feat!: implement hub network mesh peering (#429)

.gitignore

@@ -37,6 +37,9 @@ override.tf.json
 # Ignore any files with .ignore. in the filename
 *.ignore.*
 
+# Ignore test_local
+tests/modules/test_local
+
 # Ignore macOS .DS_Store files which are generated automatically by Finder.
 .DS_Store
 

README.md

@@ -1,6 +1,6 @@
 # Azure landing zones Terraform module
 
-[![Build Status](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_apis/build/status/Tests/E2E?branchName=refs%2Ftags%2Fv2.1.2)](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_build/latest?definitionId=26&branchName=refs%2Ftags%2Fv2.1.2)
+[![Build Status](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_apis/build/status/Tests/E2E?branchName=refs%2Ftags%2Fv2.2.0)](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_build/latest?definitionId=26&branchName=refs%2Ftags%2Fv2.2.0)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat&logo=github)
 
 Detailed information about how to use, configure and extend this module can be found on our Wiki:
@@ -94,7 +94,7 @@ variable "root_name" {
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md

@@ -139,7 +139,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Connectivity-Resources.md

@@ -70,7 +70,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md

@@ -95,7 +95,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Default-Configuration.md

@@ -45,7 +45,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md

@@ -52,7 +52,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md

@@ -101,7 +101,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Identity-Resources.md

@@ -60,7 +60,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md

@@ -131,7 +131,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Management-Resources.md

@@ -61,7 +61,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md

@@ -13,7 +13,7 @@ The extra code needed to extend your configuration, is the following:
 
 module "enterprise_scale_nested_landing_zone" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm
@@ -135,7 +135,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm
@@ -184,7 +184,7 @@ module "enterprise_scale" {
 
 module "enterprise_scale_nested_landing_zone" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources-With-Custom-Settings.md

@@ -137,7 +137,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources.md

@@ -77,7 +77,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md

@@ -97,7 +97,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Examples]-Override-Module-Role-Assignments.md

@@ -103,7 +103,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[User-Guide]-Getting-Started.md

@@ -73,7 +73,7 @@ Copy and paste the following 'module' block into your Terraform configuration, i
 ```hcl
 module "caf-enterprise-scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[User-Guide]-Module-Releases.md

@@ -61,7 +61,7 @@ To do this, you would use the following version constraint syntax:
 ```terraform
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   # Insert provider block and input variables here
 }
@@ -74,7 +74,7 @@ To allow automatic upgrades to the latest patch release, use the following versi
 ```terraform
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "~> 2.1.2"
+  version = "~> 2.2.0"
 
   # Insert provider block and input variables here
 }

docs/wiki/[User-Guide]-Provider-Configuration.md

@@ -70,7 +70,7 @@ provider "azurerm" {
 
 module "caf-enterprise-scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm
@@ -150,7 +150,7 @@ provider "azurerm" {
 
 module "caf-enterprise-scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm
@@ -208,7 +208,7 @@ data "azurerm_client_config" "connectivity" {
 # Map each module provider to their corresponding `azurerm` provider using the providers input object
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "2.1.2"
+  version = "2.2.0"
 
   providers = {
     azurerm              = azurerm

docs/wiki/[Variables]-configure_connectivity_resources.md

@@ -60,6 +60,7 @@ If specified, will customize the "connectivity" landing zone settings and resour
           }
           spoke_virtual_network_resource_ids      = []
           enable_outbound_virtual_network_peering = false
+          enable_hub_network_mesh_peering         = false
         }
       },
     ]
@@ -278,6 +279,7 @@ object({
           })
           spoke_virtual_network_resource_ids      = list(string)
           enable_outbound_virtual_network_peering = bool
+          enable_hub_network_mesh_peering         = bool
         })
       })
     )

docs/wiki/[Variables]-configure_connectivity_resources.settings.hub_networks.md

@@ -57,6 +57,7 @@ For each configuration object added to the `configure_connectivity_resources.set
     }
     spoke_virtual_network_resource_ids      = []
     enable_outbound_virtual_network_peering = false
+    enable_hub_network_mesh_peering         = false
   }
 }
 ```
@@ -162,6 +163,7 @@ object({
     })
     spoke_virtual_network_resource_ids      = list(string)
     enable_outbound_virtual_network_peering = bool
+    enable_hub_network_mesh_peering         = bool
   })
 })
 ```
@@ -461,6 +463,10 @@ List of Azure Resource IDs used to identify spoke Virtual Networks associated wi
 >
 > We are working on a solution for this using the recently released [AzAPI provider][tf_reg_azapi] which allows a single provider to deploy resources into multiple subscriptions using a [parent_id][tf_reg_azapi_parent_id] input.
 
+#### `config.enable_hub_network_mesh_peering`
+
+`bool` input to control whether the module will create fully meshed Virtual Network peerings between the hub networks that have this setting enabled.
+
 [//]: # "************************"
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"

docs/wiki/[Variables]-strict_subscription_association.md

@@ -6,14 +6,22 @@
 If set to true, subscriptions associated to management groups will be exclusively set by the module and any added by another process will be removed.
 If set to false, the module will will only enforce association of the specified subscriptions and those added to management groups by other processes will not be removed.
 
-> **Note:**
-> Platform subscriptions should always be associated to their respective management groups using this module, due to other dependencies on these inputs.
+Note that platform subscriptions should always be associated to their respective management groups using this module, due to other dependencies on these inputs.
+
+For more information, please refer to:
+
+- [`subscription_id_connectivity`][subscription_id_connectivity]
+- [`subscription_id_identity`][subscription_id_identity]
+- [`subscription_id_management`][subscription_id_management]
+
+> **Important**
 >
-> For more information, please refer to:
+> Migration from strict to non-strict is not idempotent, this is due to the behavior of the AzureRM provider. If you are setting this variable to `false` with an existing config, you must either:
 >
-> - [`subscription_id_connectivity`][subscription_id_connectivity]
-> - [`subscription_id_identity`][subscription_id_identity]
-> - [`subscription_id_management`][subscription_id_management]
+> - Remove all platform & other managed subscriptions associated to management groups to another place, e.g. the tenant root group. The module will then put them back; Or,
+> - Perform a Terraform import of the management group subscription association. The address of the Terraform resource for the import is is:
+> `module.MODULENAME.azurerm_management_group_subscription_association.enterprise_scale["/providers/Microsoft.Management/managementGroups/MGNAME/subscriptions/SUBID"]`.
+> The Azure resource ID should be the same as the key name (in square brackets `[]` ).
 
 ## Default value
 

locals.version.tf

@@ -1,3 +1,3 @@
 locals {
-  module_version = "v2.1.2"
+  module_version = "v2.2.0"
 }