feat: merge scenarios #192

Merged
merged 42 commits into from
Nov 29, 2023

thotheod
Contributor

Merged scenarios in one

  • Removed all the second scenario
  • creating a Draft PR to check on the documentation changes required, until we create the Terraform implementation as well

@thotheod thotheod closed this Oct 24, 2023
@thotheod thotheod reopened this Oct 24, 2023
@thotheod thotheod changed the title feat: ASE shared modules (CARML) feat: merge scenarios Oct 24, 2023
@thotheod thotheod marked this pull request as draft October 24, 2023 15:34
@thotheod thotheod requested a review from kunalbabre October 24, 2023 15:35
@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/d61def9d-d2d2-491e-aee0-f0516d5f4fe6/terraform-bin show -no-color tfplan

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
::debug::Terraform exited with code 0.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/8205589e-3177-41e8-8865-363cb3aafc46/terraform-bin show -no-color tfplan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "gpt-35-turbo"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "text-embedding-ada-002"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.
::debug::Terraform exited with code 0.
-> null%0A          - host_name     = "azureprivatedns.net" -> null%0A          - minimum_ttl   = 10 -> null%0A          - refresh_time  = 3600 -> null%0A          - retry_time    = 300 -> null%0A          - serial_number = 1 -> null%0A          - tags          = {} -> null%0A          - ttl           = 3600 -> null%0A        }%0A    }%0A%0A  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced%0A-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)%0A        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement%0A      - tags                  = {} -> null%0A        # (3 unchanged attributes hidden)%0A    }%0A%0A  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created%0A  + resource "azurerm_private_dns_zone" "this" {%0A      + id                                                    = (known after apply)%0A      + max_number_of_record_sets                             = (known after apply)%0A      + max_number_of_virtual_network_links                   = (known after apply)%0A      + max_number_of_virtual_network_links_with_registration = (known after apply)%0A      + name                                                  = "privatelink.openai.azure.com"%0A      + number_of_record_sets                                 = (known after apply)%0A      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"%0A      + tags                                                  = {%0A          + "Environment" = "prod"%0A          + "Owner"       
= "cloudops@contoso.com"%0A          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A          + "Terraform"   = "true"%0A          + "module"      = "private-dns-zone"%0A        }%0A    }%0A%0A  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created%0A  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A      + id                    = (known after apply)%0A      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A      + private_dns_zone_name = "privatelink.openai.azure.com"%0A      + registration_enabled  = false%0A      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"%0A      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"%0A    }%0A%0A  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created%0A  + resource "azurerm_private_endpoint" "this" {%0A      + custom_dns_configs       = (known after apply)%0A      + id                       = (known after apply)%0A      + location                 = "westus3"%0A      + name                     = (known after apply)%0A      + network_interface        = (known after apply)%0A      + private_dns_zone_configs = (known after apply)%0A      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"%0A      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"%0A      + tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A%0A      + private_service_connection {%0A          + is_manual_connection           = false%0A          + name                           = (known 
after apply)%0A          + private_connection_resource_id = (known after apply)%0A          + private_ip_address             = (known after apply)%0A          + subresource_names              = [%0A              + "account",%0A            ]%0A        }%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"%0A        name                = "eslz2"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"%0A        name                = "eslz2.scm"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place%0A  ~ resource "azurerm_private_endpoint" "this" {%0A        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"%0A        name                     = "pe-eslz2"%0A      ~ tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A        # 
(6 unchanged attributes hidden)%0A%0A        # (1 unchanged block hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"%0A        name                = "eslz2-staging"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place%0A  ~ resource "azurerm_private_dns_a_record" "this" {%0A        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"%0A        name                = "eslz2-staging.scm"%0A      ~ tags                = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (5 unchanged attributes hidden)%0A    }%0A%0A  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place%0A  ~ resource "azurerm_private_endpoint" "this" {%0A        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"%0A        name                     = "pe-eslz2-staging"%0A      ~ tags                     = {%0A          + "module" = "private-endpoint"%0A        }%0A        # (6 unchanged attributes hidden)%0A%0A        # (1 unchanged block hidden)%0A    }%0A%0APlan: 14 to add, 7 to change, 
6 to destroy.%0A
::debug::stderr: 
::debug::exitcode: 0

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/888305d3-8408-41c9-a754-1fd80e0c7227/terraform-bin show -no-color tfplan

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
::debug::Terraform exited with code 0.
::debug::stderr: 
::debug::exitcode: 0

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

@github-actions

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

[command]/home/runner/work/_temp/8d20175a-5740-48d8-b5ec-f87f8b03459f/terraform-bin show -no-color tfplan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "gpt-35-turbo"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id = (known after apply)
      + id                   = (known after apply)
      + name                 = "text-embedding-ada-002"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thodoris Theodorou <thotheod@microsoft.com>
Co-authored-by: Jin Lee <94473824+JinLee794@users.noreply.github.com>

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "gpt-35-turbo"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline


Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success



No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline


Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success



Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "gpt-35-turbo"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "gpt-35-turbo"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "gpt-35-turbo"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "gpt-35-turbo"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "gpt-35-turbo"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod|sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
      + log_analytics_destination_type = "AzureDiagnostics"
        name                           = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}"
        # (2 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.openai[0].azurecaf_name.caf_name_oai will be created
  + resource "azurecaf_name" "caf_name_oai" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + prefixes      = [
          + "sec-baseline-1-spoke",
          + "westus3",
        ]
      + random_length = 0
      + resource_type = "azurerm_cognitive_account"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + suffixes      = [
          + "prod",
        ]
      + use_slug      = true
    }

  # module.openai[0].azurecaf_name.priv_endpoint will be created
  + resource "azurecaf_name" "priv_endpoint" {
      + clean_input   = true
      + id            = (known after apply)
      + passthrough   = false
      + random_length = 0
      + resource_type = "azurerm_private_endpoint"
      + result        = (known after apply)
      + results       = (known after apply)
      + separator     = "-"
      + use_slug      = true
    }

  # module.openai[0].azurerm_cognitive_account.this will be created
  + resource "azurerm_cognitive_account" "this" {
      + custom_subdomain_name              = (known after apply)
      + endpoint                           = (known after apply)
      + id                                 = (known after apply)
      + kind                               = "OpenAI"
      + local_auth_enabled                 = true
      + location                           = "westus3"
      + name                               = (known after apply)
      + outbound_network_access_restricted = false
      + primary_access_key                 = (sensitive value)
      + public_network_access_enabled      = false
      + resource_group_name                = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + secondary_access_key               = (sensitive value)
      + sku_name                           = "S0"
      + tags                               = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "openai"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }

      + network_acls {
          + default_action = "Deny"

          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
            }
          + virtual_network_rules {
              + ignore_missing_vnet_service_endpoint = true
              + subnet_id                            = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm"
            }
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "gpt-35-turbo"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "gpt-35-turbo"
          + version = "0613"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created
  + resource "azurerm_cognitive_deployment" "this" {
      + cognitive_account_id   = (known after apply)
      + id                     = (known after apply)
      + name                   = "text-embedding-ada-002"
      + version_upgrade_option = "OnceNewDefaultVersionAvailable"

      + model {
          + format  = "OpenAI"
          + name    = "text-embedding-ada-002"
          + version = "2"
        }

      + scale {
          + capacity = 1
          + type     = "Standard"
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.database.windows.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.azconfig.io." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.azconfig.io" -> "privatelink.database.windows.net" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone.this must be replaced
-/+ resource "azurerm_private_dns_zone" "this" {
      ~ id                                                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> (known after apply)
      ~ max_number_of_record_sets                             = 25000 -> (known after apply)
      ~ max_number_of_virtual_network_links                   = 1000 -> (known after apply)
      ~ max_number_of_virtual_network_links_with_registration = 100 -> (known after apply)
      ~ name                                                  = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      ~ number_of_record_sets                                 = 2 -> (known after apply)
        tags                                                  = {
            "Environment" = "prod"
            "Owner"       = "cloudops@contoso.com"
            "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
            "Terraform"   = "true"
            "module"      = "private-dns-zone"
        }
        # (1 unchanged attribute hidden)

      - soa_record {
          - email         = "azureprivatedns-host.microsoft.com" -> null
          - expire_time   = 2419200 -> null
          - fqdn          = "privatelink.vaultcore.azure.net." -> null
          - host_name     = "azureprivatedns.net" -> null
          - minimum_ttl   = 10 -> null
          - refresh_time  = 3600 -> null
          - retry_time    = 300 -> null
          - serial_number = 1 -> null
          - tags          = {} -> null
          - ttl           = 3600 -> null
        }
    }

  # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      ~ id                    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" -> (known after apply)
        name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      ~ private_dns_zone_name = "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" # forces replacement
      - tags                  = {} -> null
        # (3 unchanged attributes hidden)
    }
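Review bot: module.private_dns_zones[1], [2] and [3] are replaced only because the zone names moved to different numeric indexes ("privatelink.database.windows.net" -> "privatelink.vaultcore.azure.net" at [1], "privatelink.azconfig.io" -> "privatelink.database.windows.net" at [2], "privatelink.vaultcore.azure.net" -> "privatelink.azconfig.io" at [3]), not because any zone is actually going away. The same three zones exist before and after, yet each one and its virtual network link is destroyed and recreated, and the record sets they hold (number_of_record_sets = 2 on each) go with them, so names under those zones stop resolving through the hub until everything is rebuilt. The numeric addresses show the module is instantiated by position in a list. Consider keying it with for_each on the zone name, or adding moved blocks for the reordered entries, so that adding "privatelink.openai.azure.com" only creates the new zone and link.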

  # module.private_dns_zones[5].azurerm_private_dns_zone.this will be created
  + resource "azurerm_private_dns_zone" "this" {
      + id                                                    = (known after apply)
      + max_number_of_record_sets                             = (known after apply)
      + max_number_of_virtual_network_links                   = (known after apply)
      + max_number_of_virtual_network_links_with_registration = (known after apply)
      + name                                                  = "privatelink.openai.azure.com"
      + number_of_record_sets                                 = (known after apply)
      + resource_group_name                                   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + tags                                                  = {
          + "Environment" = "prod"
          + "Owner"       = "cloudops@contoso.com"
          + "Project"     = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"
          + "Terraform"   = "true"
          + "module"      = "private-dns-zone"
        }
    }

  # module.private_dns_zones[5].azurerm_private_dns_zone_virtual_network_link.this[0] will be created
  + resource "azurerm_private_dns_zone_virtual_network_link" "this" {
      + id                    = (known after apply)
      + name                  = "sec-baseline-1-hub-wus2-vnet-eslz2-prod"
      + private_dns_zone_name = "privatelink.openai.azure.com"
      + registration_enabled  = false
      + resource_group_name   = "sec-baseline-1-hub-wus2-rg-eslz2"
      + virtual_network_id    = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod"
    }

  # module.openai[0].module.private_endpoint.azurerm_private_endpoint.this will be created
  + resource "azurerm_private_endpoint" "this" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westus3"
      + name                     = (known after apply)
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2"
      + subnet_id                = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink"
      + tags                     = {
          + "module" = "private-endpoint"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = (known after apply)
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "account",
            ]
        }
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2"
        name                = "eslz2"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2.scm"
        name                = "eslz2.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2"
        name                     = "pe-eslz2"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging"
        name                = "eslz2-staging"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be updated in-place
  ~ resource "azurerm_private_dns_a_record" "this" {
        id                  = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net/A/eslz2-staging.scm"
        name                = "eslz2-staging.scm"
      ~ tags                = {
          + "module" = "private-endpoint"
        }
        # (5 unchanged attributes hidden)
    }

  # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be updated in-place
  ~ resource "azurerm_private_endpoint" "this" {
        id                       = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging"
        name                     = "pe-eslz2-staging"
      ~ tags                     = {
          + "module" = "private-endpoint"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 14 to add, 7 to change, 6 to destroy.

Pusher: @thotheod, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

@thotheod
Contributor Author

Tested thoroughly, made several fixes. Bicep Implementation of merged scenarios (together with OpenAI) seems fine now.
We might need to add/change some documentation and architecture diagrams though....

Pasting the test link for the Portal Custom Deployment

cc @kunalbabre @JinLee794 @ibersanoMS

@thotheod thotheod requested a review from JinLee794 November 16, 2023 11:39
@thotheod thotheod marked this pull request as ready for review November 16, 2023 11:41
@kunalbabre kunalbabre merged commit 9e5a75c into main Nov 29, 2023
7 checks passed
@kunalbabre kunalbabre deleted the feature/merge-scenarios branch November 29, 2023 17:00
jonlester pushed a commit that referenced this pull request May 20, 2024
* feat: ASE shared modules (CARML)
- deployAseV3 param added

* feat: fixed spoke subnets
- added NSGs

* doc: changes for deployAseV3

* fix: typo

* doc: settings

* fix

* fx

* feat: asp merged - test 1

* fix:  nsg

* fix zone redundant

* fix: private DNS Zone

* feat: merged scenarios BICEP

* feat: portal deployment

* fix

* feat: deployAse Merged

* fix

* Removed (most of) ASEV3 scenario

* test actions

* action test

* get latest from main (#193)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thodoris Theodorou <thotheod@microsoft.com>
Co-authored-by: Jin Lee <94473824+JinLee794@users.noreply.github.com>

* test

* there is Scenario 2
- WF needs to be updated or deleted

* fix: fix dependencies

* dependency and conditional logic fix

* ARM sync

* Updated main readme

* ok

* allow non-AZ ASE

* sync ARM

* fix: zone redundant or not support for ASE

* sync json

* fix: dependency error

* fix typo in condition

* test ASE Private DNS Zone Dependency

* fix dependencies

* fix

* ASE Private DNS Zone must be in same scope as ASE

* test

* fix outputs

---------

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jin Lee <94473824+JinLee794@users.noreply.github.com>
Co-authored-by: Jin Lee <jinle@microsoft.com>
ibersanoMS pushed a commit that referenced this pull request Oct 1, 2024