Feature/106/tf modularization

[JinLee794]

Description

copilot:summary

• Terraform pipelines refactored to be modular
• Multitenant ase scenario supported by TF action pipeline
• Minor documentation update/version update from merging latest from main

Type of Change

Please delete options that are not relevant.

• [ ] Bugfix (non-breaking change which fixes an issue)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
• [x] Update to documentation

Checklist

• [x] I'm sure there are no other open Pull Requests for the same update/change
• [x] My corresponding pipelines / checks run clean and green without any errors or warnings
• [x] My code follows the style guidelines of this project
• [x] I have commented my code, particularly in hard-to-understand areas
• [x] I have made corresponding changes to the documentation (readme)
• [x] I did format my code

[github-actions[bot]]

Terraform Plan failed

Plan Error Output

``` Error: No configuration files Plan requires configuration to be present. Planning without a configuration would mark everything for destruction, which is normally not what is desired. If you would like to destroy everything, run plan with the -destroy option. Otherwise, create a Terraform configuration file (.tf file) and try again. ``` *Pusher: @JinLee794, Action: `pull_request`, Working Directory: `scenarios/secure-baseline-multitenant/terraform`, Workflow: `Multi-tenant Secure Baseline: Terraform Deploy`*

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Single-tenant ASEv3 Secure Baseline: Terraform Deploy

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurecaf_name.bastion_host will be created + resource "azurecaf_name" "bastion_host" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_bastion_host" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.firewall will be created + resource "azurecaf_name" "firewall" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.vnet will be created + resource "azurecaf_name" "vnet" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.hub will be created + resource "azurerm_resource_group" "hub" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "terraform" = "true" } } # module.bastion[0].azurecaf_name.bastion_pip will be created + resource "azurecaf_name" "bastion_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion will be created + resource "azurerm_bastion_host" "bastion" { + copy_paste_enabled = true + dns_name = (known after apply) + file_copy_enabled = false + id = (known after apply) + ip_connect_enabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + scale_units = 2 + shareable_link_enabled = false + sku = "Standard" + tunneling_enabled = true + ip_configuration { + name = "bastionHostIpConfiguration" + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.bastion[0].azurerm_public_ip.bastion_pip will be created + resource "azurerm_public_ip" "bastion_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.firewall[0].azurecaf_name.firewall_pip will be created + resource "azurecaf_name" "firewall_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurerm_firewall.firewall will be created + resource "azurerm_firewall" "firewall" { + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku_name = "AZFW_VNet" + sku_tier = "Standard" + threat_intel_mode = (known after apply) + ip_configuration { + name = "firewallIpConfiguration" + private_ip_address = (known after apply) + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.firewall[0].azurerm_public_ip.firewall_pip will be created + resource "azurerm_public_ip" "firewall_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureFirewallSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.242.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } Plan: 21 to add, 0 to change, 0 to destroy. Changes to Outputs: + bastion_name = (known after apply) + firewall_private_ip = (known after apply) + firewall_rules = {} + rg_name = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurecaf_name.bastion_host will be created + resource "azurecaf_name" "bastion_host" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_bastion_host" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.firewall will be created + resource "azurecaf_name" "firewall" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.vnet will be created + resource "azurecaf_name" "vnet" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.hub will be created + resource "azurerm_resource_group" "hub" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "terraform" = "true" } } # module.bastion[0].azurecaf_name.bastion_pip will be created + resource "azurecaf_name" "bastion_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion will be created + resource "azurerm_bastion_host" "bastion" { + copy_paste_enabled = true + dns_name = (known after apply) + file_copy_enabled = false + id = (known after apply) + ip_connect_enabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + scale_units = 2 + shareable_link_enabled = false + sku = "Standard" + tunneling_enabled = true + ip_configuration { + name = "bastionHostIpConfiguration" + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.bastion[0].azurerm_public_ip.bastion_pip will be created + resource "azurerm_public_ip" "bastion_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.firewall[0].azurecaf_name.firewall_pip will be created + resource "azurecaf_name" "firewall_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurerm_firewall.firewall will be created + resource "azurerm_firewall" "firewall" { + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku_name = "AZFW_VNet" + sku_tier = "Standard" + threat_intel_mode = (known after apply) + ip_configuration { + name = "firewallIpConfiguration" + private_ip_address = (known after apply) + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.firewall[0].azurerm_public_ip.firewall_pip will be created + resource "azurerm_public_ip" "firewall_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureFirewallSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.242.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } Plan: 21 to add, 0 to change, 0 to destroy. Changes to Outputs: + bastion_name = (known after apply) + firewall_private_ip = (known after apply) + firewall_rules = {} + rg_name = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurecaf_name.bastion_host will be created + resource "azurecaf_name" "bastion_host" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_bastion_host" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.firewall will be created + resource "azurecaf_name" "firewall" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.vnet will be created + resource "azurecaf_name" "vnet" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.hub will be created + resource "azurerm_resource_group" "hub" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "terraform" = "true" } } # module.bastion[0].azurecaf_name.bastion_pip will be created + resource "azurecaf_name" "bastion_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion will be created + resource "azurerm_bastion_host" "bastion" { + copy_paste_enabled = true + dns_name = (known after apply) + file_copy_enabled = false + id = (known after apply) + ip_connect_enabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + scale_units = 2 + shareable_link_enabled = false + sku = "Standard" + tunneling_enabled = true + ip_configuration { + name = "bastionHostIpConfiguration" + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.bastion[0].azurerm_public_ip.bastion_pip will be created + resource "azurerm_public_ip" "bastion_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.firewall[0].azurecaf_name.firewall_pip will be created + resource "azurecaf_name" "firewall_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurerm_firewall.firewall will be created + resource "azurerm_firewall" "firewall" { + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku_name = "AZFW_VNet" + sku_tier = "Standard" + threat_intel_mode = (known after apply) + ip_configuration { + name = "firewallIpConfiguration" + private_ip_address = (known after apply) + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.firewall[0].azurerm_public_ip.firewall_pip will be created + resource "azurerm_public_ip" "firewall_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureFirewallSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.242.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } Plan: 21 to add, 0 to change, 0 to destroy. Changes to Outputs: + bastion_name = (known after apply) + firewall_private_ip = (known after apply) + firewall_rules = {} + rg_name = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # azurecaf_name.appsvc_subnet will be created + resource "azurecaf_name" "appsvc_subnet" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.contributor_identity will be created + resource "azurecaf_name" "contributor_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-contributor" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_subnet will be created + resource "azurecaf_name" "devops_subnet" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_vm will be created + resource "azurecaf_name" "devops_vm" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_windows_virtual_machine" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # azurecaf_name.ingress_subnet will be created + resource "azurecaf_name" "ingress_subnet" { + clean_input = true + id = (known after apply) + name = "ingress" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurecaf_name.private_link_subnet will be created + resource "azurecaf_name" "private_link_subnet" { + clean_input = true + id = (known after apply) + name = "private-link" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.reader_identity will be created + resource "azurecaf_name" "reader_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-reader" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "wus2", ] + use_slug = true } # azurecaf_name.spoke_network will be created + resource "azurecaf_name" "spoke_network" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "application-name" = "secure-webapp" + "environment" = "prod" + "terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_virtual_network_peering.hub_to_spoke will be created + resource "azurerm_virtual_network_peering" "hub_to_spoke" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-secure-webapp" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-wus2" + use_remote_gateways = false + virtual_network_name = "vnet-hub-wus2" } # azurerm_virtual_network_peering.spoke_to_hub will be created + resource "azurerm_virtual_network_peering" "spoke_to_hub" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-secure-webapp" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # random_integer.unique_id will be created + resource "random_integer" "unique_id" { + id = (known after apply) + max = 9999 + min = 1 + result = (known after apply) } # random_password.vm_admin_password will be created + resource "random_password" "vm_admin_password" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 16 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = true + upper = true } # random_password.vm_admin_username will be created + resource "random_password" "vm_admin_username" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 10 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = false + upper = true } # module.app_configuration[0].azurecaf_name.app_config will be created + resource "azurecaf_name" "app_config" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_app_configuration" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.app_configuration[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus2" + name = (known after apply) + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = (known after apply) + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_insights.azurecaf_name.app_insights will be created + resource "azurecaf_name" "app_insights" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_insights.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + location = "westus2" + maximum_elastic_worker_count = (known after apply) + name = "asp-secure-webapp-win-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = (known after apply) + sku_name = "S1" + worker_count = 1 + zone_balancing_enabled = false } # module.devops_vm[0].data.azuread_user.vm_admin will be read during apply # (depends on a resource or a module with changes pending) <= data "azuread_user" "vm_admin" { + account_enabled = (known after apply) + age_group = (known after apply) + business_phones = (known after apply) + city = (known after apply) + company_name = (known after apply) + consent_provided_for_minor = (known after apply) + cost_center = (known after apply) + country = (known after apply) + creation_type = (known after apply) + department = (known after apply) + display_name = (known after apply) + division = (known after apply) + employee_id = (known after apply) + employee_type = (known after apply) + external_user_state = (known after apply) + fax_number = (known after apply) + given_name = (known after apply) + id = (known after apply) + im_addresses = (known after apply) + job_title = (known after apply) + mail = (known after apply) + mail_nickname = (known after apply) + manager_id = (known after apply) + mobile_phone = (known after apply) + object_id = (known after apply) + office_location = (known after apply) + onpremises_distinguished_name = (known after apply) + onpremises_domain_name = (known after apply) + onpremises_immutable_id = (known after apply) + onpremises_sam_account_name = (known after apply) + onpremises_security_identifier = (known after apply) + onpremises_sync_enabled = (known after apply) + onpremises_user_principal_name = (known after apply) + other_mails = (known after apply) + postal_code = (known after apply) + preferred_language = (known after apply) + proxy_addresses = (known after apply) + show_in_address_list = (known after apply) + state = (known after apply) + street_address = (known after apply) + surname = (known after apply) + usage_location = (known after apply) + user_principal_name = "bob@contoso.com" + user_type = (known after apply) } # module.devops_vm[0].azurerm_network_interface.vm_nic will be created + resource "azurerm_network_interface" "vm_nic" { + applied_dns_servers = (known after apply) + dns_servers = (known after apply) + enable_accelerated_networking = false + enable_ip_forwarding = false + id = (known after apply) + internal_dns_name_label = (known after apply) + internal_domain_name_suffix = (known after apply) + location = "westus2" + mac_address = (known after apply) + name = (known after apply) + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + resource_group_name = (known after apply) + virtual_machine_id = (known after apply) + ip_configuration { + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + name = (known after apply) + primary = (known after apply) + private_ip_address = (known after apply) + private_ip_address_allocation = "Dynamic" + private_ip_address_version = "IPv4" + subnet_id = (known after apply) } } # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment will be created + resource "azurerm_role_assignment" "vm_admin_role_assignment" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Virtual Machine Administrator Login" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.devops_vm[0].azurerm_windows_virtual_machine.vm will be created + resource "azurerm_windows_virtual_machine" "vm" { + admin_password = (sensitive value) + admin_username = (sensitive value) + allow_extension_operations = true + computer_name = (known after apply) + enable_automatic_updates = true + extensions_time_budget = "PT1H30M" + hotpatching_enabled = false + id = (known after apply) + location = "westus2" + max_bid_price = -1 + name = (known after apply) + network_interface_ids = (known after apply) + patch_assessment_mode = "ImageDefault" + patch_mode = "AutomaticByOS" + platform_fault_domain = -1 + priority = "Regular" + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + provision_vm_agent = true + public_ip_address = (known after apply) + public_ip_addresses = (known after apply) + resource_group_name = (known after apply) + size = "Standard_B2ms" + virtual_machine_id = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + os_disk { + caching = "ReadWrite" + disk_size_gb = (known after apply) + name = (known after apply) + storage_account_type = "Standard_LRS" + write_accelerator_enabled = false } + source_image_reference { + offer = "windows-11" + publisher = "MicrosoftWindowsDesktop" + sku = "win11-22h2-pro" + version = "latest" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.aad[0] will be created + resource "azurerm_virtual_machine_extension" "aad" { + auto_upgrade_minor_version = true + failure_suppression_enabled = false + id = (known after apply) + name = "aad-login-for-windows" + publisher = "Microsoft.Azure.ActiveDirectory" + settings = <<-EOT { "mdmId": "0000000a-0000-0000-c000-000000000000" } EOT + type = "AADLoginForWindows" + type_handler_version = "1.0" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.post_deployment will be created + resource "azurerm_virtual_machine_extension" "post_deployment" { + failure_suppression_enabled = false + id = (known after apply) + name = "post_deployment" + protected_settings = (sensitive value) + publisher = "Microsoft.Compute" + type = "CustomScriptExtension" + type_handler_version = "1.10" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.front_door.azurecaf_name.frontdoor will be created + resource "azurecaf_name" "frontdoor" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_cdn_frontdoor_profile" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = (known after apply) + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = (known after apply) + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.key_vault will be created + resource "azurecaf_name" "key_vault" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_key_vault" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.key_vault.azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus2" + name = (known after apply) + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = (known after apply) + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this[0] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[3] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[4] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.redis.cache.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.redis_cache[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.redis_cache[0].azurecaf_name.redis_cache will be created + resource "azurecaf_name" "redis_cache" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_redis_cache" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.redis_cache[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.redis.cache.windows.net" } # module.redis_cache[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "redisCache", ] } } # module.redis_cache[0].azurerm_redis_cache.this will be created + resource "azurerm_redis_cache" "this" { + capacity = 2 + enable_non_ssl_port = false + family = "C" + hostname = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = (known after apply) + port = (known after apply) + primary_access_key = (sensitive value) + primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) + public_network_access_enabled = false + redis_version = (known after apply) + replicas_per_master = (known after apply) + replicas_per_primary = (known after apply) + resource_group_name = (known after apply) + secondary_access_key = (sensitive value) + secondary_connection_string = (sensitive value) + sku_name = "Standard" + ssl_port = (known after apply) + tags = { + "environment" = "prod" } + redis_configuration { + enable_authentication = true + maxclients = (known after apply) + maxfragmentationmemory_reserved = (known after apply) + maxmemory_delta = (known after apply) + maxmemory_policy = "volatile-lru" + maxmemory_reserved = (known after apply) } } # module.sql_database[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.sql_database[0].azurecaf_name.sql_server will be created + resource "azurecaf_name" "sql_server" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_mssql_server" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.sql_database[0].azurerm_mssql_database.this[0] will be created + resource "azurerm_mssql_database" "this" { + auto_pause_delay_in_minutes = (known after apply) + collation = (known after apply) + create_mode = "Default" + creation_source_database_id = (known after apply) + geo_backup_enabled = true + id = (known after apply) + ledger_enabled = (known after apply) + license_type = (known after apply) + maintenance_configuration_name = (known after apply) + max_size_gb = (known after apply) + min_capacity = (known after apply) + name = "sample-db" + read_replica_count = (known after apply) + read_scale = (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) + server_id = (known after apply) + sku_name = "S0" + storage_account_type = "Geo" + transparent_data_encryption_enabled = true + zone_redundant = (known after apply) } # module.sql_database[0].azurerm_mssql_server.this will be created + resource "azurerm_mssql_server" "this" { + administrator_login = (known after apply) + connection_policy = "Default" + fully_qualified_domain_name = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = (known after apply) + outbound_network_restriction_enabled = false + primary_user_assigned_identity_id = (known after apply) + public_network_access_enabled = false + resource_group_name = (known after apply) + restorable_dropped_database_ids = (known after apply) + tags = { + "environment" = "prod" } + version = "12.0" + azuread_administrator { + azuread_authentication_only = true + login_username = "AppSvcLZA Azure AD SQL Admins" + object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" } } # module.sql_database[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.database.windows.net" } # module.sql_database[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sqlServer", ] } } # module.user_defined_routes[0].azurecaf_name.route_table will be created + resource "azurecaf_name" "route_table" { + clean_input = true + id = (known after apply) + name = "egress-lockdown" + passthrough = false + random_length = 0 + resource_type = "azurerm_route_table" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.user_defined_routes[0].azurerm_route.this[0] will be created + resource "azurerm_route" "this" { + address_prefix = "0.0.0.0/0" + id = (known after apply) + name = "defaultRoute" + next_hop_in_ip_address = "10.242.0.4" + next_hop_type = "VirtualAppliance" + resource_group_name = (known after apply) + route_table_name = (known after apply) } # module.user_defined_routes[0].azurerm_route_table.this will be created + resource "azurerm_route_table" "this" { + disable_bgp_route_propagation = false + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + route = (known after apply) + subnets = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[0] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[1] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[2] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[3] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.app_service.module.windows_web_app[0].azurecaf_name.slot will be created + resource "azurecaf_name" "slot" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurecaf_name.webapp will be created + resource "azurecaf_name" "webapp" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "AllLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this will be created + resource "azurerm_windows_web_app" "this" { + app_settings = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + location = "westus2" + name = (known after apply) + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + resource_group_name = (known after apply) + service_plan_id = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + linux_fx_version = (known after apply) + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } + sticky_settings { + app_setting_names = [ + "APPINSIGHTS_INSTRUMENTATIONKEY", + "APPINSIGHTS_PROFILERFEATURE_VERSION", + "APPINSIGHTS_SNAPSHOTFEATURE_VERSION", + "APPLICATIONINSIGHTS_CONNECTION_STRING", + "ApplicationInsightsAgent_EXTENSION_VERSION", + "DiagnosticServices_EXTENSION_VERSION", + "InstrumentationEngine_EXTENSION_VERSION", + "SnapshotDebugger_EXTENSION_VERSION", + "XDT_MicrosoftApplicationInsights_BaseExtensions", + "XDT_MicrosoftApplicationInsights_Java", + "XDT_MicrosoftApplicationInsights_Mode", + "XDT_MicrosoftApplicationInsights_NodeJS", + "XDT_MicrosoftApplicationInsights_PreemptSdk", ] } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot will be created + resource "azurerm_windows_web_app_slot" "slot" { + app_service_id = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + name = "staging" + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } } # module.app_service.module.windows_web_app[0].null_resource.service_plan will be created + resource "null_resource" "service_plan" { + id = (known after apply) + triggers = { + "service_plan_name" = "asp-secure-webapp-win-prod" + "service_plan_os" = "Windows" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app will be created + resource "azurerm_cdn_frontdoor_endpoint" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + enabled = true + host_name = (known after apply) + id = (known after apply) + name = (known after apply) } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app will be created + resource "azurerm_cdn_frontdoor_origin" "web_app" { + cdn_frontdoor_origin_group_id = (known after apply) + certificate_name_check_enabled = true + enabled = true + health_probes_enabled = (known after apply) + host_name = (known after apply) + http_port = 80 + https_port = 443 + id = (known after apply) + name = (known after apply) + origin_host_header = (known after apply) + priority = 1 + weight = 1000 + private_link { + location = "westus2" + private_link_target_id = (known after apply) + request_message = "Request access for CDN Frontdoor Private Link Origin to Web App 2" + target_type = "sites" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app will be created + resource "azurerm_cdn_frontdoor_origin_group" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = (known after apply) + restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10 + session_affinity_enabled = false + health_probe { + interval_in_seconds = 100 + path = "/" + protocol = "Https" + request_type = "HEAD" } + load_balancing { + additional_latency_in_milliseconds = 0 + sample_size = 16 + successful_samples_required = 3 } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_route.web_app will be created + resource "azurerm_cdn_frontdoor_route" "web_app" { + cdn_frontdoor_endpoint_id = (known after apply) + cdn_frontdoor_origin_group_id = (known after apply) + cdn_frontdoor_origin_ids = (known after apply) + enabled = true + forwarding_protocol = "HttpsOnly" + https_redirect_enabled = true + id = (known after apply) + link_to_default_domain = true + name = (known after apply) + patterns_to_match = [ + "/*", ] + supported_protocols = [ + "Http", + "Https", ] } # module.front_door.module.endpoint[0].null_resource.web_app will be created + resource "null_resource" "web_app" { + id = (known after apply) + triggers = { + "private_link_target_type" = "sites" } } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites", ] } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites-staging", ] } } Plan: 101 to add, 0 to change, 0 to destroy. Changes to Outputs: + devops_vm_id = (known after apply) + key_vault_name = (known after apply) + key_vault_uri = (known after apply) + redis_connection_secret_name = "redis-connection-string" + redis_connection_string = (sensitive value) + rg_name = (known after apply) + sql_db_connection_string = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) + web_app_name = (known after apply) + web_app_slot_name = "staging" + web_app_uri = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # azurecaf_name.appsvc_subnet will be created + resource "azurecaf_name" "appsvc_subnet" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.contributor_identity will be created + resource "azurecaf_name" "contributor_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-contributor" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_subnet will be created + resource "azurecaf_name" "devops_subnet" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_vm will be created + resource "azurecaf_name" "devops_vm" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_windows_virtual_machine" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # azurecaf_name.ingress_subnet will be created + resource "azurecaf_name" "ingress_subnet" { + clean_input = true + id = (known after apply) + name = "ingress" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurecaf_name.private_link_subnet will be created + resource "azurecaf_name" "private_link_subnet" { + clean_input = true + id = (known after apply) + name = "private-link" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.reader_identity will be created + resource "azurecaf_name" "reader_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-reader" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "wus2", ] + use_slug = true } # azurecaf_name.spoke_network will be created + resource "azurecaf_name" "spoke_network" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "application-name" = "secure-webapp" + "environment" = "prod" + "terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_virtual_network_peering.hub_to_spoke will be created + resource "azurerm_virtual_network_peering" "hub_to_spoke" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-secure-webapp" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-wus2" + use_remote_gateways = false + virtual_network_name = "vnet-hub-wus2" } # azurerm_virtual_network_peering.spoke_to_hub will be created + resource "azurerm_virtual_network_peering" "spoke_to_hub" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-secure-webapp" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # random_integer.unique_id will be created + resource "random_integer" "unique_id" { + id = (known after apply) + max = 9999 + min = 1 + result = (known after apply) } # random_password.vm_admin_password will be created + resource "random_password" "vm_admin_password" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 16 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = true + upper = true } # random_password.vm_admin_username will be created + resource "random_password" "vm_admin_username" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 10 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = false + upper = true } # module.app_configuration[0].azurecaf_name.app_config will be created + resource "azurecaf_name" "app_config" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_app_configuration" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.app_configuration[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus2" + name = (known after apply) + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = (known after apply) + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_insights.azurecaf_name.app_insights will be created + resource "azurecaf_name" "app_insights" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_insights.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + location = "westus2" + maximum_elastic_worker_count = (known after apply) + name = "asp-secure-webapp-win-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = (known after apply) + sku_name = "S1" + worker_count = 1 + zone_balancing_enabled = false } # module.devops_vm[0].data.azuread_user.vm_admin will be read during apply # (depends on a resource or a module with changes pending) <= data "azuread_user" "vm_admin" { + account_enabled = (known after apply) + age_group = (known after apply) + business_phones = (known after apply) + city = (known after apply) + company_name = (known after apply) + consent_provided_for_minor = (known after apply) + cost_center = (known after apply) + country = (known after apply) + creation_type = (known after apply) + department = (known after apply) + display_name = (known after apply) + division = (known after apply) + employee_id = (known after apply) + employee_type = (known after apply) + external_user_state = (known after apply) + fax_number = (known after apply) + given_name = (known after apply) + id = (known after apply) + im_addresses = (known after apply) + job_title = (known after apply) + mail = (known after apply) + mail_nickname = (known after apply) + manager_id = (known after apply) + mobile_phone = (known after apply) + object_id = (known after apply) + office_location = (known after apply) + onpremises_distinguished_name = (known after apply) + onpremises_domain_name = (known after apply) + onpremises_immutable_id = (known after apply) + onpremises_sam_account_name = (known after apply) + onpremises_security_identifier = (known after apply) + onpremises_sync_enabled = (known after apply) + onpremises_user_principal_name = (known after apply) + other_mails = (known after apply) + postal_code = (known after apply) + preferred_language = (known after apply) + proxy_addresses = (known after apply) + show_in_address_list = (known after apply) + state = (known after apply) + street_address = (known after apply) + surname = (known after apply) + usage_location = (known after apply) + user_principal_name = "bob@contoso.com" + user_type = (known after apply) } # module.devops_vm[0].azurerm_network_interface.vm_nic will be created + resource "azurerm_network_interface" "vm_nic" { + applied_dns_servers = (known after apply) + dns_servers = (known after apply) + enable_accelerated_networking = false + enable_ip_forwarding = false + id = (known after apply) + internal_dns_name_label = (known after apply) + internal_domain_name_suffix = (known after apply) + location = "westus2" + mac_address = (known after apply) + name = (known after apply) + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + resource_group_name = (known after apply) + virtual_machine_id = (known after apply) + ip_configuration { + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + name = (known after apply) + primary = (known after apply) + private_ip_address = (known after apply) + private_ip_address_allocation = "Dynamic" + private_ip_address_version = "IPv4" + subnet_id = (known after apply) } } # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment will be created + resource "azurerm_role_assignment" "vm_admin_role_assignment" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Virtual Machine Administrator Login" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.devops_vm[0].azurerm_windows_virtual_machine.vm will be created + resource "azurerm_windows_virtual_machine" "vm" { + admin_password = (sensitive value) + admin_username = (sensitive value) + allow_extension_operations = true + computer_name = (known after apply) + enable_automatic_updates = true + extensions_time_budget = "PT1H30M" + hotpatching_enabled = false + id = (known after apply) + location = "westus2" + max_bid_price = -1 + name = (known after apply) + network_interface_ids = (known after apply) + patch_assessment_mode = "ImageDefault" + patch_mode = "AutomaticByOS" + platform_fault_domain = -1 + priority = "Regular" + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + provision_vm_agent = true + public_ip_address = (known after apply) + public_ip_addresses = (known after apply) + resource_group_name = (known after apply) + size = "Standard_B2ms" + virtual_machine_id = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + os_disk { + caching = "ReadWrite" + disk_size_gb = (known after apply) + name = (known after apply) + storage_account_type = "Standard_LRS" + write_accelerator_enabled = false } + source_image_reference { + offer = "windows-11" + publisher = "MicrosoftWindowsDesktop" + sku = "win11-22h2-pro" + version = "latest" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.aad[0] will be created + resource "azurerm_virtual_machine_extension" "aad" { + auto_upgrade_minor_version = true + failure_suppression_enabled = false + id = (known after apply) + name = "aad-login-for-windows" + publisher = "Microsoft.Azure.ActiveDirectory" + settings = <<-EOT { "mdmId": "0000000a-0000-0000-c000-000000000000" } EOT + type = "AADLoginForWindows" + type_handler_version = "1.0" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.post_deployment will be created + resource "azurerm_virtual_machine_extension" "post_deployment" { + failure_suppression_enabled = false + id = (known after apply) + name = "post_deployment" + protected_settings = (sensitive value) + publisher = "Microsoft.Compute" + type = "CustomScriptExtension" + type_handler_version = "1.10" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.front_door.azurecaf_name.frontdoor will be created + resource "azurecaf_name" "frontdoor" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_cdn_frontdoor_profile" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = (known after apply) + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = (known after apply) + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.key_vault will be created + resource "azurecaf_name" "key_vault" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_key_vault" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.key_vault.azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus2" + name = (known after apply) + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = (known after apply) + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this[0] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[3] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[4] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.redis.cache.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.redis_cache[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.redis_cache[0].azurecaf_name.redis_cache will be created + resource "azurecaf_name" "redis_cache" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_redis_cache" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.redis_cache[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.redis.cache.windows.net" } # module.redis_cache[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "redisCache", ] } } # module.redis_cache[0].azurerm_redis_cache.this will be created + resource "azurerm_redis_cache" "this" { + capacity = 2 + enable_non_ssl_port = false + family = "C" + hostname = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = (known after apply) + port = (known after apply) + primary_access_key = (sensitive value) + primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) + public_network_access_enabled = false + redis_version = (known after apply) + replicas_per_master = (known after apply) + replicas_per_primary = (known after apply) + resource_group_name = (known after apply) + secondary_access_key = (sensitive value) + secondary_connection_string = (sensitive value) + sku_name = "Standard" + ssl_port = (known after apply) + tags = { + "environment" = "prod" } + redis_configuration { + enable_authentication = true + maxclients = (known after apply) + maxfragmentationmemory_reserved = (known after apply) + maxmemory_delta = (known after apply) + maxmemory_policy = "volatile-lru" + maxmemory_reserved = (known after apply) } } # module.sql_database[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.sql_database[0].azurecaf_name.sql_server will be created + resource "azurecaf_name" "sql_server" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_mssql_server" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.sql_database[0].azurerm_mssql_database.this[0] will be created + resource "azurerm_mssql_database" "this" { + auto_pause_delay_in_minutes = (known after apply) + collation = (known after apply) + create_mode = "Default" + creation_source_database_id = (known after apply) + geo_backup_enabled = true + id = (known after apply) + ledger_enabled = (known after apply) + license_type = (known after apply) + maintenance_configuration_name = (known after apply) + max_size_gb = (known after apply) + min_capacity = (known after apply) + name = "sample-db" + read_replica_count = (known after apply) + read_scale = (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) + server_id = (known after apply) + sku_name = "S0" + storage_account_type = "Geo" + transparent_data_encryption_enabled = true + zone_redundant = (known after apply) } # module.sql_database[0].azurerm_mssql_server.this will be created + resource "azurerm_mssql_server" "this" { + administrator_login = (known after apply) + connection_policy = "Default" + fully_qualified_domain_name = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = (known after apply) + outbound_network_restriction_enabled = false + primary_user_assigned_identity_id = (known after apply) + public_network_access_enabled = false + resource_group_name = (known after apply) + restorable_dropped_database_ids = (known after apply) + tags = { + "environment" = "prod" } + version = "12.0" + azuread_administrator { + azuread_authentication_only = true + login_username = "AppSvcLZA Azure AD SQL Admins" + object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" } } # module.sql_database[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.database.windows.net" } # module.sql_database[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sqlServer", ] } } # module.user_defined_routes[0].azurecaf_name.route_table will be created + resource "azurecaf_name" "route_table" { + clean_input = true + id = (known after apply) + name = "egress-lockdown" + passthrough = false + random_length = 0 + resource_type = "azurerm_route_table" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.user_defined_routes[0].azurerm_route.this[0] will be created + resource "azurerm_route" "this" { + address_prefix = "0.0.0.0/0" + id = (known after apply) + name = "defaultRoute" + next_hop_in_ip_address = "10.242.0.4" + next_hop_type = "VirtualAppliance" + resource_group_name = (known after apply) + route_table_name = (known after apply) } # module.user_defined_routes[0].azurerm_route_table.this will be created + resource "azurerm_route_table" "this" { + disable_bgp_route_propagation = false + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + route = (known after apply) + subnets = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[0] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[1] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[2] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[3] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.app_service.module.windows_web_app[0].azurecaf_name.slot will be created + resource "azurecaf_name" "slot" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurecaf_name.webapp will be created + resource "azurecaf_name" "webapp" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "AllLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this will be created + resource "azurerm_windows_web_app" "this" { + app_settings = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + location = "westus2" + name = (known after apply) + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + resource_group_name = (known after apply) + service_plan_id = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + linux_fx_version = (known after apply) + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } + sticky_settings { + app_setting_names = [ + "APPINSIGHTS_INSTRUMENTATIONKEY", + "APPINSIGHTS_PROFILERFEATURE_VERSION", + "APPINSIGHTS_SNAPSHOTFEATURE_VERSION", + "APPLICATIONINSIGHTS_CONNECTION_STRING", + "ApplicationInsightsAgent_EXTENSION_VERSION", + "DiagnosticServices_EXTENSION_VERSION", + "InstrumentationEngine_EXTENSION_VERSION", + "SnapshotDebugger_EXTENSION_VERSION", + "XDT_MicrosoftApplicationInsights_BaseExtensions", + "XDT_MicrosoftApplicationInsights_Java", + "XDT_MicrosoftApplicationInsights_Mode", + "XDT_MicrosoftApplicationInsights_NodeJS", + "XDT_MicrosoftApplicationInsights_PreemptSdk", ] } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot will be created + resource "azurerm_windows_web_app_slot" "slot" { + app_service_id = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + name = "staging" + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } } # module.app_service.module.windows_web_app[0].null_resource.service_plan will be created + resource "null_resource" "service_plan" { + id = (known after apply) + triggers = { + "service_plan_name" = "asp-secure-webapp-win-prod" + "service_plan_os" = "Windows" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app will be created + resource "azurerm_cdn_frontdoor_endpoint" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + enabled = true + host_name = (known after apply) + id = (known after apply) + name = (known after apply) } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app will be created + resource "azurerm_cdn_frontdoor_origin" "web_app" { + cdn_frontdoor_origin_group_id = (known after apply) + certificate_name_check_enabled = true + enabled = true + health_probes_enabled = (known after apply) + host_name = (known after apply) + http_port = 80 + https_port = 443 + id = (known after apply) + name = (known after apply) + origin_host_header = (known after apply) + priority = 1 + weight = 1000 + private_link { + location = "westus2" + private_link_target_id = (known after apply) + request_message = "Request access for CDN Frontdoor Private Link Origin to Web App 2" + target_type = "sites" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app will be created + resource "azurerm_cdn_frontdoor_origin_group" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = (known after apply) + restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10 + session_affinity_enabled = false + health_probe { + interval_in_seconds = 100 + path = "/" + protocol = "Https" + request_type = "HEAD" } + load_balancing { + additional_latency_in_milliseconds = 0 + sample_size = 16 + successful_samples_required = 3 } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_route.web_app will be created + resource "azurerm_cdn_frontdoor_route" "web_app" { + cdn_frontdoor_endpoint_id = (known after apply) + cdn_frontdoor_origin_group_id = (known after apply) + cdn_frontdoor_origin_ids = (known after apply) + enabled = true + forwarding_protocol = "HttpsOnly" + https_redirect_enabled = true + id = (known after apply) + link_to_default_domain = true + name = (known after apply) + patterns_to_match = [ + "/*", ] + supported_protocols = [ + "Http", + "Https", ] } # module.front_door.module.endpoint[0].null_resource.web_app will be created + resource "null_resource" "web_app" { + id = (known after apply) + triggers = { + "private_link_target_type" = "sites" } } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites", ] } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites-staging", ] } } Plan: 101 to add, 0 to change, 0 to destroy. Changes to Outputs: + devops_vm_id = (known after apply) + key_vault_name = (known after apply) + key_vault_uri = (known after apply) + redis_connection_secret_name = "redis-connection-string" + redis_connection_string = (sensitive value) + rg_name = (known after apply) + sql_db_connection_string = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) + web_app_name = (known after apply) + web_app_slot_name = "staging" + web_app_uri = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurecaf_name.bastion_host will be created + resource "azurecaf_name" "bastion_host" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_bastion_host" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.firewall will be created + resource "azurecaf_name" "firewall" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurecaf_name.vnet will be created + resource "azurecaf_name" "vnet" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus2", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.hub will be created + resource "azurerm_resource_group" "hub" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "terraform" = "true" } } # module.bastion[0].azurecaf_name.bastion_pip will be created + resource "azurecaf_name" "bastion_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion will be created + resource "azurerm_bastion_host" "bastion" { + copy_paste_enabled = true + dns_name = (known after apply) + file_copy_enabled = false + id = (known after apply) + ip_connect_enabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + scale_units = 2 + shareable_link_enabled = false + sku = "Standard" + tunneling_enabled = true + ip_configuration { + name = "bastionHostIpConfiguration" + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.bastion[0].azurerm_public_ip.bastion_pip will be created + resource "azurerm_public_ip" "bastion_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.firewall[0].azurecaf_name.firewall_pip will be created + resource "azurecaf_name" "firewall_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurerm_firewall.firewall will be created + resource "azurerm_firewall" "firewall" { + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku_name = "AZFW_VNet" + sku_tier = "Standard" + threat_intel_mode = (known after apply) + ip_configuration { + name = "firewallIpConfiguration" + private_ip_address = (known after apply) + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.firewall[0].azurerm_public_ip.firewall_pip will be created + resource "azurerm_public_ip" "firewall_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureFirewallSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.242.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } Plan: 21 to add, 0 to change, 0 to destroy. Changes to Outputs: + bastion_name = (known after apply) + firewall_private_ip = (known after apply) + firewall_rules = {} + rg_name = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # azurecaf_name.appsvc_subnet will be created + resource "azurecaf_name" "appsvc_subnet" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.contributor_identity will be created + resource "azurecaf_name" "contributor_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-contributor" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_subnet will be created + resource "azurecaf_name" "devops_subnet" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_vm will be created + resource "azurecaf_name" "devops_vm" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_windows_virtual_machine" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # azurecaf_name.ingress_subnet will be created + resource "azurecaf_name" "ingress_subnet" { + clean_input = true + id = (known after apply) + name = "ingress" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurecaf_name.private_link_subnet will be created + resource "azurecaf_name" "private_link_subnet" { + clean_input = true + id = (known after apply) + name = "private-link" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.reader_identity will be created + resource "azurecaf_name" "reader_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-reader" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "wus2", ] + use_slug = true } # azurecaf_name.spoke_network will be created + resource "azurecaf_name" "spoke_network" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "application-name" = "secure-webapp" + "environment" = "prod" + "terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_virtual_network_peering.hub_to_spoke will be created + resource "azurerm_virtual_network_peering" "hub_to_spoke" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-secure-webapp" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-wus2" + use_remote_gateways = false + virtual_network_name = "vnet-hub-wus2" } # azurerm_virtual_network_peering.spoke_to_hub will be created + resource "azurerm_virtual_network_peering" "spoke_to_hub" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-secure-webapp" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # random_integer.unique_id will be created + resource "random_integer" "unique_id" { + id = (known after apply) + max = 9999 + min = 1 + result = (known after apply) } # random_password.vm_admin_password will be created + resource "random_password" "vm_admin_password" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 16 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = true + upper = true } # random_password.vm_admin_username will be created + resource "random_password" "vm_admin_username" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 10 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = false + upper = true } # module.app_configuration[0].azurecaf_name.app_config will be created + resource "azurecaf_name" "app_config" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_app_configuration" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.app_configuration[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus2" + name = (known after apply) + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = (known after apply) + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_insights.azurecaf_name.app_insights will be created + resource "azurecaf_name" "app_insights" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_insights.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + location = "westus2" + maximum_elastic_worker_count = (known after apply) + name = "asp-secure-webapp-win-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = (known after apply) + sku_name = "S1" + worker_count = 1 + zone_balancing_enabled = false } # module.devops_vm[0].data.azuread_user.vm_admin will be read during apply # (depends on a resource or a module with changes pending) <= data "azuread_user" "vm_admin" { + account_enabled = (known after apply) + age_group = (known after apply) + business_phones = (known after apply) + city = (known after apply) + company_name = (known after apply) + consent_provided_for_minor = (known after apply) + cost_center = (known after apply) + country = (known after apply) + creation_type = (known after apply) + department = (known after apply) + display_name = (known after apply) + division = (known after apply) + employee_id = (known after apply) + employee_type = (known after apply) + external_user_state = (known after apply) + fax_number = (known after apply) + given_name = (known after apply) + id = (known after apply) + im_addresses = (known after apply) + job_title = (known after apply) + mail = (known after apply) + mail_nickname = (known after apply) + manager_id = (known after apply) + mobile_phone = (known after apply) + object_id = (known after apply) + office_location = (known after apply) + onpremises_distinguished_name = (known after apply) + onpremises_domain_name = (known after apply) + onpremises_immutable_id = (known after apply) + onpremises_sam_account_name = (known after apply) + onpremises_security_identifier = (known after apply) + onpremises_sync_enabled = (known after apply) + onpremises_user_principal_name = (known after apply) + other_mails = (known after apply) + postal_code = (known after apply) + preferred_language = (known after apply) + proxy_addresses = (known after apply) + show_in_address_list = (known after apply) + state = (known after apply) + street_address = (known after apply) + surname = (known after apply) + usage_location = (known after apply) + user_principal_name = "bob@contoso.com" + user_type = (known after apply) } # module.devops_vm[0].azurerm_network_interface.vm_nic will be created + resource "azurerm_network_interface" "vm_nic" { + applied_dns_servers = (known after apply) + dns_servers = (known after apply) + enable_accelerated_networking = false + enable_ip_forwarding = false + id = (known after apply) + internal_dns_name_label = (known after apply) + internal_domain_name_suffix = (known after apply) + location = "westus2" + mac_address = (known after apply) + name = (known after apply) + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + resource_group_name = (known after apply) + virtual_machine_id = (known after apply) + ip_configuration { + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + name = (known after apply) + primary = (known after apply) + private_ip_address = (known after apply) + private_ip_address_allocation = "Dynamic" + private_ip_address_version = "IPv4" + subnet_id = (known after apply) } } # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment will be created + resource "azurerm_role_assignment" "vm_admin_role_assignment" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Virtual Machine Administrator Login" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.devops_vm[0].azurerm_windows_virtual_machine.vm will be created + resource "azurerm_windows_virtual_machine" "vm" { + admin_password = (sensitive value) + admin_username = (sensitive value) + allow_extension_operations = true + computer_name = (known after apply) + enable_automatic_updates = true + extensions_time_budget = "PT1H30M" + hotpatching_enabled = false + id = (known after apply) + location = "westus2" + max_bid_price = -1 + name = (known after apply) + network_interface_ids = (known after apply) + patch_assessment_mode = "ImageDefault" + patch_mode = "AutomaticByOS" + platform_fault_domain = -1 + priority = "Regular" + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + provision_vm_agent = true + public_ip_address = (known after apply) + public_ip_addresses = (known after apply) + resource_group_name = (known after apply) + size = "Standard_B2ms" + virtual_machine_id = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + os_disk { + caching = "ReadWrite" + disk_size_gb = (known after apply) + name = (known after apply) + storage_account_type = "Standard_LRS" + write_accelerator_enabled = false } + source_image_reference { + offer = "windows-11" + publisher = "MicrosoftWindowsDesktop" + sku = "win11-22h2-pro" + version = "latest" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.aad[0] will be created + resource "azurerm_virtual_machine_extension" "aad" { + auto_upgrade_minor_version = true + failure_suppression_enabled = false + id = (known after apply) + name = "aad-login-for-windows" + publisher = "Microsoft.Azure.ActiveDirectory" + settings = <<-EOT { "mdmId": "0000000a-0000-0000-c000-000000000000" } EOT + type = "AADLoginForWindows" + type_handler_version = "1.0" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.post_deployment will be created + resource "azurerm_virtual_machine_extension" "post_deployment" { + failure_suppression_enabled = false + id = (known after apply) + name = "post_deployment" + protected_settings = (sensitive value) + publisher = "Microsoft.Compute" + type = "CustomScriptExtension" + type_handler_version = "1.10" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.front_door.azurecaf_name.frontdoor will be created + resource "azurecaf_name" "frontdoor" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_cdn_frontdoor_profile" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = (known after apply) + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = (known after apply) + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.key_vault will be created + resource "azurecaf_name" "key_vault" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_key_vault" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.key_vault.azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus2" + name = (known after apply) + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = (known after apply) + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this[0] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[3] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[4] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.redis.cache.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.redis_cache[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.redis_cache[0].azurecaf_name.redis_cache will be created + resource "azurecaf_name" "redis_cache" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_redis_cache" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.redis_cache[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.redis.cache.windows.net" } # module.redis_cache[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "redisCache", ] } } # module.redis_cache[0].azurerm_redis_cache.this will be created + resource "azurerm_redis_cache" "this" { + capacity = 2 + enable_non_ssl_port = false + family = "C" + hostname = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = (known after apply) + port = (known after apply) + primary_access_key = (sensitive value) + primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) + public_network_access_enabled = false + redis_version = (known after apply) + replicas_per_master = (known after apply) + replicas_per_primary = (known after apply) + resource_group_name = (known after apply) + secondary_access_key = (sensitive value) + secondary_connection_string = (sensitive value) + sku_name = "Standard" + ssl_port = (known after apply) + tags = { + "environment" = "prod" } + redis_configuration { + enable_authentication = true + maxclients = (known after apply) + maxfragmentationmemory_reserved = (known after apply) + maxmemory_delta = (known after apply) + maxmemory_policy = "volatile-lru" + maxmemory_reserved = (known after apply) } } # module.sql_database[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.sql_database[0].azurecaf_name.sql_server will be created + resource "azurecaf_name" "sql_server" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_mssql_server" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.sql_database[0].azurerm_mssql_database.this[0] will be created + resource "azurerm_mssql_database" "this" { + auto_pause_delay_in_minutes = (known after apply) + collation = (known after apply) + create_mode = "Default" + creation_source_database_id = (known after apply) + geo_backup_enabled = true + id = (known after apply) + ledger_enabled = (known after apply) + license_type = (known after apply) + maintenance_configuration_name = (known after apply) + max_size_gb = (known after apply) + min_capacity = (known after apply) + name = "sample-db" + read_replica_count = (known after apply) + read_scale = (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) + server_id = (known after apply) + sku_name = "S0" + storage_account_type = "Geo" + transparent_data_encryption_enabled = true + zone_redundant = (known after apply) } # module.sql_database[0].azurerm_mssql_server.this will be created + resource "azurerm_mssql_server" "this" { + administrator_login = (known after apply) + connection_policy = "Default" + fully_qualified_domain_name = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = (known after apply) + outbound_network_restriction_enabled = false + primary_user_assigned_identity_id = (known after apply) + public_network_access_enabled = false + resource_group_name = (known after apply) + restorable_dropped_database_ids = (known after apply) + tags = { + "environment" = "prod" } + version = "12.0" + azuread_administrator { + azuread_authentication_only = true + login_username = "AppSvcLZA Azure AD SQL Admins" + object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" } } # module.sql_database[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.database.windows.net" } # module.sql_database[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sqlServer", ] } } # module.user_defined_routes[0].azurecaf_name.route_table will be created + resource "azurecaf_name" "route_table" { + clean_input = true + id = (known after apply) + name = "egress-lockdown" + passthrough = false + random_length = 0 + resource_type = "azurerm_route_table" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.user_defined_routes[0].azurerm_route.this[0] will be created + resource "azurerm_route" "this" { + address_prefix = "0.0.0.0/0" + id = (known after apply) + name = "defaultRoute" + next_hop_in_ip_address = "10.242.0.4" + next_hop_type = "VirtualAppliance" + resource_group_name = (known after apply) + route_table_name = (known after apply) } # module.user_defined_routes[0].azurerm_route_table.this will be created + resource "azurerm_route_table" "this" { + disable_bgp_route_propagation = false + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + route = (known after apply) + subnets = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[0] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[1] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[2] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[3] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.app_service.module.windows_web_app[0].azurecaf_name.slot will be created + resource "azurecaf_name" "slot" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurecaf_name.webapp will be created + resource "azurecaf_name" "webapp" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "AllLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this will be created + resource "azurerm_windows_web_app" "this" { + app_settings = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + location = "westus2" + name = (known after apply) + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + resource_group_name = (known after apply) + service_plan_id = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + linux_fx_version = (known after apply) + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } + sticky_settings { + app_setting_names = [ + "APPINSIGHTS_INSTRUMENTATIONKEY", + "APPINSIGHTS_PROFILERFEATURE_VERSION", + "APPINSIGHTS_SNAPSHOTFEATURE_VERSION", + "APPLICATIONINSIGHTS_CONNECTION_STRING", + "ApplicationInsightsAgent_EXTENSION_VERSION", + "DiagnosticServices_EXTENSION_VERSION", + "InstrumentationEngine_EXTENSION_VERSION", + "SnapshotDebugger_EXTENSION_VERSION", + "XDT_MicrosoftApplicationInsights_BaseExtensions", + "XDT_MicrosoftApplicationInsights_Java", + "XDT_MicrosoftApplicationInsights_Mode", + "XDT_MicrosoftApplicationInsights_NodeJS", + "XDT_MicrosoftApplicationInsights_PreemptSdk", ] } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot will be created + resource "azurerm_windows_web_app_slot" "slot" { + app_service_id = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + name = "staging" + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } } # module.app_service.module.windows_web_app[0].null_resource.service_plan will be created + resource "null_resource" "service_plan" { + id = (known after apply) + triggers = { + "service_plan_name" = "asp-secure-webapp-win-prod" + "service_plan_os" = "Windows" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app will be created + resource "azurerm_cdn_frontdoor_endpoint" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + enabled = true + host_name = (known after apply) + id = (known after apply) + name = (known after apply) } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app will be created + resource "azurerm_cdn_frontdoor_origin" "web_app" { + cdn_frontdoor_origin_group_id = (known after apply) + certificate_name_check_enabled = true + enabled = true + health_probes_enabled = (known after apply) + host_name = (known after apply) + http_port = 80 + https_port = 443 + id = (known after apply) + name = (known after apply) + origin_host_header = (known after apply) + priority = 1 + weight = 1000 + private_link { + location = "westus2" + private_link_target_id = (known after apply) + request_message = "Request access for CDN Frontdoor Private Link Origin to Web App 2" + target_type = "sites" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app will be created + resource "azurerm_cdn_frontdoor_origin_group" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = (known after apply) + restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10 + session_affinity_enabled = false + health_probe { + interval_in_seconds = 100 + path = "/" + protocol = "Https" + request_type = "HEAD" } + load_balancing { + additional_latency_in_milliseconds = 0 + sample_size = 16 + successful_samples_required = 3 } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_route.web_app will be created + resource "azurerm_cdn_frontdoor_route" "web_app" { + cdn_frontdoor_endpoint_id = (known after apply) + cdn_frontdoor_origin_group_id = (known after apply) + cdn_frontdoor_origin_ids = (known after apply) + enabled = true + forwarding_protocol = "HttpsOnly" + https_redirect_enabled = true + id = (known after apply) + link_to_default_domain = true + name = (known after apply) + patterns_to_match = [ + "/*", ] + supported_protocols = [ + "Http", + "Https", ] } # module.front_door.module.endpoint[0].null_resource.web_app will be created + resource "null_resource" "web_app" { + id = (known after apply) + triggers = { + "private_link_target_type" = "sites" } } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites", ] } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites-staging", ] } } Plan: 101 to add, 0 to change, 0 to destroy. Changes to Outputs: + devops_vm_id = (known after apply) + key_vault_name = (known after apply) + key_vault_uri = (known after apply) + redis_connection_secret_name = "redis-connection-string" + redis_connection_string = (sensitive value) + rg_name = (known after apply) + sql_db_connection_string = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) + web_app_name = (known after apply) + web_app_slot_name = "staging" + web_app_uri = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = "log-secure-webapp-prod" + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus2" + name = "rg-secure-webapp-prod-wus2" + tags = { + "application-name" = "secure-webapp" + "environment" = "prod" + "terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = "msi-secure-webapp-contributor" + principal_id = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus2" + name = "msi-secure-webapp-reader" + principal_id = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + tenant_id = (known after apply) } # azurerm_virtual_network_peering.hub_to_spoke will be created + resource "azurerm_virtual_network_peering" "hub_to_spoke" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-secure-webapp" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-wus2" + use_remote_gateways = false + virtual_network_name = "vnet-hub-wus2" } # azurerm_virtual_network_peering.spoke_to_hub will be created + resource "azurerm_virtual_network_peering" "spoke_to_hub" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-secure-webapp" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" + resource_group_name = "rg-secure-webapp-prod-wus2" + use_remote_gateways = false + virtual_network_name = "vnet-secure-webapp-prod" } # module.app_configuration[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = "appcg-secure-webapp-prod-3079" + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus2" + name = "appcg-secure-webapp-prod-3079" + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = "rg-secure-webapp-prod-wus2" + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "appcg-secure-webapp-prod-3079" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_insights.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = "appi-secure-webapp-prod" + resource_group_name = "rg-secure-webapp-prod-wus2" + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + location = "westus2" + maximum_elastic_worker_count = (known after apply) + name = "asp-secure-webapp-win-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + sku_name = "S1" + worker_count = 1 + zone_balancing_enabled = false } # module.devops_vm[0].data.azuread_user.vm_admin will be read during apply # (depends on a resource or a module with changes pending) <= data "azuread_user" "vm_admin" { + account_enabled = (known after apply) + age_group = (known after apply) + business_phones = (known after apply) + city = (known after apply) + company_name = (known after apply) + consent_provided_for_minor = (known after apply) + cost_center = (known after apply) + country = (known after apply) + creation_type = (known after apply) + department = (known after apply) + display_name = (known after apply) + division = (known after apply) + employee_id = (known after apply) + employee_type = (known after apply) + external_user_state = (known after apply) + fax_number = (known after apply) + given_name = (known after apply) + id = (known after apply) + im_addresses = (known after apply) + job_title = (known after apply) + mail = (known after apply) + mail_nickname = (known after apply) + manager_id = (known after apply) + mobile_phone = (known after apply) + object_id = (known after apply) + office_location = (known after apply) + onpremises_distinguished_name = (known after apply) + onpremises_domain_name = (known after apply) + onpremises_immutable_id = (known after apply) + onpremises_sam_account_name = (known after apply) + onpremises_security_identifier = (known after apply) + onpremises_sync_enabled = (known after apply) + onpremises_user_principal_name = (known after apply) + other_mails = (known after apply) + postal_code = (known after apply) + preferred_language = (known after apply) + proxy_addresses = (known after apply) + show_in_address_list = (known after apply) + state = (known after apply) + street_address = (known after apply) + surname = (known after apply) + usage_location = (known after apply) + user_principal_name = "bob@contoso.com" + user_type = (known after apply) } # module.devops_vm[0].azurerm_network_interface.vm_nic will be created + resource "azurerm_network_interface" "vm_nic" { + applied_dns_servers = (known after apply) + dns_servers = (known after apply) + enable_accelerated_networking = false + enable_ip_forwarding = false + id = (known after apply) + internal_dns_name_label = (known after apply) + internal_domain_name_suffix = (known after apply) + location = "westus2" + mac_address = (known after apply) + name = "vm-devops-3079-nic" + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + virtual_machine_id = (known after apply) + ip_configuration { + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + name = "vm-devops-3079-ipconfig" + primary = (known after apply) + private_ip_address = (known after apply) + private_ip_address_allocation = "Dynamic" + private_ip_address_version = "IPv4" + subnet_id = (known after apply) } } # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment will be created + resource "azurerm_role_assignment" "vm_admin_role_assignment" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Virtual Machine Administrator Login" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.devops_vm[0].azurerm_windows_virtual_machine.vm will be created + resource "azurerm_windows_virtual_machine" "vm" { + admin_password = (sensitive value) + admin_username = (sensitive value) + allow_extension_operations = true + computer_name = (known after apply) + enable_automatic_updates = true + extensions_time_budget = "PT1H30M" + hotpatching_enabled = false + id = (known after apply) + location = "westus2" + max_bid_price = -1 + name = "vm-devops-3079" + network_interface_ids = (known after apply) + patch_assessment_mode = "ImageDefault" + patch_mode = "AutomaticByOS" + platform_fault_domain = -1 + priority = "Regular" + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + provision_vm_agent = true + public_ip_address = (known after apply) + public_ip_addresses = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + size = "Standard_B2ms" + virtual_machine_id = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + os_disk { + caching = "ReadWrite" + disk_size_gb = (known after apply) + name = (known after apply) + storage_account_type = "Standard_LRS" + write_accelerator_enabled = false } + source_image_reference { + offer = "windows-11" + publisher = "MicrosoftWindowsDesktop" + sku = "win11-22h2-pro" + version = "latest" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.aad[0] will be created + resource "azurerm_virtual_machine_extension" "aad" { + auto_upgrade_minor_version = true + failure_suppression_enabled = false + id = (known after apply) + name = "aad-login-for-windows" + publisher = "Microsoft.Azure.ActiveDirectory" + settings = <<-EOT { "mdmId": "0000000a-0000-0000-c000-000000000000" } EOT + type = "AADLoginForWindows" + type_handler_version = "1.0" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.post_deployment will be created + resource "azurerm_virtual_machine_extension" "post_deployment" { + failure_suppression_enabled = false + id = (known after apply) + name = "post_deployment" + protected_settings = (sensitive value) + publisher = "Microsoft.Compute" + type = "CustomScriptExtension" + type_handler_version = "1.10" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.front_door.azurecaf_name.frontdoor will be created + resource "azurecaf_name" "frontdoor" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_cdn_frontdoor_profile" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = "rg-secure-webapp-prod-wus2" + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = "kv-appsvc-prod-3079" + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus2" + name = "kv-appsvc-prod-3079" + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = "rg-secure-webapp-prod-wus2" + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "kv-appsvc-prod-3079" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "snet-appsvc" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + virtual_network_name = "vnet-secure-webapp-prod" + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "snet-ingress" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + virtual_network_name = "vnet-secure-webapp-prod" } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "snet-devops" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + virtual_network_name = "vnet-secure-webapp-prod" } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "snet-private-link" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + virtual_network_name = "vnet-secure-webapp-prod" } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = "vnet-secure-webapp-prod" + resource_group_name = "rg-secure-webapp-prod-wus2" + subnet = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this[0] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[3] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[4] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.redis.cache.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.redis_cache[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = "redis-secure-webapp-prod-3079" + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.redis_cache[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "redis-secure-webapp-prod-3079" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.redis.cache.windows.net" } # module.redis_cache[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "redisCache", ] } } # module.redis_cache[0].azurerm_redis_cache.this will be created + resource "azurerm_redis_cache" "this" { + capacity = 2 + enable_non_ssl_port = false + family = "C" + hostname = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = "redis-secure-webapp-prod-3079" + port = (known after apply) + primary_access_key = (sensitive value) + primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) + public_network_access_enabled = false + redis_version = (known after apply) + replicas_per_master = (known after apply) + replicas_per_primary = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + secondary_access_key = (sensitive value) + secondary_connection_string = (sensitive value) + sku_name = "Standard" + ssl_port = (known after apply) + tags = { + "environment" = "prod" } + redis_configuration { + enable_authentication = true + maxclients = (known after apply) + maxfragmentationmemory_reserved = (known after apply) + maxmemory_delta = (known after apply) + maxmemory_policy = "volatile-lru" + maxmemory_reserved = (known after apply) } } # module.sql_database[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = "sql-secure-webapp-prod-3079" + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.sql_database[0].azurerm_mssql_database.this[0] will be created + resource "azurerm_mssql_database" "this" { + auto_pause_delay_in_minutes = (known after apply) + collation = (known after apply) + create_mode = "Default" + creation_source_database_id = (known after apply) + geo_backup_enabled = true + id = (known after apply) + ledger_enabled = (known after apply) + license_type = (known after apply) + maintenance_configuration_name = (known after apply) + max_size_gb = (known after apply) + min_capacity = (known after apply) + name = "sample-db" + read_replica_count = (known after apply) + read_scale = (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) + server_id = (known after apply) + sku_name = "S0" + storage_account_type = "Geo" + transparent_data_encryption_enabled = true + zone_redundant = (known after apply) } # module.sql_database[0].azurerm_mssql_server.this will be created + resource "azurerm_mssql_server" "this" { + administrator_login = (known after apply) + connection_policy = "Default" + fully_qualified_domain_name = (known after apply) + id = (known after apply) + location = "westus2" + minimum_tls_version = "1.2" + name = "sql-secure-webapp-prod-3079" + outbound_network_restriction_enabled = false + primary_user_assigned_identity_id = (known after apply) + public_network_access_enabled = false + resource_group_name = "rg-secure-webapp-prod-wus2" + restorable_dropped_database_ids = (known after apply) + tags = { + "environment" = "prod" } + version = "12.0" + azuread_administrator { + azuread_authentication_only = true + login_username = "AppSvcLZA Azure AD SQL Admins" + object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" } } # module.sql_database[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "sql-secure-webapp-prod-3079" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.database.windows.net" } # module.sql_database[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sqlServer", ] } } # module.user_defined_routes[0].azurerm_route.this[0] will be created + resource "azurerm_route" "this" { + address_prefix = "0.0.0.0/0" + id = (known after apply) + name = "defaultRoute" + next_hop_in_ip_address = "10.242.0.4" + next_hop_type = "VirtualAppliance" + resource_group_name = "rg-secure-webapp-prod-wus2" + route_table_name = "route-egress-lockdown" } # module.user_defined_routes[0].azurerm_route_table.this will be created + resource "azurerm_route_table" "this" { + disable_bgp_route_propagation = false + id = (known after apply) + location = "westus2" + name = "route-egress-lockdown" + resource_group_name = "rg-secure-webapp-prod-wus2" + route = (known after apply) + subnets = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[0] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[1] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[2] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[3] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.app_service.module.windows_web_app[0].azurecaf_name.slot will be created + resource "azurecaf_name" "slot" { + clean_input = true + id = (known after apply) + name = "app-secure-webapp-prod-3079-staging" + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurecaf_name.webapp will be created + resource "azurecaf_name" "webapp" { + clean_input = true + id = (known after apply) + name = "app-secure-webapp-prod-3079" + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = "app-secure-webapp-prod-3079-diagnostic-settings}" + target_resource_id = (known after apply) + enabled_log { + category_group = "AllLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this will be created + resource "azurerm_windows_web_app" "this" { + app_settings = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + location = "westus2" + name = "app-secure-webapp-prod-3079" + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + service_plan_id = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + linux_fx_version = (known after apply) + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } + sticky_settings { + app_setting_names = [ + "APPINSIGHTS_INSTRUMENTATIONKEY", + "APPINSIGHTS_PROFILERFEATURE_VERSION", + "APPINSIGHTS_SNAPSHOTFEATURE_VERSION", + "APPLICATIONINSIGHTS_CONNECTION_STRING", + "ApplicationInsightsAgent_EXTENSION_VERSION", + "DiagnosticServices_EXTENSION_VERSION", + "InstrumentationEngine_EXTENSION_VERSION", + "SnapshotDebugger_EXTENSION_VERSION", + "XDT_MicrosoftApplicationInsights_BaseExtensions", + "XDT_MicrosoftApplicationInsights_Java", + "XDT_MicrosoftApplicationInsights_Mode", + "XDT_MicrosoftApplicationInsights_NodeJS", + "XDT_MicrosoftApplicationInsights_PreemptSdk", ] } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot will be created + resource "azurerm_windows_web_app_slot" "slot" { + app_service_id = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + name = "staging" + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } } # module.app_service.module.windows_web_app[0].null_resource.service_plan will be created + resource "null_resource" "service_plan" { + id = (known after apply) + triggers = { + "service_plan_name" = "asp-secure-webapp-win-prod" + "service_plan_os" = "Windows" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app will be created + resource "azurerm_cdn_frontdoor_endpoint" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + enabled = true + host_name = (known after apply) + id = (known after apply) + name = "secure-webapp-prod-3079" } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app will be created + resource "azurerm_cdn_frontdoor_origin" "web_app" { + cdn_frontdoor_origin_group_id = (known after apply) + certificate_name_check_enabled = true + enabled = true + health_probes_enabled = (known after apply) + host_name = (known after apply) + http_port = 80 + https_port = 443 + id = (known after apply) + name = "secure-webapp-prod-3079" + origin_host_header = (known after apply) + priority = 1 + weight = 1000 + private_link { + location = "westus2" + private_link_target_id = (known after apply) + request_message = "Request access for CDN Frontdoor Private Link Origin to Web App 2" + target_type = "sites" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app will be created + resource "azurerm_cdn_frontdoor_origin_group" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "secure-webapp-prod-3079" + restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10 + session_affinity_enabled = false + health_probe { + interval_in_seconds = 100 + path = "/" + protocol = "Https" + request_type = "HEAD" } + load_balancing { + additional_latency_in_milliseconds = 0 + sample_size = 16 + successful_samples_required = 3 } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_route.web_app will be created + resource "azurerm_cdn_frontdoor_route" "web_app" { + cdn_frontdoor_endpoint_id = (known after apply) + cdn_frontdoor_origin_group_id = (known after apply) + cdn_frontdoor_origin_ids = (known after apply) + enabled = true + forwarding_protocol = "HttpsOnly" + https_redirect_enabled = true + id = (known after apply) + link_to_default_domain = true + name = "secure-webapp-prod-3079" + patterns_to_match = [ + "/*", ] + supported_protocols = [ + "Http", + "Https", ] } # module.front_door.module.endpoint[0].null_resource.web_app will be created + resource "null_resource" "web_app" { + id = (known after apply) + triggers = { + "private_link_target_type" = "sites" } } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-secure-webapp-prod-wus2" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-secure-webapp-prod-wus2" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-secure-webapp-prod-wus2" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-secure-webapp-prod-wus2" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-secure-webapp-prod-wus2" + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "app-secure-webapp-prod-3079" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "app-secure-webapp-prod-3079.scm" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites", ] } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "app-secure-webapp-prod-3079-staging" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "app-secure-webapp-prod-3079-staging.scm" + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "rg-secure-webapp-prod-wus2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites-staging", ] } } Plan: 82 to add, 0 to change, 0 to destroy. Changes to Outputs: + devops_vm_id = (known after apply) + key_vault_name = "kv-appsvc-prod-3079" + key_vault_uri = (known after apply) + redis_connection_string = (sensitive value) + rg_name = "rg-secure-webapp-prod-wus2" + sql_db_connection_string = "Server=tcp:sql-secure-webapp-prod-3079.database.windows.net;Authentication=Active Directory Default;Database=sample-db;" + vnet_id = (known after apply) + vnet_name = "vnet-secure-webapp-prod" + web_app_name = "app-secure-webapp-prod-3079" + web_app_uri = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurecaf_name.bastion_host will be created + resource "azurecaf_name" "bastion_host" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_bastion_host" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.firewall will be created + resource "azurecaf_name" "firewall" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.vnet will be created + resource "azurecaf_name" "vnet" { + clean_input = true + id = (known after apply) + name = "hub" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.hub will be created + resource "azurerm_resource_group" "hub" { + id = (known after apply) + location = "westus3" + name = (known after apply) + tags = { + "terraform" = "true" } } # module.bastion[0].azurecaf_name.bastion_pip will be created + resource "azurecaf_name" "bastion_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion will be created + resource "azurerm_bastion_host" "bastion" { + copy_paste_enabled = true + dns_name = (known after apply) + file_copy_enabled = false + id = (known after apply) + ip_connect_enabled = false + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + scale_units = 2 + shareable_link_enabled = false + sku = "Standard" + tunneling_enabled = true + ip_configuration { + name = "bastionHostIpConfiguration" + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.bastion[0].azurerm_public_ip.bastion_pip will be created + resource "azurerm_public_ip" "bastion_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.firewall[0].azurecaf_name.firewall_pip will be created + resource "azurecaf_name" "firewall_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurerm_firewall.firewall will be created + resource "azurerm_firewall" "firewall" { + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + sku_name = "AZFW_VNet" + sku_tier = "Standard" + threat_intel_mode = (known after apply) + ip_configuration { + name = "firewallIpConfiguration" + private_ip_address = (known after apply) + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.firewall[0].azurerm_public_ip.firewall_pip will be created + resource "azurerm_public_ip" "firewall_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureFirewallSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.242.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } Plan: 21 to add, 0 to change, 0 to destroy. Changes to Outputs: + bastion_name = (known after apply) + firewall_private_ip = (known after apply) + firewall_rules = {} + rg_name = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # azurecaf_name.appsvc_subnet will be created + resource "azurecaf_name" "appsvc_subnet" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.contributor_identity will be created + resource "azurecaf_name" "contributor_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-contributor" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_subnet will be created + resource "azurecaf_name" "devops_subnet" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_vm will be created + resource "azurecaf_name" "devops_vm" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_windows_virtual_machine" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # azurecaf_name.ingress_subnet will be created + resource "azurecaf_name" "ingress_subnet" { + clean_input = true + id = (known after apply) + name = "ingress" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurecaf_name.private_link_subnet will be created + resource "azurecaf_name" "private_link_subnet" { + clean_input = true + id = (known after apply) + name = "private-link" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.reader_identity will be created + resource "azurecaf_name" "reader_identity" { + clean_input = true + id = (known after apply) + name = "secure-webapp-reader" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "wus3", ] + use_slug = true } # azurecaf_name.spoke_network will be created + resource "azurecaf_name" "spoke_network" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus3" + name = (known after apply) + tags = { + "application-name" = "secure-webapp" + "environment" = "prod" + "terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_virtual_network_peering.hub_to_spoke will be created + resource "azurerm_virtual_network_peering" "hub_to_spoke" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-secure-webapp" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-wus2" + use_remote_gateways = false + virtual_network_name = "vnet-hub-wus2" } # azurerm_virtual_network_peering.spoke_to_hub will be created + resource "azurerm_virtual_network_peering" "spoke_to_hub" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-secure-webapp" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # random_integer.unique_id will be created + resource "random_integer" "unique_id" { + id = (known after apply) + max = 9999 + min = 1 + result = (known after apply) } # random_password.vm_admin_password will be created + resource "random_password" "vm_admin_password" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 16 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = true + upper = true } # random_password.vm_admin_username will be created + resource "random_password" "vm_admin_username" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 10 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = false + upper = true } # module.app_configuration[0].azurecaf_name.app_config will be created + resource "azurecaf_name" "app_config" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_app_configuration" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.app_configuration[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus3" + name = (known after apply) + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = (known after apply) + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_insights.azurecaf_name.app_insights will be created + resource "azurecaf_name" "app_insights" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_insights.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + location = "westus3" + maximum_elastic_worker_count = (known after apply) + name = "asp-secure-webapp-win-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = (known after apply) + sku_name = "S1" + worker_count = 1 + zone_balancing_enabled = false } # module.devops_vm[0].data.azuread_user.vm_admin will be read during apply # (depends on a resource or a module with changes pending) <= data "azuread_user" "vm_admin" { + account_enabled = (known after apply) + age_group = (known after apply) + business_phones = (known after apply) + city = (known after apply) + company_name = (known after apply) + consent_provided_for_minor = (known after apply) + cost_center = (known after apply) + country = (known after apply) + creation_type = (known after apply) + department = (known after apply) + display_name = (known after apply) + division = (known after apply) + employee_id = (known after apply) + employee_type = (known after apply) + external_user_state = (known after apply) + fax_number = (known after apply) + given_name = (known after apply) + id = (known after apply) + im_addresses = (known after apply) + job_title = (known after apply) + mail = (known after apply) + mail_nickname = (known after apply) + manager_id = (known after apply) + mobile_phone = (known after apply) + object_id = (known after apply) + office_location = (known after apply) + onpremises_distinguished_name = (known after apply) + onpremises_domain_name = (known after apply) + onpremises_immutable_id = (known after apply) + onpremises_sam_account_name = (known after apply) + onpremises_security_identifier = (known after apply) + onpremises_sync_enabled = (known after apply) + onpremises_user_principal_name = (known after apply) + other_mails = (known after apply) + postal_code = (known after apply) + preferred_language = (known after apply) + proxy_addresses = (known after apply) + show_in_address_list = (known after apply) + state = (known after apply) + street_address = (known after apply) + surname = (known after apply) + usage_location = (known after apply) + user_principal_name = "jinle@microsoft.com" + user_type = (known after apply) } # module.devops_vm[0].azurerm_network_interface.vm_nic will be created + resource "azurerm_network_interface" "vm_nic" { + applied_dns_servers = (known after apply) + dns_servers = (known after apply) + enable_accelerated_networking = false + enable_ip_forwarding = false + id = (known after apply) + internal_dns_name_label = (known after apply) + internal_domain_name_suffix = (known after apply) + location = "westus3" + mac_address = (known after apply) + name = (known after apply) + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + resource_group_name = (known after apply) + virtual_machine_id = (known after apply) + ip_configuration { + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + name = (known after apply) + primary = (known after apply) + private_ip_address = (known after apply) + private_ip_address_allocation = "Dynamic" + private_ip_address_version = "IPv4" + subnet_id = (known after apply) } } # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment will be created + resource "azurerm_role_assignment" "vm_admin_role_assignment" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Virtual Machine Administrator Login" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.devops_vm[0].azurerm_windows_virtual_machine.vm will be created + resource "azurerm_windows_virtual_machine" "vm" { + admin_password = (sensitive value) + admin_username = (sensitive value) + allow_extension_operations = true + computer_name = (known after apply) + enable_automatic_updates = true + extensions_time_budget = "PT1H30M" + hotpatching_enabled = false + id = (known after apply) + location = "westus3" + max_bid_price = -1 + name = (known after apply) + network_interface_ids = (known after apply) + patch_assessment_mode = "ImageDefault" + patch_mode = "AutomaticByOS" + platform_fault_domain = -1 + priority = "Regular" + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + provision_vm_agent = true + public_ip_address = (known after apply) + public_ip_addresses = (known after apply) + resource_group_name = (known after apply) + size = "Standard_B2ms" + virtual_machine_id = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + os_disk { + caching = "ReadWrite" + disk_size_gb = (known after apply) + name = (known after apply) + storage_account_type = "Standard_LRS" + write_accelerator_enabled = false } + source_image_reference { + offer = "windows-11" + publisher = "MicrosoftWindowsDesktop" + sku = "win11-22h2-pro" + version = "latest" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.aad[0] will be created + resource "azurerm_virtual_machine_extension" "aad" { + auto_upgrade_minor_version = true + failure_suppression_enabled = false + id = (known after apply) + name = "aad-login-for-windows" + publisher = "Microsoft.Azure.ActiveDirectory" + settings = <<-EOT { "mdmId": "0000000a-0000-0000-c000-000000000000" } EOT + type = "AADLoginForWindows" + type_handler_version = "1.0" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.post_deployment will be created + resource "azurerm_virtual_machine_extension" "post_deployment" { + failure_suppression_enabled = false + id = (known after apply) + name = "post_deployment" + protected_settings = (sensitive value) + publisher = "Microsoft.Compute" + type = "CustomScriptExtension" + type_handler_version = "1.10" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.front_door.azurecaf_name.frontdoor will be created + resource "azurecaf_name" "frontdoor" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_cdn_frontdoor_profile" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = (known after apply) + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = (known after apply) + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.key_vault will be created + resource "azurecaf_name" "key_vault" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_key_vault" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.key_vault.azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus3" + name = (known after apply) + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = (known after apply) + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this[0] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[3] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[4] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.redis.cache.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.redis_cache[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.redis_cache[0].azurecaf_name.redis_cache will be created + resource "azurecaf_name" "redis_cache" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_redis_cache" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.redis_cache[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.redis.cache.windows.net" } # module.redis_cache[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "redisCache", ] } } # module.redis_cache[0].azurerm_redis_cache.this will be created + resource "azurerm_redis_cache" "this" { + capacity = 2 + enable_non_ssl_port = false + family = "C" + hostname = (known after apply) + id = (known after apply) + location = "westus3" + minimum_tls_version = "1.2" + name = (known after apply) + port = (known after apply) + primary_access_key = (sensitive value) + primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) + public_network_access_enabled = false + redis_version = (known after apply) + replicas_per_master = (known after apply) + replicas_per_primary = (known after apply) + resource_group_name = (known after apply) + secondary_access_key = (sensitive value) + secondary_connection_string = (sensitive value) + sku_name = "Standard" + ssl_port = (known after apply) + tags = { + "environment" = "prod" } + redis_configuration { + enable_authentication = true + maxclients = (known after apply) + maxfragmentationmemory_reserved = (known after apply) + maxmemory_delta = (known after apply) + maxmemory_policy = "volatile-lru" + maxmemory_reserved = (known after apply) } } # module.sql_database[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.sql_database[0].azurecaf_name.sql_server will be created + resource "azurecaf_name" "sql_server" { + clean_input = true + id = (known after apply) + name = "secure-webapp" + passthrough = false + random_length = 0 + resource_type = "azurerm_mssql_server" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.sql_database[0].azurerm_mssql_database.this[0] will be created + resource "azurerm_mssql_database" "this" { + auto_pause_delay_in_minutes = (known after apply) + collation = (known after apply) + create_mode = "Default" + creation_source_database_id = (known after apply) + geo_backup_enabled = true + id = (known after apply) + ledger_enabled = (known after apply) + license_type = (known after apply) + maintenance_configuration_name = (known after apply) + max_size_gb = (known after apply) + min_capacity = (known after apply) + name = "sample-db" + read_replica_count = (known after apply) + read_scale = (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) + server_id = (known after apply) + sku_name = "S0" + storage_account_type = "Geo" + transparent_data_encryption_enabled = true + zone_redundant = (known after apply) } # module.sql_database[0].azurerm_mssql_server.this will be created + resource "azurerm_mssql_server" "this" { + administrator_login = (known after apply) + connection_policy = "Default" + fully_qualified_domain_name = (known after apply) + id = (known after apply) + location = "westus3" + minimum_tls_version = "1.2" + name = (known after apply) + outbound_network_restriction_enabled = false + primary_user_assigned_identity_id = (known after apply) + public_network_access_enabled = false + resource_group_name = (known after apply) + restorable_dropped_database_ids = (known after apply) + tags = { + "environment" = "prod" } + version = "12.0" + azuread_administrator { + azuread_authentication_only = true + login_username = "AppSvcLZA Azure AD SQL Admins" + object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" } } # module.sql_database[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.database.windows.net" } # module.sql_database[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sqlServer", ] } } # module.user_defined_routes[0].azurecaf_name.route_table will be created + resource "azurecaf_name" "route_table" { + clean_input = true + id = (known after apply) + name = "egress-lockdown" + passthrough = false + random_length = 0 + resource_type = "azurerm_route_table" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.user_defined_routes[0].azurerm_route.this[0] will be created + resource "azurerm_route" "this" { + address_prefix = "0.0.0.0/0" + id = (known after apply) + name = "defaultRoute" + next_hop_in_ip_address = "10.242.0.4" + next_hop_type = "VirtualAppliance" + resource_group_name = (known after apply) + route_table_name = (known after apply) } # module.user_defined_routes[0].azurerm_route_table.this will be created + resource "azurerm_route_table" "this" { + disable_bgp_route_propagation = false + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + route = (known after apply) + subnets = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[0] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[1] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[2] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[3] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.app_service.module.windows_web_app[0].azurecaf_name.slot will be created + resource "azurecaf_name" "slot" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurecaf_name.webapp will be created + resource "azurecaf_name" "webapp" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "AllLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this will be created + resource "azurerm_windows_web_app" "this" { + app_settings = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + location = "westus3" + name = (known after apply) + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + resource_group_name = (known after apply) + service_plan_id = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + linux_fx_version = (known after apply) + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } + sticky_settings { + app_setting_names = [ + "APPINSIGHTS_INSTRUMENTATIONKEY", + "APPINSIGHTS_PROFILERFEATURE_VERSION", + "APPINSIGHTS_SNAPSHOTFEATURE_VERSION", + "APPLICATIONINSIGHTS_CONNECTION_STRING", + "ApplicationInsightsAgent_EXTENSION_VERSION", + "DiagnosticServices_EXTENSION_VERSION", + "InstrumentationEngine_EXTENSION_VERSION", + "SnapshotDebugger_EXTENSION_VERSION", + "XDT_MicrosoftApplicationInsights_BaseExtensions", + "XDT_MicrosoftApplicationInsights_Java", + "XDT_MicrosoftApplicationInsights_Mode", + "XDT_MicrosoftApplicationInsights_NodeJS", + "XDT_MicrosoftApplicationInsights_PreemptSdk", ] } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot will be created + resource "azurerm_windows_web_app_slot" "slot" { + app_service_id = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + name = "staging" + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + site_credential = (known after apply) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } } # module.app_service.module.windows_web_app[0].null_resource.service_plan will be created + resource "null_resource" "service_plan" { + id = (known after apply) + triggers = { + "service_plan_name" = "asp-secure-webapp-win-prod" + "service_plan_os" = "Windows" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app will be created + resource "azurerm_cdn_frontdoor_endpoint" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + enabled = true + host_name = (known after apply) + id = (known after apply) + name = (known after apply) } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app will be created + resource "azurerm_cdn_frontdoor_origin" "web_app" { + cdn_frontdoor_origin_group_id = (known after apply) + certificate_name_check_enabled = true + enabled = true + health_probes_enabled = (known after apply) + host_name = (known after apply) + http_port = 80 + https_port = 443 + id = (known after apply) + name = (known after apply) + origin_host_header = (known after apply) + priority = 1 + weight = 1000 + private_link { + location = "westus3" + private_link_target_id = (known after apply) + request_message = "Request access for CDN Frontdoor Private Link Origin to Web App 2" + target_type = "sites" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app will be created + resource "azurerm_cdn_frontdoor_origin_group" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = (known after apply) + restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10 + session_affinity_enabled = false + health_probe { + interval_in_seconds = 100 + path = "/" + protocol = "Https" + request_type = "HEAD" } + load_balancing { + additional_latency_in_milliseconds = 0 + sample_size = 16 + successful_samples_required = 3 } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_route.web_app will be created + resource "azurerm_cdn_frontdoor_route" "web_app" { + cdn_frontdoor_endpoint_id = (known after apply) + cdn_frontdoor_origin_group_id = (known after apply) + cdn_frontdoor_origin_ids = (known after apply) + enabled = true + forwarding_protocol = "HttpsOnly" + https_redirect_enabled = true + id = (known after apply) + link_to_default_domain = true + name = (known after apply) + patterns_to_match = [ + "/*", ] + supported_protocols = [ + "Http", + "Https", ] } # module.front_door.module.endpoint[0].null_resource.web_app will be created + resource "null_resource" "web_app" { + id = (known after apply) + triggers = { + "private_link_target_type" = "sites" } } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites", ] } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites-staging", ] } } Plan: 101 to add, 0 to change, 0 to destroy. Changes to Outputs: + devops_vm_id = (known after apply) + key_vault_name = (known after apply) + key_vault_uri = (known after apply) + redis_connection_secret_name = "redis-connection-string" + redis_connection_string = (sensitive value) + rg_name = (known after apply) + sql_db_connection_string = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) + web_app_name = (known after apply) + web_app_slot_name = "staging" + web_app_uri = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurecaf_name.bastion_host will be created + resource "azurecaf_name" "bastion_host" { + clean_input = true + id = (known after apply) + name = "hub-scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_bastion_host" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.firewall will be created + resource "azurecaf_name" "firewall" { + clean_input = true + id = (known after apply) + name = "hub-scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "hub-scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "hub-scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurecaf_name.vnet will be created + resource "azurecaf_name" "vnet" { + clean_input = true + id = (known after apply) + name = "hub-scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "wus3", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.hub will be created + resource "azurerm_resource_group" "hub" { + id = (known after apply) + location = "westus3" + name = (known after apply) + tags = { + "terraform" = "true" } } # module.bastion[0].azurecaf_name.bastion_pip will be created + resource "azurecaf_name" "bastion_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion will be created + resource "azurerm_bastion_host" "bastion" { + copy_paste_enabled = true + dns_name = (known after apply) + file_copy_enabled = false + id = (known after apply) + ip_connect_enabled = false + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + scale_units = 2 + shareable_link_enabled = false + sku = "Standard" + tunneling_enabled = true + ip_configuration { + name = "bastionHostIpConfiguration" + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.bastion[0].azurerm_public_ip.bastion_pip will be created + resource "azurerm_public_ip" "bastion_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.firewall[0].azurecaf_name.firewall_pip will be created + resource "azurecaf_name" "firewall_pip" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurerm_firewall.firewall will be created + resource "azurerm_firewall" "firewall" { + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + sku_name = "AZFW_VNet" + sku_tier = "Standard" + threat_intel_mode = (known after apply) + ip_configuration { + name = "firewallIpConfiguration" + private_ip_address = (known after apply) + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_monitor_diagnostic_setting.this will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.firewall[0].azurerm_public_ip.firewall_pip will be created + resource "azurerm_public_ip" "firewall_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureFirewallSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.242.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.242.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } Plan: 21 to add, 0 to change, 0 to destroy. Changes to Outputs: + bastion_name = (known after apply) + firewall_private_ip = (known after apply) + firewall_rules = {} + rg_name = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # azurecaf_name.appsvc_subnet will be created + resource "azurecaf_name" "appsvc_subnet" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.contributor_identity will be created + resource "azurecaf_name" "contributor_identity" { + clean_input = true + id = (known after apply) + name = "spoke-scenario1-contributor" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_subnet will be created + resource "azurecaf_name" "devops_subnet" { + clean_input = true + id = (known after apply) + name = "devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.devops_vm will be created + resource "azurecaf_name" "devops_vm" { + clean_input = true + id = (known after apply) + name = "spoke-scenario1-devops" + passthrough = false + random_length = 0 + resource_type = "azurerm_windows_virtual_machine" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # azurecaf_name.ingress_subnet will be created + resource "azurecaf_name" "ingress_subnet" { + clean_input = true + id = (known after apply) + name = "ingress" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurecaf_name.private_link_subnet will be created + resource "azurecaf_name" "private_link_subnet" { + clean_input = true + id = (known after apply) + name = "private-link" + passthrough = false + random_length = 0 + resource_type = "azurerm_subnet" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.reader_identity will be created + resource "azurecaf_name" "reader_identity" { + clean_input = true + id = (known after apply) + name = "spoke-scenario1-reader" + passthrough = false + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.resource_group will be created + resource "azurecaf_name" "resource_group" { + clean_input = true + id = (known after apply) + name = "spoke-scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "wus3", ] + use_slug = true } # azurecaf_name.spoke_network will be created + resource "azurecaf_name" "spoke_network" { + clean_input = true + id = (known after apply) + name = "spoke-scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus3" + name = (known after apply) + tags = { + "application-name" = "scenario1" + "environment" = "prod" + "terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + principal_id = (known after apply) + resource_group_name = (known after apply) + tenant_id = (known after apply) } # azurerm_virtual_network_peering.hub_to_spoke will be created + resource "azurerm_virtual_network_peering" "hub_to_spoke" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-scenario1" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-wus2" + use_remote_gateways = false + virtual_network_name = "vnet-hub-wus2" } # azurerm_virtual_network_peering.spoke_to_hub will be created + resource "azurerm_virtual_network_peering" "spoke_to_hub" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-scenario1" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # random_integer.unique_id will be created + resource "random_integer" "unique_id" { + id = (known after apply) + max = 9999 + min = 1 + result = (known after apply) } # random_password.vm_admin_password will be created + resource "random_password" "vm_admin_password" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 16 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = true + upper = true } # random_password.vm_admin_username will be created + resource "random_password" "vm_admin_username" { + bcrypt_hash = (sensitive value) + id = (known after apply) + length = 10 + lower = true + min_lower = 0 + min_numeric = 0 + min_special = 0 + min_upper = 0 + number = true + numeric = true + result = (sensitive value) + special = false + upper = true } # module.app_configuration[0].azurecaf_name.app_config will be created + resource "azurecaf_name" "app_config" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_app_configuration" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.app_configuration[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus3" + name = (known after apply) + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = (known after apply) + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_insights.azurecaf_name.app_insights will be created + resource "azurecaf_name" "app_insights" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_insights.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + location = "westus3" + maximum_elastic_worker_count = (known after apply) + name = "asp-scenario1-win-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = (known after apply) + sku_name = "S1" + worker_count = 1 + zone_balancing_enabled = false } # module.devops_vm[0].data.azuread_user.vm_admin will be read during apply # (depends on a resource or a module with changes pending) <= data "azuread_user" "vm_admin" { + account_enabled = (known after apply) + age_group = (known after apply) + business_phones = (known after apply) + city = (known after apply) + company_name = (known after apply) + consent_provided_for_minor = (known after apply) + cost_center = (known after apply) + country = (known after apply) + creation_type = (known after apply) + department = (known after apply) + display_name = (known after apply) + division = (known after apply) + employee_id = (known after apply) + employee_type = (known after apply) + external_user_state = (known after apply) + fax_number = (known after apply) + given_name = (known after apply) + id = (known after apply) + im_addresses = (known after apply) + job_title = (known after apply) + mail = (known after apply) + mail_nickname = (known after apply) + manager_id = (known after apply) + mobile_phone = (known after apply) + object_id = (known after apply) + office_location = (known after apply) + onpremises_distinguished_name = (known after apply) + onpremises_domain_name = (known after apply) + onpremises_immutable_id = (known after apply) + onpremises_sam_account_name = (known after apply) + onpremises_security_identifier = (known after apply) + onpremises_sync_enabled = (known after apply) + onpremises_user_principal_name = (known after apply) + other_mails = (known after apply) + postal_code = (known after apply) + preferred_language = (known after apply) + proxy_addresses = (known after apply) + show_in_address_list = (known after apply) + state = (known after apply) + street_address = (known after apply) + surname = (known after apply) + usage_location = (known after apply) + user_principal_name = "jinle@microsoft.com" + user_type = (known after apply) } # module.devops_vm[0].azurerm_network_interface.vm_nic will be created + resource "azurerm_network_interface" "vm_nic" { + applied_dns_servers = (known after apply) + dns_servers = (known after apply) + enable_accelerated_networking = false + enable_ip_forwarding = false + id = (known after apply) + internal_dns_name_label = (known after apply) + internal_domain_name_suffix = (known after apply) + location = "westus3" + mac_address = (known after apply) + name = (known after apply) + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + resource_group_name = (known after apply) + virtual_machine_id = (known after apply) + ip_configuration { + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + name = (known after apply) + primary = (known after apply) + private_ip_address = (known after apply) + private_ip_address_allocation = "Dynamic" + private_ip_address_version = "IPv4" + subnet_id = (known after apply) } } # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment will be created + resource "azurerm_role_assignment" "vm_admin_role_assignment" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Virtual Machine Administrator Login" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.devops_vm[0].azurerm_windows_virtual_machine.vm will be created + resource "azurerm_windows_virtual_machine" "vm" { + admin_password = (sensitive value) + admin_username = (sensitive value) + allow_extension_operations = true + computer_name = (known after apply) + enable_automatic_updates = true + extensions_time_budget = "PT1H30M" + hotpatching_enabled = false + id = (known after apply) + location = "westus3" + max_bid_price = -1 + name = (known after apply) + network_interface_ids = (known after apply) + patch_assessment_mode = "ImageDefault" + patch_mode = "AutomaticByOS" + platform_fault_domain = -1 + priority = "Regular" + private_ip_address = (known after apply) + private_ip_addresses = (known after apply) + provision_vm_agent = true + public_ip_address = (known after apply) + public_ip_addresses = (known after apply) + resource_group_name = (known after apply) + size = "Standard_B2ms" + virtual_machine_id = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + os_disk { + caching = "ReadWrite" + disk_size_gb = (known after apply) + name = (known after apply) + storage_account_type = "Standard_LRS" + write_accelerator_enabled = false } + source_image_reference { + offer = "windows-11" + publisher = "MicrosoftWindowsDesktop" + sku = "win11-22h2-pro" + version = "latest" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.aad[0] will be created + resource "azurerm_virtual_machine_extension" "aad" { + auto_upgrade_minor_version = true + failure_suppression_enabled = false + id = (known after apply) + name = "aad-login-for-windows" + publisher = "Microsoft.Azure.ActiveDirectory" + settings = <<-EOT { "mdmId": "0000000a-0000-0000-c000-000000000000" } EOT + type = "AADLoginForWindows" + type_handler_version = "1.0" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.devops_vm_extension[0].azurerm_virtual_machine_extension.post_deployment will be created + resource "azurerm_virtual_machine_extension" "post_deployment" { + failure_suppression_enabled = false + id = (known after apply) + name = "post_deployment" + protected_settings = (sensitive value) + publisher = "Microsoft.Compute" + type = "CustomScriptExtension" + type_handler_version = "1.10" + virtual_machine_id = (known after apply) + timeouts { + create = "60m" + delete = "5m" } } # module.front_door.azurecaf_name.frontdoor will be created + resource "azurecaf_name" "frontdoor" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_cdn_frontdoor_profile" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = (known after apply) + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = (known after apply) + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.key_vault will be created + resource "azurecaf_name" "key_vault" { + clean_input = true + id = (known after apply) + name = "appsvc" + passthrough = false + random_length = 0 + resource_type = "azurerm_key_vault" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.key_vault.azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus3" + name = (known after apply) + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = (known after apply) + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "environment" = "prod" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = (known after apply) + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this[0] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[3] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.private_dns_zones.azurerm_private_dns_zone.this[4] will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.redis.cache.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "rg-hub-wus2" } # module.redis_cache[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.redis_cache[0].azurecaf_name.redis_cache will be created + resource "azurecaf_name" "redis_cache" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_redis_cache" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.redis_cache[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.redis.cache.windows.net" } # module.redis_cache[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "redisCache", ] } } # module.redis_cache[0].azurerm_redis_cache.this will be created + resource "azurerm_redis_cache" "this" { + capacity = 2 + enable_non_ssl_port = false + family = "C" + hostname = (known after apply) + id = (known after apply) + location = "westus3" + minimum_tls_version = "1.2" + name = (known after apply) + port = (known after apply) + primary_access_key = (sensitive value) + primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) + public_network_access_enabled = false + redis_version = (known after apply) + replicas_per_master = (known after apply) + replicas_per_primary = (known after apply) + resource_group_name = (known after apply) + secondary_access_key = (sensitive value) + secondary_connection_string = (sensitive value) + sku_name = "Standard" + ssl_port = (known after apply) + tags = { + "environment" = "prod" } + redis_configuration { + enable_authentication = true + maxclients = (known after apply) + maxfragmentationmemory_reserved = (known after apply) + maxmemory_delta = (known after apply) + maxmemory_policy = "volatile-lru" + maxmemory_reserved = (known after apply) } } # module.sql_database[0].azurecaf_name.private_endpoint will be created + resource "azurecaf_name" "private_endpoint" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.sql_database[0].azurecaf_name.sql_server will be created + resource "azurecaf_name" "sql_server" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + random_length = 0 + resource_type = "azurerm_mssql_server" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = (known after apply) + use_slug = true } # module.sql_database[0].azurerm_mssql_database.this[0] will be created + resource "azurerm_mssql_database" "this" { + auto_pause_delay_in_minutes = (known after apply) + collation = (known after apply) + create_mode = "Default" + creation_source_database_id = (known after apply) + geo_backup_enabled = true + id = (known after apply) + ledger_enabled = (known after apply) + license_type = (known after apply) + maintenance_configuration_name = (known after apply) + max_size_gb = (known after apply) + min_capacity = (known after apply) + name = "sample-db" + read_replica_count = (known after apply) + read_scale = (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) + server_id = (known after apply) + sku_name = "S0" + storage_account_type = "Geo" + transparent_data_encryption_enabled = true + zone_redundant = (known after apply) } # module.sql_database[0].azurerm_mssql_server.this will be created + resource "azurerm_mssql_server" "this" { + administrator_login = (known after apply) + connection_policy = "Default" + fully_qualified_domain_name = (known after apply) + id = (known after apply) + location = "westus3" + minimum_tls_version = "1.2" + name = (known after apply) + outbound_network_restriction_enabled = false + primary_user_assigned_identity_id = (known after apply) + public_network_access_enabled = false + resource_group_name = (known after apply) + restorable_dropped_database_ids = (known after apply) + tags = { + "environment" = "prod" } + version = "12.0" + azuread_administrator { + azuread_authentication_only = true + login_username = "AppSvcLZA Azure AD SQL Admins" + object_id = "bda41c64-1493-4d8d-b4b5-7135159d4884" + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" } } # module.sql_database[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.database.windows.net" } # module.sql_database[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sqlServer", ] } } # module.user_defined_routes[0].azurecaf_name.route_table will be created + resource "azurecaf_name" "route_table" { + clean_input = true + id = (known after apply) + name = "egress-lockdown" + passthrough = false + random_length = 0 + resource_type = "azurerm_route_table" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.user_defined_routes[0].azurerm_route.this[0] will be created + resource "azurerm_route" "this" { + address_prefix = "0.0.0.0/0" + id = (known after apply) + name = "defaultRoute" + next_hop_in_ip_address = "10.242.0.4" + next_hop_type = "VirtualAppliance" + resource_group_name = (known after apply) + route_table_name = (known after apply) } # module.user_defined_routes[0].azurerm_route_table.this will be created + resource "azurerm_route_table" "this" { + disable_bgp_route_propagation = false + id = (known after apply) + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + route = (known after apply) + subnets = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[0] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[1] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[2] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.user_defined_routes[0].azurerm_subnet_route_table_association.this[3] will be created + resource "azurerm_subnet_route_table_association" "this" { + id = (known after apply) + route_table_id = (known after apply) + subnet_id = (known after apply) } # module.app_service.module.windows_web_app[0].azurecaf_name.slot will be created + resource "azurecaf_name" "slot" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurecaf_name.webapp will be created + resource "azurecaf_name" "webapp" { + clean_input = true + id = (known after apply) + name = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.app_service.module.windows_web_app[0].azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = (known after apply) + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "AllLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this will be created + resource "azurerm_windows_web_app" "this" { + app_settings = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + location = "westus3" + name = (known after apply) + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + resource_group_name = (known after apply) + service_plan_id = (known after apply) + site_credential = (sensitive value) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + linux_fx_version = (known after apply) + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } + sticky_settings { + app_setting_names = [ + "APPINSIGHTS_INSTRUMENTATIONKEY", + "APPINSIGHTS_PROFILERFEATURE_VERSION", + "APPINSIGHTS_SNAPSHOTFEATURE_VERSION", + "APPLICATIONINSIGHTS_CONNECTION_STRING", + "ApplicationInsightsAgent_EXTENSION_VERSION", + "DiagnosticServices_EXTENSION_VERSION", + "InstrumentationEngine_EXTENSION_VERSION", + "SnapshotDebugger_EXTENSION_VERSION", + "XDT_MicrosoftApplicationInsights_BaseExtensions", + "XDT_MicrosoftApplicationInsights_Java", + "XDT_MicrosoftApplicationInsights_Mode", + "XDT_MicrosoftApplicationInsights_NodeJS", + "XDT_MicrosoftApplicationInsights_PreemptSdk", ] } } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot will be created + resource "azurerm_windows_web_app_slot" "slot" { + app_service_id = (known after apply) + client_affinity_enabled = false + client_certificate_enabled = false + client_certificate_mode = "Required" + custom_domain_verification_id = (sensitive value) + default_hostname = (known after apply) + enabled = true + https_only = true + id = (known after apply) + key_vault_reference_identity_id = (known after apply) + kind = (known after apply) + name = "staging" + outbound_ip_address_list = (known after apply) + outbound_ip_addresses = (known after apply) + possible_outbound_ip_address_list = (known after apply) + possible_outbound_ip_addresses = (known after apply) + site_credential = (sensitive value) + virtual_network_subnet_id = (known after apply) + zip_deploy_file = (known after apply) + identity { + identity_ids = (known after apply) + principal_id = (known after apply) + tenant_id = (known after apply) + type = "UserAssigned" } + site_config { + always_on = true + auto_heal_enabled = false + container_registry_use_managed_identity = false + default_documents = (known after apply) + detailed_error_logging_enabled = (known after apply) + ftps_state = "Disabled" + health_check_eviction_time_in_min = (known after apply) + http2_enabled = false + load_balancing_mode = "LeastRequests" + local_mysql_enabled = false + managed_pipeline_mode = "Integrated" + minimum_tls_version = "1.2" + remote_debugging_enabled = false + remote_debugging_version = (known after apply) + scm_minimum_tls_version = "1.2" + scm_type = (known after apply) + scm_use_main_ip_restriction = false + use_32_bit_worker = false + vnet_route_all_enabled = true + websockets_enabled = false + windows_fx_version = (known after apply) + worker_count = (known after apply) + application_stack { + current_stack = "dotnet" + dotnet_version = "v6.0" + java_embedded_server_enabled = (known after apply) + java_version = "17" + php_version = "Off" + python = false + python_version = (known after apply) } } } # module.app_service.module.windows_web_app[0].null_resource.service_plan will be created + resource "null_resource" "service_plan" { + id = (known after apply) + triggers = { + "service_plan_name" = "asp-scenario1-win-prod" + "service_plan_os" = "Windows" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app will be created + resource "azurerm_cdn_frontdoor_endpoint" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + enabled = true + host_name = (known after apply) + id = (known after apply) + name = (known after apply) } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app will be created + resource "azurerm_cdn_frontdoor_origin" "web_app" { + cdn_frontdoor_origin_group_id = (known after apply) + certificate_name_check_enabled = true + enabled = true + health_probes_enabled = (known after apply) + host_name = (known after apply) + http_port = 80 + https_port = 443 + id = (known after apply) + name = (known after apply) + origin_host_header = (known after apply) + priority = 1 + weight = 1000 + private_link { + location = "westus3" + private_link_target_id = (known after apply) + request_message = "Request access for CDN Frontdoor Private Link Origin to Web App 2" + target_type = "sites" } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app will be created + resource "azurerm_cdn_frontdoor_origin_group" "web_app" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = (known after apply) + restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10 + session_affinity_enabled = false + health_probe { + interval_in_seconds = 100 + path = "/" + protocol = "Https" + request_type = "HEAD" } + load_balancing { + additional_latency_in_milliseconds = 0 + sample_size = 16 + successful_samples_required = 3 } } # module.front_door.module.endpoint[0].azurerm_cdn_frontdoor_route.web_app will be created + resource "azurerm_cdn_frontdoor_route" "web_app" { + cdn_frontdoor_endpoint_id = (known after apply) + cdn_frontdoor_origin_group_id = (known after apply) + cdn_frontdoor_origin_ids = (known after apply) + enabled = true + forwarding_protocol = "HttpsOnly" + https_redirect_enabled = true + id = (known after apply) + link_to_default_domain = true + name = (known after apply) + patterns_to_match = [ + "/*", ] + supported_protocols = [ + "Http", + "Https", ] } # module.front_door.module.endpoint[0].null_resource.web_app will be created + resource "null_resource" "web_app" { + id = (known after apply) + triggers = { + "private_link_target_type" = "sites" } } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[0].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[1].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[2].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[3].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "rg-hub-wus2" + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-wus2/providers/Microsoft.Network/virtualNetworks/vnet-hub-wus2" } # module.private_dns_zones.module.private_dns_zone_vnet_link[4].azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = "privatelink.redis.cache.windows.net" + registration_enabled = false + resource_group_name = "rg-hub-wus2" + virtual_network_id = (known after apply) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites", ] } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + resource_group_name = "rg-hub-wus2" + ttl = 300 + zone_name = "privatelink.azurewebsites.net" } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = (known after apply) + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = (known after apply) + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "sites-staging", ] } } Plan: 101 to add, 0 to change, 0 to destroy. Changes to Outputs: + devops_vm_id = (known after apply) + key_vault_name = (known after apply) + key_vault_uri = (known after apply) + redis_connection_secret_name = "redis-connection-string" + redis_connection_string = (sensitive value) + rg_name = (known after apply) + sql_db_connection_string = (known after apply) + vnet_id = (known after apply) + vnet_name = (known after apply) + web_app_name = (known after apply) + web_app_slot_name = "staging" + web_app_uri = (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod|cfdp-scenario1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "cfdp-scenario1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (3 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod|cfdp-scenario1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "cfdp-scenario1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (3 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # azurerm_subnet.vnetSpokeSubnet will be updated in-place ~ resource "azurerm_subnet" "vnetSpokeSubnet" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rgtf-networking-sec-baseline-sgl-dev-westus2-001/providers/Microsoft.Network/virtualNetworks/vnet-spoke-sec-baseline-sgl-dev-westus2-001/subnets/snet-ase-sec-baseline-sgl-dev-westus2-001" name = "snet-ase-sec-baseline-sgl-dev-westus2-001" # (9 unchanged attributes hidden) ~ delegation { name = "hostingEnvironment" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @ibersanoMS, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod|cfdp-scenario1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "cfdp-scenario1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (3 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ```

Pusher: @ibersanoMS, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

[github-actions[bot]]

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

``` No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. ```

Pusher: @ibersanoMS, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline