fixed private endpoints for app svc slots

.github/workflows/scenario1.terraform.yml

@@ -42,7 +42,7 @@ permissions:
 env:
   modulePath: 'scenarios/secure-baseline-multitenant/terraform'
   terraformVersion: 1.9.7 # must be greater than or equal to 1.2 for OIDC
-  backendStateKey: 'scenario1.hub.tfstate'
+  backendStateKey: 'scenario1.appsvclza.tfstate'
   tfvarPath: '_parameters/ase-multitenant.parameters.tfvars'
 
 jobs:
@@ -65,7 +65,7 @@ jobs:
     with:
       modulePath: ${{ needs.prepare-environment.outputs.modulePath }}
       terraformVersion: ${{ needs.prepare-environment.outputs.terraformVersion }}
-      backendStateKey: 'scenario1.hub.tfstate'
+      backendStateKey: ${{ env.backendStateKey}}
       tfvarPath: ${{ needs.prepare-environment.outputs.tfvarPath }}
       # Ensure this value is a boolean
       destroy: ${{ github.event.inputs.destroy == 'true' }}

scenarios/shared/terraform-modules/app-service/linux-web-app/module.tf

@@ -90,22 +90,11 @@ resource "azurerm_monitor_diagnostic_setting" "this" {
   enabled_log {
     category_group = "allLogs"
 
-    ## `retention_policy` has been deprecated in favor of `azurerm_storage_management_policy` resource - to learn more https://aka.ms/diagnostic_settings_log_retention
-    # retention_policy {
-    #   days    = 0
-    #   enabled = false
-    # }
   }
 
   metric {
     category = "AllMetrics"
     enabled  = false
-
-    ## `retention_policy` has been deprecated in favor of `azurerm_storage_management_policy` resource - to learn more https://aka.ms/diagnostic_settings_log_retention
-    # retention_policy {
-    #   days    = 0
-    #   enabled = false
-    # }
   }
 }
 
@@ -159,23 +148,17 @@ resource "azurerm_linux_web_app_slot" "slot" {
   }
 }
 
-resource "azurecaf_name" "slot" {
-  count         = length(var.webapp_options.slots)
-  name          = "${azurecaf_name.caf_name_linwebapp.result}-${var.webapp_options.slots[count.index]}"
-  resource_type = "azurerm_private_endpoint"
-}
-
 module "private_endpoint_slot" {
   source = "../../private-endpoint"
-  count  = length(var.webapp_options.slots)
+  count = length(azurerm_linux_web_app_slot.slot)
 
-  name                           = "${azurecaf_name.slot[count.index].result}-${azurerm_linux_web_app_slot.slot[count.index].name}"
+  name                           = "${azurerm_linux_web_app.this.name}-${azurerm_linux_web_app_slot.slot[count.index].name}"
   resource_group                 = var.resource_group
   location                       = var.location
   subnet_id                      = var.frontend_subnet_id
-  private_connection_resource_id = azurerm_linux_web_app.this.id
+  private_connection_resource_id = azurerm_linux_web_app.this.id // Change this line
 
-  subresource_names = ["sites"]
+  subresource_names = ["sites-${azurerm_linux_web_app_slot.slot[count.index].name}"]
 
   private_dns_zone = var.private_dns_zone
 

scenarios/shared/terraform-modules/app-service/module.tf

@@ -43,7 +43,6 @@ module "windows_web_app" {
 
   resource_group = var.resource_group
   web_app_name   = var.application_name
-  # environment           = var.environment
   location              = var.location
   service_plan_id       = azurerm_service_plan.this.id
   service_plan_resource = azurerm_service_plan.this
@@ -68,7 +67,6 @@ module "linux_web_app" {
 
   resource_group = var.resource_group
   web_app_name   = var.application_name
-  # environment           = var.environment
   location              = var.location
   service_plan_id       = azurerm_service_plan.this.id
   service_plan_resource = azurerm_service_plan.this

scenarios/shared/terraform-modules/app-service/windows-web-app/module.tf

@@ -81,23 +81,11 @@ resource "azurerm_monitor_diagnostic_setting" "this" {
 
   enabled_log {
     category_group = "AllLogs"
-
-    ## `retention_policy` has been deprecated in favor of `azurerm_storage_management_policy` resource - to learn more https://aka.ms/diagnostic_settings_log_retention
-    # retention_policy {
-    #   days    = 0
-    #   enabled = false
-    # }
   }
 
   metric {
     category = "AllMetrics"
     enabled  = false
-
-    ## `retention_policy` has been deprecated in favor of `azurerm_storage_management_policy` resource - to learn more https://aka.ms/diagnostic_settings_log_retention
-    # retention_policy {
-    #   days    = 0
-    #   enabled = false
-    # }
   }
 }
 
@@ -151,29 +139,26 @@ resource "azurerm_windows_web_app_slot" "slot" {
   }
 }
 
-resource "azurecaf_name" "slot" {
-  count         = length(var.webapp_options.slots)
-  name          = "${var.web_app_name}-${var.webapp_options.slots[count.index]}"
-  resource_type = "azurerm_private_endpoint"
-}
-
-# module "private_endpoint_slot" {
-#   source = "../../private-endpoint"
+module "private_endpoint_slot" {
+  source = "../../private-endpoint"
+  count = length(azurerm_windows_web_app_slot.slot)
 
-#   count = length(var.webapp_options.slots)
+  name                           = "${azurerm_windows_web_app.this.name}-${azurerm_windows_web_app_slot.slot[count.index].name}"
+  resource_group                 = var.resource_group
+  location                       = var.location
+  subnet_id                      = var.frontend_subnet_id
+  private_connection_resource_id = azurerm_windows_web_app.this.id // Change this line
 
-#   name                           = "${azurecaf_name.slot[count.index].result}-${azurerm_windows_web_app_slot.slot[count.index].name}"
-#   resource_group                 = var.resource_group
-#   location                       = var.location
-#   subnet_id                      = var.frontend_subnet_id
-#   private_connection_resource_id = azurerm_windows_web_app_slot.slot[count.index].id
+  subresource_names = ["sites-${azurerm_windows_web_app_slot.slot[count.index].name}"]
 
-#   subresource_names = ["sites"]
+  private_dns_zone = var.private_dns_zone
 
-#   private_dns_zone = var.private_dns_zone
+  private_dns_records = [
+    lower("${azurerm_windows_web_app.this.name}-${azurerm_windows_web_app_slot.slot[count.index].name}"),
+    lower("${azurerm_windows_web_app.this.name}-${azurerm_windows_web_app_slot.slot[count.index].name}.scm")
+  ]
 
-#   private_dns_records = [
-#     lower("${azurerm_windows_web_app.this.name}-${azurerm_windows_web_app_slot.slot[count.index].name}"),
-#     lower("${azurerm_windows_web_app.this.name}-${azurerm_windows_web_app_slot.slot[count.index].name}.scm")
-#   ]
-# }
+  depends_on = [
+    azurerm_windows_web_app_slot.slot
+  ]
+}

scenarios/shared/terraform-modules/sql-database/module.tf

@@ -10,10 +10,10 @@ resource "azurecaf_name" "caf_name_sqlserver" {
   use_slug = var.global_settings.use_slug
 }
 
-data "azuread_group" "sql_admin_group" {
-  display_name     = var.entra_admin_group_object_id == null ? var.entra_admin_group_name : null
-  object_id        = var.entra_admin_group_object_id
-  security_enabled = true
+data "azurerm_client_config" "current" { }
+
+data "azuread_user" "current_user" {
+  object_id = data.azurerm_client_config.current.object_id
 }
 
 # Create the SQL Server 
@@ -29,8 +29,8 @@ resource "azurerm_mssql_server" "this" {
   tags = local.tags
 
   azuread_administrator {
-    login_username              = data.azuread_group.sql_admin_group.display_name
-    object_id                   = data.azuread_group.sql_admin_group.object_id
+    login_username              = data.azuread_user.current_user.display_name
+    object_id                   = data.azurerm_client_config.current.object_id
     azuread_authentication_only = true
     tenant_id                   = var.tenant_id
   }

scenarios/shared/terraform-modules/sql-database/variables.tf

@@ -30,16 +30,6 @@ variable "tenant_id" {
   description = "The tenant id where the resources will be created"
 }
 
-variable "entra_admin_group_object_id" {
-  type    = string
-  default = null
-}
-
-variable "entra_admin_group_name" {
-  type    = string
-  default = null
-}
-
 variable "private_link_subnet_id" {
   type        = string
   description = "The subnet id where the SQL database will be integrated"