diff --git a/.github/linters/.tflint.hcl b/.github/linters/.tflint.hcl
index 81fc8b6b4..26907fcae 100644
--- a/.github/linters/.tflint.hcl
+++ b/.github/linters/.tflint.hcl
@@ -1,11 +1,11 @@
 config {
- module = true
- plugin_dir = "/root/.tflint.d/plugins"
+ call_module_type = "all"
 }
-# The following plugin adds rules specific to the azurerm provider
 plugin "azurerm" {
- enabled = true
+ enabled = true
+ version = "0.26.0"
+ source = "github.com/terraform-linters/tflint-ruleset-azurerm"
 }
 # The following section determines which rules which will be enabled
diff --git a/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 b/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
index eab8e87f1..11f3cf280 100644
--- a/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
+++ b/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
@@ -11,7 +11,7 @@ param (
 [Parameter()][String]$TargetPath = "$PWD/terraform-azurerm-caf-enterprise-scale",
 [Parameter()][String]$SourcePath = "$PWD/enterprise-scale",
 [Parameter()][String]$LineEnding = "unix",
- [Parameter()][String]$ParserToolUrl = "https://github.com/jaredfholgate/template-parser/releases/download/0.1.18"
+ [Parameter()][String]$ParserToolUrl = "https://github.com/Azure/arm-template-parser/releases/download/0.2.2"
 )
 $ErrorActionPreference = "Stop"
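Review bot: The parser binary referenced by `$ParserToolUrl` is fetched and executed with no integrity check — the deleted sibling script shows the pattern (`Invoke-WebRequest "$ParserToolUrl/$parserExe" -OutFile $parser`, `chmod +x`, then `& $parser`), and this script's download logic sits outside the hunk so I cannot confirm it differs. A release tag is not immutable, so a moved tag or a compromised release silently changes the code that runs inside the workflow that later opens pull requests against this repository. Pin the artifact by digest: add `[Parameter()][String]$ParserToolSha256 = "<sha256 of the 0.2.2 binary>"` beside `$ParserToolUrl` and, after the download, stop unless `(Get-FileHash $parser -Algorithm SHA256).Hash -eq $ParserToolSha256`. The `param (` block begins before the hunk.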
@@ -88,32 +88,174 @@ $managementGroupMapping = @{ "platform" = "platform" } -$finalPolicyAssignments = New-Object 'System.Collections.Generic.Dictionary[string,System.Collections.Generic.List[string]]' +$logAnalyticsWorkspaceIdPlaceholder = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/`${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/`${root_scope_id}-la" -$policyAssignmentSourcePath = "$SourcePath/eslzArm/managementGroupTemplates/policyAssignments" +$parameters = @{ + default = @{ + nonComplianceMessagePlaceholder = "{donotchange}" + logAnalyticsWorkspaceName = "`${root_scope_id}-la" + automationAccountName = "`${root_scope_id}-automation" + workspaceRegion = "`${default_location}" + automationRegion = "`${default_location}" + retentionInDays = "30" + rgName = "`${root_scope_id}-mgmt" + logAnalyticsResourceId = "$logAnalyticsWorkspaceIdPlaceholder" + topLevelManagementGroupPrefix = "`${temp}" + dnsZoneResourceGroupId = "`${private_dns_zone_prefix}" + ddosPlanResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/`${root_scope_id}-mgmt/providers/Microsoft.Network/ddosProtectionPlans/`${root_scope_id}-ddos" + emailContactAsc = "security_contact@replace_me" + location = "uksouth" + listOfResourceTypesDisallowedForDeletion = "[[[Array]]]" + userWorkspaceResourceId = "$logAnalyticsWorkspaceIdPlaceholder" + userAssignedIdentityResourceId = "`${user_assigned_managed_identity_resource_id}" + dcrResourceId = "`${azure_monitor_data_collection_rule_resource_id}" + dataCollectionRuleResourceId = "`${azure_monitor_data_collection_rule_resource_id}" + } + overrides = @{ + sql_data_collection_rule_overrides = @{ + policy_assignments = @( + "DINE-MDFCDefenderSQLAMAPolicyAssignment.json" + ) + parameters = @{ + dcrResourceId = "`${azure_monitor_data_collection_rule_sql_resource_id}" + dataCollectionRuleResourceId = "`${azure_monitor_data_collection_rule_sql_resource_id}" + } + } + 
vm_insights_data_collection_rule_overrides = @{ + policy_assignments = @( + "DINE-VMHybridMonitoringPolicyAssignment.json", + "DINE-VMMonitoringPolicyAssignment.json", + "DINE-VMSSMonitoringPolicyAssignment.json" + ) + parameters = @{ + dcrResourceId = "`${azure_monitor_data_collection_rule_vm_insights_resource_id}" + dataCollectionRuleResourceId = "`${azure_monitor_data_collection_rule_vm_insights_resource_id}" + } + } + change_tracking_data_collection_rule_overrides = @{ + policy_assignments = @( + "DINE-ChangeTrackingVMArcPolicyAssignment.json", + "DINE-ChangeTrackingVMPolicyAssignment.json", + "DINE-ChangeTrackingVMSSPolicyAssignment.json" + ) + parameters = @{ + dcrResourceId = "`${azure_monitor_data_collection_rule_change_tracking_resource_id}" + dataCollectionRuleResourceId = "`${azure_monitor_data_collection_rule_change_tracking_resource_id}" + } + } + } +} +$finalPolicyAssignments = New-Object 'System.Collections.Generic.Dictionary[string,System.Collections.Generic.List[string]]' +$policyAssignmentSourcePath = "$SourcePath/eslzArm/managementGroupTemplates/policyAssignments" +$policyAssignmentTargetPath = "$TargetPath/modules/archetypes/lib/policy_assignments" foreach($managementGroup in $policyAssignments.Keys) { + $managementGroupNameFinal = $managementGroupMapping[$managementGroup.Replace("defaults-", "")] + Write-Output "`nProcessing Archetype Policy Assignments for Management Group: $managementGroupNameFinal" + foreach($policyAssignmentFile in $policyAssignments[$managementGroup]) { - $parsedAssignment = & $parser "-s $policyAssignmentSourcePath/$policyAssignmentFile" | Out-String | ConvertFrom-Json - $policyAssignmentName = $parsedAssignment.name - - $managementGroupNameFinal = $managementGroupMapping[$managementGroup.Replace("defaults-", "")] + Write-Output "`nProcessing Archetype Policy Assignment: $managementGroupNameFinal - $policyAssignmentFile" - Write-Information "Got final data for $managementGroupNameFinal and $policyAssignmentName" 
-InformationAction Continue - - if(!($finalPolicyAssignments.ContainsKey($managementGroupNameFinal))) + $defaultParameters = $parameters.default + foreach($overrideKey in $parameters.overrides.Keys) { - $values = New-Object 'System.Collections.Generic.List[string]' - $values.Add($policyAssignmentName) - $finalPolicyAssignments.Add($managementGroupNameFinal, $values) + if($policyAssignmentFile -in $parameters.overrides[$overrideKey].policy_assignments) + { + foreach($parameter in $parameters.overrides[$overrideKey].parameters.Keys) + { + $defaultParameters.$parameter = $parameters.overrides[$overrideKey].parameters.$parameter + } + } } - else + + $defaultParameterFormatted = $defaultParameters.GetEnumerator().ForEach({ "-p $($_.Name)=$($_.Value)" }) + + $parsedAssignmentArray = & $parser "-s $policyAssignmentSourcePath/$policyAssignmentFile" $defaultParameterFormatted "-a" | Out-String | ConvertFrom-Json + + foreach($parsedAssignment in $parsedAssignmentArray) { - $finalPolicyAssignments[$managementGroupNameFinal].Add($policyAssignmentName) + if($parsedAssignment.type -ne "Microsoft.Authorization/policyAssignments") + { + continue + } + + $policyAssignmentName = $parsedAssignment.name + + Write-Output "Parsed Assignment Name: $($parsedAssignment.name)" + + if(!(Get-Member -InputObject $parsedAssignment.properties -Name "scope" -MemberType Properties)) + { + $parsedAssignment.properties | Add-Member -MemberType NoteProperty -Name "scope" -Value "`${current_scope_resource_id}" + } + + if(!(Get-Member -InputObject $parsedAssignment.properties -Name "notScopes" -MemberType Properties)) + { + $parsedAssignment.properties | Add-Member -MemberType NoteProperty -Name "notScopes" -Value @() + } + + if(!(Get-Member -InputObject $parsedAssignment.properties -Name "parameters" -MemberType Properties)) + { + $parsedAssignment.properties | Add-Member -MemberType NoteProperty -Name "parameters" -Value @{} + } + + if(!(Get-Member -InputObject $parsedAssignment -Name "location" 
-MemberType Properties)) + { + $parsedAssignment | Add-Member -MemberType NoteProperty -Name "location" -Value "`${default_location}" + } + + if(!(Get-Member -InputObject $parsedAssignment -Name "identity" -MemberType Properties)) + { + $parsedAssignment | Add-Member -MemberType NoteProperty -Name "identity" -Value @{ type = "None" } + } + + if($parsedAssignment.properties.policyDefinitionId.StartsWith("/providers/Microsoft.Management/managementGroups/`${temp}")) + { + $parsedAssignment.properties.policyDefinitionId = $parsedAssignment.properties.policyDefinitionId.Replace("/providers/Microsoft.Management/managementGroups/`${temp}", "`${root_scope_resource_id}") + } + + foreach($property in Get-Member -InputObject $parsedAssignment.properties.parameters -MemberType NoteProperty) + { + $propertyName = $property.Name + Write-Verbose "Checking Parameter: $propertyName" + if($parsedAssignment.properties.parameters.($propertyName).value.GetType() -ne [System.String]) + { + Write-Verbose "Skipping non-string parameter: $propertyName" + continue + } + + if($parsedAssignment.properties.parameters.($propertyName).value.StartsWith("`${private_dns_zone_prefix}/providers/Microsoft.Network/privateDnsZones/")) + { + $parsedAssignment.properties.parameters.($propertyName).value = $parsedAssignment.properties.parameters.($propertyName).value.Replace("`${private_dns_zone_prefix}/providers/Microsoft.Network/privateDnsZones/", "`${private_dns_zone_prefix}") + $parsedAssignment.properties.parameters.($propertyName).value = $parsedAssignment.properties.parameters.($propertyName).value.Replace("privatelink.uks.backup.windowsazure.com", "privatelink.`${connectivity_location_short}.backup.windowsazure.com") + } + if($parsedAssignment.properties.parameters.($propertyName).value.StartsWith("`${temp}")) + { + $parsedAssignment.properties.parameters.($propertyName).value = $parsedAssignment.properties.parameters.($propertyName).value.Replace("`${temp}", "`${root_scope_id}") + } + } + + 
$targetPolicyAssignmentFileName = "policy_assignment_es_$($policyAssignmentName.ToLower() -replace "-", "_").tmpl.json" + + Write-Information "Writing $targetPolicyAssignmentFileName" -InformationAction Continue + $json = $parsedAssignment | ConvertTo-Json -Depth 10 + $json | Edit-LineEndings -LineEnding $LineEnding | Out-File -FilePath "$policyAssignmentTargetPath/$targetPolicyAssignmentFileName" -Force + + Write-Verbose "Got final data for $managementGroupNameFinal and $policyAssignmentName" + + if(!($finalPolicyAssignments.ContainsKey($managementGroupNameFinal))) + { + $values = New-Object 'System.Collections.Generic.List[string]' + $values.Add($policyAssignmentName) + $finalPolicyAssignments.Add($managementGroupNameFinal, $values) + } + else + { + $finalPolicyAssignments[$managementGroupNameFinal].Add($policyAssignmentName) + } } } } diff --git a/.github/scripts/Invoke-LibraryUpdatePolicyAssignments.ps1 b/.github/scripts/Invoke-LibraryUpdatePolicyAssignments.ps1 deleted file mode 100644 index 8bc5b0a8a..000000000 --- a/.github/scripts/Invoke-LibraryUpdatePolicyAssignments.ps1 +++ /dev/null 
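Review bot: `$defaultParameters = $parameters.default` copies a reference to the hashtable, not its contents, so the override loop's `$defaultParameters.$parameter = ...` writes straight into `$parameters.default`; once DINE-MDFCDefenderSQLAMAPolicyAssignment.json has been processed, every later file inherits the SQL DCR id for `dcrResourceId`/`dataCollectionRuleResourceId` unless another override happens to overwrite it, and which files are affected depends on the enumeration order of `$policyAssignments`. Use `$defaultParameters = $parameters.default.Clone()` so each assignment starts from pristine defaults. Separately, `.value.GetType()` in the parameter loop throws on a null value; `if ($parsedAssignment.properties.parameters.($propertyName).value -isnot [string]) { continue }` covers both the null and the non-string case.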
@@ -1,168 +0,0 @@ -#!/usr/bin/pwsh - -# -# PowerShell Script -# - Update template library in terraform-azurerm-caf-enterprise-scale repository -# - -[CmdletBinding(SupportsShouldProcess)] -param ( - [Parameter()][String]$AlzToolsPath = "$PWD/enterprise-scale/src/Alz.Tools", - [Parameter()][String]$TargetPath = "$PWD/terraform-azurerm-caf-enterprise-scale", - [Parameter()][String]$SourcePath = "$PWD/enterprise-scale", - [Parameter()][String]$LineEnding = "unix", - [Parameter()][String]$ParserToolUrl = "https://github.com/jaredfholgate/template-parser/releases/download/0.1.18" -) - -$ErrorActionPreference = "Stop" - -# This script relies on a custom set of classes and functions -# defined within the EnterpriseScaleLibraryTools PowerShell -# module. -Import-Module $AlzToolsPath -ErrorAction Stop - -$parserPath = "$TargetPath/.github/scripts" -$parserExe = "Template.Parser.Cli" -if($IsWindows) -{ - $parserExe += ".exe" -} - -$parser = "$parserPath/$parserExe" - -if(!(Test-Path $parser)) -{ - Write-Information "Downloading Template Parser." -InformationAction Continue - Invoke-WebRequest "$ParserToolUrl/$parserExe" -OutFile $parser - if($IsLinux) - { - chmod +x $parser - } -} - -# Update the policy assignments if enabled -Write-Information "Updating Policy Assignments." 
-InformationAction Continue -$policyAssignmentSourcePath = "$SourcePath/eslzArm/managementGroupTemplates/policyAssignments" -$policyAssignmentTargetPath = "$TargetPath/modules/archetypes/lib/policy_assignments" -$sourcePolicyAssignmentFiles = Get-ChildItem -Path $policyAssignmentSourcePath -File -$targetPolicyAssignmentFiles = Get-ChildItem -Path $policyAssignmentTargetPath -File - -$temporaryNameMatches = @{ - "Deny-IP-forwarding" = "Deny-IP-Forwarding" - "Deny-Priv-Esc-AKS" = "Deny-Priv-Containers-AKS" - "Deny-Privileged-AKS" = "Deny-Priv-Escalation-AKS" -} - -$defaultParameterValues =@( - "-p nonComplianceMessagePlaceholder={donotchange}" - "-p logAnalyticsWorkspaceName=`${root_scope_id}-la", - "-p automationAccountName=`${root_scope_id}-automation", - "-p workspaceRegion=`${default_location}", - "-p automationRegion=`${default_location}", - "-p retentionInDays=30", - "-p rgName=`${root_scope_id}-mgmt", - "-p logAnalyticsResourceId=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/`${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/`${root_scope_id}-la", - "-p topLevelManagementGroupPrefix=`${temp}", - "-p dnsZoneResourceGroupId=`${private_dns_zone_prefix}", - "-p ddosPlanResourceId=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/`${root_scope_id}-mgmt/providers/Microsoft.Network/ddosProtectionPlans/`${root_scope_id}-ddos", - "-p emailContactAsc=security_contact@replace_me" -) - -$parsedAssignments = @{} -foreach($sourcePolicyAssignmentFile in $sourcePolicyAssignmentFiles) -{ - $parsedAssignment = & $parser "-s $sourcePolicyAssignmentFile" $defaultParameterValues | Out-String | ConvertFrom-Json - $parsedAssignments[$parsedAssignment.name] = @{ - json = $parsedAssignment - file = $sourcePolicyAssignmentFile - } - if(!(Get-Member -InputObject $parsedAssignments[$parsedAssignment.name].json.properties -Name "scope" -MemberType Properties)) - { - $parsedAssignments[$parsedAssignment.name].json.properties | 
Add-Member -MemberType NoteProperty -Name "scope" -Value "`${current_scope_resource_id}" - } - - if(!(Get-Member -InputObject $parsedAssignments[$parsedAssignment.name].json.properties -Name "notScopes" -MemberType Properties)) - { - $parsedAssignments[$parsedAssignment.name].json.properties | Add-Member -MemberType NoteProperty -Name "notScopes" -Value @() - } - - if(!(Get-Member -InputObject $parsedAssignments[$parsedAssignment.name].json.properties -Name "parameters" -MemberType Properties)) - { - $parsedAssignments[$parsedAssignment.name].json.properties | Add-Member -MemberType NoteProperty -Name "parameters" -Value @{} - } - - if(!(Get-Member -InputObject $parsedAssignments[$parsedAssignment.name].json -Name "location" -MemberType Properties)) - { - $parsedAssignments[$parsedAssignment.name].json | Add-Member -MemberType NoteProperty -Name "location" -Value "`${default_location}" - } - - if(!(Get-Member -InputObject $parsedAssignments[$parsedAssignment.name].json -Name "identity" -MemberType Properties)) - { - $parsedAssignments[$parsedAssignment.name].json | Add-Member -MemberType NoteProperty -Name "identity" -Value @{ type = "None" } - } - - if($parsedAssignments[$parsedAssignment.name].json.properties.policyDefinitionId.StartsWith("/providers/Microsoft.Management/managementGroups/`${temp}")) - { - $parsedAssignments[$parsedAssignment.name].json.properties.policyDefinitionId = $parsedAssignments[$parsedAssignment.name].json.properties.policyDefinitionId.Replace("/providers/Microsoft.Management/managementGroups/`${temp}", "`${root_scope_resource_id}") - } - - foreach($property in Get-Member -InputObject $parsedAssignments[$parsedAssignment.name].json.properties.parameters -MemberType NoteProperty) - { - $propertyName = $property.Name - if($parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value.StartsWith("`${private_dns_zone_prefix}/providers/Microsoft.Network/privateDnsZones/")) - { - 
$parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value = $parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value.Replace("`${private_dns_zone_prefix}/providers/Microsoft.Network/privateDnsZones/", "`${private_dns_zone_prefix}") - $parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value = $parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value.Replace("privatelink.batch.azure.com", "privatelink.`${connectivity_location}.batch.azure.com") - } - if($parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value.StartsWith("`${temp}")) - { - $parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value = $parsedAssignments[$parsedAssignment.name].json.properties.parameters.($propertyName).value.Replace("`${temp}", "`${root_scope_id}") - } - } -} - -$originalAssignments = @{} -foreach($targetPolicyAssignmentFile in $targetPolicyAssignmentFiles) -{ - $originalAssignment = Get-Content $targetPolicyAssignmentFile | ConvertFrom-Json - $originalAssignments[$originalAssignment.name] = @{ - json = $originalAssignment - file = $targetPolicyAssignmentFile - } -} - -foreach($key in $parsedAssignments.Keys | Sort-Object) -{ - $targetPolicyAssignmentFileName = "policy_assignment_es_$($key.ToLower() -replace "-", "_").tmpl.json" - - $mappedKey = $key - if($temporaryNameMatches.ContainsKey($key)) - { - $mappedKey = $temporaryNameMatches[$key] - } - - $sourceFileName = $parsedAssignments[$key].file.Name - - if($originalAssignments.ContainsKey($mappedKey)) - { - $originalFileName = $originalAssignments[$mappedKey].file.Name - - Write-Information "Found match for $mappedKey $key $originalFileName $sourceFileName $targetPolicyAssignmentFileName" -InformationAction Continue - if($originalFileName -ne $targetPolicyAssignmentFileName) - { - Write-Information "Renaming $originalFileName to 
$targetPolicyAssignmentFileName" -InformationAction Continue
- Set-Location $policyAssignmentTargetPath
- git mv $originalAssignments[$mappedKey].file.FullName $targetPolicyAssignmentFileName
- Set-Location $SourcePath
- Set-Location ..
- }
- }
- else
- {
- Write-Information "No match found for $mappedKey $key $sourceFileName $targetPolicyAssignmentFileName" -InformationAction Continue
- }
-
- Write-Information "Writing $targetPolicyAssignmentFileName" -InformationAction Continue
- $json = $parsedAssignments[$key].json | ConvertTo-Json -Depth 10
- $json | Edit-LineEndings -LineEnding $LineEnding | Out-File -FilePath "$policyAssignmentTargetPath/$targetPolicyAssignmentFileName" -Force
-}
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index f7d48ac0b..63bdc1a2a 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -31,6 +31,16 @@ jobs:
 with:
 fetch-depth: 0
+ # - name: Run tflint
+ # run: |
+ # CONFIG_FILE=$(realpath ./.github/linters/.tflint.hcl)
+ # tflint --init --config=$CONFIG_FILE
+ # tflint --config=$CONFIG_FILE
+ # tflint --chdir=./examples/400-multi-with-orchestration --config=$CONFIG_FILE
+ # tflint --chdir=./examples/400-multi-with-remote-state/connectivity --config=$CONFIG_FILE
+ # tflint --chdir=./examples/400-multi-with-remote-state/core --config=$CONFIG_FILE
+ # tflint --chdir=./examples/400-multi-with-remote-state/management --config=$CONFIG_FILE
+
 - name: Lint Code Base
 uses: github/super-linter@v6
 env:
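Review bot: The added tflint step is entirely commented out, so nothing in this workflow exercises the rewritten `.tflint.hcl` (the plugin `version`/`source` pin only takes effect on `tflint --init`), while the other hunk in this same file deletes a commented-out terrascan step for exactly that kind of dead weight. Either enable the step or leave a one-line reason above it, e.g. `# TODO: enable once tflint is available on the runner (currently linted via super-linter)`, so the next reader knows it is intentional rather than forgotten. If it is enabled later, quote the expansion (`--config="$CONFIG_FILE"`) and keep the `--init` call so the pinned plugin is what gets loaded; whether tflint is present on the runner is not visible from this diff.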
@@ -52,24 +62,3 @@ jobs:
 # If a shell script is not executable, the bash-exec
 # linter will report an error when set to true
 ERROR_ON_MISSING_EXEC_BIT: true
-
- # # Temporarily moving terrascan to a dedicated step with
- # # errors disabled. This is due to terrascan not yet
- # # supporting the GA release of optional() types.
- # - name: Run github/super-linter (terrascan only)
- # uses: docker://github/super-linter:v4.9.7
- # env:
- # # Lint all code
- # VALIDATE_ALL_CODEBASE: true
- # # Need to define main branch as default
- # # is set to master in super-linter
- # DEFAULT_BRANCH: main
- # # Enable setting the status of each individual linter
- # # run in the Checks section of a pull request
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # # The following linter types will be enabled:
- # VALIDATE_TERRAFORM_TERRASCAN: true
- # # Set linter to suppress errors
- # # Enabled due to terrascan not yet supporting optional()
- # # types in variables.
- # DISABLE_ERRORS: true
diff --git a/.github/workflows/update-policy.yml b/.github/workflows/update-policy.yml
index d537e4f5f..bc19a4595 100644
--- a/.github/workflows/update-policy.yml
+++ b/.github/workflows/update-policy.yml
@@ -9,7 +9,7 @@ on:
 env:
 remote_repository: "Azure/Enterprise-Scale"
- branch_name: "patch-library"
+ branch_name: "patch-library-${{ github.run_number }}"
 pr_title: "Update Library Templates (automated)"
 pr_body: "This is an automated 'pull_request' containing updates to the library templates stored in 'modules/archetypes/lib'.\n
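Review bot: Suffixing `branch_name` with `github.run_number` makes every run push a fresh `patch-library-N` branch, so unless a step outside this hunk closes the previous automated PR and deletes its branch, each run leaves another open PR behind and reviewers must work out which one is current. If the goal is only to avoid failing when `patch-library` already exists, the usual fix is a stable branch that is force-pushed (`git push --force-with-lease origin "${{ env.branch_name }}"`) or a step that closes superseded PRs in the same job. `github.run_number` is a workflow-controlled value, so there is no injection concern in interpolating it into the branch name.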
@@ -76,13 +76,7 @@ jobs:
 -SourcePath "${{ github.workspace }}/${{ env.remote_repository }}" `
 -Reset
- Write-Information "==> Running policy assignments script..." -InformationAction Continue
- ${{ github.repository }}/.github/scripts/Invoke-LibraryUpdatePolicyAssignments.ps1 `
- -AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
- -TargetPath "${{ github.workspace }}/${{ github.repository }}" `
- -SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
-
- Write-Information "==> Running archetypes script..." -InformationAction Continue
+ Write-Information "==> Running policy assignments and archetypes script..." -InformationAction Continue
 ${{ github.repository }}/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 `
 -AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
 -TargetPath "${{ github.workspace }}/${{ github.repository }}" `
diff --git a/README.md b/README.md
index 2bc9c49b6..35ed2d740 100644
--- a/README.md
+++ b/README.md
@@ -450,7 +450,7 @@ object({
 expressroute_gateway = optional(object({
 enabled = optional(bool, false)
 config = optional(object({
- scale_unit = optional(number, 1)
+ scale_unit = optional(number, 1)
 allow_non_virtual_wan_traffic = optional(bool, false)
 }), {})
 }), {})
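Review bot: The consolidated invocation still loads and executes PowerShell from the other repository: `-AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/"` feeds the script's `Import-Module` (visible in the deleted sibling script), so whatever code sits at the checked-out ref of `Azure/Enterprise-Scale` runs with this job's token and then opens a PR here. The checkout of `remote_repository` is outside the hunk, so I cannot see which ref it uses; if it is the default branch, pin it (`ref: <commit-sha>` on that checkout step) and bump deliberately, and keep the job's `permissions` to the minimum needed to push the branch and open the PR. The `run:` block containing these lines starts before the hunk.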
@@ -1088,6 +1088,7 @@ The following resources are used by this module:
 - [azurerm_resource_group.virtual_wan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [azurerm_role_assignment.enterprise_scale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
+- [azurerm_role_assignment.private_dns_zone_contributor_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_definition.enterprise_scale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) (resource)
 - [azurerm_subnet.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) (resource)
 - [azurerm_subscription_template_deployment.telemetry_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_template_deployment) (resource)
@@ -1109,6 +1110,7 @@ The following resources are used by this module:
 - [time_sleep.after_azurerm_policy_set_definition](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) (resource)
 - [time_sleep.after_azurerm_role_assignment](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) (resource)
 - [time_sleep.after_azurerm_role_definition](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) (resource)
+- [azapi_resource.user_msi](https://registry.terraform.io/providers/Azure/azapi/latest/docs/data-sources/resource) (data source)
 - [azurerm_policy_definition.external_lookup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/policy_definition) (data source)
 - [azurerm_policy_set_definition.external_lookup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/policy_set_definition) (data source)
diff --git a/modules/connectivity/README.md b/modules/connectivity/README.md
index bc61e119c..8721add3f 100644
--- a/modules/connectivity/README.md
+++ b/modules/connectivity/README.md
@@ -243,7 +243,8 @@ object({
 expressroute_gateway = optional(object({
 enabled = optional(bool, false)
 config = optional(object({
- scale_unit = optional(number, 1)
+ scale_unit = optional(number, 1)
+ allow_non_virtual_wan_traffic = optional(bool, false)
 }), {})
 }), {})
 vpn_gateway = optional(object({
diff --git a/modules/connectivity/locals.tf b/modules/connectivity/locals.tf
index 075dc3fb0..5745088b9 100644
--- a/modules/connectivity/locals.tf
+++ b/modules/connectivity/locals.tf
@@ -1941,6 +1941,7 @@ locals {
 ddos_protection_plan_resource_id = local.ddos_protection_plan_resource_id
 private_dns_zone_prefix = local.private_dns_zone_prefix
 connectivity_location = local.location
+ connectivity_location_short = local.lookup_azure_backup_geo_codes[local.location]
 virtual_network_resource_id_by_location = local.virtual_network_resource_id
 vpn_gateway_resource_id_by_location = local.vpn_gateway_resource_id
 firewall_resource_id_by_location = local.azfw_resource_id
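Review bot: `local.lookup_azure_backup_geo_codes[local.location]` is a bare map index, so a connectivity `location` missing from the lookup (the map itself is outside the hunk, so I cannot see which regions it covers) aborts `terraform plan` with an opaque "Invalid index" error deep inside `locals.tf`. As far as this diff shows, the value only feeds the `privatelink.${connectivity_location_short}.backup.windowsazure.com` template, so a silent fallback would produce a wrong zone name; prefer a clear failure via a `precondition` or variable `validation` using `contains(keys(local.lookup_azure_backup_geo_codes), local.location)` with a message naming the unsupported region. The enclosing `locals {` block begins before the hunk.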