aztfmod · kevindelmont · Mar 14, 2024 · Mar 14, 2024 · Mar 14, 2024 · Mar 14, 2024
diff --git a/.github/workflows/on_push_fmt.yaml b/.github/workflows/on_push_fmt.yaml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - visiativ/*
 
 jobs:
   terraform:
@@ -14,7 +15,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # Important: This is needed to push changes back to the repository
+          fetch-depth: 0 # Important: This is needed to push changes back to the repository
 
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
@@ -27,8 +28,9 @@ jobs:
           git config --local user.email "[email protected]"
           git config --local user.name "GitHub Action"
           git diff --quiet && git diff --staged --quiet || (git add -A && git commit -m "Apply terraform fmt")
-      
+
       - name: Push changes
         uses: ad-m/[email protected]
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          branch: ${{ github.ref }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/standalone-compute.json b/.github/workflows/standalone-compute.json
@@ -50,6 +50,7 @@
     "compute/virtual_machine/215-vm-keyvault-for-windows-extension",
     "compute/virtual_machine/216-vm-linux_diagnostic_extensions",
     "compute/virtual_machine/217-vm-disk-encryption-set-msi",
+    "compute/virtual_machine/300-single-windows-recovery-site",
     "compute/vmware_cluster/101-vmware_cluster"
   ]
 }
diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json
@@ -2,6 +2,7 @@
   "config_files": [
     "cognitive_services/100-cognitive-services-account",
     "cognitive_services/101-cognitive-services-account-managed-identity",
+    "cognitive_services/200-cognitive-services-deployment",
     "compute/batch/batch_certificate/100-batch-certificate - path",
     "compute/batch/batch_job/100-batch-job - quotas",
     "compute/batch/batch_pool/100-batch-pool - quotas",

diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
@@ -20,6 +20,7 @@
     "apim/118-api_management_platform_stv2",
     "app_config/100-simple",
     "app_config/101-private-link",
+    "app_config/102-dynamic-settings",
     "app_insights/100-all-attributes",
     "app_insights/100-simple",
     "app_insights/102-workspace-based-central-logs",
@@ -29,6 +30,7 @@
     "automation/102-automation-msi",
     "automation/103-automation-private-endpoints",
     "automation/104-automation-schedule-runbook",
+    "automation/105-automation-powershell-module",
     "communication/communication_services/101-communication_service",
     "diagnostics_profiles/100-multiple-destinations",
     "diagnostics_profiles/100-multiple-destinations",
@@ -67,7 +69,9 @@
     "maintenance_configuration/101-maintenance-configuration-schedule",
     "maintenance_configuration/200-maintenance-configuration-assignment-vm-windows",
     "maintenance_configuration/201-maintenance-configuration-assignment-vm-linux",
+    "maintenance_configuration/300-maintenance-configuration-assignment-dynamic-scope",
     "managed_service_identity/100-msi-levels",
+    "management_lock/100-basic-lock",
     "maps/101-azure-maps-account",
     "messaging/eventgrid/100-simple-eventgrid-topic",
     "messaging/eventgrid/101-simple-eventgrid-topic-private-endpoint",
@@ -94,15 +98,20 @@
     "recovery_vault/105-asr-with-network-mapping",
     "recovery_vault/106-backupvault-with-sqldatabase-saphana",
     "recovery_vault/107-asr-diagnostics",
+    "recovery_vault/108-simple-asr-plan",
+    "recovery_vault/109-asr-with-cmk-and-msi",
+    "recovery_vault/110-asr-with-custom-encryption-key",
     "redis_cache/100-redis-standard",
     "redis_cache/101-redis-diagnostics",
     "redis_cache/102-redis-private",
     "redis_cache/103-redis-private-endpoints",
     "role_mapping/100-simple-role-mapping",
     "role_mapping/101-function-app-managed-identity",
+    "role_mapping/103-abac",
     "search_service/100-search-service-both-apikeys-and-azuread",
     "search_service/101-search-service-only-api-keys",
     "search_service/102-search-service-only-azuread",
+    "security_center/101-subscription_pricing",
     "sentinel/101-automation_rule",
     "sentinel/104-ar_fusion",
     "sentinel/105-ar_ml_behavior_analytics",
@@ -134,9 +143,15 @@
     "webapps/appservice/107-appservice-private",
     "webapps/appservice/109-appservice-appgw",
     "webapps/appservice/110-appservice-auth",
+    "webapps/appservice/111-windows-web-app",
+    "webapps/appservice/112-windows-web-app-private",
+    "webapps/appservice/113-linux-web-app",
+    "webapps/appservice/114-linux-web-app-private",
     "webapps/function_app/101-function_app-private",
     "webapps/function_app/102-function_app-linux",
     "webapps/function_app/103-function_app-windows",
+    "webapps/windows_function_app/102-function_app-linux",
+    "webapps/windows_function_app/103-function_app-windows",
     "webapps/static_site/101-simple-static-web-app"
   ]
 }
diff --git a/app_config.tf b/app_config.tf
@@ -6,9 +6,12 @@ module "app_config" {
   client_config       = local.client_config
   combined_objects    = local.dynamic_app_config_combined_objects
   global_settings     = local.global_settings
+  managed_identities  = local.combined_objects_managed_identities
+  keyvaults           = local.combined_objects_keyvaults
   settings            = each.value
   vnets               = local.combined_objects_networking
   private_dns         = local.combined_objects_private_dns
+  resource_groups     = local.combined_objects_resource_groups
   base_tags           = local.global_settings.inherit_tags
   resource_group      = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
   resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
@@ -17,4 +20,4 @@ module "app_config" {
 
 output "app_config" {
   value = module.app_config
-}
+}
diff --git a/app_services.tf b/app_services.tf
@@ -49,3 +49,76 @@ resource "azurerm_app_service_virtual_network_swift_connection" "vnet_config" {
   app_service_id = module.app_services[each.key].id
   subnet_id      = local.combined_objects_networking[try(each.value.vnet_integration.lz_key, local.client_config.landingzone_key)][each.value.vnet_integration.vnet_key].subnets[each.value.vnet_integration.subnet_key].id
 }
+
+module "windows_web_apps" {
+  source               = "./modules/webapps/windows_webapps"
+  depends_on           = [module.networking]
+  for_each             = local.webapp.windows_web_apps
+  name                 = each.value.name
+  client_config        = local.client_config
+  dynamic_app_settings = try(each.value.dynamic_app_settings, {})
+  app_service_plan_id  = can(each.value.app_service_plan_id) ? each.value.app_service_plan_id : local.combined_objects_app_service_plans[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.app_service_plan_key].id
+  combined_objects     = local.dynamic_app_settings_combined_objects
+  global_settings      = local.global_settings
+  settings             = each.value.settings
+  identity             = try(each.value.identity, null)
+  app_settings         = try(each.value.app_settings, null)
+  connection_string    = try(each.value.connection_string, {})
+  vnets                = local.combined_objects_networking
+  virtual_subnets      = local.combined_objects_virtual_subnets
+  subnet_id            = can(each.value.subnet_id) || can(each.value.vnet_key) == false ? try(each.value.subnet_id, null) : local.combined_objects_networking[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+  remote_objects = {
+    subnets = try(local.combined_objects_networking[try(each.value.settings.lz_key, local.client_config.landingzone_key)][each.value.settings.vnet_key].subnets, null)
+  }
+  private_endpoints                   = try(each.value.private_endpoints, {})
+  private_dns                         = local.combined_objects_private_dns
+  base_tags                           = local.global_settings.inherit_tags
+  resource_group                      = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
+  resource_group_name                 = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
+  location                            = try(local.global_settings.regions[each.value.region], null)
+  azuread_applications                = local.combined_objects_azuread_applications
+  azuread_service_principal_passwords = local.combined_objects_azuread_service_principal_passwords
+  application_insight                 = try(each.value.application_insight_key, null) == null ? null : module.azurerm_application_insights[each.value.application_insight_key]
+  diagnostic_profiles                 = try(each.value.diagnostic_profiles, null)
+  diagnostics                         = local.combined_diagnostics
+}
+
+output "windows_web_apps" {
+  value = module.windows_web_apps
+}
+
+module "linux_web_apps" {
+  source               = "./modules/webapps/linux_webapps"
+  depends_on           = [module.networking]
+  for_each             = local.webapp.linux_web_apps
+  name                 = each.value.name
+  client_config        = local.client_config
+  dynamic_app_settings = try(each.value.dynamic_app_settings, {})
+  app_service_plan_id  = can(each.value.app_service_plan_id) ? each.value.app_service_plan_id : local.combined_objects_app_service_plans[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.app_service_plan_key].id
+  combined_objects     = local.dynamic_app_settings_combined_objects
+  global_settings      = local.global_settings
+  settings             = each.value.settings
+  identity             = try(each.value.identity, null)
+  app_settings         = try(each.value.app_settings, null)
+  connection_string    = try(each.value.connection_string, {})
+  vnets                = local.combined_objects_networking
+  virtual_subnets      = local.combined_objects_virtual_subnets
+  subnet_id            = can(each.value.subnet_id) || can(each.value.vnet_key) == false ? try(each.value.subnet_id, null) : local.combined_objects_networking[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+  remote_objects = {
+    subnets = try(local.combined_objects_networking[try(each.value.settings.lz_key, local.client_config.landingzone_key)][each.value.settings.vnet_key].subnets, null)
+  }
+  private_endpoints                   = try(each.value.private_endpoints, {})
+  private_dns                         = local.combined_objects_private_dns
+  base_tags                           = local.global_settings.inherit_tags
+  resource_group                      = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
+  resource_group_name                 = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
+  location                            = try(local.global_settings.regions[each.value.region], null)
+  azuread_applications                = local.combined_objects_azuread_applications
+  azuread_service_principal_passwords = local.combined_objects_azuread_service_principal_passwords
+  application_insight                 = try(each.value.application_insight_key, null) == null ? null : module.azurerm_application_insights[each.value.application_insight_key]
+  diagnostic_profiles                 = try(each.value.diagnostic_profiles, null)
+  diagnostics                         = local.combined_diagnostics
+}
+output "linux_web_apps" {
+  value = module.linux_web_apps
+}
diff --git a/automation_modules.tf b/automation_modules.tf
@@ -0,0 +1,14 @@
+module "automation_powershell72_module" {
+  source   = "./modules/automation/automation_module/automation_powershell72_module"
+  for_each = local.shared_services.automation_powershell72_module
+
+  global_settings       = local.global_settings
+  settings              = each.value
+  client_config         = local.client_config
+  automation_account_id = can(each.value.automation_account_id) ? each.value.automation_account_id : local.combined_objects_automations[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.automation_account_key].id
+  base_tags             = local.global_settings.inherit_tags
+}
+
+output "automation_powershell72_module" {
+  value = module.automation_powershell72_module
+}
diff --git a/compute_virtual_machines.tf b/compute_virtual_machines.tf
@@ -37,6 +37,7 @@ module "virtual_machines" {
   virtual_subnets             = local.combined_objects_virtual_subnets
   resource_group              = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)]
   base_tags                   = local.global_settings.inherit_tags
+  resource_groups             = local.combined_objects_resource_groups
 
   # if boot_diagnostics_storage_account_key is points to a valid storage account, pass the endpoint
   # if boot_diagnostics_storage_account_key is empty string, pass empty string

diff --git a/cosmos_db.tf b/cosmos_db.tf
@@ -2,13 +2,14 @@ module "cosmos_dbs" {
   source   = "./modules/databases/cosmos_dbs"
   for_each = local.database.cosmos_dbs
 
-  global_settings   = local.global_settings
-  client_config     = local.client_config
-  private_endpoints = try(each.value.private_endpoints, {})
-  resource_groups   = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups
-  vnets             = local.combined_objects_networking
-  settings          = each.value
-  private_dns       = local.combined_objects_private_dns
+  global_settings    = local.global_settings
+  client_config      = local.client_config
+  private_endpoints  = try(each.value.private_endpoints, {})
+  resource_groups    = try(each.value.private_endpoints, {}) == {} ? null : local.resource_groups
+  vnets              = local.combined_objects_networking
+  settings           = each.value
+  private_dns        = local.combined_objects_private_dns
+  managed_identities = local.combined_objects_managed_identities
 
   base_tags           = local.global_settings.inherit_tags
   resource_group      = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
@@ -18,4 +19,4 @@ module "cosmos_dbs" {
 
 output "cosmos_dbs" {
   value = module.cosmos_dbs
-}
+}
diff --git a/eventgrid.tf b/eventgrid.tf
@@ -60,7 +60,6 @@ module "eventgrid_event_subscription" {
 output "eventgrid_event_subscription" {
   value = module.eventgrid_event_subscription
 }
-
 module "eventgrid_domain_topic" {
   source   = "./modules/messaging/eventgrid/eventgrid_domain_topic"
   for_each = local.messaging.eventgrid_domain_topic
@@ -77,7 +76,6 @@ module "eventgrid_domain_topic" {
 output "eventgrid_domain_topic" {
   value = module.eventgrid_domain_topic
 }
-
 module "eventgrid_system_topic" {
   source   = "./modules/messaging/eventgrid/eventgrid_system_topic"
   for_each = local.messaging.eventgrid_system_topic
@@ -86,10 +84,8 @@ module "eventgrid_system_topic" {
   client_config   = local.client_config
   settings        = each.value
   base_tags       = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
-
-  location = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
-
-  remote_objects = local.remote_objects
+  location        = lookup(each.value, "region", null) != null ? each.value.region : can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  remote_objects  = local.remote_objects
 }
 output "eventgrid_system_topic" {
   value = module.eventgrid_system_topic