aztfmod / terraform-azurerm-caf

Terraform supermodule for the Terraform platform engineering for Azure

Home Page: http://aka.ms/caf/terraform

License: MIT License

HCL 97.27% Shell 1.44% Smarty 1.23% TSQL 0.06%
azure terraform


terraform-azurerm-caf's Issues

Add module for Express_Route

Create module for express_route_circuit.

  • Express Route Circuit
  • Express Route Circuit Peering
  • Express Route Circuit Gateway
  • Express Route Circuit Authorization

Epic - Shared services

Initial support for shared services:

  • Azure Site Recovery Services - ASR: Vault, Policies
  • Azure Site Recovery Services - Backup: Vault, Policies
  • Azure Automation

Epic - Networking - Virtual Wan

Virtual hubs

  • enable Express Route Gateway
  • point to site vpn gateway
  • site to site vpn gateway
  • express route circuit
  • vhub routes and route tables
  • vhub ip
  • virtual hub connections
  • virtual hub connections - routing
  • virtual hub connections - propagated route table
  • virtual hub connections - static vnet route

Experimental - Feature flag

Feature flags have been introduced to provide additional modularity during the deployment of a landing zone or a solution.
Instead of removing from the configuration file the services you do not want to deploy, you can keep the configuration unchanged and use the feature flag attribute to disable the deployment. The scenarios we are targeting are CI and demo environments.

The initial implementation targets the bastion hosts and the virtual machines.
The upcoming version of the caf_landingzone scenario 200 will implement it.

enable = {
  bastion_hosts    = false
  virtual_machines = false
}

Tell us what you think and whether it is something to extend further.

Keyvault timeout

To increase the Keyvault delete timeout to 60 minutes.

Ref : https://github.com/aztfmod/terraform-azurerm-caf/runs/1440175347?check_suite_focus=true

["logged_in_aad_app"].azurerm_key_vault_access_policy.policy: Still destroying... [id=/subscriptions/a062cd59-71e9-4dae-92b3-...d/b792cc3c-b21f-4dd0-9d12-8f9aaa824ac5, 30m0s elapsed]

Error: Error updating Access Policy (Object ID "b792cc3c-b21f-4dd0-9d12-8f9aaa824ac5" / Application ID "") for Key Vault "ppnk-kv-secrets" (Resource Group "ppnk-rg-databricks-re1"): keyvault.VaultsClient#UpdateAccessPolicy: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded

Error: failed waiting for Key Vault Access Policy (Object ID: "b792cc3c-b21f-4dd0-9d12-8f9aaa824ac5") to apply: timeout while waiting for state to become 'notfound' (last state: 'found', timeout: 30m0s)

Releasing state lock. This may take a few moments...
Error on or near line 543; exiting with status 1

Epic - Compute Windows/Linux Virtual Machine features

Linux Virtual Machine

  • Add support to create a VM from image reference
  • Add support to create a VM from image gallery [#463]
  • Add support to assign a System Managed Identity
  • Add support to assign one or multiple User Managed Identities
  • Add support to assign one or multiple User Managed Identities recreated in a different tfstate
  • Add support to create and attach one or multiple NICs. NICs can connect to a local or remote vnet/subnet
  • Generate ssh public / private keys if not specified and store them in a keyvault secret
  • Add support for boot diagnostics
  • Add support for dedicated host
  • Add support for availability set [#143]
  • Add support for proximity placement group [#145]
  • Add support for vm scale set [#348]
  • Add support for ultra SSD
  • Insert multiple certificates from keyvault
  • Insert public key for Linux virtual machine from AKV
  • Insert password for Windows virtual machine from AKV
  • Support for VM backup configuration [#128]
  • Support for VM extension setup [#131]
  • Attach multiple data disks
  • Add write acceleration to os disk
  • Add support for VM remote configuration (Ansible, remote execution, etc.) [#439]

Epic: Hashicorp Terraform Cloud Support

Support for Terraform Cloud/Enterprise:

Launchpad - support an add-on

  • Capability of bootstrapping the TFE/TFC environment
  • Using an existing TFE/TFC environment given parameters
  • Create the workspace for the landing zones execution

Core

  • Manage landing zone service composition across levels transparently of the underlying backend (minimal code rewrite, feature flag to switch from azurerm, TFE, TFC, migration path would be nice)

Initial implementation: https://github.com/Azure/caf-terraform-landingzones/tree/0.4-tfc

Epic - Application Gateway

azurerm_application_gateway

  • create one or multiple agw (create, update)
  • example (subnet prereq: service delegation, NSG, Routes)
  • Add diagnostics settings
  • Set the TLS protocol version
  • Set the SSL policy name
  • Add authentication certificates
  • Add trusted root certificates
  • Add WAF configuration
  • Add Auto scale configuration
  • Add Custom error configuration

applications

  • create one or multiple applications to expose in the agw
  • expose the application through multiple listeners (private and or public)
  • Integrate with Keyvault self-signed certificate for HTTPS
  • Integrate with Keyvault existing certificate from file
  • Integrate with Keyvault existing certificate from Keyvault secret (certificate base64 in secret's value)
  • Integrate with Keyvault and external certificate provider
  • Add custom probes
  • Add URL path map
  • Add Rewrite rule set

Authenticating Packer client using Managed Identity

The current Shared Image Gallery code (#140) lets Packer authenticate through an Azure AD Service Principal. Would like to add the option of using Managed Identity as well.

To include:

  • a VM
  • Assign a Managed Identity to the VM
  • Bootstrap Ansible and Packer installation
  • Pushing the Packer config file through remote-exec
  • Execute Packer command through remote-exec
  • (Optionally) delete the VM post Image creation

Ref: https://www.packer.io/docs/builders/azure#azure-managed-identity

Azure Bastion time out

Azure Bastion can take more than 30 minutes to provision, propose to extend the bastion timeout to 60 minutes?

As per: https://github.com/Azure/caf-terraform-landingzones/runs/1437552575?check_suite_focus=true

module.networking.azurerm_bastion_host.host["bastion_hub_rg2"]: Still creating... [29m30s elapsed]
module.networking.azurerm_bastion_host.host["bastion_hub_rg2"]: Still creating... [29m40s elapsed]
module.networking.azurerm_bastion_host.host["bastion_hub_rg2"]: Still creating... [29m50s elapsed]
Releasing state lock. This may take a few moments...
Terraform apply return code: 0
Terraform returned errors:
Error on or near line 470: Error running terraform apply; exiting with status 2001

Error: Error waiting for creation/update of Bastion Host "g376885469-bast-bastion-rg2-brotq" (Resource Group "g376885469-rg-vnet-hub-rg2-kykaf"): Future#WaitForCompletion: context has been cancelled: StatusCode=200 -- Original Error: context deadline exceeded

  on /home/vscode/.terraform.cache/modules/networking/bastion_service.tf line 18, in resource "azurerm_bastion_host" "host":
  18: resource "azurerm_bastion_host" "host" {

Epic - Networking features addition

Adding networking features:

Virtual WAN

  • Add support for Virtual WAN and Virtual Hubs
  • Add support for Virtual WAN and Virtual Hubs Firewall Manager
  • Add support for Virtual WAN and Virtual Hubs routes
  • P2S: Add support for additional AuthN methods
  • P2S : Add support for certificate generation and storage in AKV
  • Add support for Virtual Hubs peering with Azure Virtual Networks
  • Add example for hub spoke model using Virtual WAN and Vnets

Filtering

  • Add support for Azure Firewall NAT rule collection
  • Add support for DDoS Standard
  • Add support for Network Watcher & Traffic Analytics

Core

Epic - SQL Managed Instance

mssql_mi

  • sqlmi module based on arm deployment (create, update)
  • example (subnet prereq: service delegation, NSG, Routes)
  • destroy part (sqlmi, Virtual Cluster)
  • Administrators
  • Failover Groups
  • Encryption Protector & Keys #204
  • Restorable Dropped Databases
  • Security Alert Policies
  • Vulnerability Assessments
  • Instance Pool
  • Server Trust Groups
  • Restore MI from another MI backup

managed db

  • managed database (brand new db: Default)
  • managed database (PointInTimeRestore)
  • managed database (RestoreExternalBackup)
  • managed database (Recovery)
  • managed database (RestoreLongTermRetentionBackup) #184
  • Backup Short Term Retention Policies
  • Backup Long Term Retention Policies #184
  • Security Alert Policies
  • Vulnerability Assessments

Permission error deploying launchpad scenario 100

I'm the owner of an AIRS subscription.

rover -lz /tf/caf/public/landingzones/caf_launchpad -launchpad -var-file /tf/caf/public/landingzones/caf_launchpad/scenario/100/configuration.tfvars -a apply


Error: Error checking for existence of existing Container "tfstate" (Account "zjzustlevel0yodgp" / Resource Group "zjzu-rg-launchpad-tfstates-yodgp"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:0fbfd5ee-701e-006f-26f7-8c9f48000000\nTime:2020-09-17T13:34:47.5133915Z"

  on ../../modules/storage_account/container/container.tf line 1, in resource "azurerm_storage_container" "stg":
   1: resource "azurerm_storage_container" "stg" {

Unable to deploy Virtual WAN without Azure Firewall

When you try to deploy the networking scenario (Azure Virtual WAN) with Azure Firewall not enabled, the deployment fails with the following configuration:

    hubs = {
      hub_re1 = {
        hub_name                    = "hub-re1"
        region                      = "region1"
        hub_address_prefix          = "10.0.3.0/24"
        deploy_firewall             = false
        firewall_name               = "hub-fw-re1"
        firewall_resource_group_key = "hub_re1"
        deploy_p2s                  = false
        p2s_config = {
          name       = "caf-sea-vpn-p2s" 
...

It gives you the following error:

Error: Invalid index

  on /home/vscode/.terraform.cache/modules/networking/modules/networking/virtual_wan/virtual_hub/azure_firewall.tf line 35, in resource "null_resource" "arm_template_vhub_firewall":
  35:     resource_id = lookup(azurerm_template_deployment.arm_template_vhub_firewall.0.outputs, "resourceID")
    |----------------
    | azurerm_template_deployment.arm_template_vhub_firewall is empty tuple

The given key does not identify an element in this collection value.

Error on or near line 446: Error running terraform plan; exiting with status 2000

Feature - VM proximity placement group

Add support for azurerm_proximity_placement_group

  • Creation of the azurerm_proximity_placement_group
  • Add the optional azurerm_proximity_placement_group for Windows and Linux Virtual Machines

Feature - Enable VM backup

Add the capability to link a VM to a backup vault and policy:

virtual_machines = {
  vm_example = {
    resource_group_key                   = "vm_region1"
    provision_vm_agent                   = true
    boot_diagnostics_storage_account_key = "bootdiag_region1"
    backup_policy_key                    = "prod_daily"
    site_recovery_vault_key              = "corp_asr"
    shared_services_lz                   = "shared_services" # optional, should use the default L2 "shared services"
    ...
  }
}

Epic - Onboarding materials

Videos

  • Setup dev environment
  • Identity bootstrap
  • Zoom: launchpad light
  • Zoom: launchpad standard
  • Zoom: networking
  • Zoom: foundations
  • Development 101

Guidance

  • Setup dev environment (local and VScode)
  • Identity bootstrap
  • Deployment guide
  • Customisation guide
  • Development guide

Feature - VM availability set

Add support for availability set:

  • Creation of the availability set
  • Add the optional availability_set_id for Windows and Linux Virtual Machines

Add support for Shared Image Gallery module

Would like to add the Shared Image Gallery components to the codebase; it would fall under the Shared Services Landing Zone.

The module will include the options to create:

  • Shared Image Gallery
  • Image Definition
  • Image version
  • Source Image to be chosen either from Custom Image or Marketplace, dynamically
  • Optionally use Packer to create Custom Image
