc370f123ce6b7ca30f7b452 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Thu, 2 Nov 2023 18:14:37 +0000 Subject: [PATCH 01/12] First iteration of modular starter --- templates/complete_modular/config.yaml | 90 +++++++++++++++++++++++++ templates/complete_modular/data.tf | 1 + templates/complete_modular/locals.tf | 47 +++++++++++++ templates/complete_modular/main.tf | 68 +++++++++++++++++++ templates/complete_modular/variables.tf | 24 +++++++ templates/complete_modular/versions.tf | 23 +++++++ 6 files changed, 253 insertions(+) create mode 100644 templates/complete_modular/config.yaml create mode 100644 templates/complete_modular/data.tf create mode 100644 templates/complete_modular/locals.tf create mode 100644 templates/complete_modular/main.tf create mode 100644 templates/complete_modular/variables.tf create mode 100644 templates/complete_modular/versions.tf diff --git a/templates/complete_modular/config.yaml b/templates/complete_modular/config.yaml new file mode 100644 index 00000000..5ff8af5b --- /dev/null +++ b/templates/complete_modular/config.yaml 
@@ -0,0 +1,90 @@
+management:
+ automation_account_name: aa-${default_postfix}
+ location: uksouth
+ log_analytics_workspace_name: law-${default_postfix}
+ resource_group_name: rg-management-${default_postfix}
+
+management_groups:
+ root:
+ - id: root-${default_postfix}
+ - display_name: root
+ - parent_id: ${tenant_id}
+ - base_archtype: root
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ landing_zones:
+ - id: landing-zones-${default_postfix}
+ - display_name: landing-zones
+ - parent_id: root-${default_postfix}
+ - base_archtype: landing_zones
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ platform:
+ - id: platform-${default_postfix}
+ - display_name: platform
+ - parent_id: root-${default_postfix}
+ - base_archtype: platform
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ identity:
+ - id: identity-${default_postfix}
+ - display_name: identity
+ - parent_id: platform-${default_postfix}
+ - base_archtype: identity
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ connectivity:
+ - id: connectivity-${default_postfix}
+ - display_name: connectivity
+ - parent_id: platform-${default_postfix}
+ - base_archtype: connectivity
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ management:
+ - id: management-${default_postfix}
+ - display_name: management
+ - parent_id: landing-zones-${default_postfix}
+ - base_archtype: management
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ corp:
+ - id: corp-${default_postfix}
+ - display_name: corp
+ - parent_id: landing-zones-${default_postfix}
+ - base_archtype: corp
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ online:
+ - id: online-${default_postfix}
+ - display_name: online
+ - parent_id: landing-zones-${default_postfix}
+ - base_archtype: online
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+ sandboxes:
+ - id: sandboxes-${default_postfix}
+ - display_name: sandboxes
+ - parent_id: root-${default_postfix}
+ - base_archtype: sandboxes
+ - default_location: ${default_location}
+ - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id}
+
+connectivity:
+ hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary.
+ hub_virtual_networks:
+ primary:
+ name: vnet-hub-${default_postfix}
+ resource_group_name: rg-connectivity-${default_postfix}
+ location: ${default_location}
+ address_space:
+ - 10.0.0.0/16
+ firewall:
+ name: fw-hub-${default_postfix}
+ sku_name: AZFW_VNet
+ sku_tier: Standard
+ subnet_address_prefix: 10.0.1.0/24
+ virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary.
+ name: vgw-hub-${default_postfix}
+ sku: VpnGw1
+ type: Vpn
+ subnet_address_prefix: 10.0.2.0/24
diff --git a/templates/complete_modular/data.tf b/templates/complete_modular/data.tf
new file mode 100644
index 00000000..d5783ec3
--- /dev/null
+++ b/templates/complete_modular/data.tf
@@ -0,0 +1 @@
+data "azurerm_client_config" "core" {}
diff --git a/templates/complete_modular/locals.tf b/templates/complete_modular/locals.tf
new file mode 100644
index 00000000..15c78c80
--- /dev/null
+++ b/templates/complete_modular/locals.tf
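Review bot: `location: uksouth` under `management` is the only location in this file that is hard-coded; every other location reads `${default_location}`, so a user who sets a different `default_location` still gets the Log Analytics workspace and automation account in uksouth. Change it to `location: ${default_location}`. Separately, each management group is written as a YAML list of single-key maps (`- id:`, `- display_name:` …), which `yamldecode` returns as a list, so `each.value.id` in main.tf cannot resolve against it; the intent reads as a plain map with `id:`, `display_name:` and the rest at one indent level. The key is also spelled `base_archtype` here while main.tf reads `each.value.base_archetype`.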
@@ -0,0 +1,47 @@
+data "azurerm_client_config" "current" {}
+
+locals {
+ base_config_replacements = {
+ default_location = var.default_location
+ default_postfix = var.default_postfix
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ }
+
+ initial_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements))
+
+ management = local.initial_config.management
+}
+
+locals {
+ post_management_config_replacements = merge(local.base_config_replacements, {
+ management_log_analytics_workspace_id = module.alz_management_resources.log_analytics_workspace.id
+ })
+
+ post_management_config = yamldecode(templatefile("${path.module}/config.yaml", local.post_management_config_replacements))
+
+ management_groups = local.post_management_config.management.management_groups
+
+ hub_virtual_networks = {
+ for k, v in local.config.connectivity.hubnetworking.hub_virtual_networks : k => {
+ for k2, v2 in v : k2 => v2 if k2 != "virtual_network_gateway"
+ }
+ }
+ vritual_network_gateways = {
+ for k, v in local.config.connectivity.hubnetworking.hub_virtual_networks : k => merge(
+ v.virtual_network_gateway,
+ {
+ location = v.location
+ virtual_network_name = v.name
+ virtual_network_resource_group_name = v.resource_group_name
+ }
+ )
+ }
+ dummy_hub_virtual_network = {
+ hub = {
+ name = "dummy"
+ address_space = ["0.0.0.0/0"]
+ location = "dummy"
+ resource_group_name = "dummy"
+ }
+ }
+}
diff --git a/templates/complete_modular/main.tf b/templates/complete_modular/main.tf
new file mode 100644
index 00000000..981dca81
--- /dev/null
+++ b/templates/complete_modular/main.tf
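Review bot: `local.config` in the `hub_virtual_networks` and `vritual_network_gateways` expressions is never defined in this file; the decoded documents are `local.initial_config` and `local.post_management_config`, so `terraform validate` fails on the second `locals` block as written. The `dummy_hub_virtual_network` value is also dead by construction: main.tf only passes it when `length(local.hub_virtual_networks)` is 0, which is exactly when the module's `count` is 0, so nothing ever consumes a placeholder VNet whose `address_space` is the whole IPv4 range — drop it rather than keep `0.0.0.0/0` in a starter template. `management_groups` reads `.management.management_groups`, but config.yaml places `management_groups` at the top level, not under `management`.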
@@ -0,0 +1,68 @@
+module "alz_management_resources" {
+ source = "Azure/alz-management/azurerm"
+ version = "~> 0.1.0"
+
+ automation_account_name = try(local.management.automation_account_name, "")
+ location = try(local.management.location, "")
+ log_analytics_workspace_name = try(local.management.log_analytics_workspace_name, "")
+ resource_group_name = try(local.management.resource_group_name, "")
+}
+
+module "alz_archetype_root" {
+ source = "Azure/avm-ptn-alz/azurerm"
+ version = "~> 0.3.3"
+ for_each = local.management_groups
+ id = try(each.value.id, "")
+ display_name = try(each.value.display_name, "")
+ parent_id = try(each.value.parent_id, "")
+ base_archetype = try(each.value.base_archetype, "")
+ default_location = try(each.value.default_location, var.default_location)
+ default_log_analytics_workspace_id = try(each.value.default_log_analytics_workspace_id, "")
+}
+
+module "hubnetworking" {
+ source = "Azure/hubnetworking/azurerm"
+ version = "1.1.0"
+ count = length(local.hub_virtual_networks) > 0 ? 1 : 0
+
+ hub_virtual_networks = length(local.hub_virtual_networks) > 0 ? local.hub_virtual_networks : local.dummy_hub_virtual_network
+
+ providers = {
+ azurerm = azurerm.connectivity
+ }
+}
+
+module "vnet-gateway" {
+ source = "Azure/vnet-gateway/azurerm"
+ version = "0.1.2"
+
+ for_each = local.vritual_network_gateways
+
+ location = each.value.location
+ name = each.value.name
+ sku = each.value.sku
+ subnet_address_prefix = each.value.subnet_address_prefix
+ type = each.value.type
+ virtual_network_name = each.value.virtual_network_name
+ virtual_network_resource_group_name = each.value.virtual_network_resource_group_name
+ default_tags = try(each.value.default_tags, null)
+ edge_zone = try(each.value.edge_zone, null)
+ express_route_circuits = try(each.value.express_route_circuits, null)
+ ip_configurations = try(each.value.ip_configurations, null)
+ local_network_gateways = try(each.value.local_network_gateways, null)
+ tags = try(each.value.tags, null)
+ vpn_active_active_enabled = try(each.value.vpn_active_active_enabled, null)
+ vpn_bgp_enabled = try(each.value.vpn_bgp_enabled, null)
+ vpn_bgp_settings = try(each.value.vpn_bgp_settings, null)
+ vpn_generation = try(each.value.vpn_generation, null)
+ vpn_point_to_site = try(each.value.vpn_point_to_site, null)
+ vpn_type = try(each.value.vpn_type, null)
+
+ providers = {
+ azurerm = azurerm.connectivity
+ }
+
+ depends_on = [
+ module.hubnetworking
+ ]
+}
diff --git a/templates/complete_modular/variables.tf b/templates/complete_modular/variables.tf
new file mode 100644
index 00000000..0dd5ae58
--- /dev/null
+++ b/templates/complete_modular/variables.tf
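Review bot: `module "alz_management_resources"` has no `providers` map, so the management resource group, workspace and automation account are created through the unaliased `provider "azurerm"` in versions.tf, which sets no `subscription_id` and therefore lands in whatever subscription the CLI login defaults to — while `var.subscription_id_management` only feeds the `azurerm.management` alias that nothing references. Add `providers = { azurerm = azurerm.management }` to this module, as the two networking modules already do with `azurerm.connectivity`. In `alz_archetype_root`, `try(each.value.id, "")` and `try(each.value.parent_id, "")` turn a missing required key into an empty string that only fails at the API, so let those two reads fail at plan time by dropping the `try`.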
@@ -0,0 +1,24 @@ +variable "default_location" { + description = "The location for Azure resources. (e.g 'uksouth')|1|azure_location" + type = string +} + +variable "default_postfix" { + description = "The default postfix for Azure resources. (e.g 'landing-zone')|2|azure_name" + type = string +} + +variable "subscription_id_connectivity" { + description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_subscription_id" + type = string +} + +variable "subscription_id_identity" { + description = "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|4|azure_subscription_id" + type = string +} + +variable "subscription_id_management" { + description = "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)|5|azure_subscription_id" + type = string +} diff --git a/templates/complete_modular/versions.tf b/templates/complete_modular/versions.tf new file mode 100644 index 00000000..c4051532 --- /dev/null +++ b/templates/complete_modular/versions.tf @@ -0,0 +1,23 @@ +terraform { + required_version = ">= 0.12" + required_providers { + azurerm = ">= 3.0.0" + } + # backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +provider "azurerm" { + alias = "management" + subscription_id = var.subscription_id_management + features {} +} + +provider "azurerm" { + alias = "connectivity" + subscription_id = var.subscription_id_connectivity + features {} +} From 6892d01b8efb607b131e4d3af79020d103098646 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Fri, 3 Nov 2023 08:52:57 +0000 Subject: [PATCH 02/12] Add subscription placement config --- templates/complete_modular/config.yaml | 6 ++++++ templates/complete_modular/locals.tf | 3 +++ templates/complete_modular/main.tf | 14 +++++++------- 3 files changed, 16 insertions(+), 7 deletions(-) 
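Review bot: The three `subscription_id_*` variables accept any string, so a pasted tenant ID, an ID with a trailing space, or a swapped identity/connectivity value is only discovered when a provider call fails part-way through an apply. A `validation` block per variable rejects anything that is not a GUID at plan time; one is shown below and the other two are identical apart from the variable name. `validation` blocks need Terraform 0.13 or later, which the `required_version = ">= 0.12"` in this same patch does not guarantee, so raise that constraint alongside.
```hcl
variable "subscription_id_connectivity" {
  description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_subscription_id"
  type        = string

  # Reject anything that is not a GUID before any provider call is made.
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.subscription_id_connectivity))
    error_message = "subscription_id_connectivity must be a subscription GUID."
  }
}
# … same validation block for subscription_id_identity and subscription_id_management …
```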
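Review bot: `# backend "azurerm" {}` in the `terraform` block leaves state on the local disk by default; that state will hold the tenant ID, all three subscription IDs and every resource ID the modules return, and the default workflow of a starter template is the one most users keep. If the accelerator's bootstrap is expected to uncomment and configure this, the comment should say so, e.g. `# backend "azurerm" {} # populated by the bootstrap; do not run with local state`; if it is not, a configured backend block belongs here. `required_version = ">= 0.12"` also undersells what main.tf in this patch uses — `for_each` and `depends_on` on module blocks need 0.13 or later — so an older binary fails with a parse error rather than a version message.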
diff --git a/templates/complete_modular/config.yaml b/templates/complete_modular/config.yaml index 5ff8af5b..8ecc7f6c 100644 --- a/templates/complete_modular/config.yaml +++ b/templates/complete_modular/config.yaml @@ -33,6 +33,8 @@ management_groups: - base_archtype: identity - default_location: ${default_location} - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + - subscriptions: + - ${subscription_id_identity} connectivity: - id: connectivity-${default_postfix} - display_name: connectivity @@ -40,6 +42,8 @@ management_groups: - base_archtype: connectivity - default_location: ${default_location} - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + - subscriptions: + - ${subscription_id_connectivity} management: - id: management-${default_postfix} - display_name: management @@ -47,6 +51,8 @@ management_groups: - base_archtype: management - default_location: ${default_location} - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + - subscriptions: + - ${subscription_id_management} corp: - id: corp-${default_postfix} - display_name: corp diff --git a/templates/complete_modular/locals.tf b/templates/complete_modular/locals.tf index 15c78c80..86401aa6 100644 --- a/templates/complete_modular/locals.tf +++ b/templates/complete_modular/locals.tf @@ -5,6 +5,9 @@ locals { default_location = var.default_location default_postfix = var.default_postfix tenant_id = data.azurerm_client_config.current.tenant_id + subscription_id_connectivity = var.subscription_id_connectivity + subscription_id_identity = var.subscription_id_identity + subscription_id_management = var.subscription_id_management } initial_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements)) diff --git a/templates/complete_modular/main.tf b/templates/complete_modular/main.tf index 981dca81..8bc21a3b 100644 --- a/templates/complete_modular/main.tf +++ b/templates/complete_modular/main.tf 
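Review bot: The `subscriptions` lists added under identity, connectivity and management in this hunk and the two that follow it are not read by any module input in this commit (main.tf passes no subscription argument to `alz_archetype_root`), so the three subscriptions stay where they are today and inherit none of the policy assignments the archetypes apply. Until placement is wired, a comment on the key would stop a reader from assuming it happens, e.g. `- subscriptions: # not yet applied: no module input consumes this list`. Note also that the entries are appended to the list-of-maps form of each group, so the consumer will need to know whether to expect a map or a list.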
@@ -1,4 +1,4 @@ -module "alz_management_resources" { +module "management_resources" { source = "Azure/alz-management/azurerm" version = "~> 0.1.0" @@ -8,19 +8,19 @@ module "alz_management_resources" { resource_group_name = try(local.management.resource_group_name, "") } -module "alz_archetype_root" { +module "management_groups" { source = "Azure/avm-ptn-alz/azurerm" version = "~> 0.3.3" for_each = local.management_groups - id = try(each.value.id, "") - display_name = try(each.value.display_name, "") - parent_id = try(each.value.parent_id, "") + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id base_archetype = try(each.value.base_archetype, "") default_location = try(each.value.default_location, var.default_location) default_log_analytics_workspace_id = try(each.value.default_log_analytics_workspace_id, "") } -module "hubnetworking" { +module "hub_networking" { source = "Azure/hubnetworking/azurerm" version = "1.1.0" count = length(local.hub_virtual_networks) > 0 ? 1 : 0 @@ -32,7 +32,7 @@ module "hubnetworking" { } } -module "vnet-gateway" { +module "vnet_gateway" { source = "Azure/vnet-gateway/azurerm" version = "0.1.2" From 23887652ed7bdfc1bddc87ab3446a66c4540cffd Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Fri, 3 Nov 2023 08:58:11 +0000 Subject: [PATCH 03/12] Fix linting --- templates/complete_modular/data.tf | 2 +- templates/complete_modular/locals.tf | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/templates/complete_modular/data.tf b/templates/complete_modular/data.tf index d5783ec3..cee07df2 100644 --- a/templates/complete_modular/data.tf +++ b/templates/complete_modular/data.tf @@ -1 +1 @@ -data "azurerm_client_config" "core" {} +data "azurerm_client_config" "current" {} diff --git a/templates/complete_modular/locals.tf b/templates/complete_modular/locals.tf index 86401aa6..b84019ce 100644 --- a/templates/complete_modular/locals.tf 
+++ b/templates/complete_modular/locals.tf @@ -1,5 +1,3 @@ -data "azurerm_client_config" "current" {} - locals { base_config_replacements = { default_location = var.default_location From 7b47ac698eba4c5723887711c92a92639be485d2 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 6 Nov 2023 17:14:01 +0000 Subject: [PATCH 04/12] Updates to complete_modular --- templates/complete_modular/config.yaml | 113 +++++++++++------------- templates/complete_modular/locals.tf | 26 ++---- templates/complete_modular/main.tf | 39 ++++---- templates/complete_modular/variables.tf | 1 + templates/complete_modular/versions.tf | 4 +- templates/hubnetworking/versions.tf | 6 ++ 6 files changed, 88 insertions(+), 101 deletions(-) diff --git a/templates/complete_modular/config.yaml b/templates/complete_modular/config.yaml index 8ecc7f6c..329780fd 100644 --- a/templates/complete_modular/config.yaml +++ b/templates/complete_modular/config.yaml 
@@ -1,3 +1,12 @@ +# This file contains templated variables to avoid repeating the same hard-coded values. +# Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use: +# `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency. +# `default_location`: This is an Azure location sourced from the `default_location` variable. This can be used to set the location of resources. +# `tenant_id`: This is the tenant ID of the Entra ID tenant based on your connection. This is primarily used to set the root management group `parent_id`. +# `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`. +# `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. +# `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`. + management: automation_account_name: aa-${default_postfix} location: uksouth 
@@ -6,77 +15,59 @@ management: management_groups: root: - - id: root-${default_postfix} - - display_name: root - - parent_id: ${tenant_id} - - base_archtype: root - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + id: root-${default_postfix} + display_name: root + parent_id: ${tenant_id} + base_archetype: root landing_zones: - - id: landing-zones-${default_postfix} - - display_name: landing-zones - - parent_id: root-${default_postfix} - - base_archtype: landing_zones - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + id: landing-zones-${default_postfix} + display_name: landing-zones + parent_id: root-${default_postfix} + base_archetype: landing_zones platform: - - id: platform-${default_postfix} - - display_name: platform - - parent_id: root-${default_postfix} - - base_archtype: platform - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + id: platform-${default_postfix} + display_name: platform + parent_id: root-${default_postfix} + base_archetype: platform identity: - - id: identity-${default_postfix} - - display_name: identity - - parent_id: platform-${default_postfix} - - base_archtype: identity - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} - - subscriptions: - - ${subscription_id_identity} + id: identity-${default_postfix} + display_name: identity + parent_id: platform-${default_postfix} + base_archetype: identity + subscriptions: + - ${subscription_id_identity} connectivity: - - id: connectivity-${default_postfix} - - display_name: connectivity - - parent_id: platform-${default_postfix} - - base_archtype: connectivity - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} - - subscriptions: - - 
${subscription_id_connectivity} + id: connectivity-${default_postfix} + display_name: connectivity + parent_id: platform-${default_postfix} + base_archetype: connectivity + subscriptions: + - ${subscription_id_connectivity} management: - - id: management-${default_postfix} - - display_name: management - - parent_id: landing-zones-${default_postfix} - - base_archtype: management - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} - - subscriptions: - - ${subscription_id_management} + id: management-${default_postfix} + display_name: management + parent_id: landing-zones-${default_postfix} + base_archetype: management + subscriptions: + - ${subscription_id_management} corp: - - id: corp-${default_postfix} - - display_name: corp - - parent_id: landing-zones-${default_postfix} - - base_archtype: corp - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + id: corp-${default_postfix} + display_name: corp + parent_id: landing-zones-${default_postfix} + base_archetype: corp online: - - id: online-${default_postfix} - - display_name: online - - parent_id: landing-zones-${default_postfix} - - base_archtype: online - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + id: online-${default_postfix} + display_name: online + parent_id: landing-zones-${default_postfix} + base_archetype: online sandboxes: - - id: sandboxes-${default_postfix} - - display_name: sandboxes - - parent_id: root-${default_postfix} - - base_archtype: sandboxes - - default_location: ${default_location} - - default_log_analytics_workspace_id: ${management_log_analytics_workspace_id} + id: sandboxes-${default_postfix} + display_name: sandboxes + parent_id: root-${default_postfix} + base_archetype: sandboxes connectivity: - hubnetworking: # `hubnetworking` module, add inputs as listed on the module 
registry where necessary. + hub_networking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. hub_virtual_networks: primary: name: vnet-hub-${default_postfix} diff --git a/templates/complete_modular/locals.tf b/templates/complete_modular/locals.tf index b84019ce..4ab01448 100644 --- a/templates/complete_modular/locals.tf +++ b/templates/complete_modular/locals.tf @@ -11,24 +11,16 @@ locals { initial_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements)) management = local.initial_config.management -} - -locals { - post_management_config_replacements = merge(local.base_config_replacements, { - management_log_analytics_workspace_id = module.alz_management_resources.log_analytics_workspace.id - }) - - post_management_config = yamldecode(templatefile("${path.module}/config.yaml", local.post_management_config_replacements)) - - management_groups = local.post_management_config.management.management_groups + management_groups = local.initial_config.management_groups + connectivity = local.initial_config.connectivity hub_virtual_networks = { - for k, v in local.config.connectivity.hubnetworking.hub_virtual_networks : k => { + for k, v in local.connectivity.hub_networking.hub_virtual_networks : k => { for k2, v2 in v : k2 => v2 if k2 != "virtual_network_gateway" } } - vritual_network_gateways = { - for k, v in local.config.connectivity.hubnetworking.hub_virtual_networks : k => merge( + virtual_network_gateways = { + for k, v in local.connectivity.hub_networking.hub_virtual_networks : k => merge( v.virtual_network_gateway, { location = v.location @@ -37,12 +29,4 @@ locals { } ) } - dummy_hub_virtual_network = { - hub = { - name = "dummy" - address_space = ["0.0.0.0/0"] - location = "dummy" - resource_group_name = "dummy" - } - } } diff --git a/templates/complete_modular/main.tf b/templates/complete_modular/main.tf index 8bc21a3b..225edb11 100644 --- a/templates/complete_modular/main.tf 
+++ b/templates/complete_modular/main.tf @@ -1,13 +1,19 @@ module "management_resources" { source = "Azure/alz-management/azurerm" - version = "~> 0.1.0" - + version = "~> 0.1.5" + providers = { + azurerm = azurerm.management + } automation_account_name = try(local.management.automation_account_name, "") location = try(local.management.location, "") log_analytics_workspace_name = try(local.management.log_analytics_workspace_name, "") resource_group_name = try(local.management.resource_group_name, "") } +output "test" { + value = local.management_groups +} + module "management_groups" { source = "Azure/avm-ptn-alz/azurerm" version = "~> 0.3.3" 
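Review bot: `output "test" { value = local.management_groups }` reads as a debugging aid that was left in: it prints the whole decoded hierarchy, subscription IDs included, at the end of every apply and records it in the state outputs of a template users will copy as-is. Remove it, or if an output of the hierarchy is wanted, name it for its purpose (e.g. `management_groups`) and give it a `description`. The `providers = { azurerm = azurerm.management }` addition on `management_resources` is the right fix for the module previously running under the unaliased provider.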
@@ -15,28 +21,31 @@ module "management_groups" { id = each.value.id display_name = try(each.value.display_name, each.value.id) parent_id = each.value.parent_id - base_archetype = try(each.value.base_archetype, "") - default_location = try(each.value.default_location, var.default_location) - default_log_analytics_workspace_id = try(each.value.default_log_analytics_workspace_id, "") + base_archetype = each.value.base_archetype + default_location = var.default_location + default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) } module "hub_networking" { source = "Azure/hubnetworking/azurerm" - version = "1.1.0" - count = length(local.hub_virtual_networks) > 0 ? 1 : 0 - - hub_virtual_networks = length(local.hub_virtual_networks) > 0 ? local.hub_virtual_networks : local.dummy_hub_virtual_network - + version = "~> 1.1.0" providers = { azurerm = azurerm.connectivity } + count = length(local.hub_virtual_networks) > 0 ? 1 : 0 + + hub_virtual_networks = length(local.hub_virtual_networks) > 0 ? local.hub_virtual_networks : null } module "vnet_gateway" { source = "Azure/vnet-gateway/azurerm" - version = "0.1.2" + version = "~> 0.1.2" + providers = { + azurerm = azurerm.connectivity + } - for_each = local.vritual_network_gateways + for_each = local.virtual_network_gateways location = each.value.location name = each.value.name @@ -58,11 +67,7 @@ module "vnet_gateway" { vpn_point_to_site = try(each.value.vpn_point_to_site, null) vpn_type = try(each.value.vpn_type, null) - providers = { - azurerm = azurerm.connectivity - } - depends_on = [ - module.hubnetworking + module.hub_networking ] } diff --git a/templates/complete_modular/variables.tf b/templates/complete_modular/variables.tf index 0dd5ae58..b317c2f4 100644 --- a/templates/complete_modular/variables.tf +++ b/templates/complete_modular/variables.tf 
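Review bot: The commented line `#subscription_ids = try(each.value.subscription_ids, [])` will not do what it suggests once uncommented: config.yaml in this same patch names the list `subscriptions`, so `try(each.value.subscription_ids, [])` silently resolves to `[]` for every group and subscription placement still never happens, which means the identity, connectivity and management subscriptions keep none of the archetype guardrails. Either wire it now as `subscription_ids = try(each.value.subscriptions, [])` or change the comment to say which key it will read; the same commented line is copied into all seven blocks of management_groups.tf in the later "Fix hierarchy ordering issue" patch. In `hub_networking`, `hub_virtual_networks = length(local.hub_virtual_networks) > 0 ? local.hub_virtual_networks : null` is only evaluated for the single instance that exists when the length is already > 0, so the conditional can be `hub_virtual_networks = local.hub_virtual_networks`.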
@@ -6,6 +6,7 @@ variable "default_location" { variable "default_postfix" { description = "The default postfix for Azure resources. (e.g 'landing-zone')|2|azure_name" type = string + default = "landing-zone" } variable "subscription_id_connectivity" { diff --git a/templates/complete_modular/versions.tf b/templates/complete_modular/versions.tf index c4051532..ad1242b2 100644 --- a/templates/complete_modular/versions.tf +++ b/templates/complete_modular/versions.tf @@ -1,7 +1,7 @@ terraform { - required_version = ">= 0.12" + required_version = ">= 1.5" required_providers { - azurerm = ">= 3.0.0" + azurerm = ">= 3.79.0" } # backend "azurerm" {} } diff --git a/templates/hubnetworking/versions.tf b/templates/hubnetworking/versions.tf index 42ac4482..a2b0ab44 100644 --- a/templates/hubnetworking/versions.tf +++ b/templates/hubnetworking/versions.tf @@ -24,3 +24,9 @@ provider "azurerm" { subscription_id = var.subscription_id_connectivity features {} } + +provider "azurerm" { + alias = "identity" + subscription_id = var.subscription_id_identity + features {} +} From d33372574470c0a7295fac77c822dc9d4ef648e9 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 6 Nov 2023 20:20:14 +0000 Subject: [PATCH 05/12] Fix hierarchy ordering issue --- templates/complete_modular/config.yaml | 4 +- templates/complete_modular/locals.tf | 26 +++-- templates/complete_modular/main.tf | 15 +-- .../complete_modular/management_groups.tf | 96 +++++++++++++++++++ templates/complete_modular/variables.tf | 12 ++- 5 files changed, 127 insertions(+), 26 deletions(-) create mode 100644 templates/complete_modular/management_groups.tf diff --git a/templates/complete_modular/config.yaml b/templates/complete_modular/config.yaml index 329780fd..4fe3f96e 100644 --- a/templates/complete_modular/config.yaml +++ b/templates/complete_modular/config.yaml 
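Review bot: `azurerm = ">= 3.79.0"` in `required_providers` sets only a floor, so a future `terraform init -upgrade` can pull a new major of the provider with breaking changes into every environment built from this template, and the unqualified form also omits the provider `source`. Pin with a pessimistic constraint and the canonical block: `azurerm = { source = "hashicorp/azurerm", version = "~> 3.79" }`. Raising `required_version` to `">= 1.5"` is consistent with the `for_each`/`depends_on`-on-module usage and makes `check` blocks available to the template.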
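Review bot: The new `azurerm.identity` provider alias is added to `templates/hubnetworking/versions.tf`, while every other file in this patch and the `subscription_id_identity` variable shown on this page live under `templates/complete_modular`; I cannot see whether the hubnetworking template declares its own `subscription_id_identity`, and if it does not, `terraform validate` of that template now fails on an undeclared variable. If the alias was meant for the complete_modular template (where nothing yet references an identity provider), move it there; if it is intentional here, a one-line comment saying what in the hubnetworking template will use it would help.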
@@ -2,7 +2,7 @@ # Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use: # `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency. # `default_location`: This is an Azure location sourced from the `default_location` variable. This can be used to set the location of resources. -# `tenant_id`: This is the tenant ID of the Entra ID tenant based on your connection. This is primarily used to set the root management group `parent_id`. +# `tenant_root_management_group_id`: This is ID of the top level managemrnt group that you will build your hierarchy under. This is primarily used to set the root management group `parent_id`. # `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`. # `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. # `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`. @@ -17,7 +17,7 @@ management_groups: root: id: root-${default_postfix} display_name: root - parent_id: ${tenant_id} + parent_id: ${tenant_root_management_group_id} base_archetype: root landing_zones: id: landing-zones-${default_postfix} diff --git a/templates/complete_modular/locals.tf b/templates/complete_modular/locals.tf index 4ab01448..a890514d 100644 --- a/templates/complete_modular/locals.tf +++ b/templates/complete_modular/locals.tf 
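Review bot: The rewritten header comment for `tenant_root_management_group_id` has two typos and a missing article: "This is ID of the top level managemrnt group" should read "This is the ID of the top-level management group". It would also help the reader to state where the value comes from, as the other entries do, e.g. "sourced from the variable `tenant_root_management_group_id`, defaulting to the tenant ID when that variable is empty", which is what locals.tf in this patch implements.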
@@ -1,17 +1,29 @@ locals { + + tenant_root_management_group_id = var.tenant_root_management_group_id == "" ? data.azurerm_client_config.current.tenant_id : var.tenant_root_management_group_id + base_config_replacements = { - default_location = var.default_location - default_postfix = var.default_postfix - tenant_id = data.azurerm_client_config.current.tenant_id - subscription_id_connectivity = var.subscription_id_connectivity - subscription_id_identity = var.subscription_id_identity - subscription_id_management = var.subscription_id_management + default_location = var.default_location + default_postfix = var.default_postfix + tenant_root_management_group_id = local.tenant_root_management_group_id + subscription_id_connectivity = var.subscription_id_connectivity + subscription_id_identity = var.subscription_id_identity + subscription_id_management = var.subscription_id_management } initial_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements)) - management = local.initial_config.management + management = local.initial_config.management management_groups = local.initial_config.management_groups + + management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent_id == local.tenant_root_management_group_id } + management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_1), v.parent_id) } + management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_2), v.parent_id) } + management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_3), v.parent_id) } + management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_4), v.parent_id) } + management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_5), 
v.parent_id) } + management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_6), v.parent_id) } + connectivity = local.initial_config.connectivity hub_virtual_networks = { diff --git a/templates/complete_modular/main.tf b/templates/complete_modular/main.tf index 225edb11..dd7ece11 100644 --- a/templates/complete_modular/main.tf +++ b/templates/complete_modular/main.tf @@ -14,26 +14,13 @@ output "test" { value = local.management_groups } -module "management_groups" { - source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" - for_each = local.management_groups - id = each.value.id - display_name = try(each.value.display_name, each.value.id) - parent_id = each.value.parent_id - base_archetype = each.value.base_archetype - default_location = var.default_location - default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) -} - module "hub_networking" { source = "Azure/hubnetworking/azurerm" version = "~> 1.1.0" providers = { azurerm = azurerm.connectivity } - count = length(local.hub_virtual_networks) > 0 ? 1 : 0 + count = length(local.hub_virtual_networks) > 0 ? 1 : 0 hub_virtual_networks = length(local.hub_virtual_networks) > 0 ? local.hub_virtual_networks : null } diff --git a/templates/complete_modular/management_groups.tf b/templates/complete_modular/management_groups.tf new file mode 100644 index 00000000..9e6ea5cf --- /dev/null +++ b/templates/complete_modular/management_groups.tf 
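Review bot: Layers 2 to 7 match on `contains(keys(local.management_groups_layer_N), v.parent_id)`, but the keys of that map are the YAML keys (`root`, `landing_zones`, `platform` …) while every `parent_id` in config.yaml is an id such as `root-${default_postfix}`; with the default postfix that compares `root-landing-zone` against `root`, so only layer 1 is ever non-empty and the whole hierarchy below the root group is silently skipped. Match on the parent's `id` instead, as in the rewrite below, and collect the union of the layers so that a top-level `check` block (Terraform ≥ 1.5, which versions.tf already requires) can assert `length(local.management_groups_placed) == length(local.management_groups)` — a typo'd `parent_id` or a depth beyond seven then fails the plan instead of dropping groups. The enclosing `locals` block is closed outside this hunk.
```hcl
  # … unchanged: tenant_root_management_group_id, base_config_replacements, initial_config, management, management_groups …

  # A group belongs to layer N+1 when its parent_id equals the *id* of a layer-N
  # group; the YAML key (e.g. "root") is not the id (e.g. "root-<postfix>").
  management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent_id == local.tenant_root_management_group_id }
  management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains([for mg in local.management_groups_layer_1 : mg.id], v.parent_id) }
  management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains([for mg in local.management_groups_layer_2 : mg.id], v.parent_id) }
  management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains([for mg in local.management_groups_layer_3 : mg.id], v.parent_id) }
  management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains([for mg in local.management_groups_layer_4 : mg.id], v.parent_id) }
  management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains([for mg in local.management_groups_layer_5 : mg.id], v.parent_id) }
  management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains([for mg in local.management_groups_layer_6 : mg.id], v.parent_id) }

  # Every group that resolved to a layer; a check block compares this against
  # local.management_groups so unresolved parents or depth > 7 fail the plan.
  management_groups_placed = merge(
    local.management_groups_layer_1, local.management_groups_layer_2, local.management_groups_layer_3,
    local.management_groups_layer_4, local.management_groups_layer_5, local.management_groups_layer_6,
    local.management_groups_layer_7,
  )

  # … unchanged: connectivity, hub_virtual_networks, virtual_network_gateways …
```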
@@ -0,0 +1,96 @@ +module "management_groups_layer_1" { + source = "Azure/avm-ptn-alz/azurerm" + version = "~> 0.3.3" + for_each = local.management_groups_layer_1 + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id + base_archetype = each.value.base_archetype + default_location = var.default_location + default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) +} + +module "management_groups_layer_2" { + source = "Azure/avm-ptn-alz/azurerm" + version = "~> 0.3.3" + for_each = local.management_groups_layer_2 + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id + base_archetype = each.value.base_archetype + default_location = var.default_location + default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) + depends_on = [module.management_groups_layer_1] +} + +module "management_groups_layer_3" { + source = "Azure/avm-ptn-alz/azurerm" + version = "~> 0.3.3" + for_each = local.management_groups_layer_3 + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id + base_archetype = each.value.base_archetype + default_location = var.default_location + default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) + depends_on = [module.management_groups_layer_2] +} + +module "management_groups_layer_4" { + source = "Azure/avm-ptn-alz/azurerm" + version = "~> 0.3.3" + for_each = local.management_groups_layer_4 + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id + base_archetype = each.value.base_archetype + default_location = var.default_location + 
default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) + depends_on = [module.management_groups_layer_3] +} + +module "management_groups_layer_5" { + source = "Azure/avm-ptn-alz/azurerm" + version = "~> 0.3.3" + for_each = local.management_groups_layer_5 + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id + base_archetype = each.value.base_archetype + default_location = var.default_location + default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) + depends_on = [module.management_groups_layer_4] +} + +module "management_groups_layer_6" { + source = "Azure/avm-ptn-alz/azurerm" + version = "~> 0.3.3" + for_each = local.management_groups_layer_6 + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id + base_archetype = each.value.base_archetype + default_location = var.default_location + default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) + depends_on = [module.management_groups_layer_5] +} + +module "management_groups_layer_7" { + source = "Azure/avm-ptn-alz/azurerm" + version = "~> 0.3.3" + for_each = local.management_groups_layer_7 + id = each.value.id + display_name = try(each.value.display_name, each.value.id) + parent_id = each.value.parent_id + base_archetype = each.value.base_archetype + default_location = var.default_location + default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + #subscription_ids = try(each.value.subscription_ids, []) + depends_on = [module.management_groups_layer_6] +} 
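Review bot: The seven `management_groups_layer_N` modules in this new file are identical apart from `for_each` and `depends_on`, so every future input change has to be repeated seven times, and nothing in the file says why the hierarchy is split into fixed layers; a header comment such as `# One module call per depth level: a child management group can only be created once its parent exists, and the module does not order groups itself.` (adjust if the actual reason differs) would help the next maintainer. Be aware that `depends_on` on a module block also defers every data source inside that module to apply time, which tends to turn plan output for layers 2–7 into "known after apply" values; if that shows up, it is a consequence of this layering rather than of the module.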
diff --git a/templates/complete_modular/variables.tf b/templates/complete_modular/variables.tf index b317c2f4..5bb91cbe 100644 --- a/templates/complete_modular/variables.tf +++ b/templates/complete_modular/variables.tf @@ -9,17 +9,23 @@ variable "default_postfix" { default = "landing-zone" } +variable "tenant_root_management_group_id" { + description = "The identifier of the Tenant Root Management Group. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_name" + type = string + default = "" +} + variable "subscription_id_connectivity" { - description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_subscription_id" + description = "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|4|azure_subscription_id" type = string } variable "subscription_id_identity" { - description = "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|4|azure_subscription_id" + description = "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')|5|azure_subscription_id" type = string } variable "subscription_id_management" { - description = "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)|5|azure_subscription_id" + description = "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)|6|azure_subscription_id" type = string } From a23f4178d7de4646c019db9abe907a80212d0fd0 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 7 Nov 2023 08:36:54 +0000 Subject: [PATCH 06/12] Add subscription placement --- .../complete_modular/management_groups.tf | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/templates/complete_modular/management_groups.tf b/templates/complete_modular/management_groups.tf index 9e6ea5cf..8219888c 100644 --- a/templates/complete_modular/management_groups.tf 
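Review bot: The new `tenant_root_management_group_id` variable tags its validator as `azure_name` while the neighbouring subscription variables use `azure_subscription_id`, and its description does not mention that an empty value falls back to the tenant ID of the current credentials, which is what the locals hunk earlier in the series does. Suggest `description = "The identifier of the Tenant Root Management Group. Leave empty to use the tenant ID of the current credentials. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_name"`, assuming the trailing `|n|type` segment is consumed by the accelerator tooling and `azure_name` is the intended validator for a management group name rather than a copy-paste remnant.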
+++ b/templates/complete_modular/management_groups.tf @@ -1,6 +1,6 @@ module "management_groups_layer_1" { source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" + version = "~> 0.4.1" for_each = local.management_groups_layer_1 id = each.value.id display_name = try(each.value.display_name, each.value.id) @@ -8,12 +8,12 @@ module "management_groups_layer_1" { base_archetype = each.value.base_archetype default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) + subscription_ids = try(each.value.subscription_ids, []) } module "management_groups_layer_2" { source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" + version = "~> 0.4.1" for_each = local.management_groups_layer_2 id = each.value.id display_name = try(each.value.display_name, each.value.id) @@ -21,13 +21,13 @@ module "management_groups_layer_2" { base_archetype = each.value.base_archetype default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) + subscription_ids = try(each.value.subscription_ids, []) depends_on = [module.management_groups_layer_1] } module "management_groups_layer_3" { source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" + version = "~> 0.4.1" for_each = local.management_groups_layer_3 id = each.value.id display_name = try(each.value.display_name, each.value.id) 
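Review bot: `subscription_ids = try(each.value.subscription_ids, [])`, now enabled in all seven layer modules, reads a key the config does not appear to define: the config.yaml context shown in the later linting patch lists the subscriptions under `subscriptions:`, so `try` falls back to `[]` and no subscription is placed, with no error. A subscription left outside its intended management group does not inherit that group's policy assignments or role assignments, so this fails silently in exactly the direction governance cares about. Either rename the YAML key to `subscription_ids` or read `try(each.value.subscriptions, [])`, and consider dropping the `try` so a missing key is reported rather than absorbed; the same lookup recurs in the later management_groups.tf hunks, unless config.yaml is renamed somewhere this series does not show.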
@@ -35,13 +35,13 @@ module "management_groups_layer_3" { base_archetype = each.value.base_archetype default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) + subscription_ids = try(each.value.subscription_ids, []) depends_on = [module.management_groups_layer_2] } module "management_groups_layer_4" { source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" + version = "~> 0.4.1" for_each = local.management_groups_layer_4 id = each.value.id display_name = try(each.value.display_name, each.value.id) @@ -49,13 +49,13 @@ module "management_groups_layer_4" { base_archetype = each.value.base_archetype default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) + subscription_ids = try(each.value.subscription_ids, []) depends_on = [module.management_groups_layer_3] } module "management_groups_layer_5" { source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" + version = "~> 0.4.1" for_each = local.management_groups_layer_5 id = each.value.id display_name = try(each.value.display_name, each.value.id) @@ -63,13 +63,13 @@ module "management_groups_layer_5" { base_archetype = each.value.base_archetype default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) + subscription_ids = try(each.value.subscription_ids, []) depends_on = [module.management_groups_layer_4] } module "management_groups_layer_6" { source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" + version = "~> 0.4.1" for_each = local.management_groups_layer_6 id = each.value.id display_name = try(each.value.display_name, each.value.id) 
@@ -77,13 +77,13 @@ module "management_groups_layer_6" { base_archetype = each.value.base_archetype default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) + subscription_ids = try(each.value.subscription_ids, []) depends_on = [module.management_groups_layer_5] } module "management_groups_layer_7" { source = "Azure/avm-ptn-alz/azurerm" - version = "~> 0.3.3" + version = "~> 0.4.1" for_each = local.management_groups_layer_7 id = each.value.id display_name = try(each.value.display_name, each.value.id) @@ -91,6 +91,6 @@ module "management_groups_layer_7" { base_archetype = each.value.base_archetype default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - #subscription_ids = try(each.value.subscription_ids, []) + subscription_ids = try(each.value.subscription_ids, []) depends_on = [module.management_groups_layer_6] } From 26220931e3aba57e95f6c83776cdf48d67cef66f Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 7 Nov 2023 10:55:57 +0000 Subject: [PATCH 07/12] Try fix layer logic --- templates/complete_modular/locals.tf | 26 ++++++++++++++++++++------ templates/complete_modular/main.tf | 4 ---- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/templates/complete_modular/locals.tf b/templates/complete_modular/locals.tf index a890514d..28ad23c7 100644 --- a/templates/complete_modular/locals.tf +++ b/templates/complete_modular/locals.tf 
@@ -17,12 +17,14 @@ locals { management_groups = local.initial_config.management_groups management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent_id == local.tenant_root_management_group_id } - management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_1), v.parent_id) } - management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_2), v.parent_id) } - management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_3), v.parent_id) } - management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_4), v.parent_id) } - management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_5), v.parent_id) } - management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_6), v.parent_id) } + management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_1)[*].id, v.parent_id) } + management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_2)[*].id, v.parent_id) } + management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_3)[*].id, v.parent_id) } + management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_4)[*].id, v.parent_id) } + management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_5)[*].id, v.parent_id) } + management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_6)[*].id, v.parent_id) } + + 
connectivity = local.initial_config.connectivity @@ -42,3 +44,15 @@ locals { ) } } + + output "test" { + value = { + management_groups_layer_1 = local.management_groups_layer_1 + management_groups_layer_2 = local.management_groups_layer_2 + management_groups_layer_3 = local.management_groups_layer_3 + management_groups_layer_4 = local.management_groups_layer_4 + management_groups_layer_5 = local.management_groups_layer_5 + management_groups_layer_6 = local.management_groups_layer_6 + management_groups_layer_7 = local.management_groups_layer_7 + } + } \ No newline at end of file diff --git a/templates/complete_modular/main.tf b/templates/complete_modular/main.tf index dd7ece11..29cbb129 100644 --- a/templates/complete_modular/main.tf +++ b/templates/complete_modular/main.tf @@ -10,10 +10,6 @@ module "management_resources" { resource_group_name = try(local.management.resource_group_name, "") } -output "test" { - value = local.management_groups -} - module "hub_networking" { source = "Azure/hubnetworking/azurerm" version = "~> 1.1.0" From 4ad078e43e1a3b3a1dd4857ccb879ff530f3ac7f Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 7 Nov 2023 20:08:39 +0000 Subject: [PATCH 08/12] Fix linting issues --- templates/complete_modular/config.yaml | 12 +++++----- templates/complete_modular/locals.tf | 22 +++++++++---------- .../complete_modular/management_groups.tf | 12 +++++----- 3 files changed, 23 insertions(+), 23 deletions(-) diff --git a/templates/complete_modular/config.yaml b/templates/complete_modular/config.yaml index 4fe3f96e..3d1294e8 100644 --- a/templates/complete_modular/config.yaml +++ b/templates/complete_modular/config.yaml 
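Review bot: `output "test"` appended to locals.tf looks like a debugging aid: it exposes all seven layer maps as a root output, which Terraform persists in state and prints after every apply, and it sits in locals.tf without a trailing newline. If the layer maps are worth exposing, give the output a descriptive name and a `description` and move it to outputs.tf; otherwise remove it before merging. The later linting patch re-indents this block but keeps the name, so the question stays open there as well.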
@@ -6,7 +6,7 @@ # `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`. # `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. # `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`. - +--- management: automation_account_name: aa-${default_postfix} location: uksouth @@ -35,21 +35,21 @@ management_groups: parent_id: platform-${default_postfix} base_archetype: identity subscriptions: - - ${subscription_id_identity} + - ${subscription_id_identity} connectivity: id: connectivity-${default_postfix} display_name: connectivity parent_id: platform-${default_postfix} base_archetype: connectivity subscriptions: - - ${subscription_id_connectivity} + - ${subscription_id_connectivity} management: id: management-${default_postfix} display_name: management parent_id: landing-zones-${default_postfix} base_archetype: management subscriptions: - - ${subscription_id_management} + - ${subscription_id_management} corp: id: corp-${default_postfix} display_name: corp @@ -67,7 +67,7 @@ management_groups: base_archetype: sandboxes connectivity: - hub_networking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. + hub_networking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. hub_virtual_networks: primary: name: vnet-hub-${default_postfix} 
@@ -80,7 +80,7 @@ connectivity: sku_name: AZFW_VNet sku_tier: Standard subnet_address_prefix: 10.0.1.0/24 - virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary. + virtual_network_gateway: # `vnet-gateway` module, add inputs as listed on the module registry where necessary. name: vgw-hub-${default_postfix} sku: VpnGw1 type: Vpn diff --git a/templates/complete_modular/locals.tf b/templates/complete_modular/locals.tf index 28ad23c7..cb000308 100644 --- a/templates/complete_modular/locals.tf +++ b/templates/complete_modular/locals.tf @@ -45,14 +45,14 @@ locals { } } - output "test" { - value = { - management_groups_layer_1 = local.management_groups_layer_1 - management_groups_layer_2 = local.management_groups_layer_2 - management_groups_layer_3 = local.management_groups_layer_3 - management_groups_layer_4 = local.management_groups_layer_4 - management_groups_layer_5 = local.management_groups_layer_5 - management_groups_layer_6 = local.management_groups_layer_6 - management_groups_layer_7 = local.management_groups_layer_7 - } - } \ No newline at end of file +output "test" { + value = { + management_groups_layer_1 = local.management_groups_layer_1 + management_groups_layer_2 = local.management_groups_layer_2 + management_groups_layer_3 = local.management_groups_layer_3 + management_groups_layer_4 = local.management_groups_layer_4 + management_groups_layer_5 = local.management_groups_layer_5 + management_groups_layer_6 = local.management_groups_layer_6 + management_groups_layer_7 = local.management_groups_layer_7 + } +} diff --git a/templates/complete_modular/management_groups.tf b/templates/complete_modular/management_groups.tf index 8219888c..72487099 100644 --- a/templates/complete_modular/management_groups.tf +++ b/templates/complete_modular/management_groups.tf 
@@ -22,7 +22,7 @@ module "management_groups_layer_2" { default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id subscription_ids = try(each.value.subscription_ids, []) - depends_on = [module.management_groups_layer_1] + depends_on = [module.management_groups_layer_1] } module "management_groups_layer_3" { @@ -36,7 +36,7 @@ module "management_groups_layer_3" { default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id subscription_ids = try(each.value.subscription_ids, []) - depends_on = [module.management_groups_layer_2] + depends_on = [module.management_groups_layer_2] } module "management_groups_layer_4" { @@ -50,7 +50,7 @@ module "management_groups_layer_4" { default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id subscription_ids = try(each.value.subscription_ids, []) - depends_on = [module.management_groups_layer_3] + depends_on = [module.management_groups_layer_3] } module "management_groups_layer_5" { @@ -64,7 +64,7 @@ module "management_groups_layer_5" { default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id subscription_ids = try(each.value.subscription_ids, []) - depends_on = [module.management_groups_layer_4] + depends_on = [module.management_groups_layer_4] } module "management_groups_layer_6" { @@ -78,7 +78,7 @@ module "management_groups_layer_6" { default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id subscription_ids = try(each.value.subscription_ids, []) - depends_on = [module.management_groups_layer_5] + depends_on = [module.management_groups_layer_5] } module "management_groups_layer_7" { 
@@ -92,5 +92,5 @@ module "management_groups_layer_7" { default_location = var.default_location default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id subscription_ids = try(each.value.subscription_ids, []) - depends_on = [module.management_groups_layer_6] + depends_on = [module.management_groups_layer_6] } From 291ffc1255cdd705d3380408ef43e6cd1dcbb0bd Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 20 Nov 2023 10:52:19 +0000 Subject: [PATCH 09/12] Rename module --- templates/{complete_modular => complete_vnext}/config.yaml | 0 templates/{complete_modular => complete_vnext}/data.tf | 0 templates/{complete_modular => complete_vnext}/locals.tf | 0 templates/{complete_modular => complete_vnext}/main.tf | 0 .../{complete_modular => complete_vnext}/management_groups.tf | 0 templates/{complete_modular => complete_vnext}/variables.tf | 0 templates/{complete_modular => complete_vnext}/versions.tf | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename templates/{complete_modular => complete_vnext}/config.yaml (100%) rename templates/{complete_modular => complete_vnext}/data.tf (100%) rename templates/{complete_modular => complete_vnext}/locals.tf (100%) rename templates/{complete_modular => complete_vnext}/main.tf (100%) rename templates/{complete_modular => complete_vnext}/management_groups.tf (100%) rename templates/{complete_modular => complete_vnext}/variables.tf (100%) rename templates/{complete_modular => complete_vnext}/versions.tf (100%) diff --git a/templates/complete_modular/config.yaml b/templates/complete_vnext/config.yaml similarity index 100% rename from templates/complete_modular/config.yaml rename to templates/complete_vnext/config.yaml diff --git a/templates/complete_modular/data.tf b/templates/complete_vnext/data.tf similarity index 100% rename from templates/complete_modular/data.tf rename to templates/complete_vnext/data.tf 
diff --git a/templates/complete_modular/locals.tf b/templates/complete_vnext/locals.tf similarity index 100% rename from templates/complete_modular/locals.tf rename to templates/complete_vnext/locals.tf diff --git a/templates/complete_modular/main.tf b/templates/complete_vnext/main.tf similarity index 100% rename from templates/complete_modular/main.tf rename to templates/complete_vnext/main.tf diff --git a/templates/complete_modular/management_groups.tf b/templates/complete_vnext/management_groups.tf similarity index 100% rename from templates/complete_modular/management_groups.tf rename to templates/complete_vnext/management_groups.tf diff --git a/templates/complete_modular/variables.tf b/templates/complete_vnext/variables.tf similarity index 100% rename from templates/complete_modular/variables.tf rename to templates/complete_vnext/variables.tf diff --git a/templates/complete_modular/versions.tf b/templates/complete_vnext/versions.tf similarity index 100% rename from templates/complete_modular/versions.tf rename to templates/complete_vnext/versions.tf From 4a2e62f6139c18cf8d41da82b078f4cfd3ebf621 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 20 Nov 2023 12:33:47 +0000 Subject: [PATCH 10/12] Working plan --- templates/complete_vnext/config.yaml | 2 +- templates/complete_vnext/locals.tf | 20 ++------- .../locals_management_groups.tf | 21 ++++++++++ templates/complete_vnext/management_groups.tf | 42 +++++++++---------- 4 files changed, 47 insertions(+), 38 deletions(-) create mode 100644 templates/complete_vnext/locals_management_groups.tf diff --git a/templates/complete_vnext/config.yaml b/templates/complete_vnext/config.yaml index 3d1294e8..db939917 100644 --- a/templates/complete_vnext/config.yaml +++ b/templates/complete_vnext/config.yaml 
@@ -9,7 +9,7 @@ --- management: automation_account_name: aa-${default_postfix} - location: uksouth + location: ${default_location} log_analytics_workspace_name: law-${default_postfix} resource_group_name: rg-management-${default_postfix} diff --git a/templates/complete_vnext/locals.tf b/templates/complete_vnext/locals.tf index cb000308..455f907c 100644 --- a/templates/complete_vnext/locals.tf +++ b/templates/complete_vnext/locals.tf @@ -1,5 +1,4 @@ locals { - tenant_root_management_group_id = var.tenant_root_management_group_id == "" ? data.azurerm_client_config.current.tenant_id : var.tenant_root_management_group_id base_config_replacements = { 
@@ -11,22 +10,11 @@ locals { subscription_id_management = var.subscription_id_management } - initial_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements)) - - management = local.initial_config.management - management_groups = local.initial_config.management_groups - - management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent_id == local.tenant_root_management_group_id } - management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_1)[*].id, v.parent_id) } - management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_2)[*].id, v.parent_id) } - management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_3)[*].id, v.parent_id) } - management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_4)[*].id, v.parent_id) } - management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_5)[*].id, v.parent_id) } - management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_6)[*].id, v.parent_id) } - - + raw_config = yamldecode(file("${path.module}/config.yaml")) + templated_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements)) - connectivity = local.initial_config.connectivity + management = local.templated_config.management + connectivity = local.templated_config.connectivity hub_virtual_networks = { for k, v in local.connectivity.hub_networking.hub_virtual_networks : k => { diff --git a/templates/complete_vnext/locals_management_groups.tf b/templates/complete_vnext/locals_management_groups.tf new file mode 100644 index 00000000..7e0bbafa --- /dev/null 
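Review bot: Removing `tenant_root_management_group_id` from `locals` leaves `base_config_replacements`, whose body (old lines 5–10) is outside both hunks, apparently still setting `tenant_root_management_group_id = local.tenant_root_management_group_id` as introduced earlier in the series; if that line is unchanged the reference is to an undeclared local and `terraform validate` should reject it, so either keep the local or inline the `var.tenant_root_management_group_id == "" ? data.azurerm_client_config.current.tenant_id : var.tenant_root_management_group_id` expression there. `raw_config` and `templated_config` now parse config.yaml twice, and the reason for keeping the un-templated copy is only discoverable from locals_management_groups.tf; a one-line comment on `raw_config`, e.g. `# raw_config keeps the ${...} tokens so management-group ids can be resolved per layer` (presumably the intent), would save the next reader that trip.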
+++ b/templates/complete_vnext/locals_management_groups.tf @@ -0,0 +1,21 @@ +locals { + management_groups_raw = local.raw_config.management_groups + + management_groups = { + for key, value in local.management_groups_raw : key => { + id = replace(value.id, "$${default_postfix}", local.base_config_replacements.default_postfix) + parent_id = replace(replace(value.parent_id, "$${default_postfix}", local.base_config_replacements.default_postfix), "$${tenant_root_management_group_id}", local.base_config_replacements.tenant_root_management_group_id) + base_archetype = value.base_archetype + } + } + + management_groups_templated = local.templated_config.management_groups + + management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent_id == "$${tenant_root_management_group_id}" } + management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_1)[*].id, v.parent_id) } + management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_2)[*].id, v.parent_id) } + management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_3)[*].id, v.parent_id) } + management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_4)[*].id, v.parent_id) } + management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_5)[*].id, v.parent_id) } + management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_6)[*].id, v.parent_id) } +} diff --git a/templates/complete_vnext/management_groups.tf b/templates/complete_vnext/management_groups.tf index 72487099..001748ac 100644 --- a/templates/complete_vnext/management_groups.tf +++ b/templates/complete_vnext/management_groups.tf 
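Review bot: `management_groups_layer_1` matches `v.parent_id == "$${tenant_root_management_group_id}"`, but `v` comes from `local.management_groups`, whose `parent_id` has already had that token replaced by `local.base_config_replacements.tenant_root_management_group_id` a few lines above; unless the replacement value happens to equal the literal token, layer 1 is empty and therefore every derived layer is too. Compare against the substituted value instead, `management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent_id == local.base_config_replacements.tenant_root_management_group_id }`, or filter on `local.management_groups_raw` before substitution. Note also that only the `default_postfix` and root tokens are substituted here, so any other `${...}` token used in an `id` or `parent_id` would reach Azure literally, and `management_groups` drops every attribute except `id`, `parent_id` and `base_archetype`, which is why the modules have to reach into `management_groups_templated` for the rest.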
@@ -3,12 +3,12 @@ module "management_groups_layer_1" { version = "~> 0.4.1" for_each = local.management_groups_layer_1 id = each.value.id - display_name = try(each.value.display_name, each.value.id) + display_name = try(local.management_groups_templated[each.key].display_name, each.value.id) parent_id = each.value.parent_id base_archetype = each.value.base_archetype default_location = var.default_location - default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - subscription_ids = try(each.value.subscription_ids, []) + #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, []) } module "management_groups_layer_2" { @@ -16,12 +16,12 @@ module "management_groups_layer_2" { version = "~> 0.4.1" for_each = local.management_groups_layer_2 id = each.value.id - display_name = try(each.value.display_name, each.value.id) + display_name = try(local.management_groups_templated[each.key].display_name, each.value.id) parent_id = each.value.parent_id base_archetype = each.value.base_archetype default_location = var.default_location - default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - subscription_ids = try(each.value.subscription_ids, []) + #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, []) depends_on = [module.management_groups_layer_1] } 
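Review bot: `default_log_analytics_workspace_id` is commented out in all seven layer modules (this hunk and the layers 2–7 hunks below) with no explanation, so the management groups no longer receive the workspace created by `module.management_resources`, and whatever the archetype policies derive from that default will change with it. If this is a deliberate interim step, say so on the line, e.g. `# TODO(review): default workspace disabled while <reason>; re-enable before release`; otherwise restore the input. The new `try(local.management_groups_templated[each.key].display_name, each.value.id)` and `subscription_ids` lookups also fall back silently when `each.key` is absent from the templated map, so a key mismatch between the two parses of config.yaml would go unnoticed.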
@@ -30,12 +30,12 @@ module "management_groups_layer_3" { version = "~> 0.4.1" for_each = local.management_groups_layer_3 id = each.value.id - display_name = try(each.value.display_name, each.value.id) + display_name = try(local.management_groups_templated[each.key].display_name, each.value.id) parent_id = each.value.parent_id base_archetype = each.value.base_archetype default_location = var.default_location - default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - subscription_ids = try(each.value.subscription_ids, []) + #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, []) depends_on = [module.management_groups_layer_2] } @@ -44,12 +44,12 @@ module "management_groups_layer_4" { version = "~> 0.4.1" for_each = local.management_groups_layer_4 id = each.value.id - display_name = try(each.value.display_name, each.value.id) + display_name = try(local.management_groups_templated[each.key].display_name, each.value.id) parent_id = each.value.parent_id base_archetype = each.value.base_archetype default_location = var.default_location - default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - subscription_ids = try(each.value.subscription_ids, []) + #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, []) depends_on = [module.management_groups_layer_3] } 
@@ -58,12 +58,12 @@ module "management_groups_layer_5" { version = "~> 0.4.1" for_each = local.management_groups_layer_5 id = each.value.id - display_name = try(each.value.display_name, each.value.id) + display_name = try(local.management_groups_templated[each.key].display_name, each.value.id) parent_id = each.value.parent_id base_archetype = each.value.base_archetype default_location = var.default_location - default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - subscription_ids = try(each.value.subscription_ids, []) + #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, []) depends_on = [module.management_groups_layer_4] } @@ -72,12 +72,12 @@ module "management_groups_layer_6" { version = "~> 0.4.1" for_each = local.management_groups_layer_6 id = each.value.id - display_name = try(each.value.display_name, each.value.id) + display_name = try(local.management_groups_templated[each.key].display_name, each.value.id) parent_id = each.value.parent_id base_archetype = each.value.base_archetype default_location = var.default_location - default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id - subscription_ids = try(each.value.subscription_ids, []) + #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id + subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, []) depends_on = [module.management_groups_layer_5] } 
@@ -86,11 +86,11 @@ module "management_groups_layer_7" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_7
 id = each.value.id
- display_name = try(each.value.display_name, each.value.id)
+ display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
 parent_id = each.value.parent_id
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(each.value.subscription_ids, [])
+ #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
 depends_on = [module.management_groups_layer_6]
 }
From d40805c8ae2cc811890ede4f4a1ad4d23bebfd36 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 11 Dec 2023 13:04:02 +0000 Subject: [PATCH 11/12] Fixes and improvements --- templates/complete_vnext/config.yaml | 51 ++++++++------- templates/complete_vnext/locals.tf | 23 ++----- .../locals_management_groups.tf | 38 ++++++------ templates/complete_vnext/management_groups.tf | 62 +++++++++---------- templates/complete_vnext/variables.tf | 4 +- 5 files changed, 83 insertions(+), 95 deletions(-)
diff --git a/templates/complete_vnext/config.yaml b/templates/complete_vnext/config.yaml
index db939917..6b5c657d 100644
--- a/templates/complete_vnext/config.yaml
+++ b/templates/complete_vnext/config.yaml
@@ -2,7 +2,7 @@ # Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use: # `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency. # `default_location`: This is an Azure location sourced from the `default_location` variable. This can be used to set the location of resources. -# `tenant_root_management_group_id`: This is ID of the top level managemrnt group that you will build your hierarchy under. This is primarily used to set the root management group `parent_id`. +# `root_management_group_id`: This is ID of the top level managemrnt group that you will build your hierarchy under. This is primarily used to set the root management group `parent`. # `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`. # `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`. # `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`. 
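Review bot: The rewritten comment line keeps the pre-existing typo `managemrnt` and still does not say what happens when the variable is left blank, which the variables.tf hunk in this same commit documents (the tenant id is used). Suggested wording: `# root_management_group_id: the ID of the top-level management group to build the hierarchy under; the tenant ID is used when the variable is left blank. Primarily used to set the root management group parent.`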
@@ -14,57 +14,62 @@ management: resource_group_name: rg-management-${default_postfix} management_groups: - root: - id: root-${default_postfix} - display_name: root - parent_id: ${tenant_root_management_group_id} - base_archetype: root - landing_zones: + root: # `key`: the unique identifier for the management group within the Terraform Module this is used in the `parent` field to build the hierarchy + id: root-${default_postfix} # `id`: the id the management group will be created with in Azure + display_name: Intermediate Root # `display_name`: the name the management group will be created with in Azure + parent: ${root_management_group_id} # `parent`: for the root management group this should be the id of the tenant root management group or your chosen root management group + base_archetype: root # `archetype`: the archetype to use for this management group + landing-zones: id: landing-zones-${default_postfix} - display_name: landing-zones - parent_id: root-${default_postfix} + display_name: Landing Zones + parent: root # Note that `parent` refers to the `key` of it's parent as opposed to the `id` which can be different base_archetype: landing_zones platform: id: platform-${default_postfix} - display_name: platform - parent_id: root-${default_postfix} + display_name: Platform + parent: root base_archetype: platform identity: id: identity-${default_postfix} - display_name: identity - parent_id: platform-${default_postfix} + display_name: Identity + parent: platform base_archetype: identity subscriptions: - ${subscription_id_identity} connectivity: id: connectivity-${default_postfix} - display_name: connectivity - parent_id: platform-${default_postfix} + display_name: Connectivity + parent: platform base_archetype: connectivity subscriptions: - ${subscription_id_connectivity} management: id: management-${default_postfix} - display_name: management - parent_id: landing-zones-${default_postfix} + display_name: Management + parent: platform base_archetype: management 
subscriptions: - ${subscription_id_management} corp: id: corp-${default_postfix} - display_name: corp - parent_id: landing-zones-${default_postfix} + display_name: Corp + parent: landing-zones base_archetype: corp online: id: online-${default_postfix} - display_name: online - parent_id: landing-zones-${default_postfix} + display_name: Online + parent: landing-zones base_archetype: online sandboxes: id: sandboxes-${default_postfix} - display_name: sandboxes - parent_id: root-${default_postfix} + display_name: Sandboxes + parent: root base_archetype: sandboxes + decommissioned: + id: decommissioned-${default_postfix} + display_name: Decommissioned + parent: root + base_archetype: decommissioned connectivity: hub_networking: # `hubnetworking` module, add inputs as listed on the module registry where necessary. diff --git a/templates/complete_vnext/locals.tf b/templates/complete_vnext/locals.tf index 455f907c..6104844c 100644 --- a/templates/complete_vnext/locals.tf +++ b/templates/complete_vnext/locals.tf 
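Review bot: The inline comments added on the `root` entry serve as the key reference for every management group in this file, but one of them names a key that does not exist: the comment says `archetype` while the field is `base_archetype`; change it to `# base_archetype: the archetype to use for this management group`. The `landing-zones` comment also has `it's` where `its` is meant. Re-parenting `management` from `landing-zones` to `platform` changes which inherited policies the management subscription receives, so it is worth stating in the commit message; whether an existing deployment moves or recreates that group on the parent change depends on the module and is not visible here.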
@@ -1,20 +1,19 @@
 locals {
- tenant_root_management_group_id = var.tenant_root_management_group_id == "" ? data.azurerm_client_config.current.tenant_id : var.tenant_root_management_group_id
+ root_management_group_id = var.root_management_group_id == "" ? data.azurerm_client_config.current.tenant_id : var.root_management_group_id
 base_config_replacements = {
 default_location = var.default_location
 default_postfix = var.default_postfix
- tenant_root_management_group_id = local.tenant_root_management_group_id
+ root_management_group_id = local.root_management_group_id
 subscription_id_connectivity = var.subscription_id_connectivity
 subscription_id_identity = var.subscription_id_identity
 subscription_id_management = var.subscription_id_management
 }
- raw_config = yamldecode(file("${path.module}/config.yaml"))
- templated_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements))
+ initial_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements))
- management = local.templated_config.management
- connectivity = local.templated_config.connectivity
+ management = local.initial_config.management
+ connectivity = local.initial_config.connectivity
 hub_virtual_networks = {
 for k, v in local.connectivity.hub_networking.hub_virtual_networks : k => {
@@ -32,15 +31,3 @@ locals {
 )
 }
 }
-
-output "test" {
- value = {
- management_groups_layer_1 = local.management_groups_layer_1
- management_groups_layer_2 = local.management_groups_layer_2
- management_groups_layer_3 = local.management_groups_layer_3
- management_groups_layer_4 = local.management_groups_layer_4
- management_groups_layer_5 = local.management_groups_layer_5
- management_groups_layer_6 = local.management_groups_layer_6
- management_groups_layer_7 = local.management_groups_layer_7
- }
-}
diff --git a/templates/complete_vnext/locals_management_groups.tf b/templates/complete_vnext/locals_management_groups.tf
index 7e0bbafa..423331f9 100644
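Review bot: `templatefile` substitutes `default_postfix`, `default_location` and the subscription ids into config.yaml as bare YAML scalars, so a value containing YAML-significant characters (`#`, `:`, a leading `-`) silently changes the structure that `yamldecode` returns in `initial_config` instead of failing. A `validation` block on `default_postfix`, for example `condition = can(regex("^[a-zA-Z0-9-]+$", var.default_postfix))` with an error message naming the allowed characters, or quoting the templated scalars inside config.yaml, makes malformed input a plan-time error. Now that `raw_config` is gone every consumer sees the templated file, so any literal `${` that must survive in config.yaml has to be written `$${`; a comment on `initial_config` stating that would save the next editor a confusing error.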
--- a/templates/complete_vnext/locals_management_groups.tf
+++ b/templates/complete_vnext/locals_management_groups.tf
@@ -1,21 +1,23 @@
-locals {
- management_groups_raw = local.raw_config.management_groups
+locals {
+ management_groups = local.initial_config.management_groups
- management_groups = {
- for key, value in local.management_groups_raw : key => {
- id = replace(value.id, "$${default_postfix}", local.base_config_replacements.default_postfix)
- parent_id = replace(replace(value.parent_id, "$${default_postfix}", local.base_config_replacements.default_postfix), "$${tenant_root_management_group_id}", local.base_config_replacements.tenant_root_management_group_id)
- base_archetype = value.base_archetype
- }
- }
-
- management_groups_templated = local.templated_config.management_groups
+ management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent == local.root_management_group_id }
+ management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_1), v.parent) }
+ management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_2), v.parent) }
+ management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_3), v.parent) }
+ management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_4), v.parent) }
+ management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_5), v.parent) }
+ management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_6), v.parent) }
+}
- management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent_id == "$${tenant_root_management_group_id}" }
- management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_1)[*].id, v.parent_id) }
- management_groups_layer_3 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_2)[*].id, v.parent_id) }
- management_groups_layer_4 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_3)[*].id, v.parent_id) }
- management_groups_layer_5 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_4)[*].id, v.parent_id) }
- management_groups_layer_6 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_5)[*].id, v.parent_id) }
- management_groups_layer_7 = { for k, v in local.management_groups : k => v if contains(values(local.management_groups_layer_6)[*].id, v.parent_id) }
+output "test" {
+ value = {
+ management_groups_layer_1 = local.management_groups_layer_1
+ management_groups_layer_2 = local.management_groups_layer_2
+ management_groups_layer_3 = local.management_groups_layer_3
+ management_groups_layer_4 = local.management_groups_layer_4
+ management_groups_layer_5 = local.management_groups_layer_5
+ management_groups_layer_6 = local.management_groups_layer_6
+ management_groups_layer_7 = local.management_groups_layer_7
+ }
 }
diff --git a/templates/complete_vnext/management_groups.tf b/templates/complete_vnext/management_groups.tf
index 001748ac..9e2a046e 100644
--- a/templates/complete_vnext/management_groups.tf
+++ b/templates/complete_vnext/management_groups.tf
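Review bot: A management group whose `parent` is not a key of the layer above it (a typo, or a hierarchy nested deeper than seven levels) matches none of the new `management_groups_layer_N` filters and is silently left out of the plan, so the group and whatever its archetype would assign are never created and nothing reports it. A check that every key of `local.management_groups` lands in some layer turns that into a plan-time error; a sketch follows, using a `check` block that needs Terraform 1.5 or later, which I cannot confirm from the visible version constraint — on an older pin the same condition can live in a resource `precondition`. The `output "test"` that this hunk moves in from locals.tf publishes the entire computed hierarchy under a debug name; if it is meant to stay, give it a real name and a `description`, otherwise remove it before the template ships.
```hcl
# … unchanged: locals block with management_groups and management_groups_layer_1..7 …

locals {
  management_groups_placed = merge(
    local.management_groups_layer_1, local.management_groups_layer_2, local.management_groups_layer_3,
    local.management_groups_layer_4, local.management_groups_layer_5, local.management_groups_layer_6,
    local.management_groups_layer_7,
  )
  management_groups_unplaced = setsubtract(keys(local.management_groups), keys(local.management_groups_placed))
}

# Requires Terraform >= 1.5; on an older pin move the condition into a resource precondition.
check "management_group_hierarchy" {
  assert {
    condition     = length(local.management_groups_unplaced) == 0
    error_message = "Management groups with an unknown parent key or nested deeper than 7 levels: ${join(", ", local.management_groups_unplaced)}"
  }
}
```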
@@ -3,12 +3,12 @@ module "management_groups_layer_1" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_1
 id = each.value.id
- display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
- parent_id = each.value.parent_id
+ display_name = try(each.value.display_name, each.value.id)
+ parent_id = each.value.parent
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
+ default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(each.value.subscriptions, [])
 }
 module "management_groups_layer_2" {
@@ -16,13 +16,12 @@ module "management_groups_layer_2" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_2
 id = each.value.id
- display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
- parent_id = each.value.parent_id
+ display_name = try(each.value.display_name, each.value.id)
+ parent_id = module.management_groups_layer_1[each.value.parent].management_group_name
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
- depends_on = [module.management_groups_layer_1]
+ default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(each.value.subscriptions, [])
 }
 module "management_groups_layer_3" {
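Review bot: `subscription_ids = try(each.value.subscriptions, [])` in the layer_1 hunk (and identically in the layer_2 hunk here and the layer_3–7 hunks on the following lines) treats a misspelt key in config.yaml — `subscription:` instead of `subscriptions:` — exactly like "no subscriptions", so a subscription the author meant to place under that group stays outside its policy scope and the plan shows nothing wrong. A plan-time guard that rejects unknown keys closes that gap, e.g. a `check` asserting for every `v` in `local.management_groups` that `length(setsubtract(keys(v), ["id", "display_name", "parent", "base_archetype", "subscriptions"])) == 0`, with the offending key in the error message. Replacing `depends_on` with the `module.management_groups_layer_N[each.value.parent].management_group_name` reference is the right direction, since an unknown `parent` key within a populated layer now fails at plan time instead of relying on ordering. Each module block's opening line precedes its hunk.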
@@ -30,13 +29,12 @@ module "management_groups_layer_3" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_3
 id = each.value.id
- display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
- parent_id = each.value.parent_id
+ display_name = try(each.value.display_name, each.value.id)
+ parent_id = module.management_groups_layer_2[each.value.parent].management_group_name
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
- depends_on = [module.management_groups_layer_2]
+ default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(each.value.subscriptions, [])
 }
 module "management_groups_layer_4" {
@@ -44,13 +42,12 @@ module "management_groups_layer_4" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_4
 id = each.value.id
- display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
- parent_id = each.value.parent_id
+ display_name = try(each.value.display_name, each.value.id)
+ parent_id = module.management_groups_layer_3[each.value.parent].management_group_name
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
- depends_on = [module.management_groups_layer_3]
+ default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(each.value.subscriptions, [])
 }
 module "management_groups_layer_5" {
@@ -58,13 +55,12 @@ module "management_groups_layer_5" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_5
 id = each.value.id
- display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
- parent_id = each.value.parent_id
+ display_name = try(each.value.display_name, each.value.id)
+ parent_id = module.management_groups_layer_4[each.value.parent].management_group_name
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
- depends_on = [module.management_groups_layer_4]
+ default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(each.value.subscriptions, [])
 }
 module "management_groups_layer_6" {
@@ -72,13 +68,12 @@ module "management_groups_layer_6" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_6
 id = each.value.id
- display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
- parent_id = each.value.parent_id
+ display_name = try(each.value.display_name, each.value.id)
+ parent_id = module.management_groups_layer_5[each.value.parent].management_group_name
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
- depends_on = [module.management_groups_layer_5]
+ default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(each.value.subscriptions, [])
 }
 module "management_groups_layer_7" {
@@ -86,11 +81,10 @@ module "management_groups_layer_7" {
 version = "~> 0.4.1"
 for_each = local.management_groups_layer_7
 id = each.value.id
- display_name = try(local.management_groups_templated[each.key].display_name, each.value.id)
- parent_id = each.value.parent_id
+ display_name = try(each.value.display_name, each.value.id)
+ parent_id = module.management_groups_layer_6[each.value.parent].management_group_name
 base_archetype = each.value.base_archetype
 default_location = var.default_location
- #default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
- subscription_ids = try(local.management_groups_templated[each.key].subscription_ids, [])
- depends_on = [module.management_groups_layer_6]
+ default_log_analytics_workspace_id = module.management_resources.log_analytics_workspace.id
+ subscription_ids = try(each.value.subscriptions, [])
 }
diff --git a/templates/complete_vnext/variables.tf b/templates/complete_vnext/variables.tf
index 5bb91cbe..44d09aca 100644
--- a/templates/complete_vnext/variables.tf
+++ b/templates/complete_vnext/variables.tf
@@ -9,8 +9,8 @@ variable "default_postfix" {
 default = "landing-zone"
 }
-variable "tenant_root_management_group_id" {
- description = "The identifier of the Tenant Root Management Group. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_name"
+variable "root_management_group_id" {
+ description = "The identifier of the Tenant Root Management Group, if left blank will use the tenant id. (e.g '00000000-0000-0000-0000-000000000000')|3|azure_name"
 type = string
 default = ""
 }
From bcb0c14a15eafdcf403ae642da7a5e5c959feca4 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 11 Dec 2023 14:20:12 +0000 Subject: [PATCH 12/12] Fix linting --- templates/complete_vnext/locals.tf | 14 +++++++------- .../complete_vnext/locals_management_groups.tf | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/templates/complete_vnext/locals.tf b/templates/complete_vnext/locals.tf
index 6104844c..bb4468d2 100644
--- a/templates/complete_vnext/locals.tf
+++ b/templates/complete_vnext/locals.tf
@@ -2,17 +2,17 @@ locals {
 root_management_group_id = var.root_management_group_id == "" ? data.azurerm_client_config.current.tenant_id : var.root_management_group_id
 base_config_replacements = {
- default_location = var.default_location
- default_postfix = var.default_postfix
- root_management_group_id = local.root_management_group_id
- subscription_id_connectivity = var.subscription_id_connectivity
- subscription_id_identity = var.subscription_id_identity
- subscription_id_management = var.subscription_id_management
+ default_location = var.default_location
+ default_postfix = var.default_postfix
+ root_management_group_id = local.root_management_group_id
+ subscription_id_connectivity = var.subscription_id_connectivity
+ subscription_id_identity = var.subscription_id_identity
+ subscription_id_management = var.subscription_id_management
 }
 initial_config = yamldecode(templatefile("${path.module}/config.yaml", local.base_config_replacements))
- management = local.initial_config.management
+ management = local.initial_config.management
 connectivity = local.initial_config.connectivity
 hub_virtual_networks = {
diff --git a/templates/complete_vnext/locals_management_groups.tf b/templates/complete_vnext/locals_management_groups.tf
index 423331f9..02353859 100644
--- a/templates/complete_vnext/locals_management_groups.tf
+++ b/templates/complete_vnext/locals_management_groups.tf
@@ -1,5 +1,5 @@
 locals {
- management_groups = local.initial_config.management_groups
+ management_groups = local.initial_config.management_groups
 management_groups_layer_1 = { for k, v in local.management_groups : k => v if v.parent == local.root_management_group_id }
 management_groups_layer_2 = { for k, v in local.management_groups : k => v if contains(keys(local.management_groups_layer_1), v.parent) }