From 2fff77ea6a8a0fbd6087ed9ec3c65b86daae3045 Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Fri, 12 Aug 2022 14:24:31 +0100
Subject: [PATCH] feat!: implement hub network mesh peering (#429)

---
 .gitignore | 3 +
 README.md | 4 +-
 ...ectivity-Resources-With-Custom-Settings.md | 2 +-
 ...Examples]-Deploy-Connectivity-Resources.md | 2 +-
 ...]-Deploy-Custom-Landing-Zone-Archetypes.md | 2 +-
 ...[Examples]-Deploy-Default-Configuration.md | 2 +-
 ...es]-Deploy-Demo-Landing-Zone-Archetypes.md | 2 +-
 ...Identity-Resources-With-Custom-Settings.md | 2 +-
 .../[Examples]-Deploy-Identity-Resources.md | 2 +-
 ...nagement-Resources-With-Custom-Settings.md | 2 +-
 .../[Examples]-Deploy-Management-Resources.md | 2 +-
 .../[Examples]-Deploy-Using-Module-Nesting.md | 6 +-
 ...tual-WAN-Resources-With-Custom-Settings.md | 2 +-
 ...[Examples]-Deploy-Virtual-WAN-Resources.md | 2 +-
 ...]-Expand-built-in-archetype-definitions.md | 2 +-
 ...mples]-Override-Module-Role-Assignments.md | 2 +-
 docs/wiki/[User-Guide]-Getting-Started.md | 2 +-
 docs/wiki/[User-Guide]-Module-Releases.md | 4 +-
 .../[User-Guide]-Provider-Configuration.md | 6 +-
 ...ables]-configure_connectivity_resources.md | 2 +
 ...ctivity_resources.settings.hub_networks.md | 6 +
 ...iables]-strict_subscription_association.md | 20 +-
 locals.version.tf | 2 +-
 modules/connectivity/locals.tf | 262 +++++++++++-------
 modules/connectivity/variables.tf | 1 +
 resources.management_groups.tf | 8 +-
 .../modules/settings/settings.connectivity.tf | 2 +
 .../baseline_values.json | 52 +++-
 tests/modules/test_003_add_mgmt_conn/main.tf | 3 -
 variables.tf | 2 +
 30 files changed, 272 insertions(+), 139 deletions(-)

diff --git a/.gitignore b/.gitignore
index 4b64e8e95..4977d7115 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,6 +37,9 @@ override.tf.json # Ignore any files with .ignore. in the filename *.ignore.* +# Ignore test_local +tests/modules/test_local + # Ignore macOS .DS_Store files which are generated automatically by Finder. .DS_Store diff --git a/README.md b/README.md index beafb3416..f2ae52a9f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Azure landing zones Terraform module -[![Build Status](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_apis/build/status/Tests/E2E?branchName=refs%2Ftags%2Fv2.1.2)](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_build/latest?definitionId=26&branchName=refs%2Ftags%2Fv2.1.2) +[![Build Status](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_apis/build/status/Tests/E2E?branchName=refs%2Ftags%2Fv2.2.0)](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_build/latest?definitionId=26&branchName=refs%2Ftags%2Fv2.2.0) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat&logo=github) Detailed information about how to use, configure and extend this module can be found on our Wiki: @@ -94,7 +94,7 @@ variable "root_name" { module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md index 3cfd716b1..a468b2a59 100644 --- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md +++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md @@ -139,7 +139,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm 
diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md index a7587b99d..697f8a40d 100644 --- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md +++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md @@ -70,7 +70,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md index 4067b9d4a..83cdcd08a 100644 --- a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md +++ b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md @@ -95,7 +95,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Default-Configuration.md b/docs/wiki/[Examples]-Deploy-Default-Configuration.md index 26c1e6851..03dd2db14 100644 --- a/docs/wiki/[Examples]-Deploy-Default-Configuration.md +++ b/docs/wiki/[Examples]-Deploy-Default-Configuration.md @@ -45,7 +45,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md index e3137f186..e0ccb5374 100644 --- a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md +++ b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md @@ -52,7 +52,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm 
diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md index 2d6348ae4..f4a54abcc 100644 --- a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md +++ b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md @@ -101,7 +101,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources.md b/docs/wiki/[Examples]-Deploy-Identity-Resources.md index b3e53c353..752cce754 100644 --- a/docs/wiki/[Examples]-Deploy-Identity-Resources.md +++ b/docs/wiki/[Examples]-Deploy-Identity-Resources.md @@ -60,7 +60,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md index 4f95bbbd8..6c99c5884 100644 --- a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md +++ b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md @@ -131,7 +131,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources.md b/docs/wiki/[Examples]-Deploy-Management-Resources.md index 53fa704b0..55c8bf9bd 100644 --- a/docs/wiki/[Examples]-Deploy-Management-Resources.md +++ b/docs/wiki/[Examples]-Deploy-Management-Resources.md 
@@ -61,7 +61,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md index 99c3b0e3b..a9c86f9a2 100644 --- a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md +++ b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md @@ -13,7 +13,7 @@ The extra code needed to extend your configuration, is the following: module "enterprise_scale_nested_landing_zone" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm @@ -135,7 +135,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm @@ -184,7 +184,7 @@ module "enterprise_scale" { module "enterprise_scale_nested_landing_zone" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources-With-Custom-Settings.md index b10dd4db8..4ea457bcf 100644 --- a/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources-With-Custom-Settings.md +++ b/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources-With-Custom-Settings.md @@ -137,7 +137,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources.md b/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources.md index b94fd0b5a..247f32ac1 100644 --- a/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources.md +++ b/docs/wiki/[Examples]-Deploy-Virtual-WAN-Resources.md 
@@ -77,7 +77,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md index ef296d65e..ed0f20e2b 100644 --- a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md +++ b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md @@ -97,7 +97,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md index b768f19bd..6a2e4c82e 100644 --- a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md +++ b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md @@ -103,7 +103,7 @@ data "azurerm_client_config" "core" {} module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[User-Guide]-Getting-Started.md b/docs/wiki/[User-Guide]-Getting-Started.md index 91f9dd1c5..7398bf16c 100644 --- a/docs/wiki/[User-Guide]-Getting-Started.md +++ b/docs/wiki/[User-Guide]-Getting-Started.md @@ -73,7 +73,7 @@ Copy and paste the following 'module' block into your Terraform configuration, i ```hcl module "caf-enterprise-scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[User-Guide]-Module-Releases.md b/docs/wiki/[User-Guide]-Module-Releases.md index aa53b5a0b..fe5dccb11 100644 --- a/docs/wiki/[User-Guide]-Module-Releases.md +++ b/docs/wiki/[User-Guide]-Module-Releases.md 
@@ -61,7 +61,7 @@ To do this, you would use the following version constraint syntax: ```terraform module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" # Insert provider block and input variables here } @@ -74,7 +74,7 @@ To allow automatic upgrades to the latest patch release, use the following versi ```terraform module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "~> 2.1.2" + version = "~> 2.2.0" # Insert provider block and input variables here } diff --git a/docs/wiki/[User-Guide]-Provider-Configuration.md b/docs/wiki/[User-Guide]-Provider-Configuration.md index 4a0eeaf36..2e03b7c22 100644 --- a/docs/wiki/[User-Guide]-Provider-Configuration.md +++ b/docs/wiki/[User-Guide]-Provider-Configuration.md @@ -70,7 +70,7 @@ provider "azurerm" { module "caf-enterprise-scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm @@ -150,7 +150,7 @@ provider "azurerm" { module "caf-enterprise-scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm @@ -208,7 +208,7 @@ data "azurerm_client_config" "connectivity" { # Map each module provider to their corresponding `azurerm` provider using the providers input object module "enterprise_scale" { source = "Azure/caf-enterprise-scale/azurerm" - version = "2.1.2" + version = "2.2.0" providers = { azurerm = azurerm diff --git a/docs/wiki/[Variables]-configure_connectivity_resources.md b/docs/wiki/[Variables]-configure_connectivity_resources.md index 0b95c3cdc..f2adb84bf 100644 --- a/docs/wiki/[Variables]-configure_connectivity_resources.md +++ b/docs/wiki/[Variables]-configure_connectivity_resources.md 
@@ -60,6 +60,7 @@ If specified, will customize the "connectivity" landing zone settings and resour } spoke_virtual_network_resource_ids = [] enable_outbound_virtual_network_peering = false + enable_hub_network_mesh_peering = false } }, ] @@ -278,6 +279,7 @@ object({ }) spoke_virtual_network_resource_ids = list(string) enable_outbound_virtual_network_peering = bool + enable_hub_network_mesh_peering = bool }) }) ) diff --git a/docs/wiki/[Variables]-configure_connectivity_resources.settings.hub_networks.md b/docs/wiki/[Variables]-configure_connectivity_resources.settings.hub_networks.md index 6629348a9..001acdcbc 100644 --- a/docs/wiki/[Variables]-configure_connectivity_resources.settings.hub_networks.md +++ b/docs/wiki/[Variables]-configure_connectivity_resources.settings.hub_networks.md @@ -57,6 +57,7 @@ For each configuration object added to the `configure_connectivity_resources.set } spoke_virtual_network_resource_ids = [] enable_outbound_virtual_network_peering = false + enable_hub_network_mesh_peering = false } } ``` @@ -162,6 +163,7 @@ object({ }) spoke_virtual_network_resource_ids = list(string) enable_outbound_virtual_network_peering = bool + enable_hub_network_mesh_peering = bool }) }) ``` @@ -461,6 +463,10 @@ List of Azure Resource IDs used to identify spoke Virtual Networks associated wi > > We are working on a solution for this using the recently released [AzAPI provider][tf_reg_azapi] which allows a single provider to deploy resources into multiple subscriptions using a [parent_id][tf_reg_azapi_parent_id] input. +#### `config.enable_hub_network_mesh_peering` + +`bool` input to control whether the module will create fully meshed Virtual Network peerings between the hub networks that have this setting enabled. + [//]: # "************************" [//]: # "INSERT LINK LABELS BELOW" [//]: # "************************" 
diff --git a/docs/wiki/[Variables]-strict_subscription_association.md b/docs/wiki/[Variables]-strict_subscription_association.md index d3baa1214..4469abb5b 100644 --- a/docs/wiki/[Variables]-strict_subscription_association.md +++ b/docs/wiki/[Variables]-strict_subscription_association.md 
@@ -6,14 +6,22 @@ If set to true, subscriptions associated to management groups will be exclusively set by the module and any added by another process will be removed. If set to false, the module will will only enforce association of the specified subscriptions and those added to management groups by other processes will not be removed. -> **Note:** -> Platform subscriptions should always be associated to their respective management groups using this module, due to other dependencies on these inputs. +Note that platform subscriptions should always be associated to their respective management groups using this module, due to other dependencies on these inputs. + +For more information, please refer to: + +- [`subscription_id_connectivity`][subscription_id_connectivity] +- [`subscription_id_identity`][subscription_id_identity] +- [`subscription_id_management`][subscription_id_management] + +> **Important** > -> For more information, please refer to: +> Migration from strict to non-strict is not idempotent, this is due to the behavior of the AzureRM provider. If you are setting this variable to `false` with an existing config, you must either: > -> - [`subscription_id_connectivity`][subscription_id_connectivity] -> - [`subscription_id_identity`][subscription_id_identity] -> - [`subscription_id_management`][subscription_id_management] +> - Remove all platform & other managed subscriptions associated to management groups to another place, e.g. the tenant root group. The module will then put them back; Or, +> - Perform a Terraform import of the management group subscription association. The address of the Terraform resource for the import is is: +> `module.MODULENAME.azurerm_management_group_subscription_association.enterprise_scale["/providers/Microsoft.Management/managementGroups/MGNAME/subscriptions/SUBID"]`. +> The Azure resource ID should be the same as the key name (in square brackets `[]` ). ## Default value 
diff --git a/locals.version.tf b/locals.version.tf
index 6d7500885..bd3a6515b 100644
--- a/locals.version.tf
+++ b/locals.version.tf
@@ -1,3 +1,3 @@
 locals {
-  module_version = "v2.1.2"
+  module_version = "v2.2.0"
 }
diff --git a/modules/connectivity/locals.tf b/modules/connectivity/locals.tf
index 8f7d44546..1e79728b0 100644
--- a/modules/connectivity/locals.tf
+++ b/modules/connectivity/locals.tf
@@ -207,6 +207,12 @@ locals {
     local.deploy_hub_network[location] &&
     hub_network.config.enable_outbound_virtual_network_peering
   }
+  deploy_hub_virtual_network_mesh_peering = {
+    for location, hub_network in local.hub_networks_by_location :
+    location =>
+    local.deploy_hub_network[location] &&
+    hub_network.config.enable_hub_network_mesh_peering
+  }
 }
 
 # Logic to determine whether specific resources
@@ -1514,6 +1520,16 @@ locals {
       )
     }
   }
+  virtual_network_hub_peering_name = {
+    for location_src, hub_config_src in local.hub_networks_by_location :
+    location_src => {
+      for location_dst, hub_config_dst in local.hub_networks_by_location :
+      location_dst => try(
+        local.custom_settings.azurerm_virtual_network_peering["connectivity"][location_src][location_dst].name,
+        "peering-${uuidv5("url", local.virtual_network_resource_id[location_dst])}"
+      ) if location_src != location_dst && hub_config_dst.config.enable_hub_network_mesh_peering
+    } if hub_config_src.config.enable_hub_network_mesh_peering
+  }
   virtual_network_peering_resource_id_prefix = {
     for location, hub_config in local.hub_networks_by_location :
     location =>
@@ -1527,7 +1543,41 @@ locals {
       "${local.virtual_network_peering_resource_id_prefix[location]}/${peering_name}"
     }
   }
-  azurerm_virtual_network_peering = flatten(
+  virtual_network_hub_peerings = {
+    for location_src, hub_config_src in local.hub_networks_by_location :
+    location_src => {
+      for location_dst, hub_config_dst in local.hub_networks_by_location :
+      location_dst => {
+        remote_virtual_network_id = local.virtual_network_resource_id[location_dst]
+        virtual_network_peering_name = local.virtual_network_hub_peering_name[location_src][location_dst]
+        virtual_network_peering_resource_id = "${local.virtual_network_resource_id[location_src]}/virtualNetworkPeerings/${local.virtual_network_hub_peering_name[location_src][location_dst]}"
+      } if location_src != location_dst && hub_config_dst.config.enable_hub_network_mesh_peering
+    } if hub_config_src.config.enable_hub_network_mesh_peering
+  }
+  azurerm_virtual_network_peering_hubs = flatten(
+    [
+      for location_src, remote in local.virtual_network_hub_peerings :
+      [
+        for location_dst, peerconfig in remote :
+        {
+          # Resource logic attributes
+          resource_id = peerconfig.virtual_network_peering_resource_id
+          managed_by_module = local.deploy_hub_virtual_network_mesh_peering[location_src]
+          # Resource definition attributes
+          name = peerconfig.virtual_network_peering_name
+          resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location_src]
+          virtual_network_name = local.virtual_network_name[location_src]
+          remote_virtual_network_id = peerconfig.remote_virtual_network_id
+          # Optional definition attributes
+          allow_virtual_network_access = true
+          allow_forwarded_traffic = true
+          allow_gateway_transit = true
+          use_remote_gateways = false
+        }
+      ]
+    ]
+  )
+  azurerm_virtual_network_peering_spokes = flatten(
     [
       for location, hub_config in local.hub_networks_by_location :
       [
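Review bot: The destination-side filter `if location_src != location_dst && hub_config_dst.config.enable_hub_network_mesh_peering` in `virtual_network_hub_peerings` (and the matching filter in `virtual_network_hub_peering_name` in the previous hunk) checks only the flag, not `local.deploy_hub_network[location_dst]`, while the source side is gated through `managed_by_module = local.deploy_hub_virtual_network_mesh_peering[location_src]`; if a hub can be declared with the flag set but its deployment gated off, the source hub still gets a peering whose `remote_virtual_network_id` points at a VNet the module will not create, and the reverse direction is never generated. Using `local.deploy_hub_virtual_network_mesh_peering[location_dst]` in both destination filters keeps the two directions symmetric. Separately, `allow_forwarded_traffic = true` and `allow_gateway_transit = true` are fixed for every hub-to-hub peering and the `try()` override only covers `name`, so the mesh is transitive for traffic that did not originate in the peered hub (e.g. spoke traffic forwarded by the hub firewall); that is presumably intended but deserves a comment such as `# Hub-to-hub peerings always allow forwarded traffic so spoke traffic can transit between regions via the hubs; gateway transit is offered but never consumed (use_remote_gateways = false) on either side.` The enclosing `locals` block starts before this hunk.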
@@ -1550,6 +1600,10 @@ locals {
       ]
     ]
   )
+  azurerm_virtual_network_peering = distinct(concat(
+    local.azurerm_virtual_network_peering_hubs,
+    local.azurerm_virtual_network_peering_spokes
+  ))
 }
 
 # Configuration settings for resource type:
@@ -1921,128 +1975,132 @@ locals { locals { debug_output = { - hub_networks = local.hub_networks - hub_networks_by_location = local.hub_networks_by_location - hub_network_locations = local.hub_network_locations - virtual_hubs = local.virtual_hubs - virtual_hubs_by_location = local.virtual_hubs_by_location - virtual_hubs_by_location_for_resource_group_per_location = local.virtual_hubs_by_location_for_resource_group_per_location - virtual_hubs_by_location_for_shared_resource_group = local.virtual_hubs_by_location_for_shared_resource_group - virtual_hubs_by_location_for_managed_virtual_wan = local.virtual_hubs_by_location_for_managed_virtual_wan - virtual_hubs_by_location_for_existing_virtual_wan = local.virtual_hubs_by_location_for_existing_virtual_wan - virtual_hub_locations = local.virtual_hub_locations - virtual_wan_locations = local.virtual_wan_locations - ddos_location = local.ddos_location - dns_location = local.dns_location + archetype_config_overrides = local.archetype_config_overrides + azfw_name = local.azfw_name + azfw_pip_name = local.azfw_pip_name + azfw_pip_resource_id = local.azfw_pip_resource_id + azfw_pip_resource_id_prefix = local.azfw_pip_resource_id_prefix + azfw_policy_name = local.azfw_policy_name + azfw_policy_resource_id = local.azfw_policy_resource_id + azfw_policy_resource_id_prefix = local.azfw_policy_resource_id_prefix + azfw_resource_id = local.azfw_resource_id + azfw_resource_id_prefix = local.azfw_resource_id_prefix + azfw_zones = local.azfw_zones + azfw_zones_enabled = local.azfw_zones_enabled + azurerm_dns_zone = local.azurerm_dns_zone + azurerm_express_route_gateway = local.azurerm_express_route_gateway + azurerm_firewall = local.azurerm_firewall + azurerm_firewall_policy = local.azurerm_firewall_policy + azurerm_network_ddos_protection_plan = local.azurerm_network_ddos_protection_plan + azurerm_private_dns_zone = local.azurerm_private_dns_zone + azurerm_private_dns_zone_virtual_network_link = 
local.azurerm_private_dns_zone_virtual_network_link + azurerm_public_ip = local.azurerm_public_ip + azurerm_resource_group = local.azurerm_resource_group + azurerm_subnet = local.azurerm_subnet + azurerm_virtual_hub = local.azurerm_virtual_hub + azurerm_virtual_hub_connection = local.azurerm_virtual_hub_connection + azurerm_virtual_network = local.azurerm_virtual_network + azurerm_virtual_network_gateway = local.azurerm_virtual_network_gateway + azurerm_virtual_network_gateway_express_route = local.azurerm_virtual_network_gateway_express_route + azurerm_virtual_network_gateway_vpn = local.azurerm_virtual_network_gateway_vpn + azurerm_virtual_network_peering = local.azurerm_virtual_network_peering + azurerm_virtual_network_peering_hubs = local.azurerm_virtual_network_peering_hubs + azurerm_virtual_network_peering_spokes = local.azurerm_virtual_network_peering_spokes + azurerm_virtual_wan = local.azurerm_virtual_wan + azurerm_vpn_gateway = local.azurerm_vpn_gateway connectivity_locations = local.connectivity_locations - result_when_location_missing = local.result_when_location_missing - vpn_gen1_only_skus = local.vpn_gen1_only_skus - private_ip_address_allocation_values = local.private_ip_address_allocation_values - deploy_resource_groups = local.deploy_resource_groups + ddos_location = local.ddos_location + ddos_protection_plan_name = local.ddos_protection_plan_name + ddos_protection_plan_resource_id = local.ddos_protection_plan_resource_id + ddos_resource_group_id = local.ddos_resource_group_id + deploy_azure_firewall = local.deploy_azure_firewall + deploy_azure_firewall_policy = local.deploy_azure_firewall_policy deploy_ddos_protection_plan = local.deploy_ddos_protection_plan deploy_dns = local.deploy_dns + deploy_hub_network = local.deploy_hub_network + deploy_outbound_virtual_network_peering = local.deploy_outbound_virtual_network_peering deploy_private_dns_zone_virtual_network_link_on_hubs = local.deploy_private_dns_zone_virtual_network_link_on_hubs 
deploy_private_dns_zone_virtual_network_link_on_spokes = local.deploy_private_dns_zone_virtual_network_link_on_spokes - deploy_hub_network = local.deploy_hub_network + deploy_resource_groups = local.deploy_resource_groups + deploy_virtual_hub = local.deploy_virtual_hub + deploy_virtual_hub_azure_firewall = local.deploy_virtual_hub_azure_firewall + deploy_virtual_hub_azure_firewall_policy = local.deploy_virtual_hub_azure_firewall_policy + deploy_virtual_hub_connection = local.deploy_virtual_hub_connection + deploy_virtual_hub_express_route_gateway = local.deploy_virtual_hub_express_route_gateway + deploy_virtual_hub_vpn_gateway = local.deploy_virtual_hub_vpn_gateway deploy_virtual_network_gateway = local.deploy_virtual_network_gateway deploy_virtual_network_gateway_express_route = local.deploy_virtual_network_gateway_express_route deploy_virtual_network_gateway_vpn = local.deploy_virtual_network_gateway_vpn - deploy_azure_firewall_policy = local.deploy_azure_firewall_policy - deploy_azure_firewall = local.deploy_azure_firewall - deploy_outbound_virtual_network_peering = local.deploy_outbound_virtual_network_peering deploy_virtual_wan = local.deploy_virtual_wan - deploy_virtual_hub = local.deploy_virtual_hub - deploy_virtual_hub_express_route_gateway = local.deploy_virtual_hub_express_route_gateway - deploy_virtual_hub_vpn_gateway = local.deploy_virtual_hub_vpn_gateway - deploy_virtual_hub_azure_firewall_policy = local.deploy_virtual_hub_azure_firewall_policy - deploy_virtual_hub_azure_firewall = local.deploy_virtual_hub_azure_firewall - deploy_virtual_hub_connection = local.deploy_virtual_hub_connection - resource_group_names_by_scope_and_location = local.resource_group_names_by_scope_and_location - resource_group_config_by_scope_and_location = local.resource_group_config_by_scope_and_location - azurerm_resource_group = local.azurerm_resource_group - ddos_resource_group_id = local.ddos_resource_group_id - ddos_protection_plan_name = local.ddos_protection_plan_name - 
ddos_protection_plan_resource_id = local.ddos_protection_plan_resource_id - azurerm_network_ddos_protection_plan = local.azurerm_network_ddos_protection_plan - virtual_network_name = local.virtual_network_name - virtual_network_resource_group_id = local.virtual_network_resource_group_id - virtual_network_resource_id_prefix = local.virtual_network_resource_id_prefix - virtual_network_resource_id = local.virtual_network_resource_id - azurerm_virtual_network = local.azurerm_virtual_network - subnets_by_virtual_network = local.subnets_by_virtual_network - azurerm_subnet = local.azurerm_subnet + dns_location = local.dns_location + enable_private_link_by_service = local.enable_private_link_by_service er_gateway_name = local.er_gateway_name - er_gateway_resource_id_prefix = local.er_gateway_resource_id_prefix - er_gateway_resource_id = local.er_gateway_resource_id er_gateway_pip_name = local.er_gateway_pip_name - er_gateway_pip_resource_id_prefix = local.er_gateway_pip_resource_id_prefix er_gateway_pip_resource_id = local.er_gateway_pip_resource_id - azurerm_virtual_network_gateway_express_route = local.azurerm_virtual_network_gateway_express_route - vpn_gateway_name = local.vpn_gateway_name - vpn_gateway_resource_id_prefix = local.vpn_gateway_resource_id_prefix - vpn_gateway_resource_id = local.vpn_gateway_resource_id - vpn_gateway_pip_name = local.vpn_gateway_pip_name - vpn_gateway_pip_2_name = local.vpn_gateway_pip_2_name - vpn_gateway_pip_resource_id_prefix = local.vpn_gateway_pip_resource_id_prefix - vpn_gateway_pip_resource_id = local.vpn_gateway_pip_resource_id - vpn_gateway_pip_2_resource_id = local.vpn_gateway_pip_2_resource_id - azurerm_virtual_network_gateway_vpn = local.azurerm_virtual_network_gateway_vpn - azurerm_virtual_network_gateway = local.azurerm_virtual_network_gateway - azfw_name = local.azfw_name - azfw_resource_id_prefix = local.azfw_resource_id_prefix - azfw_resource_id = local.azfw_resource_id - azfw_zones = local.azfw_zones - azfw_zones_enabled 
= local.azfw_zones_enabled - azfw_policy_name = local.azfw_policy_name - azfw_policy_resource_id_prefix = local.azfw_policy_resource_id_prefix - azfw_policy_resource_id = local.azfw_policy_resource_id - azfw_pip_name = local.azfw_pip_name - azfw_pip_resource_id_prefix = local.azfw_pip_resource_id_prefix - azfw_pip_resource_id = local.azfw_pip_resource_id + er_gateway_pip_resource_id_prefix = local.er_gateway_pip_resource_id_prefix + er_gateway_resource_id = local.er_gateway_resource_id + er_gateway_resource_id_prefix = local.er_gateway_resource_id_prefix + hub_network_locations = local.hub_network_locations + hub_networks = local.hub_networks + hub_networks_by_location = local.hub_networks_by_location + hub_virtual_networks_for_dns = local.hub_virtual_networks_for_dns + lookup_private_link_dns_zone_by_service = local.lookup_private_link_dns_zone_by_service + lookup_private_link_group_id_by_service = local.lookup_private_link_group_id_by_service + private_dns_zone_enabled = local.private_dns_zone_enabled + private_ip_address_allocation_values = local.private_ip_address_allocation_values + private_link_locations = local.private_link_locations + resource_group_config_by_scope_and_location = local.resource_group_config_by_scope_and_location + resource_group_names_by_scope_and_location = local.resource_group_names_by_scope_and_location + result_when_location_missing = local.result_when_location_missing + services_by_private_link_dns_zone = local.services_by_private_link_dns_zone + spoke_virtual_networks_for_dns = local.spoke_virtual_networks_for_dns + subnets_by_virtual_network = local.subnets_by_virtual_network + template_file_variables = local.template_file_variables virtual_hub_azfw_name = local.virtual_hub_azfw_name - virtual_hub_azfw_resource_id_prefix = local.virtual_hub_azfw_resource_id_prefix - virtual_hub_azfw_resource_id = local.virtual_hub_azfw_resource_id virtual_hub_azfw_policy_name = local.virtual_hub_azfw_policy_name - 
virtual_hub_azfw_policy_resource_id_prefix = local.virtual_hub_azfw_policy_resource_id_prefix virtual_hub_azfw_policy_resource_id = local.virtual_hub_azfw_policy_resource_id + virtual_hub_azfw_policy_resource_id_prefix = local.virtual_hub_azfw_policy_resource_id_prefix + virtual_hub_azfw_resource_id = local.virtual_hub_azfw_resource_id + virtual_hub_azfw_resource_id_prefix = local.virtual_hub_azfw_resource_id_prefix virtual_hub_azfw_zones = local.virtual_hub_azfw_zones - azurerm_firewall = local.azurerm_firewall - azurerm_firewall_policy = local.azurerm_firewall_policy - virtual_wan_name = local.virtual_wan_name - virtual_wan_resource_group_id = local.virtual_wan_resource_group_id - virtual_wan_resource_id_prefix = local.virtual_wan_resource_id_prefix - virtual_wan_resource_id = local.virtual_wan_resource_id - azurerm_virtual_wan = local.azurerm_virtual_wan + virtual_hub_express_route_gateway_name = local.virtual_hub_express_route_gateway_name + virtual_hub_express_route_gateway_resource_id = local.virtual_hub_express_route_gateway_resource_id + virtual_hub_express_route_gateway_resource_id_prefix = local.virtual_hub_express_route_gateway_resource_id_prefix + virtual_hub_locations = local.virtual_hub_locations virtual_hub_name = local.virtual_hub_name - virtual_hub_resource_group_name = local.virtual_hub_resource_group_name virtual_hub_resource_group_id = local.virtual_hub_resource_group_id - virtual_hub_resource_id_prefix = local.virtual_hub_resource_id_prefix + virtual_hub_resource_group_name = local.virtual_hub_resource_group_name virtual_hub_resource_id = local.virtual_hub_resource_id - azurerm_virtual_hub = local.azurerm_virtual_hub - virtual_hub_express_route_gateway_name = local.virtual_hub_express_route_gateway_name - virtual_hub_express_route_gateway_resource_id_prefix = local.virtual_hub_express_route_gateway_resource_id_prefix - virtual_hub_express_route_gateway_resource_id = local.virtual_hub_express_route_gateway_resource_id - 
azurerm_express_route_gateway = local.azurerm_express_route_gateway + virtual_hub_resource_id_prefix = local.virtual_hub_resource_id_prefix virtual_hub_vpn_gateway_name = local.virtual_hub_vpn_gateway_name - virtual_hub_vpn_gateway_resource_id_prefix = local.virtual_hub_vpn_gateway_resource_id_prefix virtual_hub_vpn_gateway_resource_id = local.virtual_hub_vpn_gateway_resource_id - azurerm_vpn_gateway = local.azurerm_vpn_gateway - azurerm_public_ip = local.azurerm_public_ip - enable_private_link_by_service = local.enable_private_link_by_service - private_link_locations = local.private_link_locations - lookup_private_link_dns_zone_by_service = local.lookup_private_link_dns_zone_by_service - lookup_private_link_group_id_by_service = local.lookup_private_link_group_id_by_service - services_by_private_link_dns_zone = local.services_by_private_link_dns_zone - private_dns_zone_enabled = local.private_dns_zone_enabled - azurerm_private_dns_zone = local.azurerm_private_dns_zone - azurerm_dns_zone = local.azurerm_dns_zone - hub_virtual_networks_for_dns = local.hub_virtual_networks_for_dns - spoke_virtual_networks_for_dns = local.spoke_virtual_networks_for_dns + virtual_hub_vpn_gateway_resource_id_prefix = local.virtual_hub_vpn_gateway_resource_id_prefix + virtual_hubs = local.virtual_hubs + virtual_hubs_by_location = local.virtual_hubs_by_location + virtual_hubs_by_location_for_existing_virtual_wan = local.virtual_hubs_by_location_for_existing_virtual_wan + virtual_hubs_by_location_for_managed_virtual_wan = local.virtual_hubs_by_location_for_managed_virtual_wan + virtual_hubs_by_location_for_resource_group_per_location = local.virtual_hubs_by_location_for_resource_group_per_location + virtual_hubs_by_location_for_shared_resource_group = local.virtual_hubs_by_location_for_shared_resource_group + virtual_network_hub_peering_name = local.virtual_network_hub_peering_name + virtual_network_hub_peerings = local.virtual_network_hub_peerings + virtual_network_name = 
local.virtual_network_name + virtual_network_resource_group_id = local.virtual_network_resource_group_id + virtual_network_resource_id = local.virtual_network_resource_id + virtual_network_resource_id_prefix = local.virtual_network_resource_id_prefix virtual_networks_for_dns = local.virtual_networks_for_dns - azurerm_private_dns_zone_virtual_network_link = local.azurerm_private_dns_zone_virtual_network_link - azurerm_virtual_network_peering = local.azurerm_virtual_network_peering - azurerm_virtual_hub_connection = local.azurerm_virtual_hub_connection - archetype_config_overrides = local.archetype_config_overrides - template_file_variables = local.template_file_variables + virtual_wan_locations = local.virtual_wan_locations + virtual_wan_name = local.virtual_wan_name + virtual_wan_resource_group_id = local.virtual_wan_resource_group_id + virtual_wan_resource_id = local.virtual_wan_resource_id + virtual_wan_resource_id_prefix = local.virtual_wan_resource_id_prefix + vpn_gateway_name = local.vpn_gateway_name + vpn_gateway_pip_2_name = local.vpn_gateway_pip_2_name + vpn_gateway_pip_2_resource_id = local.vpn_gateway_pip_2_resource_id + vpn_gateway_pip_name = local.vpn_gateway_pip_name + vpn_gateway_pip_resource_id = local.vpn_gateway_pip_resource_id + vpn_gateway_pip_resource_id_prefix = local.vpn_gateway_pip_resource_id_prefix + vpn_gateway_resource_id = local.vpn_gateway_resource_id + vpn_gateway_resource_id_prefix = local.vpn_gateway_resource_id_prefix + vpn_gen1_only_skus = local.vpn_gen1_only_skus } } diff --git a/modules/connectivity/variables.tf b/modules/connectivity/variables.tf index f7307ace3..317cef0f3 100644 --- a/modules/connectivity/variables.tf +++ b/modules/connectivity/variables.tf @@ -135,6 +135,7 @@ variable "settings" { }) spoke_virtual_network_resource_ids = list(string) enable_outbound_virtual_network_peering = bool + enable_hub_network_mesh_peering = bool }) }) ) 
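Review bot: The added `enable_hub_network_mesh_peering = bool` is a required attribute of the object type, so any caller that passes its own `hub_networks` entry without the key will fail type-checking after this release; the two hunks in variables.tf (root `configure_connectivity_resources` type and its default) carry the same break. Since the commit is flagged as breaking, the variable's `description` (outside this hunk) and the release notes should say so explicitly, e.g. `# New required attribute in 2.2.0; set to false to keep the previous single-hub peering behaviour`. The test baseline in this same commit shows each mesh peering created with `allow_forwarded_traffic = true` and `allow_gateway_transit = true`, so the description should also tell operators that enabling the flag opens forwarded traffic between every pair of hubs. If the module already requires a Terraform version that supports `optional()` object attributes, wrapping the new key would avoid the hard break, but the version constraint is not visible from this hunk.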
diff --git a/resources.management_groups.tf b/resources.management_groups.tf index 145a9450d..2abee94c0 100644 --- a/resources.management_groups.tf +++ b/resources.management_groups.tf @@ -84,7 +84,13 @@ resource "azurerm_management_group_subscription_association" "enterprise_scale" subscription_id = each.value.subscription_id depends_on = [ - time_sleep.after_azurerm_management_group + time_sleep.after_azurerm_management_group, + azurerm_management_group.level_1, + azurerm_management_group.level_2, + azurerm_management_group.level_3, + azurerm_management_group.level_4, + azurerm_management_group.level_5, + azurerm_management_group.level_6, ] } diff --git a/tests/modules/settings/settings.connectivity.tf b/tests/modules/settings/settings.connectivity.tf index 64ef231fe..7ab160b35 100644 --- a/tests/modules/settings/settings.connectivity.tf +++ b/tests/modules/settings/settings.connectivity.tf @@ -49,6 +49,7 @@ locals { } spoke_virtual_network_resource_ids = [] enable_outbound_virtual_network_peering = false + enable_hub_network_mesh_peering = true } }, { @@ -97,6 +98,7 @@ locals { } spoke_virtual_network_resource_ids = [] enable_outbound_virtual_network_peering = false + enable_hub_network_mesh_peering = true } }, ] diff --git a/tests/modules/test_003_add_mgmt_conn/baseline_values.json b/tests/modules/test_003_add_mgmt_conn/baseline_values.json index af6e8afd4..d4795ee48 100644 --- a/tests/modules/test_003_add_mgmt_conn/baseline_values.json +++ b/tests/modules/test_003_add_mgmt_conn/baseline_values.json @@ -338,7 +338,10 @@ { "connectivity": [ "tuple", - [] + [ + "string", + "string" + ] ] } ], 
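Review bot: The six `azurerm_management_group.level_N` entries added to `depends_on` sit next to the existing `time_sleep.after_azurerm_management_group` with nothing in the hunk explaining why both are needed, so the list reads as a workaround rather than a designed ordering. If the sleep resource already depends on every level (not visible here) the additions are redundant; if it does not, a comment such as `# Depend on every level explicitly so the association is never planned before its target management group exists` would record the intent. The removal of `strict_subscription_association = false` from tests/modules/test_003_add_mgmt_conn/main.tf in this same commit suggests the test previously relied on that setting to work around this ordering, which is worth stating in the commit description. The enclosing resource block starts outside the hunk.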
@@ -1649,7 +1652,10 @@ ] }, "azurerm_virtual_network_peering": { - "connectivity": [] + "connectivity": [ + "/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/virtualNetworkPeerings/peering-32e4fb6d-8d44-5cd6-a7b6-aa17ca11b626", + "/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope/virtualNetworkPeerings/peering-f8bddac9-6d62-5e41-9c52-1bf7a4263cc0" + ] }, "azurerm_virtual_wan": { "virtual_wan": [ 
@@ -3573,6 +3579,48 @@ "vpn_client_configuration": [] } }, + { + "address": "module.test_connectivity.azurerm_virtual_network_peering.connectivity[\"/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/virtualNetworkPeerings/peering-32e4fb6d-8d44-5cd6-a7b6-aa17ca11b626\"]", + "mode": "managed", + "type": "azurerm_virtual_network_peering", + "name": "connectivity", + "index": "/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/virtualNetworkPeerings/peering-32e4fb6d-8d44-5cd6-a7b6-aa17ca11b626", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "allow_forwarded_traffic": true, + "allow_gateway_transit": true, + "allow_virtual_network_access": true, + "name": "peering-32e4fb6d-8d44-5cd6-a7b6-aa17ca11b626", + "remote_virtual_network_id": "/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope", + "resource_group_name": "root-id-1-connectivity-northeurope", + "timeouts": null, + "use_remote_gateways": false, + "virtual_network_name": "root-id-1-hub-northeurope" + }, + "sensitive_values": {} + }, + { + "address": "module.test_connectivity.azurerm_virtual_network_peering.connectivity[\"/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope/virtualNetworkPeerings/peering-f8bddac9-6d62-5e41-9c52-1bf7a4263cc0\"]", + "mode": "managed", + "type": "azurerm_virtual_network_peering", + "name": "connectivity", + "index": 
"/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope/virtualNetworkPeerings/peering-f8bddac9-6d62-5e41-9c52-1bf7a4263cc0", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "allow_forwarded_traffic": true, + "allow_gateway_transit": true, + "allow_virtual_network_access": true, + "name": "peering-f8bddac9-6d62-5e41-9c52-1bf7a4263cc0", + "remote_virtual_network_id": "/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope", + "resource_group_name": "root-id-1-connectivity-westeurope", + "timeouts": null, + "use_remote_gateways": false, + "virtual_network_name": "root-id-1-hub-westeurope" + }, + "sensitive_values": {} + }, { "address": "module.test_connectivity.azurerm_virtual_wan.virtual_wan[\"/subscriptions/fa2fa118-a60d-4700-9ef1-fa02beeaaea5/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualWans/root-id-1-vwan-northeurope\"]", "mode": "managed", diff --git a/tests/modules/test_003_add_mgmt_conn/main.tf b/tests/modules/test_003_add_mgmt_conn/main.tf index 4e091b678..2627456ef 100644 --- a/tests/modules/test_003_add_mgmt_conn/main.tf +++ b/tests/modules/test_003_add_mgmt_conn/main.tf @@ -44,9 +44,6 @@ module "test_core" { deploy_connectivity_resources = false configure_connectivity_resources = module.settings.connectivity.configure_connectivity_resources subscription_id_connectivity = data.azurerm_client_config.connectivity.subscription_id - - # Disable strict management group subscription association - strict_subscription_association = false } module "test_core_nested" { diff --git a/variables.tf b/variables.tf index e773d8aef..e62dac6b1 100644 --- a/variables.tf +++ b/variables.tf 
@@ -316,6 +316,7 @@ variable "configure_connectivity_resources" { }) spoke_virtual_network_resource_ids = list(string) enable_outbound_virtual_network_peering = bool + enable_hub_network_mesh_peering = bool }) }) ) @@ -498,6 +499,7 @@ variable "configure_connectivity_resources" { } spoke_virtual_network_resource_ids = [] enable_outbound_virtual_network_peering = false + enable_hub_network_mesh_peering = false } }, ]