From 0e669e82eca6cc41e3b964491b3b6e51e06aded8 Mon Sep 17 00:00:00 2001
From: Michael Bender
Date: Tue, 16 May 2023 21:33:19 -0500
Subject: [PATCH 1/5] updates
---
 .../101-full/main.tf | 180 +++++++++++++++
 .../101-full/qs-avnm-terraform.md | 214 ++++++++++++++++++
 2 files changed, 394 insertions(+)
 create mode 100644 quickstart/101-virtual-network-manager-create/101-full/main.tf
 create mode 100644 quickstart/101-virtual-network-manager-create/101-full/qs-avnm-terraform.md
diff --git a/quickstart/101-virtual-network-manager-create/101-full/main.tf b/quickstart/101-virtual-network-manager-create/101-full/main.tf
new file mode 100644
index 000000000..8c0fdf58d
--- /dev/null
+++ b/quickstart/101-virtual-network-manager-create/101-full/main.tf
@@ -0,0 +1,180 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.56.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
+
+# Define variables
+
+variable "region" {
+ type = string
+ default = "eastus"
+}
+
+variable "subscriptionID" {
+ type = string
+ default = "6a5f35e9-6951-499d-a36b-83c6c6eed44a"
+}
+variable "resourceGroup" {
+ type = string
+ default = "rg-learn-eastus-001"
+}
+
+variable "networkManager" {
+ type = string
+ default = "nm-learn-eastus-001"
+}
+
+variable "networkGroup" {
+ type = string
+ default = "ng-learn-eastus-001"
+}
+
+variable "configurationName" {
+ type = string
+ default = "connectivityconfig"
+}
+
+variable "connectivityTopology" {
+ type = string
+ default = "Mesh"
+}
+
+variable "targetRegion" {
+ type = string
+ default = "eastus"
+}
+
+variable "commitType"{
+ type = string
+ default = "connectivity"
+}
+
+# Create the Resource Group
+
+resource "azurerm_resource_group" "rg" {
+ name = var.resourceGroup
+ location = var.region
+}
+
+# Create a Virtual Network Manager instance
+
+data "azurerm_subscription" "current" {
+}
+
+resource "azurerm_network_manager" "networkManager" {
+ name = var.networkManager
+ location = var.region
+ resource_group_name = var.resourceGroup
+ scope {
+ subscription_ids = [data.azurerm_subscription.current.id]
+ }
+ scope_accesses = ["Connectivity", "SecurityAdmin"]
+ description = "example network manager"
+ tags = {
+ foo = "bar"
+ }
+}
+
+# Create three virtual networks
+resource "azurerm_virtual_network" "vnet_001" {
+ name = "vnet-learn-prod-eastus-001"
+ resource_group_name = var.resourceGroup
+ location = var.region
+ address_space = ["10.0.0.0/16"]
+ depends_on = [azurerm_resource_group.rg]
+}
+
+resource "azurerm_virtual_network" "vnet_002" {
+ name = "vnet-learn-prod-eastus-002"
+ resource_group_name = var.resourceGroup
+ location = var.region
+ address_space = ["10.1.0.0/16"]
+ depends_on = [azurerm_resource_group.rg]
+}
+
+resource "azurerm_virtual_network" "vnet_003" {
+ name = "vnet-learn-test-eastus-003"
+ resource_group_name = var.resourceGroup
+ location = var.region
+ address_space = ["10.2.0.0/16"]
+ depends_on = [azurerm_resource_group.rg]
+}
+
+# Add a subnet to each virtual network
+
+resource "azurerm_subnet" "subnet_vnet_001" {
+ name = "default"
+ virtual_network_name = azurerm_virtual_network.vnet_001.name
+ resource_group_name = var.resourceGroup
+ address_prefixes = ["10.0.0.0/24"]
+ depends_on = [azurerm_virtual_network.vnet_001]
+}
+
+resource "azurerm_subnet" "subnet_vnet_002" {
+ name = "default"
+ virtual_network_name = azurerm_virtual_network.vnet_002.name
+ resource_group_name = var.resourceGroup
+ address_prefixes = ["10.1.0.0/24"]
+ depends_on = [azurerm_virtual_network.vnet_002]
+}
+
+resource "azurerm_subnet" "subnet_vnet_003" {
+ name = "default"
+ virtual_network_name = azurerm_virtual_network.vnet_003.name
+ resource_group_name = var.resourceGroup
+ address_prefixes = ["10.2.0.0/24"]
+ depends_on = [azurerm_virtual_network.vnet_003]
+}
+
+# Create a network group
+
+resource "null_resource" "ng_create" {
+ provisioner "local-exec" {
+ command = "az network manager group create --name ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup}"
+ }
+ depends_on = [azurerm_network_manager.networkManager]
+}
+
+# Define membership for a mesh configuration
+
+resource "null_resource" "static_members"{
+ provisioner "local-exec"{
+ command="az network manager group static-member create --name vnet-02 --network-group ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup} --resource-id /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/virtualnetworks/vnet-learn-prod-eastus-002"
+ }
+ depends_on=[null_resource.ng_create]
+}
+
+resource "null_resource" "static_members01"{
+ provisioner "local-exec"{
+ command="az network manager group static-member create --name vnet-01 --network-group ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup} --resource-id /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/virtualnetworks/vnet-learn-prod-eastus-001"
+ }
+ depends_on=[null_resource.ng_create]
+}
+
+# Create a connectivity configuration
+resource "null_resource" "connectivityConfig"{
+ provisioner "local-exec"{
+ command="az network manager connect-config create --configuration-name ${var.configurationName} --applies-to-groups network-group-id=/subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/${var.networkGroup} --connectivity-topology ${var.connectivityTopology} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup}"
+ }
+ depends_on=[null_resource.ng_create]
+}
+
+# Commit deployment
+resource "null_resource" "commitDeployment"{
+ provisioner "local-exec"{
+ command="az network manager post-commit --network-manager-name ${var.networkManager} --commit-type ${var.commitType} --configuration-ids /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/networkManagers/${var.networkManager}/connectivityConfigurations/${var.configurationName} --target-locations ${var.targetRegion} --resource-group ${var.resourceGroup}"
+ }
+ depends_on=[null_resource.ng_create]
+}
+
+
+
+
diff --git a/quickstart/101-virtual-network-manager-create/101-full/qs-avnm-terraform.md b/quickstart/101-virtual-network-manager-create/101-full/qs-avnm-terraform.md
new file mode 100644
index 000000000..298292698
--- /dev/null
+++ b/quickstart/101-virtual-network-manager-create/101-full/qs-avnm-terraform.md
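Review bot: The `connectivityConfig` command hard-codes `myAVNM` in the `--applies-to-groups network-group-id=.../networkManagers/myAVNM/networkGroups/${var.networkGroup}` path while the manager this file creates is named `${var.networkManager}`, so the network group ID refers to a manager that does not exist and the `az network manager connect-config create` call fails unless the variable happens to equal `myAVNM`; that segment should read `/networkManagers/${var.networkManager}/networkGroups/${var.networkGroup}`. `commitDeployment` declares `depends_on=[null_resource.ng_create]` exactly like `connectivityConfig`, so nothing orders the `post-commit` after the connectivity configuration or the two `static_members` resources exist; make it `depends_on=[null_resource.connectivityConfig]` and have `connectivityConfig` depend on `static_members` and `static_members01`. The `subscriptionID` variable ships a concrete subscription GUID as its default, so anyone applying the quickstart unchanged builds resource IDs against the author's subscription rather than their own; drop the default or take the value from `data.azurerm_subscription.current.subscription_id`, which this file already reads. Because these `az` calls run through `null_resource` provisioners, none of this surfaces in `terraform plan`, which deserves a comment above `# Create a network group`.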
@@ -0,0 +1,214 @@ + + +--- +title: 'Quickstart: ' +description: +keywords: +ms.topic: quickstart +ms.date: +ms.custom: devx-track-terraform +author: +ms.author: +--- + +# Quickstart: + + + +Article tested with the following Terraform and Terraform provider versions: + +- [Terraform v1.2.7](https://releases.hashicorp.com/terraform/) +- [AzureRM Provider v.3.20.0](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) + + + +This article shows how to use Terraform to ... + +[!INCLUDE [Terraform abstract](~/azure-dev-docs-pr/articles/terraform/includes/abstract.md)] + + + +In this article, you learn how to: + +> [!div class="checklist"] + + +> * Task 1 +> * Task 2 +> * Task n + + + +> [!NOTE] +> The example code in this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/...). See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform) + + + +## Prerequisites + +[!INCLUDE [open-source-devops-prereqs-azure-subscription.md](~/azure-dev-docs-pr/articles/includes/open-source-devops-prereqs-azure-subscription.md)] + +- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) + + + +## Implement the Terraform code + + + +1. Create a directory in which to test and run the sample Terraform code and make it the current directory. + +1. Create a file named `providers.tf` and insert the following code: + + [!code-terraform[master]()] + + +1. Create a file named `main.tf` and insert the following code: + + [!code-terraform[master]()] + + +1. Create a file named `variables.tf` and insert the following code: + + [!code-terraform[master]()] + + +1. Create a file named `outputs.tf` and insert the following code: + + [!code-terraform[master]()] + + + + +1. 
Create a file named and insert the following code: + + [!code-terraform[master]()] + +## Initialize Terraform + +[!INCLUDE [terraform-init.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-init.md)] + +## Create a Terraform execution plan + +[!INCLUDE [terraform-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan.md)] + +## Apply a Terraform execution plan + +[!INCLUDE [terraform-apply-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-apply-plan.md)] + + + +## Verify the results + + + +## Clean up resources + + + +[!INCLUDE [terraform-plan-destroy.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan-destroy.md)] + +## Troubleshoot Terraform on Azure + + + +[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot) + +## Next steps + + + +> [!div class="nextstepaction"] +> \ No newline at end of file From 3dd1cd401e8ad472014b72cc071032c01ac4aeb0 Mon Sep 17 00:00:00 2001 
From: Michael Bender <102542398+mbender-ms@users.noreply.github.com>
Date: Mon, 19 Jun 2023 10:03:54 -0500
Subject: [PATCH 2/5] Added sec admin config
---
 pscode.ps1 | 9 +
 .../main.tf | 259 ++++++++++++++++++
 .../main.tfplan | Bin 0 -> 7506 bytes
 .../outputs.tf | 11 +
 .../providers.tf | 16 ++
 .../readme.md | 37 +++
 .../terraform_test/broken-az-pol.json | 50 ++++
 .../terraform_test/working-az-pol.json | 48 ++++
 .../variables.tf | 11 +
 9 files changed, 441 insertions(+)
 create mode 100644 pscode.ps1
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/main.tf
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/main.tfplan
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/outputs.tf
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/providers.tf
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/readme.md
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json
 create mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/variables.tf
diff --git a/pscode.ps1 b/pscode.ps1
new file mode 100644
index 000000000..b43e2072c
--- /dev/null
+++ b/pscode.ps1
@@ -0,0 +1,9 @@
+$shell = New-Object -ComObject WScript.Shell
+$shortcut = $shell.CreateShortcut("$HOME\Desktop\Windows PowerShell.lnk")
+$shortcut.TargetPath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
+$shortcut.Save()
+
+$shell = New-Object -ComObject WScript.Shell
+$shortcut = $shell.CreateShortcut("$HOME\Desktop\PowerShell 7.lnk")
+$shortcut.TargetPath = "C:\Program Files\PowerShell\7\pwsh.exe"
+$shortcut.Save()
\ No newline at end of file
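Review bot: `pscode.ps1` at the repository root is unrelated to the subject of this commit (`Added sec admin config`) and to the `quickstart/` tree: it creates two Desktop shortcuts through the `WScript.Shell` COM object with hard-coded absolute paths to `powershell.exe` and `pwsh.exe`, which reads as a personal helper that was staged by accident. It also carries no comment, no `param` block and no check that the target executable exists before `Save()`. Drop it from the series, or if it is meant to ship, move it under a tooling directory and add a header comment stating its purpose.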
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/main.tf b/quickstart/201-virtual-network-manager-secure-hub-spoke/main.tf
new file mode 100644
index 000000000..c3e05a717
--- /dev/null
+++ b/quickstart/201-virtual-network-manager-secure-hub-spoke/main.tf
@@ -0,0 +1,259 @@
+
+# Create the Resource Group
+
+resource "random_pet" "rg_name" {
+ prefix = var.resource_group_name_prefix
+}
+
+resource "azurerm_resource_group" "rg" {
+ location = var.resource_group_location
+ name = random_pet.rg_name.id
+}
+
+# Create three virtual networks
+
+resource "random_pet" "spoke_virtual_network_name" {
+ prefix = "spoke-vnet"
+}
+resource "azurerm_virtual_network" "spoke_vnet" {
+ count = 2
+
+ name = "${random_pet.spoke_virtual_network_name.id}-0${count.index}"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ address_space = ["10.${count.index}.0.0/16"]
+}
+
+resource "random_pet" "hub_virtual_network_name" {
+ prefix = "hub-vnet"
+}
+
+resource "azurerm_virtual_network" "hub_vnet" {
+ name = "${random_pet.hub_virtual_network_name.id}-00"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ address_space = ["10.5.0.0/16"]
+}
+
+# Add a subnet to each virtual network
+
+resource "azurerm_subnet" "spoke_subnet_vnet" {
+ count = 2
+
+ name = "default"
+ virtual_network_name = azurerm_virtual_network.spoke_vnet[count.index].name
+ resource_group_name = azurerm_resource_group.rg.name
+ address_prefixes = ["10.${count.index}.0.0/24"]
+}
+
+resource "azurerm_subnet" "hub_subnet_vnet" {
+ name = "default"
+ virtual_network_name = azurerm_virtual_network.hub_vnet.name
+ resource_group_name = azurerm_resource_group.rg.name
+ address_prefixes = ["10.5.0.0/24"]
+}
+
+# Create a public IP prefix and two public IPs for the NAT Gateway
+
+resource "random_pet" "publicIP_name" {
+ prefix = "pip"
+}
+
+resource "azurerm_public_ip" "nat_gateway_public_ip" {
+ count = 2
+
+ name = "${random_pet.publicIP_name.id}-0${count.index}"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ zones = ["1"]
+}
+
+resource "random_pet" "publicIP_prefix_name" {
+ prefix = "pip-prefix"
+}
+resource "azurerm_public_ip_prefix" "nat_gateway_public_ip_prefix" {
+ count = 2
+
+ name = "${random_pet.publicIP_prefix_name.id}-0${count.index}"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ prefix_length = 30
+ zones = ["1"]
+}
+
+# Create a NAT Gateway and associate the public IP prefix and public IPs
+
+resource "azurerm_nat_gateway" "nat_gateway" {
+ name = "nat-gateway"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku_name = "Standard"
+ zones = ["1"]
+ }
+
+resource "azurerm_subnet_nat_gateway_association" "nat_gateway_subnet_association" {
+ subnet_id = azurerm_subnet.hub_subnet_vnet.id
+ nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
+}
+
+resource "azurerm_nat_gateway_public_ip_association" "nat_gateway_public_ip_association" {
+ count = 2
+
+ nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
+ public_ip_address_id = azurerm_public_ip.nat_gateway_public_ip[count.index].id
+}
+
+resource "azurerm_nat_gateway_public_ip_prefix_association" "nat_gateway_public_ip_prefix_association" {
+ count = 2
+
+ nat_gateway_id = azurerm_nat_gateway.nat_gateway.id
+ public_ip_prefix_id = azurerm_public_ip_prefix.nat_gateway_public_ip_prefix[count.index].id
+}
+
+# Create a Virtual Network Manager instance
+
+data "azurerm_subscription" "current" {
+}
+
+resource "azurerm_network_manager" "network_manager_instance" {
+ name = "network-manager"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ scope_accesses = ["Connectivity", "SecurityAdmin"]
+ description = "rg network manager"
+ scope {
+ subscription_ids = [data.azurerm_subscription.current.id]
+ }
+}
+
+# Create a network group
+
+resource "azurerm_network_manager_network_group" "network_group" {
+ name = "network-group"
+ network_manager_id =
azurerm_network_manager.network_manager_instance.id +} + +# Add the two spoke virtual networks to a network group as dynamic members + +resource "random_pet" "network_group_policy_name" { + prefix = "network-group-policy" +} + +resource "azurerm_policy_definition" "network_group_policy" { + name = "${random_pet.network_group_policy_name.id}" + policy_type = "Custom" + mode = "Microsoft.Network.Data" + display_name = "Policy Definition for Network Group" + + metadata = <F0Q};yb zoLlwvTk~Un%ro6R{dPY+BM*Xue*%O2@HLkVsKERph%hKH_9oWm`j)Si5ny1qHhhhs z8Y@<$Gv8L!AFa&H#G``WA%J|0y(fhnTavZe!qI|Y{Bs%UQ5AI+&Fr1Fq0pK)JF-VD z8+zF#8t|qFER}Gtz4ARMIeLRPo`#d1jt7>CEo;kM_Ay_lIO*xH!ms0>Nqu0lSh`$CIF@k3g7>aq#Ex&1_wlvGx~AOICl2U%D}3U^VQNrc1{eauGPcE4wJaQ6d!m>DrZ)|sJW9ZU zH(ysr4?5c5GDr>x9m{T_JH3(NRH?+9r6VYb3;&&rr!~zQ3B1#7T&B4E&T06Xhhu?~(=KR?TJT;*4k=anG6tUl63FO)ZgM zWxcs;pGkqtB>d=`_-!jNA!S=>d2;BHAgzfBFZ0om-s;)WmLn0+5bXZlK*XwnZ9^|p zQ>`84#nhR+NG(_K@L|O%Vg?YIsS0<%>yQL<-R$98qcY~B*CEycOvmOc2nRv{6d@YlLDApJT(wh^tDVM)X+pAt} z6_FvK&N4`U@}3gkI95`t#pfvFx?*+&>z!IUp+KLIEJ|Z_@p2{u$bE1M0k+m2omqs; z{Jt)KI2*u-%fhCpDvMRX)E3uxYKPEL)ZBov7{$&isP+-g_gbiK((+vVBW!~EC4Zj3 zI|okrgEwKm{P5=T3OqBs5@BVFAApc^E?rub77E~5Q9ApA2Z1YcaiqSwpz=M`<=nk{ zEScWxVmm)d<`38__7=*r}=ED zD6pgUl!1(SNFmO zKoPzv0g55*|GZLq>vicOSfY~r-BPUcaNv=^b_(%F;W(Bl@%n6|lRUwmbtrkreVy8O zJ%W&1f>G=U$31t;#^$;wkWI^1SZK z?pIZ$mYWLxU1Hai?_H7PfE4*@x{0|PSNoO{Qn2Sr=>Fy8?0$U<`&L(;Fq&ter4ls z8%5H-$-lS>%h}e|yl8se@mLs%VTGVU)wG07bDQ^!X6-ppu{(R~J3Xm10an=dq`zq3 zF!v|{Xs@DKf%`p-Nv8K0FaAV@KFm)0&KLkhhJ-Gh8=SDPrHfZtqJ|o+wt6HpcQ0U5 z-yRM-5Joj{VIZOqkwLJG+$RQ5Mk==d+*dzcb$2L5d<6u~2(m`m>o7>QzI=)zCxvrI z8}5mBFBSM^EYYv&`8ivGIncRUVftg5FQ-iqG?Gy%4t4ZWk?j?(JM%1cg0gNQq@5Pu z`OKOzR=UMiP@2b+8xF0UK6#>7X;J^35+fhL9DJMA<}^Z~*hI#nT!2E+`s$;>cx694 z8P}M;Pja8j8|`6hJa~2;UCe!s?S)f?GhL32&h;vCg6hWJe2m70#U!KaQj|EEFM6XZ zs%|7vPT|on>mBO(u98DPnAv=tyG$mi__A2Zhd-U}cK3~EDEFE9m)EPYCL>yHn{4KO z)0W@(JKM3(Whj00bfDFhk3|VyV7m4&@hFW+#&_B6LK>%YXNOODTPF4U+|_3@+Rn5K 
zx|saX*3}x(+Bc7KImkN5-W~3}S55M=Xo#gJ&aG~{@AqDC&!9V$$Q2B4a(NXs+o_U= zu^$s$lkBi}<=Hsx6W%5lafKk(oxRy4>M5BdOV22J7@;B-4M&5wUU9v&&(9{Q-d_}p!;S7F)ns>? z%^c~h@C=ZJGwg;35{$xs0pRQfcIDvr@z3ia4_I9o;{}Zr7mtH!{<<>?%E4MT#L&JuoQ8vi>7iwl%mDbgq zUK0v3z2p&o3gQea^K-Me$z%2v>Pz`#E2KAru zg$k=kp<`n*)aK+qqbQ!gnuNn_u}E#lTx@3Voo~43#Gh8d+!Gpaa*L4#M|7soW)`8X z#Od(O$j_aEjWZ5kXE|VEECu&2WJm7`oNjnkVUQli(m5q9&$7REbcFGe?`$-2EUCqC zyr4IJ;X_mhv}}uawrMApAi@HJzciO9Sav7dfQfEQf zyT@Bw8!(RTM&Ye`eulJB%sOF@D@zU+3pFs=@VHV(4KZzPPszKYUYAM(VV+fQ4mG?I ze^37b9*FdgDZ`E+4AF;&m@xoa7BEgUE>0?ef@Mc8k>1j#2|7NqUCD?Vgrb$0il^?m zy#@p$=j%=+`zU6+uS??Ug6_xW;csqQ$Tr@t)06@4T(@Cs<~u`W!inu1y9+F~auB@PX( zJdpFhA|y6AYj+bC1_l}ae?cc|tF|1#Csj_l!&8N0w3g*@5qAF^Tg#jRbaBB@D zs4+-A)S0ef{h4A+RkgWS5kn36cpJjkxb4x=6ob4M)~eW#>Xh^GU$+NcclLz6Sg$m{ z#9$y5T_cR9SDUVx@vZm#w= z1ZlYQ&_9&j$b^8!(C{NMWmum#&;~uiP2?IS2td_m4vO(NmzNS){sLWiN3NNWzMUtR zejDWh>`$TR{N%{P!urV(Ps~_DEA$x1sMN`B5`odVcNBCJLNy(s7tBE!dGP)*!h1O3 zEk`xBci1d)@l)p~J_RMhJw{=R(nQUQ&WPbyrDv^4rM`aGpF0vDUO0E;qRGl)0hF}S z7gzVV18&|QWD`VVJRdOw6TMh5*#b(Pzy!imrHmS#JvnTkZuWe(=C;W4?M|8OiygwOYzmjq}ns9#Z0$wi2l>^%&Xo+G}l*lseq<3b*J`u!Y~O7%k*Bvw*=I5Z{H4%P;EQ=T#L^n`hUij^3xrhA7G>2{$AbiYcB(U(c|s*LzIlqA?>&k!Ea6#Zd8F z__d*`xJ=_oYnlhY`gIfBLlzO1;#HTvkJ+P|Q zQGxePMQ0Pohya7l}NBcIYs0@<@dM`-P z@>nqZo4_>dtdia+8vQGl0C%ek4Cg??MQqp@DStI7Zhi?=@f=E!FiD`&0;+Jrl6SAX zQ<1ENv6=P8hfcGmyaBb+hWN7~V(Xcp)v256>F-N;6Gp%jz6wA z`NHSdO4xu8JH;fh3^6F+*%jI>;M-(HJ2DJtI$D%|6o+vFSzugIW+QhB6)_m5{40p+T+S{{4PlcL@S?R4>w%pRHk;YaQ z_q@QH` zd*sN>!t0E&(i<*h6w-yHXjC&?o`i)DzHX;hA&dnmn33-Ll~aI0W~1eo{8_vfS`c>b z`(ldRzcLXXq;d*>$|JN>hFnSw_LW7Bcvu=PeQv^kTEk9$==Q|T!^W#{M; zqcU9$AwA2{Cu9wEia4UJDX!;hgjhd!>O~^L+Zw)PoaZ%(w|^zws9%%l8^`Wo_m#va zCmrdlu;N9DK{+~l*@xTq13cg0bsjk)#=wn_=q9P2YExjQ&qk@7nj&}9>tixWm~0W5 zd249u+u_D>X@Vz==aCa|QJ?(RG0HAY^1j_Kl*XZZP4aAAlba^J$5E%Z^j)i3l%VaD zL*vVX#1t+zJcH=P7nMBq_hhqXN;^{xj+?*XTfL}vlJgk;j)vV{tL@_3Bp$T>>U=kk zk%?Z9yNZrSH(Gmwjg5B2Sz8Gqfg5jSuP`A_8_+U9%R(d2L?RV-G#b)PEZ~5KQ8xfg 
z&(@wa*3qRgp_(RH>l$K`(^{ypc`10s_TTgm`J_}`g8&1gP5i&oKmH%--^#(>+QHuL z*9!1)L>RS`9ov7+gVKqx(LRdA87GQrP(H_kR%ZLPd~=hUy~0H7&Ao@*8lG&bl+wIH zJ+JsyG~M1VKHNl#B(epAuD$_o*^rTkYcI!V!=Sa1RO{6%^Y9n8kK6JwLKZwTC@eJ2 z#og-`yf!pvgzp5LQNDyo{#|wBDLw35A7&U2mG|GP7~vmgSle1TzB4km{ml@+2w_xT zA$0Kzh|}dTta(VaV2d;n_c}B8dBjGR!I+Lwiog6WV`Ou4`mo5NEWh3em-i`Z_#}`Z z(@7u;Qc$F6!;`lsrme;F)dsEnNNCNQkq4&CCrpp`>+D6Tf^57m7m7en2J>MA4eGo> zCYk0fTlhTNQ6B5qD9c#w3lLlT$7BN$I!DYW5e_@859a(uDFpFnngJXtZop=;n^TaD|(4fQ$JEAhTmqFt~U)qC4|*%!e38) zdwl^?8C?>2B~6;)K=Sgs2J^%dVv$cbGk{zmlQHwT;;2xns{?&w-(sN`{dSk!4hpZAF1~fF zHQj8SWkz5*@Bt~77f(*i`}zibTT;@O7q1A}Y`iiI4&Xv6Yz;wAX zr#8x?a5;+QPiMCrX|hMa>U3RM2Uj<@%bSt4W2Mxz2)T&Bp^KBXxWnywk~-c%(HB3K z#fPV}A*H*!X9y-9jjNneTLEC}ZQF(M%M~x~LS+o_v{R2Pg_*eX)^bQS`}25sqZqtl z6twO3PL7OT#Lueq@@d>QP!3fo${n>Ka~oK!if2W${gybIxQ?X_7AHFF%^9Cd6`sfP z4$e}~cgvF4lm_z+*j*luFHh;8X7D_%;L{fw>CNORlYeC~rB1vg?2GN_eTMV-S+zPX zS6`a!VP^thd_K(mK-+E|&(!BqtWUkBqp$G^9G-q}X9=;=f(F$Ky#f2q8iwII%cLa- z|3&g~H1&FCY32|M6E_#E5o?shY(u)-QXn0UVEog05h(08Yj^ zYbrctmfQ9A-u7T_6Ei^GwyW`Qu$b-}EmMF=_VI%CI}rhAc@j(=hPaR-_IY%E?T&m` zv~E1cl*BL<%+%x{$;q_*W!We1EAy0H^m+XhL@}9kvhyss(>?tQyQ_&Q1s&V#wg5e>0&Pw63qR@d*pK;S2(g-O51~HR@`?NADkr!xnk;tCdcTf@&Abc%! z^oK5Wy$O?PG-`}xh-y#zi27VOh!N`HL6x$LoFqDuO!}E$lR>Hm$0)#9_N@uX)+|^8 zZ?xBuBzYB;$0y)T+-h{oXEd&1{QeB794-L7am*Twz8V*=tISB;CViuXIQHl(azm|0 z>D=eV#MEvx8tksvwYGtGZUU(iZp7W@VymsQW3mPNGAt^i`$JqwHmaa%A4o6T zjT&J(BDC>YUJALRhcvNeGR`#lv2Bto8gZ8H4UftzqrJm*Qy5w~>%z#;4og5Z4L!Q3 z!LtZIyzFV4;)Xn}%t^?SB72PFW zxGL_L313d@eVIE5`#pr~4)4ENu@Z;GZ}_3xok#wW6=5Gef%*Ap_3M4fk4LND<&P(< zKNtVnO8>Z0`6=lS6MK{2FIfIu{cB_Uquu@~9cX{A{=NDB6XI8L^dqbP6dUv(5dYo} z|B3V~KlwqXeu_2D?@0eZt^Nf2l?(i!G(UwG_jj;=BshP<{aQ+Yha-IQJKR6gi9g|f zEs{U#?@ytB2$`Qw`=@IBC)Tf__4@&&K4AT?A}bFV>Y%EK4@2nMF=f#1Tw{2#1M Bbq@dl literal 0 HcmV?d00001 diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/outputs.tf b/quickstart/201-virtual-network-manager-secure-hub-spoke/outputs.tf new file mode 100644 index 000000000..efca48b70 --- /dev/null 
+++ b/quickstart/201-virtual-network-manager-secure-hub-spoke/outputs.tf
@@ -0,0 +1,11 @@
+output "resource_group_name" {
+ value = azurerm_resource_group.rg.name
+}
+
+output "hub_virtual_network_names" {
+ value = azurerm_virtual_network.hub_vnet[*].name
+}
+
+output "spoke_virtual_network_names" {
+ value = azurerm_virtual_network.spoke_vnet[*].name
+}
\ No newline at end of file
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/providers.tf b/quickstart/201-virtual-network-manager-secure-hub-spoke/providers.tf
new file mode 100644
index 000000000..fac66bf76
--- /dev/null
+++ b/quickstart/201-virtual-network-manager-secure-hub-spoke/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = ">=1.0"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.56.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+}
+provider "azurerm" {
+ features {}
+}
\ No newline at end of file
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/readme.md b/quickstart/201-virtual-network-manager-secure-hub-spoke/readme.md
new file mode 100644
index 000000000..7915f124c
--- /dev/null
+++ b/quickstart/201-virtual-network-manager-secure-hub-spoke/readme.md
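Review bot: `version = ">= 3.56.0"` for the `azurerm` provider in `providers.tf` has no upper bound, so a fresh `terraform init` can resolve to a later major release with breaking schema changes, and no `.terraform.lock.hcl` is committed alongside it to record what the sample was tested against; use the pessimistic form `version = "~> 3.56"`, matching the `~>3.0` style the same block already uses for `random`. `required_version = ">=1.0"` is open-ended in the same way, though that is the lesser concern. The `outputs.tf` hunk on this line needs no change.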
@@ -0,0 +1,37 @@ +# Azure resource group + +This template deploys an Azure Virtual Network Manager instance with a connectivity configuration for a Mesh topology. It includes resources including virtual networks, subnets, and more. + +## Terraform resource types + +- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) +- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) +- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) +- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) +- [azurerm_virtual_network_manager](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager) +- [azurerm_network_manager_network_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_network_group) +- [azurerm_network_manager_static_member](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_static_member) +- [azurerm_network_manager_connectivity_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_connectivity_configuration) +- [azurerm_network_manager_deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_deployment) +- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) +- [azurerm_public_ip_prefix](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip_prefix) +- [azurerm_nat_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway) +- 
[azurerm_nat_gateway_public_ip_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway_public_ip_association) +- [azurerm_subnet_nat_gateway_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) +- [azurerm_nat_gateway_public_ip_prefix_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway_public_ip_prefix_association) +- [azurerm_policy_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) +- [azurerm_subscription_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_assignment) +- [azurerm_network_manager_admin_rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_admin_rule) +- [azurerm_network_manager_admin_rule_collection](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_admin_rule_collection) +- [azurerm_network_security_admin_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_admin_configuration) + +## Variables + +| **Name** | **Description** | **Default** | +|---|---|---| +| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg | +| `resource_group_location` | Location of the resource group. | eastus | + +## Example + +To see how to run this example, see [Quickstart: Deploy a Virtual Network Manager in Azure using Terraform](https://learn.microsoft.com/azure/virtual-network-manager/create-virtual-network-manager-terraform). 
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json b/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json new file mode 100644 index 000000000..9273da9f6 --- /dev/null +++ b/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json @@ -0,0 +1,50 @@ +{ + "properties": { + "displayName": "Policy Definition for Network Group", + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "description": "", + "metadata": { + "category": "Azure Virtual Network Manager", + "createdBy": "9297f371-d435-4968-b575-51396e2cb555", + "createdOn": "2023-06-10T00:22:29.0977043Z", + "updatedBy": null, + "updatedOn": null + }, + "policyRule": { + "if": { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "allOf": [ + { + "contains": "spoke-vnet", + "field": "Name" + } + ] + } + ] + }, + "then": { + "details": { + "networkGroupId": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/resourceGroups/rg-sterling-seahorse/providers/Microsoft.Network/networkManagers/network-manager/networkGroups/network-group" + }, + "effect": "addToNetworkGroup" + } + } + }, + "id": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/providers/Microsoft.Authorization/policyDefinitions/network-group-policy", + "type": "Microsoft.Authorization/policyDefinitions", + "name": "network-group-policy", + "systemData": { + "createdBy": "mbender@microsoft.com", + "createdByType": "User", + "createdAt": "2023-06-10T00:22:29.0682306Z", + "lastModifiedBy": "mbender@microsoft.com", + "lastModifiedByType": "User", + "lastModifiedAt": "2023-06-10T00:22:29.0682306Z" + } + } \ No newline at end of file diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json b/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json new file mode 100644 index 000000000..f6624fea0 
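Review bot: `broken-az-pol.json` (and `working-az-pol.json` in the next hunk) are exported policy definitions that carry the author's subscription GUID in `id` and `networkGroupId`, an AAD object ID in `metadata.createdBy`, and a personal e-mail address in `systemData.createdBy` and `lastModifiedBy`; together with the saved `main.tfplan` binary added by the same commit, which can embed variable values and resource attributes, none of this belongs in a public sample repository. Patch 3/5 deletes all three files again, but as a separate commit the identifiers stay in history; squash that deletion into this commit, or drop the files before pushing, so they never land in the repository. If the two policy variants are meant to document a working versus non-working rule layout, keep one scrubbed copy with placeholder IDs and a short note on what differs.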
--- /dev/null +++ b/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json @@ -0,0 +1,48 @@ +{ + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "metadata": { + "category": "Azure Virtual Network Manager", + "createdBy": "9297f371-d435-4968-b575-51396e2cb555", + "createdOn": "2023-06-10T01:47:40.2831395Z", + "updatedBy": null, + "updatedOn": null + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "allOf": [ + { + "field": "Name", + "contains": "spoke-vnet" + } + ] + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/resourceGroups/rg-sterling-seahorse/providers/Microsoft.Network/networkManagers/network-manager/networkGroups/network-group" + } + } + } + }, + "id": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/providers/Microsoft.Authorization/policyDefinitions/new-azure-policy", + "type": "Microsoft.Authorization/policyDefinitions", + "name": "new-azure-policy", + "systemData": { + "createdBy": "mbender@microsoft.com", + "createdByType": "User", + "createdAt": "2023-06-10T01:47:40.240191Z", + "lastModifiedBy": "mbender@microsoft.com", + "lastModifiedByType": "User", + "lastModifiedAt": "2023-06-10T01:47:40.240191Z" + } + } \ No newline at end of file diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/variables.tf b/quickstart/201-virtual-network-manager-secure-hub-spoke/variables.tf new file mode 100644 index 000000000..10af0af3b --- /dev/null +++ b/quickstart/201-virtual-network-manager-secure-hub-spoke/variables.tf 
@@ -0,0 +1,11 @@
+variable "resource_group_location" {
+ type = string
+ default = "eastus"
+ description = "Location of the resource group."
+}
+
+variable "resource_group_name_prefix" {
+ type = string
+ description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
+ default = "rg"
+}
\ No newline at end of file
From 12d38c6dd7fd64c8268f9eaf17cb32f23b29cc2b Mon Sep 17 00:00:00 2001
From: Michael Bender <102542398+mbender-ms@users.noreply.github.com>
Date: Mon, 19 Jun 2023 16:00:21 -0500
Subject: [PATCH 3/5] Initial terraform files for new article
---
 .../main.tf | 23 ++++----
 .../outputs.tf | 4 --
 .../providers.tf | 0
 .../readme.md | 0
 .../variables.tf | 0
 .../main.tfplan | Bin 7506 -> 0 bytes
 .../terraform_test/broken-az-pol.json | 50 ------------------
 .../terraform_test/working-az-pol.json | 48 -----------------
 8 files changed, 10 insertions(+), 115 deletions(-)
 rename quickstart/{201-virtual-network-manager-secure-hub-spoke => 201-virtual-network-manager-deploy-secure-hub-spoke}/main.tf (96%)
 rename quickstart/{201-virtual-network-manager-secure-hub-spoke => 201-virtual-network-manager-deploy-secure-hub-spoke}/outputs.tf (63%)
 rename quickstart/{201-virtual-network-manager-secure-hub-spoke => 201-virtual-network-manager-deploy-secure-hub-spoke}/providers.tf (100%)
 rename quickstart/{201-virtual-network-manager-secure-hub-spoke => 201-virtual-network-manager-deploy-secure-hub-spoke}/readme.md (100%)
 rename quickstart/{201-virtual-network-manager-secure-hub-spoke => 201-virtual-network-manager-deploy-secure-hub-spoke}/variables.tf (100%)
 delete mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/main.tfplan
 delete mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json
 delete mode 100644 quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/main.tf b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/main.tf
similarity index 96%
rename from quickstart/201-virtual-network-manager-secure-hub-spoke/main.tf
rename to quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/main.tf
index c3e05a717..be4d5ca4a 100644
--- a/quickstart/201-virtual-network-manager-secure-hub-spoke/main.tf
+++ b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/main.tf
@@ -135,7 +135,7 @@ resource "azurerm_network_manager_network_group" "network_group" {
 network_manager_id = azurerm_network_manager.network_manager_instance.id
 }
 
-# Add the two spoke virtual networks to a network group as dynamic members
+# Add the two spoke virtual networks to a network group as dynamic members with Azure Policy
 
 resource "random_pet" "network_group_policy_name" {
 prefix = "network-group-policy"
@@ -205,10 +205,11 @@ resource "azurerm_network_manager_connectivity_configuration" "connectivity_conf
 resource_type = "Microsoft.Network/virtualNetworks"
 }
 }
+
 
 #create a security admin configuration
 resource "azurerm_network_manager_security_admin_configuration" "security_admin_config" {
- name = "example-admin-config"
+ name = "security-admin-config"
 network_manager_id = azurerm_network_manager.network_manager_instance.id
 }
 
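Review bot: The new comment `#create a security admin configuration` in the `@@ -205` hunk does not follow the file's own convention, where section comments are capitalised, have a space after `#` and are separated from the resource they introduce by a blank line (`# Create a network group` a few lines above); write it as `# Create a security admin configuration` and, since the blank line this hunk adds appears to land above the comment rather than below it, move it under the comment so the block reads like its neighbours. The renamed `name = "security-admin-config"` is fine. The `security_admin_config` resource is fully inside the hunk.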
@@ -220,24 +221,20 @@ resource "azurerm_network_manager_admin_rule_collection" "admin_rule_collection"
 resource "azurerm_network_manager_admin_rule" "admin_rule" {
 name = "admin-rule"
- admin_rule_collection_id = azurerm_network_manager_admin_rule_collection.example.id
+ admin_rule_collection_id = azurerm_network_manager_admin_rule_collection.admin_rule_collection.id
 action = "Deny"
 direction = "Outbound"
 priority = 1
 protocol = "Tcp"
- source_port_ranges = ["80","443", "1024-65535"]
- destination_port_ranges = ["80","443"]
+ source_port_ranges = ["80", "443"]
+ destination_port_ranges = ["80", "443"]
 source {
- address_prefix_type = "ServiceTag"
- address_prefix = "Internet"
- }
- destination {
 address_prefix_type = "IPPrefix"
- address_prefix = "10.1.0.1"
+ address_prefix = "*"
 }
 destination {
- address_prefix_type = "IPPrefix"
- address_prefix = "10.0.0.0/24"
+ address_prefix_type = "ServiceTag"
+ address_prefix = "Internet"
 }
 description = "Example of security admin rule"
 }
@@ -256,4 +253,4 @@ resource "azurerm_network_manager_deployment" "commit_deployment_security_admin"
 location = azurerm_resource_group.rg.location
 scope_access = "SecurityAdmin"
 configuration_ids = [azurerm_network_manager_security_admin_configuration.security_admin_config.id]
-}
+}
\ No newline at end of file
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/outputs.tf b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/outputs.tf
similarity index 63%
rename from quickstart/201-virtual-network-manager-secure-hub-spoke/outputs.tf
rename to quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/outputs.tf
index efca48b70..cea760ab3 100644
--- a/quickstart/201-virtual-network-manager-secure-hub-spoke/outputs.tf
+++ b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/outputs.tf
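Review bot: The rewritten `source_port_ranges = ["80", "443"]` in the admin_rule hunk makes the Outbound Deny match only connections whose source port is 80 or 443, which is not what outbound HTTP/HTTPS from a workload looks like — the client side uses an ephemeral source port, so the traffic this rule appears to block would pass untouched. The previous revision's `"1024-65535"` entry was the part that covered that case; with the source now `IPPrefix "*"` and the destination `ServiceTag "Internet"`, the intent reads as "deny outbound web traffic to the Internet", which needs the source filter to span the whole port range, e.g. `source_port_ranges = ["0-65535"]` while keeping `destination_port_ranges = ["80", "443"]`. Whether the provider accepts `"0-65535"` or only the `"1024-65535"` form already used in this file should be confirmed against the azurerm documentation. The `description` still reads `"Example of security admin rule"`; stating the actual intent there (e.g. `"Deny outbound TCP 80/443 to the Internet from the spoke network group"`) would let a reader verify the rule without decoding it.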
@@ -4,8 +4,4 @@ output "resource_group_name" {
 output "hub_virtual_network_names" {
 value = azurerm_virtual_network.hub_vnet[*].name
-}
-
-output "spoke_virtual_network_names" {
- value = azurerm_virtual_network.spoke_vnet[*].name
 }
\ No newline at end of file
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/providers.tf b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/providers.tf
similarity index 100%
rename from quickstart/201-virtual-network-manager-secure-hub-spoke/providers.tf
rename to quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/providers.tf
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/readme.md b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/readme.md
similarity index 100%
rename from quickstart/201-virtual-network-manager-secure-hub-spoke/readme.md
rename to quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/readme.md
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/variables.tf b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/variables.tf
similarity index 100%
rename from quickstart/201-virtual-network-manager-secure-hub-spoke/variables.tf
rename to quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/variables.tf
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/main.tfplan b/quickstart/201-virtual-network-manager-secure-hub-spoke/main.tfplan deleted file mode 100644 index 1927085545ed2707c1f06e0008259df0e5087fd1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7506 zcmb7JWl)^U(uUwpAh<(F0Q};yb zoLlwvTk~Un%ro6R{dPY+BM*Xue*%O2@HLkVsKERph%hKH_9oWm`j)Si5ny1qHhhhs z8Y@<$Gv8L!AFa&H#G``WA%J|0y(fhnTavZe!qI|Y{Bs%UQ5AI+&Fr1Fq0pK)JF-VD z8+zF#8t|qFER}Gtz4ARMIeLRPo`#d1jt7>CEo;kM_Ay_lIO*xH!ms0>Nqu0lSh`$CIF@k3g7>aq#Ex&1_wlvGx~AOICl2U%D}3U^VQNrc1{eauGPcE4wJaQ6d!m>DrZ)|sJW9ZU zH(ysr4?5c5GDr>x9m{T_JH3(NRH?+9r6VYb3;&&rr!~zQ3B1#7T&B4E&T06Xhhu?~(=KR?TJT;*4k=anG6tUl63FO)ZgM zWxcs;pGkqtB>d=`_-!jNA!S=>d2;BHAgzfBFZ0om-s;)WmLn0+5bXZlK*XwnZ9^|p zQ>`84#nhR+NG(_K@L|O%Vg?YIsS0<%>yQL<-R$98qcY~B*CEycOvmOc2nRv{6d@YlLDApJT(wh^tDVM)X+pAt} z6_FvK&N4`U@}3gkI95`t#pfvFx?*+&>z!IUp+KLIEJ|Z_@p2{u$bE1M0k+m2omqs; z{Jt)KI2*u-%fhCpDvMRX)E3uxYKPEL)ZBov7{$&isP+-g_gbiK((+vVBW!~EC4Zj3 zI|okrgEwKm{P5=T3OqBs5@BVFAApc^E?rub77E~5Q9ApA2Z1YcaiqSwpz=M`<=nk{ zEScWxVmm)d<`38__7=*r}=ED zD6pgUl!1(SNFmO zKoPzv0g55*|GZLq>vicOSfY~r-BPUcaNv=^b_(%F;W(Bl@%n6|lRUwmbtrkreVy8O zJ%W&1f>G=U$31t;#^$;wkWI^1SZK z?pIZ$mYWLxU1Hai?_H7PfE4*@x{0|PSNoO{Qn2Sr=>Fy8?0$U<`&L(;Fq&ter4ls z8%5H-$-lS>%h}e|yl8se@mLs%VTGVU)wG07bDQ^!X6-ppu{(R~J3Xm10an=dq`zq3 zF!v|{Xs@DKf%`p-Nv8K0FaAV@KFm)0&KLkhhJ-Gh8=SDPrHfZtqJ|o+wt6HpcQ0U5 z-yRM-5Joj{VIZOqkwLJG+$RQ5Mk==d+*dzcb$2L5d<6u~2(m`m>o7>QzI=)zCxvrI z8}5mBFBSM^EYYv&`8ivGIncRUVftg5FQ-iqG?Gy%4t4ZWk?j?(JM%1cg0gNQq@5Pu z`OKOzR=UMiP@2b+8xF0UK6#>7X;J^35+fhL9DJMA<}^Z~*hI#nT!2E+`s$;>cx694 z8P}M;Pja8j8|`6hJa~2;UCe!s?S)f?GhL32&h;vCg6hWJe2m70#U!KaQj|EEFM6XZ zs%|7vPT|on>mBO(u98DPnAv=tyG$mi__A2Zhd-U}cK3~EDEFE9m)EPYCL>yHn{4KO z)0W@(JKM3(Whj00bfDFhk3|VyV7m4&@hFW+#&_B6LK>%YXNOODTPF4U+|_3@+Rn5K zx|saX*3}x(+Bc7KImkN5-W~3}S55M=Xo#gJ&aG~{@AqDC&!9V$$Q2B4a(NXs+o_U= zu^$s$lkBi}<=Hsx6W%5lafKk(oxRy4>M5BdOV22J7@;B-4M&5wUU9v&&(9{Q-d_}p!;S7F)ns>? 
z%^c~h@C=ZJGwg;35{$xs0pRQfcIDvr@z3ia4_I9o;{}Zr7mtH!{<<>?%E4MT#L&JuoQ8vi>7iwl%mDbgq zUK0v3z2p&o3gQea^K-Me$z%2v>Pz`#E2KAru zg$k=kp<`n*)aK+qqbQ!gnuNn_u}E#lTx@3Voo~43#Gh8d+!Gpaa*L4#M|7soW)`8X z#Od(O$j_aEjWZ5kXE|VEECu&2WJm7`oNjnkVUQli(m5q9&$7REbcFGe?`$-2EUCqC zyr4IJ;X_mhv}}uawrMApAi@HJzciO9Sav7dfQfEQf zyT@Bw8!(RTM&Ye`eulJB%sOF@D@zU+3pFs=@VHV(4KZzPPszKYUYAM(VV+fQ4mG?I ze^37b9*FdgDZ`E+4AF;&m@xoa7BEgUE>0?ef@Mc8k>1j#2|7NqUCD?Vgrb$0il^?m zy#@p$=j%=+`zU6+uS??Ug6_xW;csqQ$Tr@t)06@4T(@Cs<~u`W!inu1y9+F~auB@PX( zJdpFhA|y6AYj+bC1_l}ae?cc|tF|1#Csj_l!&8N0w3g*@5qAF^Tg#jRbaBB@D zs4+-A)S0ef{h4A+RkgWS5kn36cpJjkxb4x=6ob4M)~eW#>Xh^GU$+NcclLz6Sg$m{ z#9$y5T_cR9SDUVx@vZm#w= z1ZlYQ&_9&j$b^8!(C{NMWmum#&;~uiP2?IS2td_m4vO(NmzNS){sLWiN3NNWzMUtR zejDWh>`$TR{N%{P!urV(Ps~_DEA$x1sMN`B5`odVcNBCJLNy(s7tBE!dGP)*!h1O3 zEk`xBci1d)@l)p~J_RMhJw{=R(nQUQ&WPbyrDv^4rM`aGpF0vDUO0E;qRGl)0hF}S z7gzVV18&|QWD`VVJRdOw6TMh5*#b(Pzy!imrHmS#JvnTkZuWe(=C;W4?M|8OiygwOYzmjq}ns9#Z0$wi2l>^%&Xo+G}l*lseq<3b*J`u!Y~O7%k*Bvw*=I5Z{H4%P;EQ=T#L^n`hUij^3xrhA7G>2{$AbiYcB(U(c|s*LzIlqA?>&k!Ea6#Zd8F z__d*`xJ=_oYnlhY`gIfBLlzO1;#HTvkJ+P|Q zQGxePMQ0Pohya7l}NBcIYs0@<@dM`-P z@>nqZo4_>dtdia+8vQGl0C%ek4Cg??MQqp@DStI7Zhi?=@f=E!FiD`&0;+Jrl6SAX zQ<1ENv6=P8hfcGmyaBb+hWN7~V(Xcp)v256>F-N;6Gp%jz6wA z`NHSdO4xu8JH;fh3^6F+*%jI>;M-(HJ2DJtI$D%|6o+vFSzugIW+QhB6)_m5{40p+T+S{{4PlcL@S?R4>w%pRHk;YaQ z_q@QH` zd*sN>!t0E&(i<*h6w-yHXjC&?o`i)DzHX;hA&dnmn33-Ll~aI0W~1eo{8_vfS`c>b z`(ldRzcLXXq;d*>$|JN>hFnSw_LW7Bcvu=PeQv^kTEk9$==Q|T!^W#{M; zqcU9$AwA2{Cu9wEia4UJDX!;hgjhd!>O~^L+Zw)PoaZ%(w|^zws9%%l8^`Wo_m#va zCmrdlu;N9DK{+~l*@xTq13cg0bsjk)#=wn_=q9P2YExjQ&qk@7nj&}9>tixWm~0W5 zd249u+u_D>X@Vz==aCa|QJ?(RG0HAY^1j_Kl*XZZP4aAAlba^J$5E%Z^j)i3l%VaD zL*vVX#1t+zJcH=P7nMBq_hhqXN;^{xj+?*XTfL}vlJgk;j)vV{tL@_3Bp$T>>U=kk zk%?Z9yNZrSH(Gmwjg5B2Sz8Gqfg5jSuP`A_8_+U9%R(d2L?RV-G#b)PEZ~5KQ8xfg z&(@wa*3qRgp_(RH>l$K`(^{ypc`10s_TTgm`J_}`g8&1gP5i&oKmH%--^#(>+QHuL z*9!1)L>RS`9ov7+gVKqx(LRdA87GQrP(H_kR%ZLPd~=hUy~0H7&Ao@*8lG&bl+wIH zJ+JsyG~M1VKHNl#B(epAuD$_o*^rTkYcI!V!=Sa1RO{6%^Y9n8kK6JwLKZwTC@eJ2 
z#og-`yf!pvgzp5LQNDyo{#|wBDLw35A7&U2mG|GP7~vmgSle1TzB4km{ml@+2w_xT zA$0Kzh|}dTta(VaV2d;n_c}B8dBjGR!I+Lwiog6WV`Ou4`mo5NEWh3em-i`Z_#}`Z z(@7u;Qc$F6!;`lsrme;F)dsEnNNCNQkq4&CCrpp`>+D6Tf^57m7m7en2J>MA4eGo> zCYk0fTlhTNQ6B5qD9c#w3lLlT$7BN$I!DYW5e_@859a(uDFpFnngJXtZop=;n^TaD|(4fQ$JEAhTmqFt~U)qC4|*%!e38) zdwl^?8C?>2B~6;)K=Sgs2J^%dVv$cbGk{zmlQHwT;;2xns{?&w-(sN`{dSk!4hpZAF1~fF zHQj8SWkz5*@Bt~77f(*i`}zibTT;@O7q1A}Y`iiI4&Xv6Yz;wAX zr#8x?a5;+QPiMCrX|hMa>U3RM2Uj<@%bSt4W2Mxz2)T&Bp^KBXxWnywk~-c%(HB3K z#fPV}A*H*!X9y-9jjNneTLEC}ZQF(M%M~x~LS+o_v{R2Pg_*eX)^bQS`}25sqZqtl z6twO3PL7OT#Lueq@@d>QP!3fo${n>Ka~oK!if2W${gybIxQ?X_7AHFF%^9Cd6`sfP z4$e}~cgvF4lm_z+*j*luFHh;8X7D_%;L{fw>CNORlYeC~rB1vg?2GN_eTMV-S+zPX zS6`a!VP^thd_K(mK-+E|&(!BqtWUkBqp$G^9G-q}X9=;=f(F$Ky#f2q8iwII%cLa- z|3&g~H1&FCY32|M6E_#E5o?shY(u)-QXn0UVEog05h(08Yj^ zYbrctmfQ9A-u7T_6Ei^GwyW`Qu$b-}EmMF=_VI%CI}rhAc@j(=hPaR-_IY%E?T&m` zv~E1cl*BL<%+%x{$;q_*W!We1EAy0H^m+XhL@}9kvhyss(>?tQyQ_&Q1s&V#wg5e>0&Pw63qR@d*pK;S2(g-O51~HR@`?NADkr!xnk;tCdcTf@&Abc%! z^oK5Wy$O?PG-`}xh-y#zi27VOh!N`HL6x$LoFqDuO!}E$lR>Hm$0)#9_N@uX)+|^8 zZ?xBuBzYB;$0y)T+-h{oXEd&1{QeB794-L7am*Twz8V*=tISB;CViuXIQHl(azm|0 z>D=eV#MEvx8tksvwYGtGZUU(iZp7W@VymsQW3mPNGAt^i`$JqwHmaa%A4o6T zjT&J(BDC>YUJALRhcvNeGR`#lv2Bto8gZ8H4UftzqrJm*Qy5w~>%z#;4og5Z4L!Q3 z!LtZIyzFV4;)Xn}%t^?SB72PFW zxGL_L313d@eVIE5`#pr~4)4ENu@Z;GZ}_3xok#wW6=5Gef%*Ap_3M4fk4LND<&P(< zKNtVnO8>Z0`6=lS6MK{2FIfIu{cB_Uquu@~9cX{A{=NDB6XI8L^dqbP6dUv(5dYo} z|B3V~KlwqXeu_2D?@0eZt^Nf2l?(i!G(UwG_jj;=BshP<{aQ+Yha-IQJKR6gi9g|f zEs{U#?@ytB2$`Qw`=@IBC)Tf__4@&&K4AT?A}bFV>Y%EK4@2nMF=f#1Tw{2#1M Bbq@dl diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json b/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json deleted file mode 100644 index 9273da9f6..000000000 --- a/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/broken-az-pol.json +++ /dev/null 
@@ -1,50 +0,0 @@
-{
- "properties": {
- "displayName": "Policy Definition for Network Group",
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "description": "",
- "metadata": {
- "category": "Azure Virtual Network Manager",
- "createdBy": "9297f371-d435-4968-b575-51396e2cb555",
- "createdOn": "2023-06-10T00:22:29.0977043Z",
- "updatedBy": null,
- "updatedOn": null
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "equals": "Microsoft.Network/virtualNetworks",
- "field": "type"
- },
- {
- "allOf": [
- {
- "contains": "spoke-vnet",
- "field": "Name"
- }
- ]
- }
- ]
- },
- "then": {
- "details": {
- "networkGroupId": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/resourceGroups/rg-sterling-seahorse/providers/Microsoft.Network/networkManagers/network-manager/networkGroups/network-group"
- },
- "effect": "addToNetworkGroup"
- }
- }
- },
- "id": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/providers/Microsoft.Authorization/policyDefinitions/network-group-policy",
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "network-group-policy",
- "systemData": {
- "createdBy": "mbender@microsoft.com",
- "createdByType": "User",
- "createdAt": "2023-06-10T00:22:29.0682306Z",
- "lastModifiedBy": "mbender@microsoft.com",
- "lastModifiedByType": "User",
- "lastModifiedAt": "2023-06-10T00:22:29.0682306Z"
- }
- }
\ No newline at end of file
diff --git a/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json b/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json
deleted file mode 100644
index f6624fea0..000000000
--- a/quickstart/201-virtual-network-manager-secure-hub-spoke/terraform_test/working-az-pol.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "properties": {
- "policyType": "Custom",
- "mode": "Microsoft.Network.Data",
- "metadata": {
- "category": "Azure Virtual Network Manager",
- "createdBy": "9297f371-d435-4968-b575-51396e2cb555",
- "createdOn": "2023-06-10T01:47:40.2831395Z",
- "updatedBy": null,
- "updatedOn": null
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks"
- },
- {
- "allOf": [
- {
- "field": "Name",
- "contains": "spoke-vnet"
- }
- ]
- }
- ]
- },
- "then": {
- "effect": "addToNetworkGroup",
- "details": {
- "networkGroupId": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/resourceGroups/rg-sterling-seahorse/providers/Microsoft.Network/networkManagers/network-manager/networkGroups/network-group"
- }
- }
- }
- },
- "id": "/subscriptions/6a5f35e9-6951-499d-a36b-83c6c6eed44a/providers/Microsoft.Authorization/policyDefinitions/new-azure-policy",
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "new-azure-policy",
- "systemData": {
- "createdBy": "mbender@microsoft.com",
- "createdByType": "User",
- "createdAt": "2023-06-10T01:47:40.240191Z",
- "lastModifiedBy": "mbender@microsoft.com",
- "lastModifiedByType": "User",
- "lastModifiedAt": "2023-06-10T01:47:40.240191Z"
- }
- }
\ No newline at end of file
From 54be3bde84a22da5ee09e917ec16c919d1f9ba0c Mon Sep 17 00:00:00 2001
From: Michael Bender <102542398+mbender-ms@users.noreply.github.com>
Date: Tue, 20 Jun 2023 09:21:46 -0500
Subject: [PATCH 4/5] Updates to outputs
---
 .../outputs.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/outputs.tf b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/outputs.tf
index cea760ab3..d83d9164b 100644
--- a/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/outputs.tf
+++ b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/outputs.tf
@@ -4,4 +4,8 @@ output "resource_group_name" {
 output "hub_virtual_network_names" {
 value = azurerm_virtual_network.hub_vnet[*].name
+}
+
+output "spoken_virtual_network_names" {
+ value = azurerm_virtual_network.spoke_vnet[*].name
 }
\ No newline at end of file
From 06445873d551af94369e25453b0cffdc9175a027 Mon Sep 17 00:00:00 2001
From: Michael Bender <102542398+mbender-ms@users.noreply.github.com>
Date: Tue, 20 Jun 2023 09:45:49 -0500
Subject: [PATCH 5/5] Updates to outputs
---
 .../main.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/main.tf b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/main.tf
index be4d5ca4a..5411bc642 100644
--- a/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/main.tf
+++ b/quickstart/201-virtual-network-manager-deploy-secure-hub-spoke/main.tf
@@ -182,7 +182,7 @@ resource "azurerm_policy_definition" "network_group_policy" {
 }
 resource "azurerm_subscription_policy_assignment" "azure_policy_assignment" {
- name = "policy-assignment"
+ name = "${random_pet.network_group_policy_name.id}-policy-assignment"
 policy_definition_id = azurerm_policy_definition.network_group_policy.id
 subscription_id = data.azurerm_subscription.current.id
 }
@@ -217,6 +217,8 @@ resource "azurerm_network_manager_admin_rule_collection" "admin_rule_collection"
 name = "admin-rule-collection"
 security_admin_configuration_id = azurerm_network_manager_security_admin_configuration.security_admin_config.id
 network_group_ids = [azurerm_network_manager_network_group.network_group.id]
+
+ depends_on = [azurerm_policy_definition.network_group_policy]
 }
 resource "azurerm_network_manager_admin_rule" "admin_rule" {
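Review bot: The output name `spoken_virtual_network_names` in the outputs.tf hunk looks like a typo: the value it exposes is `azurerm_virtual_network.spoke_vnet[*].name`, its sibling output is `hub_virtual_network_names`, and the output removed from this file in the previous patch was `spoke_virtual_network_names`. Output names are part of the module's interface and will be quoted by the article this quickstart backs, so they are costly to rename later; suggest `output "spoke_virtual_network_names" {`.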
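Review bot: The explicit `depends_on = [azurerm_policy_definition.network_group_policy]` added to admin_rule_collection anchors on the policy definition, but a definition on its own does not place any virtual network in the network group — membership only materialises once the definition is assigned, which is `azurerm_subscription_policy_assignment.azure_policy_assignment` in the first hunk of this commit. If the intent is to ensure the group is populated before the rule collection is created, `depends_on = [azurerm_subscription_policy_assignment.azure_policy_assignment]` is the closer anchor; if it was added to work around a specific apply-time error, a one-line comment naming that error would save the next reader from removing it. The admin_rule_collection resource block starts outside the hunk.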
@@ -253,4 +255,6 @@ resource "azurerm_network_manager_deployment" "commit_deployment_security_admin"
 location = azurerm_resource_group.rg.location
 scope_access = "SecurityAdmin"
 configuration_ids = [azurerm_network_manager_security_admin_configuration.security_admin_config.id]
+
+ depends_on = [azurerm_network_manager_security_admin_configuration.security_admin_config]
 }
\ No newline at end of file
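Review bot: The new `depends_on = [azurerm_network_manager_security_admin_configuration.security_admin_config]` on commit_deployment_security_admin is redundant: `configuration_ids` on the line above already references `security_admin_config.id`, so Terraform derives that same edge implicitly. The ordering this deployment actually needs is on the rule content — if the commit runs before `azurerm_network_manager_admin_rule.admin_rule` exists, it may deploy a configuration that does not yet contain the Deny rule, so the intended protection only lands on a later apply. `depends_on = [azurerm_network_manager_admin_rule.admin_rule]` would express that, with a short comment saying why. The deployment resource block starts outside the hunk.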