
Resolved merge conflicts, tested tf local
JinLee794 committed Oct 15, 2024
1 parent 344d722 commit 0dc5223
Showing 8 changed files with 49 additions and 55 deletions.
12 changes: 6 additions & 6 deletions scenarios/secure-baseline-multitenant/terraform/README.md
@@ -1,4 +1,4 @@
# Multi-tenant App Service Secure Baseline Terraform Implementation
# Multitenant App Service Secure Baseline Terraform Implementation

## Steps of Implementation for App Service Construction Set

Expand Down Expand Up @@ -37,11 +37,11 @@ location = "swedencentral"
location_short = "swe"

tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
entra_admin_group_object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
entra_admin_group_name = "Microsoft Entra ID SQL Admins"
vm_entra_admin_username = "bob@contoso.com"
aad_admin_group_object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
aad_admin_group_name = "Microsoft Entra ID SQL Admins"
vm_aad_admin_username = "bob@contoso.com"

# Optionally provide non-Entra admin credentials for the VM
# Optionally provide non-AAD admin credentials for the VM
# vm_admin_username = "daniem"
# vm_admin_password = "**************"

Expand Down Expand Up @@ -172,7 +172,7 @@ az upgrade
az network bastion rdp --name bast-bastion --resource-group rg-hub --target-resource-id /subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/virtualMachines/{vm-name} --disable-gateway
```

If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials)
If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](#unable-to-connect-to-devops-vm-using-aad-credentials)

Once completed, you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions (the exact command will be provided in the output of the Terraform deployment):

4 changes: 4 additions & 0 deletions scenarios/secure-baseline-multitenant/terraform/backend.hcl
@@ -0,0 +1,4 @@
resource_group_name = "backend-appsrvc-dev-westus2-001"
storage_account_name = "stbackendappsrwestus2001"
container_name = "tfstate"
key = "scenario1.localtest.tfstate"
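Review bot: The committed backend configuration sets no `use_azuread_auth = true`, so `terraform init -backend-config=backend.hcl` will authenticate to the state container with the storage account's shared key rather than the caller's own identity. That matters here because the state written under `scenario1.localtest.tfstate` will contain whatever the spoke autogenerates for `vm_admin_password` (declared as "Autogenerated if null" in spoke/variables.tf, presumably via a random password resource), so anyone who can read the container holds those credentials. Adding `use_azuread_auth = true` to this file limits state access to identities granted RBAC on the container and keeps the shared key out of the workflow. The same applies to the two other four-line backend.hcl hunks in this commit (keys `scenario1.hub.tfstate` and `scenario1.spoke.tfstate`).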
@@ -0,0 +1,4 @@
resource_group_name = "backend-appsrvc-dev-westus2-001"
storage_account_name = "stbackendappsrwestus2001"
container_name = "tfstate"
key = "scenario1.hub.tfstate"
Expand Up @@ -22,7 +22,7 @@ variable "owner" {

# variable "tenant_id" {
# type = string
# description = "[Required] The Microsoft Entra tenant ID for the identities"
# description = "[Required] The Azure AD tenant ID for the identities"
# }

variable "tags" {
7 changes: 1 addition & 6 deletions scenarios/secure-baseline-multitenant/terraform/spoke/app.tf
Expand Up @@ -65,12 +65,7 @@ module "sql_database" {
private_link_subnet_id = module.network.subnets["privateLink"].id
global_settings = local.global_settings
tags = local.base_tags
sql_databases = [
{
name = "sample-db"
sku_name = "S0"
}
]
sql_databases = var.sql_databases

private_dns_zone = local.provisioned_dns_zones["privatelink.database.windows.net"]
}
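Review bot: `sql_databases = var.sql_databases` replaces the inline `sample-db` entry, but no `variable "sql_databases"` declaration appears in the spoke/variables.tf section of this same commit, so unless it was added earlier this module call will fail validation with an undeclared input variable. If it is declared, prefer a typed schema over `any` — `type = list(object({ name = string, sku_name = string }))` — and a default that reproduces the previous `{ name = "sample-db", sku_name = "S0" }` entry so existing tfvars files keep deploying the database the README's SQL setup steps refer to. The `module "sql_database"` block begins before this hunk.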
@@ -0,0 +1,4 @@
resource_group_name = "backend-appsrvc-dev-westus2-001"
storage_account_name = "stbackendappsrwestus2001"
container_name = "tfstate"
key = "scenario1.spoke.tfstate"
Expand Up @@ -4,21 +4,23 @@ location = "westus3"
owner = "cloudops@contoso.com"

# For the hub state, use the same settings as the remote state config on the hub deployment from /hub/main.tf
hub_state_resource_group_name = "backend-appsrvc-dev-westus2-001"
hub_state_storage_account_name = "stbackendappsrwestus2001"
hub_state_container_name = "tfstate"
hub_state_key = "scenario1.hub.tfstate"
hub_remote_state_settings = {
storage_account_name = "stbackendappsrwestus2001"
container_name = "tfstate"
key = "scenario1.hub.tfstate"
resource_group_name = "backend-appsrvc-dev-westus2-001"
}

entra_admin_group_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884"
entra_admin_group_name = "AppSvcLZA Microsoft Entra SQL Admins"
entra_admin_group_name = "AppSvcLZA Azure AD SQL Admins"

## Lookup the Microsoft Entra User
## Lookup the Azure AD User
# vm_entra_admin_username = "my-user@contoso.com"
## Reference an existing Microsoft Entra User/Group Object ID to bypass lookup
vm_entra_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Microsoft Entra SQL Admins"
## Reference an existing Azure AD User/Group Object ID to bypass lookup
vm_entra_admin_object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" # "AppSvcLZA Azure AD SQL Admins"


## Optionally provide non-Entra ID admin credentials for the VM
## Optionally provide non-entra admin credentials for the VM
# vm_admin_username = "daniem"
# vm_admin_password = "**************"

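Review bot: The new `hub_remote_state_settings` object repeats by hand the four values of the hub backend.hcl hunk added in this commit (same storage account, container and `scenario1.hub.tfstate` key), while the comment above it still tells the reader to copy them from /hub/main.tf; if either copy drifts, the spoke's hub-state lookup (presumably a `terraform_remote_state` data source) silently reads a different state file. Suggest pointing the comment at the file that is now authoritative, e.g. `# Must match the hub's backend.hcl exactly: the spoke reads the hub outputs from this state file`. The two commented-out lookup variants below (`vm_entra_admin_username` vs `vm_entra_admin_object_id`) would also benefit from one line saying which one wins when both are set; the `vm_entra_admin_object_id` description in spoke/variables.tf suggests the object ID does, but that is not stated here.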
51 changes: 18 additions & 33 deletions scenarios/secure-baseline-multitenant/terraform/spoke/variables.tf
Expand Up @@ -34,7 +34,7 @@ variable "location" {

variable "tenant_id" {
type = string
description = "The Microsoft Entra tenant ID for the identities. If no value provided, will use current deployment environment tenant."
description = "The Azure AD tenant ID for the identities. If no value provided, will use current deployment environment tenant."
default = null
}

Expand All @@ -47,43 +47,27 @@ variable "tags" {
#####################################
# Spoke Resource Configuration Variables
#####################################
variable "entra_admin_group_object_id" {
type = string
description = "The object ID of the Microsoft Entra group that should be granted SQL Admin permissions to the SQL Server"
variable "hub_virtual_network" {
type = any
description = "[Required] Hub virtual network object that is live in Azure. Use either a data block or output of the `Hub` module (virtual_network) to provide this value"
}

variable "entra_admin_group_name" {
type = string
description = "The name of the Microsoft Entra group that should be granted SQL Admin permissions to the SQL Server"
variable "firewall_private_ip" {
type = string
}

variable "bastion_subnet_name" {
type = string
description = "[Optional] Name of the subnet to deploy bastion resource to. Defaults to 'AzureBastionSubnet'"
default = "AzureBastionSubnet"
variable "firewall_rules" {
type = any
}

variable "firewall_subnet_name" {
variable "entra_admin_group_object_id" {
type = string
description = "[Optional] Name of the subnet for firewall resources. Defaults to 'AzureFirewallSubnet'"
default = "AzureFirewallSubnet"
}
variable "hub_vnet_cidr" {
type = list(string)
description = "[Optional] The CIDR block(s) for the hub virtual network. Defaults to 10.242.0.0/20"
default = ["10.242.0.0/20"]
}

variable "firewall_subnet_cidr" {
type = list(string)
description = "[Optional] The CIDR block(s) for the firewall subnet. Defaults to 10.242.0.0/26"
default = ["10.242.0.0/26"]
description = "[Required] The object ID of the Azure AD group that should be granted SQL Admin permissions to the SQL Server"
}

variable "bastion_subnet_cidr" {
type = list(string)
description = "[Optional] The CIDR block(s) for the bastion subnet. Defaults to 10.242.0.64/26"
default = ["10.242.0.64/26"]
variable "entra_admin_group_name" {
type = string
description = "[Required] The name of the Azure AD group that should be granted SQL Admin permissions to the SQL Server"
}

variable "spoke_vnet_cidr" {
Expand Down Expand Up @@ -125,24 +109,25 @@ variable "private_link_subnet_cidr" {

variable "vm_admin_username" {
type = string
description = "The username for the local VM admin account. Autogenerated if null. Prefer using the Microsoft Entra admin account."
description = "[Optional] The username for the local VM admin account. Autogenerated if null. Prefer using the Azure AD admin account."
default = null
}

variable "vm_admin_password" {
type = string
description = "The password for the local VM admin account. Autogenerated if null. Prefer using the Microsoft Entra admin account."
description = "[Optional] The password for the local VM admin account. Autogenerated if null. Prefer using the Azure AD admin account."
default = null
}

variable "vm_entra_admin_username" {
type = string
description = "[Optional] The Microsoft Entra username for the VM admin account. If vm_entra_admin_object_id is not specified, this value will be used."
description = "[Optional] The Azure AD username for the VM admin account. If vm_entra_admin_object_id is not specified, this value will be used."
default = null
}

variable "vm_entra_admin_object_id" {
type = string
description = "The Microsoft Entra object ID for the VM admin user/group. If vm_entra_admin_username is not specified, this value will be used."
description = "[Optional] The Azure AD object ID for the VM admin user/group. If vm_entra_admin_username is not specified, this value will be used."
default = null
}

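Review bot: `variable "firewall_private_ip"` and `variable "firewall_rules"` are added without a `description`, and `firewall_rules` and `hub_virtual_network` are typed `any`, so nothing in this file documents or validates the shape the spoke expects to receive from the hub. At minimum add `description = "[Required] Private IP address of the hub firewall"` and `description = "[Required] Firewall rule definitions for this spoke; object shape must match what the hub module consumes"`, and tighten `hub_virtual_network` to `object({ id = string, name = string })` if those are the only attributes read. Separately, if the second line of each changed pair is the new side, the descriptions here revert from "Microsoft Entra" to "Azure AD" wording while the variable names keep the `entra_` prefix, which conflicts with the README section of the same commit; the rendering does not make the direction certain, so please confirm which side was intended.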
