Azure / appservice-landing-zone-accelerator

The Azure App Service landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure App Service at scale.
https://build.microsoft.com/en-US/sessions/58f92fab-3298-444d-b215-6b93219cd5d7?source=sessions
MIT License

Feature/terraform-refactor for scenario 1 #165

Closed JinLee794 closed 1 year ago

JinLee794 commented 1 year ago

Description

Refactored Terraform hub/spoke configurations:

Type of Change

Please delete options that are not relevant.

Checklist

github-actions[bot] commented 1 year ago

Terraform Plan failed

Plan Error Output
```
Error: Unsupported attribute

  on ../../../../shared/terraform-modules/network/module.tf line 5, in resource "azurecaf_name" "caf_name_vnet":
   5:   suffixes = var.global_settings.suffixes
    ├────────────────
    │ var.global_settings is object with 7 attributes

This object does not have an attribute named "suffixes".
```
*Pusher: @JinLee794, Action: `pull_request`, Working Directory: `scenarios/secure-baseline-multitenant/terraform/solutions/hub`, Workflow: `Scenario 1: Terraform HUB Multi-tenant Secure Baseline`*
github-actions[bot] commented 1 year ago

Terraform Plan failed

Plan Error Output
```
Error: Unsupported attribute

  on ../../../../shared/terraform-modules/network/module.tf line 5, in resource "azurecaf_name" "caf_name_vnet":
   5:   suffixes = var.global_settings.suffixes
    ├────────────────
    │ var.global_settings is object with 7 attributes

This object does not have an attribute named "suffixes".
```
*Pusher: @JinLee794, Action: `pull_request`, Working Directory: `scenarios/secure-baseline-multitenant/terraform/solutions/hub`, Workflow: `Scenario 1: Terraform HUB Multi-tenant Secure Baseline`*
github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create - destroy -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.bastion_host will be destroyed # (because azurecaf_name.bastion_host is not in configuration) - resource "azurecaf_name" "bastion_host" { - clean_input = true -> null - id = "gggewsruqgiwnjwa" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_bastion_host" -> null - result = "bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.caf_name_hub_rg will be created + resource "azurecaf_name" "caf_name_hub_rg" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.firewall will be destroyed # (because azurecaf_name.firewall is not in configuration) - resource "azurecaf_name" "firewall" { - clean_input = true -> null - id = "atqhstfaibxdnjav" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_firewall" -> null - result = "fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.law will be destroyed # (because azurecaf_name.law is not in configuration) - resource "azurecaf_name" "law" { - clean_input = true -> null - id = "fqnobcgpjpovkway" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_log_analytics_workspace" 
-> null - result = "log-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.resource_group will be destroyed # (because azurecaf_name.resource_group is not in configuration) - resource "azurecaf_name" "resource_group" { - clean_input = true -> null - id = "sdhamjahaycopevr" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_resource_group" -> null - result = "rg-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.vnet will be destroyed # (because azurecaf_name.vnet is not in configuration) - resource "azurecaf_name" "vnet" { - clean_input = true -> null - id = "eayygfcnmpfqsowx" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_virtual_network" -> null - result = "vnet-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurerm_log_analytics_workspace.law will be destroyed # (because azurerm_log_analytics_workspace.law is not in configuration) - resource "azurerm_log_analytics_workspace" "law" { - allow_resource_only_permissions = true -> null - cmk_for_query_forced = false -> null - daily_quota_gb = -1 -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> null - internet_ingestion_enabled = true -> null - internet_query_enabled = true -> null - local_authentication_disabled = false -> null - location = "westus3" -> null - name = "log-hub-scenario1-wus3" -> null - primary_shared_key = (sensitive value) -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - retention_in_days = 30 -> null 
- secondary_shared_key = (sensitive value) -> null - sku = "PerGB2018" -> null - tags = {} -> null - workspace_id = "2b9150ce-64a2-4a6d-885e-cd7dfd9e8153" -> null } # azurerm_resource_group.hub must be replaced -/+ resource "azurerm_resource_group" "hub" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3" -> (known after apply) ~ name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" - "terraform" = "true" -> null } # (1 unchanged attribute hidden) } # module.bastion[0].azurecaf_name.bastion_pip will be destroyed # (because azurecaf_name.bastion_pip is not in configuration) - resource "azurecaf_name" "bastion_pip" { - clean_input = true -> null - id = "qwntecdiprlwaonl" -> null - name = "bast-hub-scenario1-wus3" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = "pip-bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # module.bastion[0].azurecaf_name.caf_name_bastion will be created + resource "azurecaf_name" "caf_name_bastion" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after 
apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-69efc60e-54e0-4ac8-b44f-4347f67dc108.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/bastionHosts/bast-hub-scenario1-wus3" -> (known after apply) ~ name = "bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } # (8 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.65" -> (known after apply) - ip_tags = {} -> null ~ name = "pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ 
resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_firewall will be created + resource "azurecaf_name" "caf_name_firewall" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_law[0] will be created + resource "azurecaf_name" "caf_name_law" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.firewall_pip will be destroyed # (because azurecaf_name.firewall_pip is not in configuration) - resource "azurecaf_name" "firewall_pip" { - clean_input = true -> null - id = "buncvpcbdyqgwdik" -> null - name = "fw-hub-scenario1-wus3" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = 
"pip-fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # module.firewall[0].azurerm_firewall.firewall must be replaced -/+ resource "azurerm_firewall" "firewall" { - dns_servers = [] -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - private_ip_ranges = [] -> null ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } ~ threat_intel_mode = "Alert" -> (known after apply) - zones = [] -> null # (3 unchanged attributes hidden) ~ ip_configuration { name = "firewallIpConfiguration" ~ private_ip_address = "10.242.0.4" -> (known after apply) ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "azure_monitor" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) name = "Azure-Monitor-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-monitor" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.core must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "core" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) name = "Core-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-core-apis" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-developer-services" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-certificate-dependencies" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> 
(known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) name = "Devops-VM-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-ad-join" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-vm-dependencies-and-tools" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) name = "Windows-VM-Connectivity-Requirements" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-kms-activation" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-ntp" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } } # module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created + resource "azurerm_log_analytics_workspace" 
"law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3|fw-hub-scenario1-wus3-diagnostic-settings" -> (known after apply) ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply) ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced -/+ resource "azurerm_public_ip" "firewall_pip" { + fqdn = (known after apply) ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.42" -> (known after apply) - ip_tags = {} -> null ~ name = "pip-fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.network.azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" -> (known after apply) name = "AzureFirewallSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> 
null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" -> (known after apply) name = "AzureBastionSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "a57f2f5c-bf2d-4771-b21e-44bd81de7186" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.242.0.0/26" - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" - name = "AzureFirewallSubnet" - security_group = "" }, - { - address_prefix = "10.242.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" - name = "AzureBastionSubnet" - security_group = "" }, ] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } # (2 unchanged attributes hidden) } Plan: 21 to add, 0 to change, 21 to destroy. Changes to Outputs: ~ bastion_name = "bast-hub-scenario1-wus3" -> (known after apply) ~ firewall_private_ip = "10.242.0.4" -> (known after apply) ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) 
} ~ rg_name = "rg-hub-scenario1-wus3" -> (known after apply) ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ vnet_name = "vnet-hub-scenario1-wus3" -> (known after apply) ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/59546580-b26c-4175-bf39-cb4ce2774f83/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create - destroy -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.bastion_host will be destroyed # (because azurecaf_name.bastion_host is not in configuration) - resource "azurecaf_name" "bastion_host" { - clean_input = true -> null - id = "gggewsruqgiwnjwa" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_bastion_host" -> null - result = "bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.caf_name_hub_rg will be created + resource "azurecaf_name" "caf_name_hub_rg" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.firewall will be destroyed # (because azurecaf_name.firewall is not in configuration) - resource "azurecaf_name" "firewall" { - clean_input = true -> null - id = "atqhstfaibxdnjav" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_firewall" -> null - result = "fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.law will be destroyed # (because azurecaf_name.law is not in configuration) - resource "azurecaf_name" "law" { - clean_input = true -> null - id = "fqnobcgpjpovkway" -> null - name = "hub-scenario1" -> null - 
passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_log_analytics_workspace" -> null - result = "log-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.resource_group will be destroyed # (because azurecaf_name.resource_group is not in configuration) - resource "azurecaf_name" "resource_group" { - clean_input = true -> null - id = "sdhamjahaycopevr" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_resource_group" -> null - result = "rg-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.vnet will be destroyed # (because azurecaf_name.vnet is not in configuration) - resource "azurecaf_name" "vnet" { - clean_input = true -> null - id = "eayygfcnmpfqsowx" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_virtual_network" -> null - result = "vnet-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurerm_log_analytics_workspace.law will be destroyed # (because azurerm_log_analytics_workspace.law is not in configuration) - resource "azurerm_log_analytics_workspace" "law" { - allow_resource_only_permissions = true -> null - cmk_for_query_forced = false -> null - daily_quota_gb = -1 -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> null - internet_ingestion_enabled = true -> null - internet_query_enabled = true -> null - local_authentication_disabled = false -> null - location = "westus3" -> null - name = "log-hub-scenario1-wus3" -> null - primary_shared_key = 
(sensitive value) -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - retention_in_days = 30 -> null - secondary_shared_key = (sensitive value) -> null - sku = "PerGB2018" -> null - tags = {} -> null - workspace_id = "2b9150ce-64a2-4a6d-885e-cd7dfd9e8153" -> null } # azurerm_resource_group.hub must be replaced -/+ resource "azurerm_resource_group" "hub" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3" -> (known after apply) ~ name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" - "terraform" = "true" -> null } # (1 unchanged attribute hidden) } # module.bastion[0].azurecaf_name.bastion_pip will be destroyed # (because azurecaf_name.bastion_pip is not in configuration) - resource "azurecaf_name" "bastion_pip" { - clean_input = true -> null - id = "qwntecdiprlwaonl" -> null - name = "bast-hub-scenario1-wus3" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = "pip-bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # module.bastion[0].azurecaf_name.caf_name_bastion will be created + resource "azurecaf_name" "caf_name_bastion" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + 
random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-69efc60e-54e0-4ac8-b44f-4347f67dc108.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/bastionHosts/bast-hub-scenario1-wus3" -> (known after apply) ~ name = "bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } # (8 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.65" -> (known after apply) - ip_tags = {} -> null ~ name = 
"pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_firewall will be created + resource "azurecaf_name" "caf_name_firewall" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_law[0] will be created + resource "azurecaf_name" "caf_name_law" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.firewall_pip will be destroyed # (because azurecaf_name.firewall_pip is not in configuration) - resource "azurecaf_name" "firewall_pip" { - clean_input = true -> null - id = "buncvpcbdyqgwdik" -> null - name = "fw-hub-scenario1-wus3" -> null - passthrough = 
false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = "pip-fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # module.firewall[0].azurerm_firewall.firewall must be replaced -/+ resource "azurerm_firewall" "firewall" { - dns_servers = [] -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - private_ip_ranges = [] -> null ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } ~ threat_intel_mode = "Alert" -> (known after apply) - zones = [] -> null # (3 unchanged attributes hidden) ~ ip_configuration { name = "firewallIpConfiguration" ~ private_ip_address = "10.242.0.4" -> (known after apply) ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "azure_monitor" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) name = "Azure-Monitor-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-monitor" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.core must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "core" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) name = "Core-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-core-apis" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-developer-services" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-certificate-dependencies" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> 
(known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) name = "Devops-VM-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-ad-join" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-vm-dependencies-and-tools" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) name = "Windows-VM-Connectivity-Requirements" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-kms-activation" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-ntp" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } } # module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created + resource "azurerm_log_analytics_workspace" 
"law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3|fw-hub-scenario1-wus3-diagnostic-settings" -> (known after apply) ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply) ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced -/+ resource "azurerm_public_ip" "firewall_pip" { + fqdn = (known after apply) ~ id = 
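Review bot: The workspace planned at `module.firewall[0].azurerm_log_analytics_workspace.law[0]` is created with `internet_ingestion_enabled = true`, `internet_query_enabled = true` and `local_authentication_disabled = false`, so the store that receives the hub firewall's diagnostics accepts ingestion and queries over public networks and still honours the workspace shared keys. The workspace being destroyed shows the same three values, so the refactor carries them over rather than introducing them. For a secure-baseline hub I would set `local_authentication_disabled = true` in the firewall module where nothing depends on the shared keys, and turn both `internet_*` flags off if an Azure Monitor Private Link Scope is available. `retention_in_days` also goes from `30` to `(known after apply)`, which suggests the module no longer sets it; pinning it explicitly keeps the retention period a reviewed value. Because the old workspace is destroyed and not moved, the firewall logs it holds would presumably be lost on apply unless they are exported first.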
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.42" -> (known after apply) - ip_tags = {} -> null ~ name = "pip-fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.network.azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" -> (known after apply) name = "AzureFirewallSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> 
null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" -> (known after apply) name = "AzureBastionSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "a57f2f5c-bf2d-4771-b21e-44bd81de7186" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.242.0.0/26" - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" - name = "AzureFirewallSubnet" - security_group = "" }, - { - address_prefix = "10.242.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" - name = "AzureBastionSubnet" - security_group = "" }, ] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } # (2 unchanged attributes hidden) } Plan: 21 to add, 0 to change, 21 to destroy. Changes to Outputs: ~ bastion_name = "bast-hub-scenario1-wus3" -> (known after apply) ~ firewall_private_ip = "10.242.0.4" -> (known after apply) ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) 
} ~ rg_name = "rg-hub-scenario1-wus3" -> (known after apply) ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ vnet_name = "vnet-hub-scenario1-wus3" -> (known after apply) ::debug::Terraform exited with code 0. ::debug::stdout: %0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A - destroy%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # azurecaf_name.bastion_host will be destroyed%0A # (because azurecaf_name.bastion_host is not in configuration)%0A - resource "azurecaf_name" "bastion_host" {%0A - clean_input = true -> null%0A - id = "gggewsruqgiwnjwa" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_bastion_host" -> null%0A - result = "bast-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.caf_name_hub_rg will be created%0A + resource "azurecaf_name" "caf_name_hub_rg" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_resource_group"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # azurecaf_name.firewall will be destroyed%0A # (because azurecaf_name.firewall is not in configuration)%0A - resource "azurecaf_name" "firewall" {%0A - clean_input = true -> null%0A - id = "atqhstfaibxdnjav" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type 
= "azurerm_firewall" -> null%0A - result = "fw-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.law will be destroyed%0A # (because azurecaf_name.law is not in configuration)%0A - resource "azurecaf_name" "law" {%0A - clean_input = true -> null%0A - id = "fqnobcgpjpovkway" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_log_analytics_workspace" -> null%0A - result = "log-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.resource_group will be destroyed%0A # (because azurecaf_name.resource_group is not in configuration)%0A - resource "azurecaf_name" "resource_group" {%0A - clean_input = true -> null%0A - id = "sdhamjahaycopevr" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_resource_group" -> null%0A - result = "rg-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.vnet will be destroyed%0A # (because azurecaf_name.vnet is not in configuration)%0A - resource "azurecaf_name" "vnet" {%0A - clean_input = true -> null%0A - id = "eayygfcnmpfqsowx" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_virtual_network" -> null%0A - result = "vnet-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurerm_log_analytics_workspace.law will be destroyed%0A # (because azurerm_log_analytics_workspace.law is not 
in configuration)%0A - resource "azurerm_log_analytics_workspace" "law" {%0A - allow_resource_only_permissions = true -> null%0A - cmk_for_query_forced = false -> null%0A - daily_quota_gb = -1 -> null%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> null%0A - internet_ingestion_enabled = true -> null%0A - internet_query_enabled = true -> null%0A - local_authentication_disabled = false -> null%0A - location = "westus3" -> null%0A - name = "log-hub-scenario1-wus3" -> null%0A - primary_shared_key = (sensitive value) -> null%0A - resource_group_name = "rg-hub-scenario1-wus3" -> null%0A - retention_in_days = 30 -> null%0A - secondary_shared_key = (sensitive value) -> null%0A - sku = "PerGB2018" -> null%0A - tags = {} -> null%0A - workspace_id = "2b9150ce-64a2-4a6d-885e-cd7dfd9e8153" -> null%0A }%0A%0A # azurerm_resource_group.hub must be replaced%0A-/+ resource "azurerm_resource_group" "hub" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A - "terraform" = "true" -> null%0A }%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.bastion[0].azurecaf_name.bastion_pip will be destroyed%0A # (because azurecaf_name.bastion_pip is not in configuration)%0A - resource "azurecaf_name" "bastion_pip" {%0A - clean_input = true -> null%0A - id = "qwntecdiprlwaonl" -> null%0A - name = "bast-hub-scenario1-wus3" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_public_ip" -> null%0A - result = "pip-bast-hub-scenario1-wus3" -> null%0A - results = {} -> 
null%0A - separator = "-" -> null%0A - use_slug = true -> null%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_bastion will be created%0A + resource "azurecaf_name" "caf_name_bastion" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip will be created%0A + resource "azurecaf_name" "caf_name_pip" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_public_ip"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-69efc60e-54e0-4ac8-b44f-4347f67dc108.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/bastionHosts/bast-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "bastion"%0A }%0A # (8 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" -> (known after apply)%0A ~ ip_address = "20.25.144.65" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_firewall will be created%0A + resource "azurecaf_name" "caf_name_firewall" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_firewall"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_law[0] will be created%0A + 
resource "azurecaf_name" "caf_name_law" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_log_analytics_workspace"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_pip will be created%0A + resource "azurecaf_name" "caf_name_pip" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_public_ip"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.firewall_pip will be destroyed%0A # (because azurecaf_name.firewall_pip is not in configuration)%0A - resource "azurecaf_name" "firewall_pip" {%0A - clean_input = true -> null%0A - id = "buncvpcbdyqgwdik" -> null%0A - name = "fw-hub-scenario1-wus3" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_public_ip" -> null%0A - result = "pip-fw-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - use_slug = true -> null%0A }%0A%0A # module.firewall[0].azurerm_firewall.firewall must be replaced%0A-/+ resource "azurerm_firewall" "firewall" {%0A - dns_servers = [] -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - private_ip_ranges = [] -> null%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces 
replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "firewall"%0A }%0A ~ threat_intel_mode = "Alert" -> (known after apply)%0A - zones = [] -> null%0A # (3 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "firewallIpConfiguration"%0A ~ private_ip_address = "10.242.0.4" -> (known after apply)%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply)%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor must be replaced%0A-/+ resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A name = "Azure-Monitor-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-azure-monitor"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core must be replaced%0A-/+ resource 
"azurerm_firewall_application_rule_collection" "core" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A name = "Core-Dependencies-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-core-apis"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-developer-services"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-certificate-dependencies"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops must be replaced%0A-/+ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A name = "Devops-VM-Dependencies-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-azure-ad-join"%0A - 
source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-vm-dependencies-and-tools"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops must be replaced%0A-/+ resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A name = "Windows-VM-Connectivity-Requirements"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - destination_fqdns = [] -> null%0A - destination_ip_groups = [] -> null%0A name = "allow-kms-activation"%0A - source_ip_groups = [] -> null%0A # (4 unchanged attributes hidden)%0A }%0A ~ rule {%0A - destination_fqdns = [] -> null%0A - destination_ip_groups = [] -> null%0A name = "allow-ntp"%0A - source_ip_groups = [] -> null%0A # (4 unchanged attributes hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created%0A + resource "azurerm_log_analytics_workspace" "law" {%0A + allow_resource_only_permissions = true%0A + daily_quota_gb = -1%0A + id = (known after apply)%0A + internet_ingestion_enabled = true%0A + internet_query_enabled = true%0A + local_authentication_disabled = false%0A + location = "westus3"%0A + name = (known after apply)%0A + primary_shared_key = (sensitive value)%0A + reservation_capacity_in_gb_per_day = (known after apply)%0A + resource_group_name = 
(known after apply)%0A + retention_in_days = (known after apply)%0A + secondary_shared_key = (sensitive value)%0A + sku = "PerGB2018"%0A + workspace_id = (known after apply)%0A }%0A%0A # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced%0A-/+ resource "azurerm_monitor_diagnostic_setting" "this" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3|fw-hub-scenario1-wus3-diagnostic-settings" -> (known after apply)%0A ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)%0A ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "fw-hub-scenario1-wus3-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement%0A ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A%0A - log {%0A - category_group = "allLogs" -> null%0A - enabled = true -> null%0A%0A - retention_policy {%0A - days = 0 -> null%0A - enabled = false -> null%0A }%0A }%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced%0A-/+ resource "azurerm_public_ip" "firewall_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply)%0A ~ ip_address = "20.25.144.42" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "pip-fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ 
resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "firewall"%0A }%0A - zones = [] -> null%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.network.azurecaf_name.caf_name_vnet will be created%0A + resource "azurecaf_name" "caf_name_vnet" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "prod",%0A ]%0A + use_slug = true%0A }%0A%0A # module.network.azurerm_subnet.this[0] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" -> (known after apply)%0A name = "AzureFirewallSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[1] must be replaced%0A-/+ 
resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" -> (known after apply)%0A name = "AzureBastionSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_virtual_network.this must be replaced%0A-/+ resource "azurerm_virtual_network" "this" {%0A ~ dns_servers = [] -> (known after apply)%0A - flow_timeout_in_minutes = 0 -> null%0A ~ guid = "a57f2f5c-bf2d-4771-b21e-44bd81de7186" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet = [%0A - {%0A - address_prefix = "10.242.0.0/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet"%0A - name = "AzureFirewallSubnet"%0A - security_group = ""%0A },%0A - {%0A - 
address_prefix = "10.242.0.64/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet"%0A - name = "AzureBastionSubnet"%0A - security_group = ""%0A },%0A ] -> (known after apply)%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "network"%0A }%0A # (2 unchanged attributes hidden)%0A }%0A%0APlan: 21 to add, 0 to change, 21 to destroy.%0A%0AChanges to Outputs:%0A ~ bastion_name = "bast-hub-scenario1-wus3" -> (known after apply)%0A ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ~ rg_name = "rg-hub-scenario1-wus3" -> (known after apply)%0A ~ vnet_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply)%0A ~ vnet_name = "vnet-hub-scenario1-wus3" -> (known after apply)%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/63ffb9f9-b845-4cd6-bd2d-7496a57c5a98/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create - destroy -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.bastion_host will be destroyed # (because azurecaf_name.bastion_host is not in configuration) - resource "azurecaf_name" "bastion_host" { - clean_input = true -> null - id = "gggewsruqgiwnjwa" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_bastion_host" -> null - result = "bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.caf_name_hub_rg will be created + resource "azurecaf_name" "caf_name_hub_rg" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.firewall will be destroyed # (because azurecaf_name.firewall is not in configuration) - resource "azurecaf_name" "firewall" { - clean_input = true -> null - id = "atqhstfaibxdnjav" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_firewall" -> null - result = "fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.law will be destroyed # (because azurecaf_name.law is not in configuration) - resource "azurecaf_name" "law" { - clean_input = true -> null - id = "fqnobcgpjpovkway" -> null - name = "hub-scenario1" -> null - 
passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_log_analytics_workspace" -> null - result = "log-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.resource_group will be destroyed # (because azurecaf_name.resource_group is not in configuration) - resource "azurecaf_name" "resource_group" { - clean_input = true -> null - id = "sdhamjahaycopevr" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_resource_group" -> null - result = "rg-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.vnet will be destroyed # (because azurecaf_name.vnet is not in configuration) - resource "azurecaf_name" "vnet" { - clean_input = true -> null - id = "eayygfcnmpfqsowx" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_virtual_network" -> null - result = "vnet-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurerm_log_analytics_workspace.law will be destroyed # (because azurerm_log_analytics_workspace.law is not in configuration) - resource "azurerm_log_analytics_workspace" "law" { - allow_resource_only_permissions = true -> null - cmk_for_query_forced = false -> null - daily_quota_gb = -1 -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> null - internet_ingestion_enabled = true -> null - internet_query_enabled = true -> null - local_authentication_disabled = false -> null - location = "westus3" -> null - name = "log-hub-scenario1-wus3" -> null - primary_shared_key = 
(sensitive value) -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - retention_in_days = 30 -> null - secondary_shared_key = (sensitive value) -> null - sku = "PerGB2018" -> null - tags = {} -> null - workspace_id = "2b9150ce-64a2-4a6d-885e-cd7dfd9e8153" -> null } # azurerm_resource_group.hub must be replaced -/+ resource "azurerm_resource_group" "hub" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3" -> (known after apply) ~ name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" - "terraform" = "true" -> null } # (1 unchanged attribute hidden) } # module.bastion[0].azurecaf_name.bastion_pip will be destroyed # (because azurecaf_name.bastion_pip is not in configuration) - resource "azurecaf_name" "bastion_pip" { - clean_input = true -> null - id = "qwntecdiprlwaonl" -> null - name = "bast-hub-scenario1-wus3" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = "pip-bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # module.bastion[0].azurecaf_name.caf_name_bastion will be created + resource "azurecaf_name" "caf_name_bastion" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + 
random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-69efc60e-54e0-4ac8-b44f-4347f67dc108.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/bastionHosts/bast-hub-scenario1-wus3" -> (known after apply) ~ name = "bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } # (8 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.65" -> (known after apply) - ip_tags = {} -> null ~ name = 
"pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_firewall will be created + resource "azurecaf_name" "caf_name_firewall" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_law[0] will be created + resource "azurecaf_name" "caf_name_law" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.firewall_pip will be destroyed # (because azurecaf_name.firewall_pip is not in configuration) - resource "azurecaf_name" "firewall_pip" { - clean_input = true -> null - id = "buncvpcbdyqgwdik" -> null - name = "fw-hub-scenario1-wus3" -> null - passthrough = 
false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = "pip-fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # module.firewall[0].azurerm_firewall.firewall must be replaced -/+ resource "azurerm_firewall" "firewall" { - dns_servers = [] -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - private_ip_ranges = [] -> null ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } ~ threat_intel_mode = "Alert" -> (known after apply) - zones = [] -> null # (3 unchanged attributes hidden) ~ ip_configuration { name = "firewallIpConfiguration" ~ private_ip_address = "10.242.0.4" -> (known after apply) ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "azure_monitor" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) name = "Azure-Monitor-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-monitor" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.core must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "core" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) name = "Core-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-core-apis" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-developer-services" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-certificate-dependencies" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> 
(known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) name = "Devops-VM-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-ad-join" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-vm-dependencies-and-tools" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) name = "Windows-VM-Connectivity-Requirements" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-kms-activation" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-ntp" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } } # module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created + resource "azurerm_log_analytics_workspace" 
"law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3|fw-hub-scenario1-wus3-diagnostic-settings" -> (known after apply) ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply) ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced -/+ resource "azurerm_public_ip" "firewall_pip" { + fqdn = (known after apply) ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.42" -> (known after apply) - ip_tags = {} -> null ~ name = "pip-fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.network.azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "appsvclza-scenario1" + passthrough = false + prefixes = [ + "hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" -> (known after apply) name = "AzureFirewallSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> 
null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" -> (known after apply) name = "AzureBastionSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "a57f2f5c-bf2d-4771-b21e-44bd81de7186" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.242.0.0/26" - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" - name = "AzureFirewallSubnet" - security_group = "" }, - { - address_prefix = "10.242.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" - name = "AzureBastionSubnet" - security_group = "" }, ] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } # (2 unchanged attributes hidden) } Plan: 21 to add, 0 to change, 21 to destroy. Changes to Outputs: ~ bastion_name = "bast-hub-scenario1-wus3" -> (known after apply) ~ firewall_private_ip = "10.242.0.4" -> (known after apply) ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) 
} ~ rg_name = "rg-hub-scenario1-wus3" -> (known after apply) ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ vnet_name = "vnet-hub-scenario1-wus3" -> (known after apply) ::debug::Terraform exited with code 0. ::debug::stdout: %0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A - destroy%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # azurecaf_name.bastion_host will be destroyed%0A # (because azurecaf_name.bastion_host is not in configuration)%0A - resource "azurecaf_name" "bastion_host" {%0A - clean_input = true -> null%0A - id = "gggewsruqgiwnjwa" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_bastion_host" -> null%0A - result = "bast-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.caf_name_hub_rg will be created%0A + resource "azurecaf_name" "caf_name_hub_rg" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_resource_group"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # azurecaf_name.firewall will be destroyed%0A # (because azurecaf_name.firewall is not in configuration)%0A - resource "azurecaf_name" "firewall" {%0A - clean_input = true -> null%0A - id = "atqhstfaibxdnjav" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type 
= "azurerm_firewall" -> null%0A - result = "fw-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.law will be destroyed%0A # (because azurecaf_name.law is not in configuration)%0A - resource "azurecaf_name" "law" {%0A - clean_input = true -> null%0A - id = "fqnobcgpjpovkway" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_log_analytics_workspace" -> null%0A - result = "log-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.resource_group will be destroyed%0A # (because azurecaf_name.resource_group is not in configuration)%0A - resource "azurecaf_name" "resource_group" {%0A - clean_input = true -> null%0A - id = "sdhamjahaycopevr" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_resource_group" -> null%0A - result = "rg-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.vnet will be destroyed%0A # (because azurecaf_name.vnet is not in configuration)%0A - resource "azurecaf_name" "vnet" {%0A - clean_input = true -> null%0A - id = "eayygfcnmpfqsowx" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_virtual_network" -> null%0A - result = "vnet-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurerm_log_analytics_workspace.law will be destroyed%0A # (because azurerm_log_analytics_workspace.law is not 
in configuration)%0A - resource "azurerm_log_analytics_workspace" "law" {%0A - allow_resource_only_permissions = true -> null%0A - cmk_for_query_forced = false -> null%0A - daily_quota_gb = -1 -> null%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> null%0A - internet_ingestion_enabled = true -> null%0A - internet_query_enabled = true -> null%0A - local_authentication_disabled = false -> null%0A - location = "westus3" -> null%0A - name = "log-hub-scenario1-wus3" -> null%0A - primary_shared_key = (sensitive value) -> null%0A - resource_group_name = "rg-hub-scenario1-wus3" -> null%0A - retention_in_days = 30 -> null%0A - secondary_shared_key = (sensitive value) -> null%0A - sku = "PerGB2018" -> null%0A - tags = {} -> null%0A - workspace_id = "2b9150ce-64a2-4a6d-885e-cd7dfd9e8153" -> null%0A }%0A%0A # azurerm_resource_group.hub must be replaced%0A-/+ resource "azurerm_resource_group" "hub" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A - "terraform" = "true" -> null%0A }%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.bastion[0].azurecaf_name.bastion_pip will be destroyed%0A # (because azurecaf_name.bastion_pip is not in configuration)%0A - resource "azurecaf_name" "bastion_pip" {%0A - clean_input = true -> null%0A - id = "qwntecdiprlwaonl" -> null%0A - name = "bast-hub-scenario1-wus3" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_public_ip" -> null%0A - result = "pip-bast-hub-scenario1-wus3" -> null%0A - results = {} -> 
null%0A - separator = "-" -> null%0A - use_slug = true -> null%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_bastion will be created%0A + resource "azurecaf_name" "caf_name_bastion" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip will be created%0A + resource "azurecaf_name" "caf_name_pip" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_public_ip"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-69efc60e-54e0-4ac8-b44f-4347f67dc108.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/bastionHosts/bast-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "bastion"%0A }%0A # (8 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" -> (known after apply)%0A ~ ip_address = "20.25.144.65" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_firewall will be created%0A + resource "azurecaf_name" "caf_name_firewall" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_firewall"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_law[0] will be created%0A + 
resource "azurecaf_name" "caf_name_law" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_log_analytics_workspace"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_pip will be created%0A + resource "azurecaf_name" "caf_name_pip" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_public_ip"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.firewall_pip will be destroyed%0A # (because azurecaf_name.firewall_pip is not in configuration)%0A - resource "azurecaf_name" "firewall_pip" {%0A - clean_input = true -> null%0A - id = "buncvpcbdyqgwdik" -> null%0A - name = "fw-hub-scenario1-wus3" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_public_ip" -> null%0A - result = "pip-fw-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - use_slug = true -> null%0A }%0A%0A # module.firewall[0].azurerm_firewall.firewall must be replaced%0A-/+ resource "azurerm_firewall" "firewall" {%0A - dns_servers = [] -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - private_ip_ranges = [] -> null%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces 
replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "firewall"%0A }%0A ~ threat_intel_mode = "Alert" -> (known after apply)%0A - zones = [] -> null%0A # (3 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "firewallIpConfiguration"%0A ~ private_ip_address = "10.242.0.4" -> (known after apply)%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply)%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor must be replaced%0A-/+ resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A name = "Azure-Monitor-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-azure-monitor"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core must be replaced%0A-/+ resource 
"azurerm_firewall_application_rule_collection" "core" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A name = "Core-Dependencies-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-core-apis"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-developer-services"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-certificate-dependencies"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops must be replaced%0A-/+ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A name = "Devops-VM-Dependencies-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-azure-ad-join"%0A - 
source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-vm-dependencies-and-tools"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops must be replaced%0A-/+ resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A name = "Windows-VM-Connectivity-Requirements"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - destination_fqdns = [] -> null%0A - destination_ip_groups = [] -> null%0A name = "allow-kms-activation"%0A - source_ip_groups = [] -> null%0A # (4 unchanged attributes hidden)%0A }%0A ~ rule {%0A - destination_fqdns = [] -> null%0A - destination_ip_groups = [] -> null%0A name = "allow-ntp"%0A - source_ip_groups = [] -> null%0A # (4 unchanged attributes hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created%0A + resource "azurerm_log_analytics_workspace" "law" {%0A + allow_resource_only_permissions = true%0A + daily_quota_gb = -1%0A + id = (known after apply)%0A + internet_ingestion_enabled = true%0A + internet_query_enabled = true%0A + local_authentication_disabled = false%0A + location = "westus3"%0A + name = (known after apply)%0A + primary_shared_key = (sensitive value)%0A + reservation_capacity_in_gb_per_day = (known after apply)%0A + resource_group_name = 
(known after apply)%0A + retention_in_days = (known after apply)%0A + secondary_shared_key = (sensitive value)%0A + sku = "PerGB2018"%0A + workspace_id = (known after apply)%0A }%0A%0A # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced%0A-/+ resource "azurerm_monitor_diagnostic_setting" "this" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3|fw-hub-scenario1-wus3-diagnostic-settings" -> (known after apply)%0A ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)%0A ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "fw-hub-scenario1-wus3-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement%0A ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A%0A - log {%0A - category_group = "allLogs" -> null%0A - enabled = true -> null%0A%0A - retention_policy {%0A - days = 0 -> null%0A - enabled = false -> null%0A }%0A }%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced%0A-/+ resource "azurerm_public_ip" "firewall_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply)%0A ~ ip_address = "20.25.144.42" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "pip-fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ 
resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "firewall"%0A }%0A - zones = [] -> null%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.network.azurecaf_name.caf_name_vnet will be created%0A + resource "azurecaf_name" "caf_name_vnet" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "appsvclza-scenario1"%0A + passthrough = false%0A + prefixes = [%0A + "hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "prod",%0A ]%0A + use_slug = true%0A }%0A%0A # module.network.azurerm_subnet.this[0] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" -> (known after apply)%0A name = "AzureFirewallSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[1] must be replaced%0A-/+ 
resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" -> (known after apply)%0A name = "AzureBastionSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_virtual_network.this must be replaced%0A-/+ resource "azurerm_virtual_network" "this" {%0A ~ dns_servers = [] -> (known after apply)%0A - flow_timeout_in_minutes = 0 -> null%0A ~ guid = "a57f2f5c-bf2d-4771-b21e-44bd81de7186" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet = [%0A - {%0A - address_prefix = "10.242.0.0/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet"%0A - name = "AzureFirewallSubnet"%0A - security_group = ""%0A },%0A - {%0A - 
address_prefix = "10.242.0.64/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet"%0A - name = "AzureBastionSubnet"%0A - security_group = ""%0A },%0A ] -> (known after apply)%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "network"%0A }%0A # (2 unchanged attributes hidden)%0A }%0A%0APlan: 21 to add, 0 to change, 21 to destroy.%0A%0AChanges to Outputs:%0A ~ bastion_name = "bast-hub-scenario1-wus3" -> (known after apply)%0A ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ~ rg_name = "rg-hub-scenario1-wus3" -> (known after apply)%0A ~ vnet_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply)%0A ~ vnet_name = "vnet-hub-scenario1-wus3" -> (known after apply)%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌 (outcome not reported)

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/dd1bb311-77a3-4b6f-ba5f-29782014c0a5/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create ~ update in-place - destroy -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.appsvc_subnet must be replaced -/+ resource "azurecaf_name" "appsvc_subnet" { ~ id = "eahfcteguwocrcji" -> (known after apply) ~ name = "appsvc" -> "scenario1" # forces replacement + prefixes = [ # forces replacement + "spoke", + "spoke", + "westus3", ] ~ result = "snet-appsvc" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.caf_name_id_contributor will be created + resource "azurecaf_name" "caf_name_id_contributor" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "contributor", ] + use_slug = true } # azurecaf_name.caf_name_id_reader will be created + resource "azurecaf_name" "caf_name_id_reader" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "reader", ] + use_slug = true } # azurecaf_name.caf_name_law will be created + resource "azurecaf_name" "caf_name_law" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known 
after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurecaf_name.caf_name_spoke_rg will be created + resource "azurecaf_name" "caf_name_spoke_rg" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.contributor_identity will be destroyed # (because azurecaf_name.contributor_identity is not in configuration) - resource "azurecaf_name" "contributor_identity" { - clean_input = true -> null - id = "faaiwooqlrertweh" -> null - name = "spoke-scenario1-contributor" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_user_assigned_identity" -> null - result = "msi-spoke-scenario1-contributor" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.devops_subnet will be destroyed # (because azurecaf_name.devops_subnet is not in configuration) - resource "azurecaf_name" "devops_subnet" { - clean_input = true -> null - id = "fjomqdwilwaduxok" -> null - name = "devops" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_subnet" -> null - result = "snet-devops" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.devops_vm will be destroyed # (because azurecaf_name.devops_vm is not in configuration) - resource "azurecaf_name" "devops_vm" { - clean_input = true -> null - id = "ttfcmqugwsdkfhks" -> null - name = "spoke-scenario1-devops" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_windows_virtual_machine" -> null - result = "vm-5461" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "5461", ] -> null - use_slug = true -> null } # 
azurecaf_name.ingress_subnet will be destroyed # (because azurecaf_name.ingress_subnet is not in configuration) - resource "azurecaf_name" "ingress_subnet" { - clean_input = true -> null - id = "uovsewjfyvkpqgmc" -> null - name = "ingress" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_subnet" -> null - result = "snet-ingress" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.private_link_subnet will be destroyed # (because azurecaf_name.private_link_subnet is not in configuration) - resource "azurecaf_name" "private_link_subnet" { - clean_input = true -> null - id = "rxoobxqlkxiyoegd" -> null - name = "private-link" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_subnet" -> null - result = "snet-private-link" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.reader_identity will be destroyed # (because azurecaf_name.reader_identity is not in configuration) - resource "azurecaf_name" "reader_identity" { - clean_input = true -> null - id = "xrauxtuqfikfeusf" -> null - name = "spoke-scenario1-reader" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_user_assigned_identity" -> null - result = "msi-spoke-scenario1-reader" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.resource_group will be destroyed # (because azurecaf_name.resource_group is not in configuration) - resource "azurecaf_name" "resource_group" { - clean_input = true -> null - id = "kfnewsrfqcyurtyr" -> null - name = "spoke-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_resource_group" -> null - result = "rg-spoke-scenario1-prod-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", - "wus3", ] -> null - use_slug = true -> null } # 
azurecaf_name.spoke_network will be destroyed # (because azurecaf_name.spoke_network is not in configuration) - resource "azurecaf_name" "spoke_network" { - clean_input = true -> null - id = "lncsogkngwnchrpr" -> null - name = "spoke-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_virtual_network" -> null - result = "vnet-spoke-scenario1-prod" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", ] -> null - use_slug = true -> null } # azurerm_log_analytics_workspace.law must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.OperationalInsights/workspaces/log-scenario1-prod" -> (known after apply) name = "log-scenario1-prod" ~ primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ secondary_shared_key = (sensitive value) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } ~ workspace_id = "cd74b5b5-f37f-4600-98ad-40e4ef86be2d" -> (known after apply) # (8 unchanged attributes hidden) } # azurerm_resource_group.spoke must be replaced -/+ resource "azurerm_resource_group" "spoke" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3" -> (known after apply) ~ name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" - "application-name" = "scenario1" -> null - "environment" 
= "prod" -> null - "terraform" = "true" -> null } # (1 unchanged attribute hidden) } # azurerm_user_assigned_identity.contributor must be replaced -/+ resource "azurerm_user_assigned_identity" "contributor" { ~ client_id = "9a1f7faa-9f41-4c41-be7e-087eb726c23f" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-spoke-scenario1-contributor" -> (known after apply) ~ name = "msi-spoke-scenario1-contributor" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "e0423675-ddf8-4a7d-82f0-74bf3e39617f" -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) # (1 unchanged attribute hidden) } # azurerm_user_assigned_identity.reader must be replaced -/+ resource "azurerm_user_assigned_identity" "reader" { ~ client_id = "dc0137c5-9e48-4ec8-b52f-8b37c8ca4110" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-spoke-scenario1-reader" -> (known after apply) ~ name = "msi-spoke-scenario1-reader" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "59ae8e61-8c55-4668-81c8-029d34ac759f" -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) # (1 unchanged attribute hidden) } # azurerm_virtual_network_peering.hub_to_spoke will be destroyed # (because azurerm_virtual_network_peering.hub_to_spoke is not in configuration) - resource "azurerm_virtual_network_peering" "hub_to_spoke" { - 
allow_forwarded_traffic = false -> null - allow_gateway_transit = false -> null - allow_virtual_network_access = true -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/virtualNetworkPeerings/hub-to-spoke-scenario1" -> null - name = "hub-to-spoke-scenario1" -> null - remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod" -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - use_remote_gateways = false -> null - virtual_network_name = "vnet-hub-scenario1-wus3" -> null } # azurerm_virtual_network_peering.spoke_to_hub will be destroyed # (because azurerm_virtual_network_peering.spoke_to_hub is not in configuration) - resource "azurerm_virtual_network_peering" "spoke_to_hub" { - allow_forwarded_traffic = false -> null - allow_gateway_transit = false -> null - allow_virtual_network_access = true -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/virtualNetworkPeerings/spoke-to-hub-scenario1" -> null - name = "spoke-to-hub-scenario1" -> null - remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - use_remote_gateways = false -> null - virtual_network_name = "vnet-spoke-scenario1-prod" -> null } # random_password.vm_admin_password will be destroyed # (because random_password.vm_admin_password is not in configuration) - resource "random_password" "vm_admin_password" { - bcrypt_hash = (sensitive value) -> null - id = "none" -> null - length = 16 -> null - lower = true -> 
null - min_lower = 0 -> null - min_numeric = 0 -> null - min_special = 0 -> null - min_upper = 0 -> null - number = true -> null - numeric = true -> null - result = (sensitive value) -> null - special = true -> null - upper = true -> null } # random_password.vm_admin_username will be destroyed # (because random_password.vm_admin_username is not in configuration) - resource "random_password" "vm_admin_username" { - bcrypt_hash = (sensitive value) -> null - id = "none" -> null - length = 10 -> null - lower = true -> null - min_lower = 0 -> null - min_numeric = 0 -> null - min_special = 0 -> null - min_upper = 0 -> null - number = true -> null - numeric = true -> null - result = (sensitive value) -> null - special = false -> null - upper = true -> null } # module.app_configuration[0].azurecaf_name.app_config will be destroyed # (because azurecaf_name.app_config is not in configuration) - resource "azurecaf_name" "app_config" { - clean_input = true -> null - id = "hvfhgntvkcpjiyhr" -> null - name = "scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_app_configuration" -> null - result = "appcg-scenario1-prod-5461" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", - "5461", ] -> null - use_slug = true -> null } # module.app_configuration[0].azurecaf_name.caf_name_appconf will be created + resource "azurecaf_name" "caf_name_appconf" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_app_configuration" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "5461", ] + use_slug = true } # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "pyswsamufmtrushj" -> (known after apply) ~ name = "appcg-scenario1-prod-5461" # forces 
replacement -> (known after apply) # forces replacement ~ result = "pe-appcg-scenario1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this must be replaced -/+ resource "azurerm_app_configuration" "this" { ~ endpoint = "https://appcg-scenario1-prod-5461.azconfig.io" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" -> (known after apply) ~ name = "appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ primary_read_key = [] -> (known after apply) ~ primary_write_key = [] -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ secondary_read_key = [] -> (known after apply) ~ secondary_write_key = [] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" - "environment" = "prod" -> null + "module" = "app-configuration" } # (6 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "appcg-scenario1-prod-5461.privatelink.azconfig.io." 
-> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/appcg-scenario1-prod-5461" -> (known after apply) ~ name = "appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.5", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "appcg-scenario1-prod-5461.azconfig.io" - ip_addresses = [ - "10.240.11.5", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/privateEndpoints/pe-appcg-scenario1-prod-5461" -> (known after apply) ~ name = "pe-appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/networkInterfaces/pe-appcg-scenario1-prod-5461.nic.47c44059-1023-40e2-9918-d69f8a28d16b" - name = "pe-appcg-scenario1-prod-5461.nic.47c44059-1023-40e2-9918-d69f8a28d16b" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (1 unchanged attribute hidden) ~ private_service_connection { name = "app-config-private-endpoint" ~ private_connection_resource_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.5" -> (known after apply) # (2 unchanged attributes hidden) } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced -/+ resource "azurerm_role_assignment" "data_owners" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461/providers/Microsoft.Authorization/roleAssignments/00773630-3305-2441-cffe-c432f199ee9b" -> (known after apply) ~ name = "00773630-3305-2441-cffe-c432f199ee9b" -> (known after apply) ~ principal_id = "e0423675-ddf8-4a7d-82f0-74bf3e39617f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced -/+ resource "azurerm_role_assignment" "data_readers" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461/providers/Microsoft.Authorization/roleAssignments/57f38bb6-3905-3e4a-a26c-7f4fd0d28675" -> (known 
after apply) ~ name = "57f38bb6-3905-3e4a-a26c-7f4fd0d28675" -> (known after apply) ~ principal_id = "59ae8e61-8c55-4668-81c8-029d34ac759f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_insights.azurecaf_name.app_insights will be destroyed # (because azurecaf_name.app_insights is not in configuration) - resource "azurecaf_name" "app_insights" { - clean_input = true -> null - id = "xuhcuoesrdkfiohr" -> null - name = "scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_application_insights" -> null - result = "appi-scenario1-prod" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", ] -> null - use_slug = true -> null } # module.app_insights.azurerm_application_insights.this will be destroyed # (because azurerm_application_insights.this is not in configuration) - resource "azurerm_application_insights" "this" { - app_id = "bc788d07-2ce1-4a2b-9c13-8b86bb01292f" -> null - application_type = "web" -> null - connection_string = (sensitive value) -> null - daily_data_cap_in_gb = 100 -> null - daily_data_cap_notifications_disabled = false -> null - disable_ip_masking = false -> null - force_customer_storage_for_profiler = false -> null - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Insights/components/appi-scenario1-prod" -> null - instrumentation_key = (sensitive value) -> null - internet_ingestion_enabled = true -> null - internet_query_enabled = true -> null - local_authentication_disabled = false -> null - location = "westus3" -> null - name = "appi-scenario1-prod" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - retention_in_days = 90 -> null - sampling_percentage = 100 -> null - tags = {} -> null - workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.OperationalInsights/workspaces/log-scenario1-prod" -> null } # module.app_service.azurecaf_name.caf_name_appinsights will be created + resource "azurecaf_name" "caf_name_appinsights" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_service.azurecaf_name.caf_name_asp will be created + resource "azurecaf_name" "caf_name_asp" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_app_service_plan" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_service.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking 
= false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this must be replaced -/+ resource "azurerm_service_plan" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Web/serverfarms/asp-scenario1-win-prod" -> (known after apply) ~ kind = "app" -> (known after apply) ~ maximum_elastic_worker_count = 1 -> (known after apply) ~ name = "asp-scenario1-win-prod" # forces replacement -> (known after apply) # forces replacement ~ reserved = false -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (6 unchanged attributes hidden) } # module.front_door.azurecaf_name.frontdoor will be destroyed # (because azurecaf_name.frontdoor is not in configuration) - resource "azurecaf_name" "frontdoor" { - clean_input = true -> null - id = "gwevwynflcnhtxnx" -> null - name = "scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_cdn_frontdoor_profile" -> null - result = "cfdp-scenario1-prod" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", ] -> null - use_slug = true -> null } # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be destroyed # (because azurerm_cdn_frontdoor_firewall_policy.waf is not in configuration) - resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - custom_block_response_status_code = 0 -> null - enabled = true -> null - frontend_endpoint_ids = [] -> null - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> null - mode = "Prevention" -> null - name = "wafpolicymicrosoftdefaultruleset21" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - sku_name = "Premium_AzureFrontDoor" -> null - tags = {} -> null - managed_rule { - action = "Block" -> null - type = "Microsoft_DefaultRuleSet" -> null - version = "2.1" -> null } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be destroyed # (because azurerm_cdn_frontdoor_profile.frontdoor is not in configuration) - resource "azurerm_cdn_frontdoor_profile" "frontdoor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod" -> null - name = "cfdp-scenario1-prod" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - resource_guid = "9d932c88-5f8a-4c57-ad23-3edf5506c660" -> null - response_timeout_seconds = 120 -> null - sku_name = "Premium_AzureFrontDoor" -> null - tags = {} -> null } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be destroyed # (because azurerm_cdn_frontdoor_security_policy.web_app_waf is not in configuration) - resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { - cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod/securityPolicies/WAF-Security-Policy" -> null - name = "WAF-Security-Policy" -> null - security_policies { - firewall { - cdn_frontdoor_firewall_policy_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> null - association { - patterns_to_match = [ - "/*", ] -> null - domain { - active = true -> null - cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod/afdEndpoints/scenario1-prod-5461" -> null } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be destroyed # (because azurerm_monitor_diagnostic_setting.this is not in configuration) - resource "azurerm_monitor_diagnostic_setting" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod|cfdp-scenario1-prod-diagnostic-settings}" -> null - log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.OperationalInsights/workspaces/log-scenario1-prod" -> null - name = "cfdp-scenario1-prod-diagnostic-settings}" -> null - target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod" -> null - enabled_log { - category_group = "allLogs" -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - log { - category_group = "audit" -> null - enabled = false -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - metric { - category = "AllMetrics" -> null - enabled = false -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } } # module.frontdoor.azurecaf_name.caf_name_afd will 
be created + resource "azurecaf_name" "caf_name_afd" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_frontdoor" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = (known after apply) + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = (known after apply) + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "frontdoor" } } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created + resource 
"azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.caf_name_akv will be created + resource "azurecaf_name" "caf_name_akv" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_key_vault" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "5461", ] + use_slug = true } # module.key_vault.azurecaf_name.key_vault will be destroyed # (because azurecaf_name.key_vault is not in configuration) - resource "azurecaf_name" "key_vault" { - clean_input = true -> null - id = "hguunrloplmbyiry" -> null - name = "appsvc" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_key_vault" -> null - result = "kv-appsvc-prod-5461" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", - "5461", ] -> null - use_slug = true -> null } # module.key_vault.azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "brwyoneninsiueij" -> (known after apply) ~ name = "kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-kv-appsvc-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this must be replaced -/+ resource "azurerm_key_vault" "this" { ~ access_policy = [] -> (known after apply) - enabled_for_deployment = false -> null - 
enabled_for_template_deployment = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" -> (known after apply) ~ name = "kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" - "environment" = "prod" -> null + "module" = "key-vault" } ~ vault_uri = "https://kv-appsvc-prod-5461.vault.azure.net/" -> (known after apply) # (8 unchanged attributes hidden) ~ network_acls { - ip_rules = [] -> null - virtual_network_subnet_ids = [] -> null # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "kv-appsvc-prod-5461.privatelink.vaultcore.azure.net." 
-> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-appsvc-prod-5461" -> (known after apply) ~ name = "kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.6", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.key_vault.azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "kv-appsvc-prod-5461.vault.azure.net" - ip_addresses = [ - "10.240.11.6", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/privateEndpoints/pe-kv-appsvc-prod-5461" -> (known after apply) ~ name = "pe-kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/networkInterfaces/pe-kv-appsvc-prod-5461.nic.1b86c4a9-ef3f-4d4a-a496-0521921fd6c7" - name = "pe-kv-appsvc-prod-5461.nic.1b86c4a9-ef3f-4d4a-a496-0521921fd6c7" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (1 unchanged attribute hidden) ~ private_service_connection { ~ name = "pe-kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ 
private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.6" -> (known after apply) # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_officer" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461/providers/Microsoft.Authorization/roleAssignments/d9ef4ea5-dfb9-5be5-6fb9-4446ee840b1e" -> (known after apply) ~ name = "d9ef4ea5-dfb9-5be5-6fb9-4446ee840b1e" -> (known after apply) ~ principal_id = "e0423675-ddf8-4a7d-82f0-74bf3e39617f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_user" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461/providers/Microsoft.Authorization/roleAssignments/0d93282f-6fdc-9e45-ff24-2cbe16e37edb" -> (known after apply) ~ name = "0d93282f-6fdc-9e45-ff24-2cbe16e37edb" -> (known after apply) ~ 
principal_id = "59ae8e61-8c55-4668-81c8-029d34ac759f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.network.azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "scenario1" + passthrough = false + prefixes = [ + "spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-appsvc" -> (known after apply) ~ name = "snet-appsvc" -> "serverFarm" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null 
~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) # (1 unchanged block hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-ingress" -> (known after apply) ~ name = "snet-ingress" -> "ingress" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[2] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-devops" -> (known after apply) ~ name = "snet-devops" -> "devops" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # 
forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[3] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" -> (known after apply) ~ name = "snet-private-link" -> "privateLink" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "edeb3250-0d87-4fed-b91a-ce2cbbeec192" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod" -> (known after apply) ~ name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - 
address_prefix = "10.240.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-appsvc" - name = "snet-appsvc" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-ingress" - name = "snet-ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-devops" - name = "snet-devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" - name = "snet-private-link" - security_group = "" }, ] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } # (2 unchanged attributes hidden) } # module.network.azurerm_virtual_network_peering.target_to_this[0] will be created + resource "azurerm_virtual_network_peering" "target_to_this" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-scenario1" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-scenario1-wus3" + use_remote_gateways = false + virtual_network_name = "vnet-hub-scenario1-wus3" } # module.network.azurerm_virtual_network_peering.this_to_target[0] will be created + resource 
"azurerm_virtual_network_peering" "this_to_target" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-scenario1" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this[0] will be updated in-place ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } # (5 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be updated in-place ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } # (5 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be updated in-place ~ resource "azurerm_private_dns_zone" "this" { id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } # (5 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones.azurerm_private_dns_zone.this[3] will be updated in-place ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } # (5 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones.azurerm_private_dns_zone.this[4] will be updated in-place ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } # (5 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones.azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "privatelink.azurewebsites.net" + private_dns_zone_name = "privatelink.azurewebsites.net" + 
registration_enabled = false + resource_group_name = "rg-hub-scenario1-wus3" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" } # module.private_dns_zones.azurerm_private_dns_zone_virtual_network_link.this[1] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id ... ```

Output is too long and was truncated. You can read the full plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/solutions/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

```
Success! The configuration is valid.
```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/d60217e1-8b17-4c70-bedb-49692ddc5f13/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurecaf_name.caf_name_ase_rg will be created + resource "azurecaf_name" "caf_name_ase_rg" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "ase", + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.caf_name_ase_v3[0] will be created + resource "azurecaf_name" "caf_name_ase_v3" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_app_service_environment" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.caf_name_law will be created + resource "azurecaf_name" "caf_name_law" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "dev", ] + use_slug = true } # azurecaf_name.caf_name_network_rg will be created + resource "azurecaf_name" "caf_name_network_rg" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "network", + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # 
azurecaf_name.caf_name_shared_rg will be created + resource "azurecaf_name" "caf_name_shared_rg" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "shared", + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.law will be created + resource "azurecaf_name" "law" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "dev", ] + use_slug = true } # azurerm_app_service_environment_v3.ase[0] will be created + resource "azurerm_app_service_environment_v3" "ase" { + allow_new_private_endpoint_connections = true + dns_suffix = (known after apply) + external_inbound_ip_addresses = (known after apply) + id = (known after apply) + inbound_network_dependencies = (known after apply) + internal_inbound_ip_addresses = (known after apply) + internal_load_balancing_mode = "Web, Publishing" + ip_ssl_address_count = (known after apply) + linux_outbound_ip_addresses = (known after apply) + location = (known after apply) + name = (known after apply) + pricing_tier = (known after apply) + resource_group_name = (known after apply) + subnet_id = (known after apply) + windows_outbound_ip_addresses = (known after apply) + zone_redundant = true } # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + primary_shared_key = (sensitive value) + 
reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" } + workspace_id = (known after apply) } # azurerm_resource_group.ase will be created + resource "azurerm_resource_group" "ase" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" } } # azurerm_resource_group.network will be created + resource "azurerm_resource_group" "network" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" } } # azurerm_resource_group.shared will be created + resource "azurerm_resource_group" "shared" { + id = (known after apply) + location = "westus2" + name = (known after apply) + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" } } # module.app_service.azurecaf_name.caf_name_appinsights will be created + resource "azurecaf_name" "caf_name_appinsights" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "dev", ] + use_slug = true } # module.app_service.azurecaf_name.caf_name_asp will be created + resource "azurecaf_name" "caf_name_asp" { + clean_input = true + id = 
(known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_app_service_plan" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "dev", ] + use_slug = true } # module.app_service.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + app_service_environment_id = (known after apply) + id = (known after apply) + kind = (known after apply) + location = "westus2" + maximum_elastic_worker_count = (known after apply) + name = (known after apply) + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = (known after apply) + sku_name = "P1v2" + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-service" } + worker_count = 3 + zone_balancing_enabled = true } # module.bastion[0].azurecaf_name.caf_name_bastion will be created + resource "azurecaf_name" "caf_name_bastion" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + 
prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion will be created + resource "azurerm_bastion_host" "bastion" { + copy_paste_enabled = true + dns_name = (known after apply) + file_copy_enabled = false + id = (known after apply) + ip_connect_enabled = false + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + scale_units = 2 + shareable_link_enabled = false + sku = "Standard" + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } + tunneling_enabled = true + ip_configuration { + name = "bastionHostIpConfiguration" + public_ip_address_id = (known after apply) + subnet_id = (known after apply) } } # module.bastion[0].azurerm_public_ip.bastion_pip will be created + resource "azurerm_public_ip" "bastion_pip" { + allocation_method = "Static" + ddos_protection_mode = "VirtualNetworkInherited" + fqdn = (known after apply) + id = (known after apply) + idle_timeout_in_minutes = 4 + ip_address = (known after apply) + ip_version = "IPv4" + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + sku = "Standard" + sku_tier = "Regional" + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing 
Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } } # module.private_dns_zones_ase[0].azurerm_private_dns_a_record.this[0] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "*" + records = (known after apply) + resource_group_name = (known after apply) + ttl = 300 + zone_name = (known after apply) } # module.private_dns_zones_ase[0].azurerm_private_dns_a_record.this[1] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "*.scm" + records = (known after apply) + resource_group_name = (known after apply) + ttl = 300 + zone_name = (known after apply) } # module.private_dns_zones_ase[0].azurerm_private_dns_a_record.this[2] will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "@" + records = (known after apply) + resource_group_name = (known after apply) + ttl = 300 + zone_name = (known after apply) } # module.private_dns_zones_ase[0].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = (known after apply) + number_of_record_sets = (known after apply) + resource_group_name = (known after apply) + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones_ase[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = (known after apply) + private_dns_zone_name = (known after apply) + 
registration_enabled = false + resource_group_name = (known after apply) + virtual_network_id = (known after apply) } # module.vnetHub.azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "dev", ] + use_slug = true } # module.vnetHub.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.0.1.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.vnetHub.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.0.3.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "jumpBoxSubnetName" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.vnetHub.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.0.2.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = 
"CICDAgentSubnetName" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) } # module.vnetHub.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.0.0.0/16", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } } # module.vnetSpoke[0].azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "lzademo" + passthrough = false + prefixes = [ + "secure-baseline-2-ase", + "wus2", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "dev", ] + use_slug = true } # module.vnetSpoke[0].azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.1.1.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "hostingEnvironment" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + virtual_network_name = (known after apply) + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/join/action", + 
"Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] + name = "Microsoft.Web/hostingEnvironments" } } } # module.vnetSpoke[0].azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.1.0.0/16", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus2" + name = (known after apply) + resource_group_name = (known after apply) + subnet = (known after apply) + tags = { + "Environment" = "dev" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 2] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } } # module.vnetSpoke[0].azurerm_virtual_network_peering.target_to_this[0] will be created + resource "azurerm_virtual_network_peering" "target_to_this" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-lzademo" + remote_virtual_network_id = (known after apply) + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # module.vnetSpoke[0].azurerm_virtual_network_peering.this_to_target[0] will be created + resource "azurerm_virtual_network_peering" "this_to_target" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-lzademo" + remote_virtual_network_id = (known after apply) + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } Plan: 34 to add, 0 to change, 0 to destroy. 
Changes to Outputs: + aseId = (known after apply) + aseName = (known after apply) + hubVNet = { + id = (known after apply) + name = (known after apply) + subnets = { + AzureBastionSubnet = { + address_prefixes = [ + "10.0.1.0/24", ] + delegation = [] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "AzureBastionSubnet" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + service_endpoint_policy_ids = null + service_endpoints = null + timeouts = null + virtual_network_name = (known after apply) } + CICDAgentSubnetName = { + address_prefixes = [ + "10.0.2.0/24", ] + delegation = [] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "CICDAgentSubnetName" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + service_endpoint_policy_ids = null + service_endpoints = null + timeouts = null + virtual_network_name = (known after apply) } + jumpBoxSubnetName = { + address_prefixes = [ + "10.0.3.0/24", ] + delegation = [] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "jumpBoxSubnetName" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + service_endpoint_policy_ids = null + service_endpoints = null + timeouts = null + virtual_network_name = (known after apply) } } } + spokeVNet = { + id = (known after apply) + name = 
(known after apply) + subnets = { + hostingEnvironment = { + address_prefixes = [ + "10.1.1.0/24", ] + delegation = [ + { + name = "Microsoft.Web/serverFarms" + service_delegation = [ + { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] + name = "Microsoft.Web/hostingEnvironments" }, ] }, ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "hostingEnvironment" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = (known after apply) + service_endpoint_policy_ids = null + service_endpoints = null + timeouts = null + virtual_network_name = (known after apply) } } } ::debug::Terraform exited with code 0. ::debug::stdout: %0ATerraform used the selected providers to generate the following execution%0Aplan. 
Resource actions are indicated with the following symbols:%0A + create%0A%0ATerraform will perform the following actions:%0A%0A # azurecaf_name.caf_name_ase_rg will be created%0A + resource "azurecaf_name" "caf_name_ase_rg" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "ase",%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_resource_group"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # azurecaf_name.caf_name_ase_v3[0] will be created%0A + resource "azurecaf_name" "caf_name_ase_v3" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_app_service_environment"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # azurecaf_name.caf_name_law will be created%0A + resource "azurecaf_name" "caf_name_law" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_log_analytics_workspace"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "dev",%0A ]%0A + use_slug = true%0A }%0A%0A # azurecaf_name.caf_name_network_rg will be created%0A + resource "azurecaf_name" "caf_name_network_rg" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "network",%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_resource_group"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator 
= "-"%0A + use_slug = true%0A }%0A%0A # azurecaf_name.caf_name_shared_rg will be created%0A + resource "azurecaf_name" "caf_name_shared_rg" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "shared",%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_resource_group"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # azurecaf_name.law will be created%0A + resource "azurecaf_name" "law" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + random_length = 0%0A + resource_type = "azurerm_log_analytics_workspace"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "dev",%0A ]%0A + use_slug = true%0A }%0A%0A # azurerm_app_service_environment_v3.ase[0] will be created%0A + resource "azurerm_app_service_environment_v3" "ase" {%0A + allow_new_private_endpoint_connections = true%0A + dns_suffix = (known after apply)%0A + external_inbound_ip_addresses = (known after apply)%0A + id = (known after apply)%0A + inbound_network_dependencies = (known after apply)%0A + internal_inbound_ip_addresses = (known after apply)%0A + internal_load_balancing_mode = "Web, Publishing"%0A + ip_ssl_address_count = (known after apply)%0A + linux_outbound_ip_addresses = (known after apply)%0A + location = (known after apply)%0A + name = (known after apply)%0A + pricing_tier = (known after apply)%0A + resource_group_name = (known after apply)%0A + subnet_id = (known after apply)%0A + windows_outbound_ip_addresses = (known after apply)%0A + zone_redundant = true%0A }%0A%0A # azurerm_log_analytics_workspace.law will be created%0A + resource "azurerm_log_analytics_workspace" "law" {%0A + allow_resource_only_permissions = true%0A + daily_quota_gb = -1%0A + id = (known after apply)%0A + 
internet_ingestion_enabled = true%0A + internet_query_enabled = true%0A + local_authentication_disabled = false%0A + location = "westus2"%0A + name = (known after apply)%0A + primary_shared_key = (sensitive value)%0A + reservation_capacity_in_gb_per_day = (known after apply)%0A + resource_group_name = (known after apply)%0A + retention_in_days = 30%0A + secondary_shared_key = (sensitive value)%0A + sku = "PerGB2018"%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A }%0A + workspace_id = (known after apply)%0A }%0A%0A # azurerm_resource_group.ase will be created%0A + resource "azurerm_resource_group" "ase" {%0A + id = (known after apply)%0A + location = "westus2"%0A + name = (known after apply)%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A }%0A }%0A%0A # azurerm_resource_group.network will be created%0A + resource "azurerm_resource_group" "network" {%0A + id = (known after apply)%0A + location = "westus2"%0A + name = (known after apply)%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A }%0A }%0A%0A # azurerm_resource_group.shared will be created%0A + resource "azurerm_resource_group" "shared" {%0A + id = (known after apply)%0A + location = "westus2"%0A + name = (known after apply)%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A }%0A }%0A%0A # module.app_service.azurecaf_name.caf_name_appinsights will be created%0A + resource "azurecaf_name" "caf_name_appinsights" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = 
false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_application_insights"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "dev",%0A ]%0A + use_slug = true%0A }%0A%0A # module.app_service.azurecaf_name.caf_name_asp will be created%0A + resource "azurecaf_name" "caf_name_asp" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_app_service_plan"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "dev",%0A ]%0A + use_slug = true%0A }%0A%0A # module.app_service.azurerm_application_insights.this will be created%0A + resource "azurerm_application_insights" "this" {%0A + app_id = (known after apply)%0A + application_type = "web"%0A + connection_string = (sensitive value)%0A + daily_data_cap_in_gb = (known after apply)%0A + daily_data_cap_notifications_disabled = (known after apply)%0A + disable_ip_masking = false%0A + force_customer_storage_for_profiler = false%0A + id = (known after apply)%0A + instrumentation_key = (sensitive value)%0A + internet_ingestion_enabled = true%0A + internet_query_enabled = true%0A + local_authentication_disabled = false%0A + location = "westus2"%0A + name = (known after apply)%0A + resource_group_name = (known after apply)%0A + retention_in_days = 90%0A + sampling_percentage = 100%0A + workspace_id = (known after apply)%0A }%0A%0A # module.app_service.azurerm_service_plan.this will be created%0A + resource "azurerm_service_plan" "this" {%0A + app_service_environment_id = (known after apply)%0A + id = (known after apply)%0A + kind = (known after apply)%0A + location = "westus2"%0A + maximum_elastic_worker_count = (known after apply)%0A + name = (known after apply)%0A + os_type = 
"Windows"%0A + per_site_scaling_enabled = false%0A + reserved = (known after apply)%0A + resource_group_name = (known after apply)%0A + sku_name = "P1v2"%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "app-service"%0A }%0A + worker_count = 3%0A + zone_balancing_enabled = true%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_bastion will be created%0A + resource "azurecaf_name" "caf_name_bastion" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip will be created%0A + resource "azurecaf_name" "caf_name_pip" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_public_ip"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion will be created%0A + resource "azurerm_bastion_host" "bastion" {%0A + copy_paste_enabled = true%0A + dns_name = (known after apply)%0A + file_copy_enabled = false%0A + id = (known after apply)%0A + ip_connect_enabled = false%0A + location = "westus2"%0A + name = (known after apply)%0A + resource_group_name = (known after apply)%0A + scale_units = 2%0A + shareable_link_enabled = false%0A + sku = "Standard"%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = 
"true"%0A + "module" = "bastion"%0A }%0A + tunneling_enabled = true%0A%0A + ip_configuration {%0A + name = "bastionHostIpConfiguration"%0A + public_ip_address_id = (known after apply)%0A + subnet_id = (known after apply)%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip will be created%0A + resource "azurerm_public_ip" "bastion_pip" {%0A + allocation_method = "Static"%0A + ddos_protection_mode = "VirtualNetworkInherited"%0A + fqdn = (known after apply)%0A + id = (known after apply)%0A + idle_timeout_in_minutes = 4%0A + ip_address = (known after apply)%0A + ip_version = "IPv4"%0A + location = "westus2"%0A + name = (known after apply)%0A + resource_group_name = (known after apply)%0A + sku = "Standard"%0A + sku_tier = "Regional"%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "bastion"%0A }%0A }%0A%0A # module.private_dns_zones_ase[0].azurerm_private_dns_a_record.this[0] will be created%0A + resource "azurerm_private_dns_a_record" "this" {%0A + fqdn = (known after apply)%0A + id = (known after apply)%0A + name = "*"%0A + records = (known after apply)%0A + resource_group_name = (known after apply)%0A + ttl = 300%0A + zone_name = (known after apply)%0A }%0A%0A # module.private_dns_zones_ase[0].azurerm_private_dns_a_record.this[1] will be created%0A + resource "azurerm_private_dns_a_record" "this" {%0A + fqdn = (known after apply)%0A + id = (known after apply)%0A + name = "*.scm"%0A + records = (known after apply)%0A + resource_group_name = (known after apply)%0A + ttl = 300%0A + zone_name = (known after apply)%0A }%0A%0A # module.private_dns_zones_ase[0].azurerm_private_dns_a_record.this[2] will be created%0A + resource "azurerm_private_dns_a_record" "this" {%0A + fqdn = (known after apply)%0A + id = (known after apply)%0A + name = "@"%0A + records = (known after apply)%0A + resource_group_name = (known after 
apply)%0A + ttl = 300%0A + zone_name = (known after apply)%0A }%0A%0A # module.private_dns_zones_ase[0].azurerm_private_dns_zone.this will be created%0A + resource "azurerm_private_dns_zone" "this" {%0A + id = (known after apply)%0A + max_number_of_record_sets = (known after apply)%0A + max_number_of_virtual_network_links = (known after apply)%0A + max_number_of_virtual_network_links_with_registration = (known after apply)%0A + name = (known after apply)%0A + number_of_record_sets = (known after apply)%0A + resource_group_name = (known after apply)%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "private-dns-zone"%0A }%0A }%0A%0A # module.private_dns_zones_ase[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created%0A + resource "azurerm_private_dns_zone_virtual_network_link" "this" {%0A + id = (known after apply)%0A + name = (known after apply)%0A + private_dns_zone_name = (known after apply)%0A + registration_enabled = false%0A + resource_group_name = (known after apply)%0A + virtual_network_id = (known after apply)%0A }%0A%0A # module.vnetHub.azurecaf_name.caf_name_vnet will be created%0A + resource "azurecaf_name" "caf_name_vnet" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "dev",%0A ]%0A + use_slug = true%0A }%0A%0A # module.vnetHub.azurerm_subnet.this[0] will be created%0A + resource "azurerm_subnet" "this" {%0A + address_prefixes = [%0A + "10.0.1.0/24",%0A ]%0A + enforce_private_link_endpoint_network_policies = (known after apply)%0A + enforce_private_link_service_network_policies = (known after 
apply)%0A + id = (known after apply)%0A + name = "AzureBastionSubnet"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + virtual_network_name = (known after apply)%0A }%0A%0A # module.vnetHub.azurerm_subnet.this[1] will be created%0A + resource "azurerm_subnet" "this" {%0A + address_prefixes = [%0A + "10.0.3.0/24",%0A ]%0A + enforce_private_link_endpoint_network_policies = (known after apply)%0A + enforce_private_link_service_network_policies = (known after apply)%0A + id = (known after apply)%0A + name = "jumpBoxSubnetName"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + virtual_network_name = (known after apply)%0A }%0A%0A # module.vnetHub.azurerm_subnet.this[2] will be created%0A + resource "azurerm_subnet" "this" {%0A + address_prefixes = [%0A + "10.0.2.0/24",%0A ]%0A + enforce_private_link_endpoint_network_policies = (known after apply)%0A + enforce_private_link_service_network_policies = (known after apply)%0A + id = (known after apply)%0A + name = "CICDAgentSubnetName"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + virtual_network_name = (known after apply)%0A }%0A%0A # module.vnetHub.azurerm_virtual_network.this will be created%0A + resource "azurerm_virtual_network" "this" {%0A + address_space = [%0A + "10.0.0.0/16",%0A ]%0A + dns_servers = (known after apply)%0A + guid = (known after apply)%0A + id = (known after apply)%0A + location = "westus2"%0A + name = (known after apply)%0A + resource_group_name = (known after apply)%0A + subnet = (known after apply)%0A + tags = {%0A + "Environment" = "dev"%0A + "Owner" = 
"cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "network"%0A }%0A }%0A%0A # module.vnetSpoke[0].azurecaf_name.caf_name_vnet will be created%0A + resource "azurecaf_name" "caf_name_vnet" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "lzademo"%0A + passthrough = false%0A + prefixes = [%0A + "secure-baseline-2-ase",%0A + "wus2",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "dev",%0A ]%0A + use_slug = true%0A }%0A%0A # module.vnetSpoke[0].azurerm_subnet.this[0] will be created%0A + resource "azurerm_subnet" "this" {%0A + address_prefixes = [%0A + "10.1.1.0/24",%0A ]%0A + enforce_private_link_endpoint_network_policies = (known after apply)%0A + enforce_private_link_service_network_policies = (known after apply)%0A + id = (known after apply)%0A + name = "hostingEnvironment"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + virtual_network_name = (known after apply)%0A%0A + delegation {%0A + name = "Microsoft.Web/serverFarms"%0A%0A + service_delegation {%0A + actions = [%0A + "Microsoft.Network/virtualNetworks/subnets/join/action",%0A + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",%0A ]%0A + name = "Microsoft.Web/hostingEnvironments"%0A }%0A }%0A }%0A%0A # module.vnetSpoke[0].azurerm_virtual_network.this will be created%0A + resource "azurerm_virtual_network" "this" {%0A + address_space = [%0A + "10.1.0.0/16",%0A ]%0A + dns_servers = (known after apply)%0A + guid = (known after apply)%0A + id = (known after apply)%0A + location = "westus2"%0A + name = (known after apply)%0A + resource_group_name = (known after apply)%0A + subnet = (known after apply)%0A + 
tags = {%0A + "Environment" = "dev"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "network"%0A }%0A }%0A%0A # module.vnetSpoke[0].azurerm_virtual_network_peering.target_to_this[0] will be created%0A + resource "azurerm_virtual_network_peering" "target_to_this" {%0A + allow_forwarded_traffic = false%0A + allow_gateway_transit = false%0A + allow_virtual_network_access = true%0A + id = (known after apply)%0A + name = "hub-to-spoke-lzademo"%0A + remote_virtual_network_id = (known after apply)%0A + resource_group_name = (known after apply)%0A + use_remote_gateways = false%0A + virtual_network_name = (known after apply)%0A }%0A%0A # module.vnetSpoke[0].azurerm_virtual_network_peering.this_to_target[0] will be created%0A + resource "azurerm_virtual_network_peering" "this_to_target" {%0A + allow_forwarded_traffic = false%0A + allow_gateway_transit = false%0A + allow_virtual_network_access = true%0A + id = (known after apply)%0A + name = "spoke-to-hub-lzademo"%0A + remote_virtual_network_id = (known after apply)%0A + resource_group_name = (known after apply)%0A + use_remote_gateways = false%0A + virtual_network_name = (known after apply)%0A }%0A%0APlan: 34 to add, 0 to change, 0 to destroy.%0A%0AChanges to Outputs:%0A + aseId = (known after apply)%0A + aseName = (known after apply)%0A + hubVNet = {%0A + id = (known after apply)%0A + name = (known after apply)%0A + subnets = {%0A + AzureBastionSubnet = {%0A + address_prefixes = [%0A + "10.0.1.0/24",%0A ]%0A + delegation = []%0A + enforce_private_link_endpoint_network_policies = (known after apply)%0A + enforce_private_link_service_network_policies = (known after apply)%0A + id = (known after apply)%0A + name = "AzureBastionSubnet"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + 
service_endpoint_policy_ids = null%0A + service_endpoints = null%0A + timeouts = null%0A + virtual_network_name = (known after apply)%0A }%0A + CICDAgentSubnetName = {%0A + address_prefixes = [%0A + "10.0.2.0/24",%0A ]%0A + delegation = []%0A + enforce_private_link_endpoint_network_policies = (known after apply)%0A + enforce_private_link_service_network_policies = (known after apply)%0A + id = (known after apply)%0A + name = "CICDAgentSubnetName"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + service_endpoint_policy_ids = null%0A + service_endpoints = null%0A + timeouts = null%0A + virtual_network_name = (known after apply)%0A }%0A + jumpBoxSubnetName = {%0A + address_prefixes = [%0A + "10.0.3.0/24",%0A ]%0A + delegation = []%0A + enforce_private_link_endpoint_network_policies = (known after apply)%0A + enforce_private_link_service_network_policies = (known after apply)%0A + id = (known after apply)%0A + name = "jumpBoxSubnetName"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + service_endpoint_policy_ids = null%0A + service_endpoints = null%0A + timeouts = null%0A + virtual_network_name = (known after apply)%0A }%0A }%0A }%0A + spokeVNet = {%0A + id = (known after apply)%0A + name = (known after apply)%0A + subnets = {%0A + hostingEnvironment = {%0A + address_prefixes = [%0A + "10.1.1.0/24",%0A ]%0A + delegation = [%0A + {%0A + name = "Microsoft.Web/serverFarms"%0A + service_delegation = [%0A + {%0A + actions = [%0A + "Microsoft.Network/virtualNetworks/subnets/join/action",%0A + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",%0A ]%0A + name = "Microsoft.Web/hostingEnvironments"%0A },%0A ]%0A },%0A ]%0A + enforce_private_link_endpoint_network_policies 
= (known after apply)%0A + enforce_private_link_service_network_policies = (known after apply)%0A + id = (known after apply)%0A + name = "hostingEnvironment"%0A + private_endpoint_network_policies_enabled = (known after apply)%0A + private_link_service_network_policies_enabled = (known after apply)%0A + resource_group_name = (known after apply)%0A + service_endpoint_policy_ids = null%0A + service_endpoints = null%0A + timeouts = null%0A + virtual_network_name = (known after apply)%0A }%0A }%0A }%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌 (no outcome reported)

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/9ceca4bc-6269-45d2-aa47-d5e37d19f40c/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" name = "vnet-hub-scenario1-wus3" ~ subnet = [ + { + address_prefix = "10.242.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" + name = "AzureFirewallSubnet" + security_group = "" }, + { + address_prefix = "10.242.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" + name = "AzureBastionSubnet" + security_group = "" }, ] + tags = {} # (6 unchanged attributes hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + create - destroy -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.bastion_host will be destroyed # (because azurecaf_name.bastion_host is not in configuration) - resource "azurecaf_name" "bastion_host" { - clean_input = true -> null - id = "gggewsruqgiwnjwa" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_bastion_host" -> null - result = "bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.caf_name_hub_rg will be created + resource "azurecaf_name" "caf_name_hub_rg" { + clean_input = true + id = (known after apply) + name = "eslz2" + passthrough = false + prefixes = [ + "sec-baseline-1-hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.firewall will be destroyed # (because azurecaf_name.firewall is not in configuration) - resource "azurecaf_name" "firewall" { - clean_input = true -> null - id = "atqhstfaibxdnjav" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_firewall" -> null - result = "fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.law will be destroyed # (because azurecaf_name.law is not in configuration) - resource "azurecaf_name" "law" { - clean_input = true -> null - id = "fqnobcgpjpovkway" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_log_analytics_workspace" -> null - result = "log-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" 
-> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.resource_group will be destroyed # (because azurecaf_name.resource_group is not in configuration) - resource "azurecaf_name" "resource_group" { - clean_input = true -> null - id = "sdhamjahaycopevr" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_resource_group" -> null - result = "rg-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.vnet will be destroyed # (because azurecaf_name.vnet is not in configuration) - resource "azurecaf_name" "vnet" { - clean_input = true -> null - id = "eayygfcnmpfqsowx" -> null - name = "hub-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_virtual_network" -> null - result = "vnet-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "wus3", ] -> null - use_slug = true -> null } # azurerm_log_analytics_workspace.law will be destroyed # (because azurerm_log_analytics_workspace.law is not in configuration) - resource "azurerm_log_analytics_workspace" "law" { - allow_resource_only_permissions = true -> null - cmk_for_query_forced = false -> null - daily_quota_gb = -1 -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> null - internet_ingestion_enabled = true -> null - internet_query_enabled = true -> null - local_authentication_disabled = false -> null - location = "westus3" -> null - name = "log-hub-scenario1-wus3" -> null - primary_shared_key = (sensitive value) -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - retention_in_days = 30 -> null - secondary_shared_key = (sensitive value) -> null - sku = "PerGB2018" -> null - tags = {} -> 
null - workspace_id = "2b9150ce-64a2-4a6d-885e-cd7dfd9e8153" -> null } # azurerm_resource_group.hub must be replaced -/+ resource "azurerm_resource_group" "hub" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3" -> (known after apply) ~ name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" - "terraform" = "true" -> null } # (1 unchanged attribute hidden) } # module.bastion[0].azurecaf_name.bastion_pip will be destroyed # (because azurecaf_name.bastion_pip is not in configuration) - resource "azurecaf_name" "bastion_pip" { - clean_input = true -> null - id = "qwntecdiprlwaonl" -> null - name = "bast-hub-scenario1-wus3" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = "pip-bast-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # module.bastion[0].azurecaf_name.caf_name_bastion will be created + resource "azurecaf_name" "caf_name_bastion" { + clean_input = true + id = (known after apply) + name = "eslz2" + passthrough = false + prefixes = [ + "sec-baseline-1-hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "eslz2" + passthrough = false + prefixes = [ + "sec-baseline-1-hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.bastion[0].azurerm_bastion_host.bastion 
must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-69efc60e-54e0-4ac8-b44f-4347f67dc108.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/bastionHosts/bast-hub-scenario1-wus3" -> (known after apply) ~ name = "bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } # (8 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.65" -> (known after apply) - ip_tags = {} -> null ~ name = "pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement 
~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "bastion" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_firewall will be created + resource "azurecaf_name" "caf_name_firewall" { + clean_input = true + id = (known after apply) + name = "eslz2" + passthrough = false + prefixes = [ + "sec-baseline-1-hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_firewall" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_law[0] will be created + resource "azurecaf_name" "caf_name_law" { + clean_input = true + id = (known after apply) + name = "eslz2" + passthrough = false + prefixes = [ + "sec-baseline-1-hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.caf_name_pip will be created + resource "azurecaf_name" "caf_name_pip" { + clean_input = true + id = (known after apply) + name = "eslz2" + passthrough = false + prefixes = [ + "sec-baseline-1-hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_public_ip" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.firewall[0].azurecaf_name.firewall_pip will be destroyed # (because azurecaf_name.firewall_pip is not in configuration) - resource "azurecaf_name" "firewall_pip" { - clean_input = true -> null - id = "buncvpcbdyqgwdik" -> null - name = "fw-hub-scenario1-wus3" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_public_ip" -> null - result = "pip-fw-hub-scenario1-wus3" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null 
} # module.firewall[0].azurerm_firewall.firewall must be replaced -/+ resource "azurerm_firewall" "firewall" { - dns_servers = [] -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - private_ip_ranges = [] -> null ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } ~ threat_intel_mode = "Alert" -> (known after apply) - zones = [] -> null # (3 unchanged attributes hidden) ~ ip_configuration { name = "firewallIpConfiguration" ~ private_ip_address = "10.242.0.4" -> (known after apply) ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "azure_monitor" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) name = 
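Review bot: The rename makes `module.firewall[0].azurerm_firewall.firewall` a `-/+` replacement (destroy, then create), and every application and network rule collection below it is replaced with it. The hub therefore has no firewall and no egress rules until the apply finishes. `private_ip_address` (now `10.242.0.4`) and `threat_intel_mode` (now `Alert`) both become `(known after apply)`, so neither is pinned by the configuration. State the mode explicitly in the firewall module, e.g. `threat_intel_mode = "Alert"`. After apply, check anything that routes to the old private IP; spoke route tables are not shown in this plan.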
"Azure-Monitor-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-monitor" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.core must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "core" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) name = "Core-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-core-apis" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-developer-services" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-certificate-dependencies" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) name = "Devops-VM-Dependencies-FQDNs" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - fqdn_tags = [] -> null name = "allow-azure-ad-join" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } ~ rule { - fqdn_tags = [] -> null name = "allow-vm-dependencies-and-tools" - source_ip_groups = [] -> null # (2 unchanged attributes hidden) # (1 unchanged block hidden) } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops must be replaced -/+ resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) name = "Windows-VM-Connectivity-Requirements" ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (2 unchanged attributes hidden) ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-kms-activation" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } ~ rule { - destination_fqdns = [] -> null - destination_ip_groups = [] -> null name = "allow-ntp" - source_ip_groups = [] -> null # (4 unchanged attributes hidden) } } # module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + 
daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) + resource_group_name = (known after apply) + retention_in_days = (known after apply) + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + workspace_id = (known after apply) } # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3|fw-hub-scenario1-wus3-diagnostic-settings" -> (known after apply) ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply) ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> (known after apply) ~ name = "fw-hub-scenario1-wus3-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced -/+ resource "azurerm_public_ip" "firewall_pip" { + fqdn = (known after apply) ~ id = 
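Review bot: The existing `azurerm_log_analytics_workspace.law` is destroyed and a new `module.firewall[0].azurerm_log_analytics_workspace.law[0]` is created. That discards the firewall logs collected so far, and `retention_in_days` becomes `(known after apply)` instead of the explicit `30` on the old workspace. The new workspace is still planned with `internet_ingestion_enabled = true`, `internet_query_enabled = true` and `local_authentication_disabled = false`. For a secure baseline, set `retention_in_days` explicitly and consider `local_authentication_disabled = true` in the module. The replaced `azurerm_monitor_diagnostic_setting.this` also drops its `log { category_group = "allLogs" }` block while two other blocks are hidden as unchanged, so verify after apply that the firewall log categories are still enabled, and export or keep the old workspace until its data is no longer needed.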
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply) ~ ip_address = "20.25.144.42" -> (known after apply) - ip_tags = {} -> null ~ name = "pip-fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "firewall" } - zones = [] -> null # (7 unchanged attributes hidden) } # module.network.azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "eslz2" + passthrough = false + prefixes = [ + "sec-baseline-1-hub", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" -> (known after apply) name = "AzureFirewallSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] 
-> null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" -> (known after apply) name = "AzureBastionSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "a57f2f5c-bf2d-4771-b21e-44bd81de7186" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.242.0.0/26" - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" - name = "AzureFirewallSubnet" - security_group = "" }, - { - address_prefix = "10.242.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" - name = "AzureBastionSubnet" - security_group = "" }, ] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } # (2 unchanged attributes hidden) } Plan: 21 to add, 0 to change, 21 to destroy. Changes to Outputs: ~ bastion_name = "bast-hub-scenario1-wus3" -> (known after apply) ~ firewall_private_ip = "10.242.0.4" -> (known after apply) ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) 
} ~ rg_name = "rg-hub-scenario1-wus3" -> (known after apply) ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply) ~ vnet_name = "vnet-hub-scenario1-wus3" -> (known after apply) ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.network.azurerm_virtual_network.this has changed%0A ~ resource "azurerm_virtual_network" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3"%0A name = "vnet-hub-scenario1-wus3"%0A ~ subnet = [%0A + {%0A + address_prefix = "10.242.0.0/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet"%0A + name = "AzureFirewallSubnet"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.242.0.64/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet"%0A + name = "AzureBastionSubnet"%0A + security_group = ""%0A },%0A ]%0A + tags = {}%0A # (6 unchanged attributes hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. 
Resource actions are indicated with the following symbols:%0A + create%0A - destroy%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # azurecaf_name.bastion_host will be destroyed%0A # (because azurecaf_name.bastion_host is not in configuration)%0A - resource "azurecaf_name" "bastion_host" {%0A - clean_input = true -> null%0A - id = "gggewsruqgiwnjwa" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_bastion_host" -> null%0A - result = "bast-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.caf_name_hub_rg will be created%0A + resource "azurecaf_name" "caf_name_hub_rg" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "eslz2"%0A + passthrough = false%0A + prefixes = [%0A + "sec-baseline-1-hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_resource_group"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # azurecaf_name.firewall will be destroyed%0A # (because azurecaf_name.firewall is not in configuration)%0A - resource "azurecaf_name" "firewall" {%0A - clean_input = true -> null%0A - id = "atqhstfaibxdnjav" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_firewall" -> null%0A - result = "fw-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.law will be destroyed%0A # (because azurecaf_name.law is not in configuration)%0A - resource "azurecaf_name" "law" {%0A - clean_input = true -> null%0A - id = "fqnobcgpjpovkway" -> null%0A - name = "hub-scenario1" -> null%0A - 
passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_log_analytics_workspace" -> null%0A - result = "log-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.resource_group will be destroyed%0A # (because azurecaf_name.resource_group is not in configuration)%0A - resource "azurecaf_name" "resource_group" {%0A - clean_input = true -> null%0A - id = "sdhamjahaycopevr" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_resource_group" -> null%0A - result = "rg-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurecaf_name.vnet will be destroyed%0A # (because azurecaf_name.vnet is not in configuration)%0A - resource "azurecaf_name" "vnet" {%0A - clean_input = true -> null%0A - id = "eayygfcnmpfqsowx" -> null%0A - name = "hub-scenario1" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_virtual_network" -> null%0A - result = "vnet-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - suffixes = [%0A - "wus3",%0A ] -> null%0A - use_slug = true -> null%0A }%0A%0A # azurerm_log_analytics_workspace.law will be destroyed%0A # (because azurerm_log_analytics_workspace.law is not in configuration)%0A - resource "azurerm_log_analytics_workspace" "law" {%0A - allow_resource_only_permissions = true -> null%0A - cmk_for_query_forced = false -> null%0A - daily_quota_gb = -1 -> null%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> null%0A - internet_ingestion_enabled = true -> null%0A - 
internet_query_enabled = true -> null%0A - local_authentication_disabled = false -> null%0A - location = "westus3" -> null%0A - name = "log-hub-scenario1-wus3" -> null%0A - primary_shared_key = (sensitive value) -> null%0A - resource_group_name = "rg-hub-scenario1-wus3" -> null%0A - retention_in_days = 30 -> null%0A - secondary_shared_key = (sensitive value) -> null%0A - sku = "PerGB2018" -> null%0A - tags = {} -> null%0A - workspace_id = "2b9150ce-64a2-4a6d-885e-cd7dfd9e8153" -> null%0A }%0A%0A # azurerm_resource_group.hub must be replaced%0A-/+ resource "azurerm_resource_group" "hub" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A - "terraform" = "true" -> null%0A }%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.bastion[0].azurecaf_name.bastion_pip will be destroyed%0A # (because azurecaf_name.bastion_pip is not in configuration)%0A - resource "azurecaf_name" "bastion_pip" {%0A - clean_input = true -> null%0A - id = "qwntecdiprlwaonl" -> null%0A - name = "bast-hub-scenario1-wus3" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_public_ip" -> null%0A - result = "pip-bast-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - use_slug = true -> null%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_bastion will be created%0A + resource "azurecaf_name" "caf_name_bastion" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "eslz2"%0A + passthrough = false%0A + prefixes = [%0A + "sec-baseline-1-hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + 
result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip will be created%0A + resource "azurecaf_name" "caf_name_pip" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "eslz2"%0A + passthrough = false%0A + prefixes = [%0A + "sec-baseline-1-hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_public_ip"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-69efc60e-54e0-4ac8-b44f-4347f67dc108.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/bastionHosts/bast-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "bastion"%0A }%0A # (8 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" # forces replacement 
-> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-bast-hub-scenario1-wus3" -> (known after apply)%0A ~ ip_address = "20.25.144.65" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "pip-bast-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_firewall will be created%0A + resource "azurecaf_name" "caf_name_firewall" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "eslz2"%0A + passthrough = false%0A + prefixes = [%0A + "sec-baseline-1-hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_firewall"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_law[0] will be created%0A + resource "azurecaf_name" "caf_name_law" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "eslz2"%0A + passthrough = false%0A + prefixes = [%0A + "sec-baseline-1-hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_log_analytics_workspace"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_pip will 
be created%0A + resource "azurecaf_name" "caf_name_pip" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "eslz2"%0A + passthrough = false%0A + prefixes = [%0A + "sec-baseline-1-hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_public_ip"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + use_slug = true%0A }%0A%0A # module.firewall[0].azurecaf_name.firewall_pip will be destroyed%0A # (because azurecaf_name.firewall_pip is not in configuration)%0A - resource "azurecaf_name" "firewall_pip" {%0A - clean_input = true -> null%0A - id = "buncvpcbdyqgwdik" -> null%0A - name = "fw-hub-scenario1-wus3" -> null%0A - passthrough = false -> null%0A - random_length = 0 -> null%0A - resource_type = "azurerm_public_ip" -> null%0A - result = "pip-fw-hub-scenario1-wus3" -> null%0A - results = {} -> null%0A - separator = "-" -> null%0A - use_slug = true -> null%0A }%0A%0A # module.firewall[0].azurerm_firewall.firewall must be replaced%0A-/+ resource "azurerm_firewall" "firewall" {%0A - dns_servers = [] -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - private_ip_ranges = [] -> null%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "firewall"%0A }%0A ~ threat_intel_mode = "Alert" -> (known after apply)%0A - zones = [] -> null%0A # (3 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "firewallIpConfiguration"%0A ~ private_ip_address = "10.242.0.4" -> (known after apply)%0A 
~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply)%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor must be replaced%0A-/+ resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A name = "Azure-Monitor-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-azure-monitor"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core must be replaced%0A-/+ resource "azurerm_firewall_application_rule_collection" "core" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A name = "Core-Dependencies-FQDNs"%0A ~ resource_group_name = 
"rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-core-apis"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-developer-services"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-certificate-dependencies"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops must be replaced%0A-/+ resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A name = "Devops-VM-Dependencies-FQDNs"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-azure-ad-join"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A ~ rule {%0A - fqdn_tags = [] -> null%0A name = "allow-vm-dependencies-and-tools"%0A - source_ip_groups = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops must be replaced%0A-/+ resource "azurerm_firewall_network_rule_collection" 
"windows_vm_devops" {%0A ~ azure_firewall_name = "fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A name = "Windows-VM-Connectivity-Requirements"%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (2 unchanged attributes hidden)%0A%0A ~ rule {%0A - destination_fqdns = [] -> null%0A - destination_ip_groups = [] -> null%0A name = "allow-kms-activation"%0A - source_ip_groups = [] -> null%0A # (4 unchanged attributes hidden)%0A }%0A ~ rule {%0A - destination_fqdns = [] -> null%0A - destination_ip_groups = [] -> null%0A name = "allow-ntp"%0A - source_ip_groups = [] -> null%0A # (4 unchanged attributes hidden)%0A }%0A }%0A%0A # module.firewall[0].azurerm_log_analytics_workspace.law[0] will be created%0A + resource "azurerm_log_analytics_workspace" "law" {%0A + allow_resource_only_permissions = true%0A + daily_quota_gb = -1%0A + id = (known after apply)%0A + internet_ingestion_enabled = true%0A + internet_query_enabled = true%0A + local_authentication_disabled = false%0A + location = "westus3"%0A + name = (known after apply)%0A + primary_shared_key = (sensitive value)%0A + reservation_capacity_in_gb_per_day = (known after apply)%0A + resource_group_name = (known after apply)%0A + retention_in_days = (known after apply)%0A + secondary_shared_key = (sensitive value)%0A + sku = "PerGB2018"%0A + workspace_id = (known after apply)%0A }%0A%0A # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced%0A-/+ resource "azurerm_monitor_diagnostic_setting" "this" {%0A ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3|fw-hub-scenario1-wus3-diagnostic-settings" -> (known after apply)%0A ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)%0A ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.OperationalInsights/workspaces/log-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "fw-hub-scenario1-wus3-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement%0A ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A%0A - log {%0A - category_group = "allLogs" -> null%0A - enabled = true -> null%0A%0A - retention_policy {%0A - days = 0 -> null%0A - enabled = false -> null%0A }%0A }%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced%0A-/+ resource "azurerm_public_ip" "firewall_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/publicIPAddresses/pip-fw-hub-scenario1-wus3" -> (known after apply)%0A ~ ip_address = "20.25.144.42" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "pip-fw-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "firewall"%0A }%0A - zones = [] -> null%0A 
# (7 unchanged attributes hidden)%0A }%0A%0A # module.network.azurecaf_name.caf_name_vnet will be created%0A + resource "azurecaf_name" "caf_name_vnet" {%0A + clean_input = true%0A + id = (known after apply)%0A + name = "eslz2"%0A + passthrough = false%0A + prefixes = [%0A + "sec-baseline-1-hub",%0A + "westus3",%0A ]%0A + random_length = 0%0A + resource_type = "azurerm_virtual_network"%0A + result = (known after apply)%0A + results = (known after apply)%0A + separator = "-"%0A + suffixes = [%0A + "prod",%0A ]%0A + use_slug = true%0A }%0A%0A # module.network.azurerm_subnet.this[0] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet" -> (known after apply)%0A name = "AzureFirewallSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[1] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet" -> (known after apply)%0A name = "AzureBastionSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_virtual_network.this must be replaced%0A-/+ resource "azurerm_virtual_network" "this" {%0A ~ dns_servers = [] -> (known after apply)%0A - flow_timeout_in_minutes = 0 -> null%0A ~ guid = "a57f2f5c-bf2d-4771-b21e-44bd81de7186" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> (known after apply)%0A ~ name = "vnet-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "rg-hub-scenario1-wus3" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet = [%0A - {%0A - address_prefix = "10.242.0.0/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureFirewallSubnet"%0A - name = "AzureFirewallSubnet"%0A - security_group = ""%0A },%0A - {%0A - address_prefix = "10.242.0.64/26"%0A - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/subnets/AzureBastionSubnet"%0A - name = "AzureBastionSubnet"%0A - security_group = ""%0A },%0A ] -> (known after apply)%0A ~ tags = {%0A + "Environment" = "prod"%0A + "Owner" = "cloudops@contoso.com"%0A + "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A + "Terraform" = "true"%0A + "module" = "network"%0A }%0A # (2 unchanged attributes hidden)%0A }%0A%0APlan: 21 to add, 0 to change, 21 to destroy.%0A%0AChanges to Outputs:%0A ~ bastion_name = "bast-hub-scenario1-wus3" -> (known after apply)%0A ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/azureFirewalls/fw-hub-scenario1-wus3/networkRuleCollections/Windows-VM-Connectivity ... ```

The output is too long and was truncated. You can read the full plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️ `success`

Terraform Validation 🤖 `success`

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖 `success`

Show Plan ``` [command]/home/runner/work/_temp/18d4f0fe-9790-414e-a852-0466fbd486f4/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create - destroy -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.appsvc_subnet must be replaced -/+ resource "azurecaf_name" "appsvc_subnet" { ~ id = "eahfcteguwocrcji" -> (known after apply) ~ name = "appsvc" -> "eslz1" # forces replacement + prefixes = [ # forces replacement + "spoke", + "sec-baseline-1-spoke", + "westus3", ] ~ result = "snet-appsvc" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.caf_name_id_contributor will be created + resource "azurecaf_name" "caf_name_id_contributor" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "contributor", ] + use_slug = true } # azurecaf_name.caf_name_id_reader will be created + resource "azurecaf_name" "caf_name_id_reader" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_user_assigned_identity" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "reader", ] + use_slug = true } # azurecaf_name.caf_name_law will be created + resource "azurecaf_name" "caf_name_law" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_log_analytics_workspace" + result = (known after 
apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # azurecaf_name.caf_name_spoke_rg will be created + resource "azurecaf_name" "caf_name_spoke_rg" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "spoke", + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_resource_group" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # azurecaf_name.contributor_identity will be destroyed # (because azurecaf_name.contributor_identity is not in configuration) - resource "azurecaf_name" "contributor_identity" { - clean_input = true -> null - id = "faaiwooqlrertweh" -> null - name = "spoke-scenario1-contributor" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_user_assigned_identity" -> null - result = "msi-spoke-scenario1-contributor" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.devops_subnet will be destroyed # (because azurecaf_name.devops_subnet is not in configuration) - resource "azurecaf_name" "devops_subnet" { - clean_input = true -> null - id = "fjomqdwilwaduxok" -> null - name = "devops" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_subnet" -> null - result = "snet-devops" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.devops_vm will be destroyed # (because azurecaf_name.devops_vm is not in configuration) - resource "azurecaf_name" "devops_vm" { - clean_input = true -> null - id = "ttfcmqugwsdkfhks" -> null - name = "spoke-scenario1-devops" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_windows_virtual_machine" -> null - result = "vm-5461" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "5461", ] -> null - 
use_slug = true -> null } # azurecaf_name.ingress_subnet will be destroyed # (because azurecaf_name.ingress_subnet is not in configuration) - resource "azurecaf_name" "ingress_subnet" { - clean_input = true -> null - id = "uovsewjfyvkpqgmc" -> null - name = "ingress" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_subnet" -> null - result = "snet-ingress" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.law must be replaced -/+ resource "azurecaf_name" "law" { ~ id = "skxvsjgcgfwtcqdj" -> (known after apply) ~ name = "scenario1" -> "eslz1" # forces replacement ~ result = "log-scenario1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.private_link_subnet will be destroyed # (because azurecaf_name.private_link_subnet is not in configuration) - resource "azurecaf_name" "private_link_subnet" { - clean_input = true -> null - id = "rxoobxqlkxiyoegd" -> null - name = "private-link" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_subnet" -> null - result = "snet-private-link" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.reader_identity will be destroyed # (because azurecaf_name.reader_identity is not in configuration) - resource "azurecaf_name" "reader_identity" { - clean_input = true -> null - id = "xrauxtuqfikfeusf" -> null - name = "spoke-scenario1-reader" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_user_assigned_identity" -> null - result = "msi-spoke-scenario1-reader" -> null - results = {} -> null - separator = "-" -> null - use_slug = true -> null } # azurecaf_name.resource_group will be destroyed # (because azurecaf_name.resource_group is not in configuration) - resource "azurecaf_name" "resource_group" { - clean_input = true -> null - id = 
"kfnewsrfqcyurtyr" -> null - name = "spoke-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_resource_group" -> null - result = "rg-spoke-scenario1-prod-wus3" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", - "wus3", ] -> null - use_slug = true -> null } # azurecaf_name.spoke_network will be destroyed # (because azurecaf_name.spoke_network is not in configuration) - resource "azurecaf_name" "spoke_network" { - clean_input = true -> null - id = "lncsogkngwnchrpr" -> null - name = "spoke-scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_virtual_network" -> null - result = "vnet-spoke-scenario1-prod" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", ] -> null - use_slug = true -> null } # azurerm_log_analytics_workspace.law must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.OperationalInsights/workspaces/log-scenario1-prod" -> (known after apply) ~ name = "log-scenario1-prod" # forces replacement -> (known after apply) # forces replacement ~ primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ secondary_shared_key = (sensitive value) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } ~ workspace_id = "cd74b5b5-f37f-4600-98ad-40e4ef86be2d" -> (known after apply) # (8 unchanged attributes hidden) } # azurerm_resource_group.spoke must be replaced -/+ resource "azurerm_resource_group" "spoke" { ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3" -> (known after apply) ~ name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" - "application-name" = "scenario1" -> null - "environment" = "prod" -> null - "terraform" = "true" -> null } # (1 unchanged attribute hidden) } # azurerm_user_assigned_identity.contributor must be replaced -/+ resource "azurerm_user_assigned_identity" "contributor" { ~ client_id = "9a1f7faa-9f41-4c41-be7e-087eb726c23f" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-spoke-scenario1-contributor" -> (known after apply) ~ name = "msi-spoke-scenario1-contributor" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "e0423675-ddf8-4a7d-82f0-74bf3e39617f" -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) # (1 unchanged attribute hidden) } # azurerm_user_assigned_identity.reader must be replaced -/+ resource "azurerm_user_assigned_identity" "reader" { ~ client_id = "dc0137c5-9e48-4ec8-b52f-8b37c8ca4110" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-spoke-scenario1-reader" -> (known after apply) ~ name = "msi-spoke-scenario1-reader" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "59ae8e61-8c55-4668-81c8-029d34ac759f" -> (known after apply) ~ 
resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) # (1 unchanged attribute hidden) } # azurerm_virtual_network_peering.hub_to_spoke will be destroyed # (because azurerm_virtual_network_peering.hub_to_spoke is not in configuration) - resource "azurerm_virtual_network_peering" "hub_to_spoke" { - allow_forwarded_traffic = false -> null - allow_gateway_transit = false -> null - allow_virtual_network_access = true -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3/virtualNetworkPeerings/hub-to-spoke-scenario1" -> null - name = "hub-to-spoke-scenario1" -> null - remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod" -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - use_remote_gateways = false -> null - virtual_network_name = "vnet-hub-scenario1-wus3" -> null } # azurerm_virtual_network_peering.spoke_to_hub will be destroyed # (because azurerm_virtual_network_peering.spoke_to_hub is not in configuration) - resource "azurerm_virtual_network_peering" "spoke_to_hub" { - allow_forwarded_traffic = false -> null - allow_gateway_transit = false -> null - allow_virtual_network_access = true -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/virtualNetworkPeerings/spoke-to-hub-scenario1" -> null - name = "spoke-to-hub-scenario1" -> null - remote_virtual_network_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - use_remote_gateways = false -> null - virtual_network_name = "vnet-spoke-scenario1-prod" -> null } # random_password.vm_admin_password will be destroyed # (because random_password.vm_admin_password is not in configuration) - resource "random_password" "vm_admin_password" { - bcrypt_hash = (sensitive value) -> null - id = "none" -> null - length = 16 -> null - lower = true -> null - min_lower = 0 -> null - min_numeric = 0 -> null - min_special = 0 -> null - min_upper = 0 -> null - number = true -> null - numeric = true -> null - result = (sensitive value) -> null - special = true -> null - upper = true -> null } # random_password.vm_admin_username will be destroyed # (because random_password.vm_admin_username is not in configuration) - resource "random_password" "vm_admin_username" { - bcrypt_hash = (sensitive value) -> null - id = "none" -> null - length = 10 -> null - lower = true -> null - min_lower = 0 -> null - min_numeric = 0 -> null - min_special = 0 -> null - min_upper = 0 -> null - number = true -> null - numeric = true -> null - result = (sensitive value) -> null - special = false -> null - upper = true -> null } # module.app_configuration[0].azurecaf_name.app_config will be destroyed # (because azurecaf_name.app_config is not in configuration) - resource "azurecaf_name" "app_config" { - clean_input = true -> null - id = "hvfhgntvkcpjiyhr" -> null - name = "scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_app_configuration" -> null - result = "appcg-scenario1-prod-5461" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", - "5461", ] -> null - use_slug = true -> null } # module.app_configuration[0].azurecaf_name.caf_name_appconf will be created + 
resource "azurecaf_name" "caf_name_appconf" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_app_configuration" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "5461", ] + use_slug = true } # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "pyswsamufmtrushj" -> (known after apply) ~ name = "appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-appcg-scenario1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this must be replaced -/+ resource "azurerm_app_configuration" "this" { ~ endpoint = "https://appcg-scenario1-prod-5461.azconfig.io" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" -> (known after apply) ~ name = "appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ primary_read_key = [] -> (known after apply) ~ primary_write_key = [] -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ secondary_read_key = [] -> (known after apply) ~ secondary_write_key = [] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" - "environment" = "prod" -> null + "module" = "app-configuration" } # (6 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_dns_a_record.this must be 
replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "appcg-scenario1-prod-5461.privatelink.azconfig.io." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/appcg-scenario1-prod-5461" -> (known after apply) ~ name = "appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.5", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "appcg-scenario1-prod-5461.azconfig.io" - ip_addresses = [ - "10.240.11.5", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/privateEndpoints/pe-appcg-scenario1-prod-5461" -> (known after apply) ~ name = "pe-appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/networkInterfaces/pe-appcg-scenario1-prod-5461.nic.47c44059-1023-40e2-9918-d69f8a28d16b" - name = "pe-appcg-scenario1-prod-5461.nic.47c44059-1023-40e2-9918-d69f8a28d16b" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (1 unchanged 
attribute hidden) ~ private_service_connection { name = "app-config-private-endpoint" ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.5" -> (known after apply) # (2 unchanged attributes hidden) } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced -/+ resource "azurerm_role_assignment" "data_owners" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461/providers/Microsoft.Authorization/roleAssignments/00773630-3305-2441-cffe-c432f199ee9b" -> (known after apply) ~ name = "00773630-3305-2441-cffe-c432f199ee9b" -> (known after apply) ~ principal_id = "e0423675-ddf8-4a7d-82f0-74bf3e39617f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced -/+ resource "azurerm_role_assignment" "data_readers" { ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461/providers/Microsoft.Authorization/roleAssignments/57f38bb6-3905-3e4a-a26c-7f4fd0d28675" -> (known after apply) ~ name = "57f38bb6-3905-3e4a-a26c-7f4fd0d28675" -> (known after apply) ~ principal_id = "59ae8e61-8c55-4668-81c8-029d34ac759f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.AppConfiguration/configurationStores/appcg-scenario1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_insights.azurecaf_name.app_insights will be destroyed # (because azurecaf_name.app_insights is not in configuration) - resource "azurecaf_name" "app_insights" { - clean_input = true -> null - id = "xuhcuoesrdkfiohr" -> null - name = "scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_application_insights" -> null - result = "appi-scenario1-prod" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", ] -> null - use_slug = true -> null } # module.app_insights.azurerm_application_insights.this will be destroyed # (because azurerm_application_insights.this is not in configuration) - resource "azurerm_application_insights" "this" { - app_id = "bc788d07-2ce1-4a2b-9c13-8b86bb01292f" -> null - application_type = "web" -> null - connection_string = (sensitive value) -> null - daily_data_cap_in_gb = 100 -> null - 
daily_data_cap_notifications_disabled = false -> null - disable_ip_masking = false -> null - force_customer_storage_for_profiler = false -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Insights/components/appi-scenario1-prod" -> null - instrumentation_key = (sensitive value) -> null - internet_ingestion_enabled = true -> null - internet_query_enabled = true -> null - local_authentication_disabled = false -> null - location = "westus3" -> null - name = "appi-scenario1-prod" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - retention_in_days = 90 -> null - sampling_percentage = 100 -> null - tags = {} -> null - workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.OperationalInsights/workspaces/log-scenario1-prod" -> null } # module.app_service.azurecaf_name.caf_name_appinsights will be created + resource "azurecaf_name" "caf_name_appinsights" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_application_insights" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_service.azurecaf_name.caf_name_asp will be created + resource "azurecaf_name" "caf_name_asp" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_app_service_plan" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.app_service.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = 
"web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = (known after apply) + resource_group_name = (known after apply) + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this must be replaced -/+ resource "azurerm_service_plan" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Web/serverfarms/asp-scenario1-win-prod" -> (known after apply) ~ kind = "app" -> (known after apply) ~ maximum_elastic_worker_count = 1 -> (known after apply) ~ name = "asp-scenario1-win-prod" # forces replacement -> (known after apply) # forces replacement ~ reserved = false -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-service" } # (6 unchanged attributes hidden) } # module.front_door.azurecaf_name.frontdoor will be destroyed # (because azurecaf_name.frontdoor is not in configuration) - resource "azurecaf_name" "frontdoor" { - clean_input = true -> null - id = "gwevwynflcnhtxnx" -> null - name = "scenario1" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_cdn_frontdoor_profile" -> null - result = "cfdp-scenario1-prod" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", ] -> null - use_slug = true -> null 
} # module.front_door.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be destroyed # (because azurerm_cdn_frontdoor_firewall_policy.waf is not in configuration) - resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - custom_block_response_status_code = 0 -> null - enabled = true -> null - frontend_endpoint_ids = [] -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> null - mode = "Prevention" -> null - name = "wafpolicymicrosoftdefaultruleset21" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - sku_name = "Premium_AzureFrontDoor" -> null - tags = {} -> null - managed_rule { - action = "Block" -> null - type = "Microsoft_DefaultRuleSet" -> null - version = "2.1" -> null } } # module.front_door.azurerm_cdn_frontdoor_profile.frontdoor will be destroyed # (because azurerm_cdn_frontdoor_profile.frontdoor is not in configuration) - resource "azurerm_cdn_frontdoor_profile" "frontdoor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod" -> null - name = "cfdp-scenario1-prod" -> null - resource_group_name = "rg-spoke-scenario1-prod-wus3" -> null - resource_guid = "9d932c88-5f8a-4c57-ad23-3edf5506c660" -> null - response_timeout_seconds = 120 -> null - sku_name = "Premium_AzureFrontDoor" -> null - tags = {} -> null } # module.front_door.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be destroyed # (because azurerm_cdn_frontdoor_security_policy.web_app_waf is not in configuration) - resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { - cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod" -> null - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod/securityPolicies/WAF-Security-Policy" -> null - name = "WAF-Security-Policy" -> null - security_policies { - firewall { - cdn_frontdoor_firewall_policy_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> null - association { - patterns_to_match = [ - "/*", ] -> null - domain { - active = true -> null - cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod/afdEndpoints/scenario1-prod-5461" -> null } } } } } # module.front_door.azurerm_monitor_diagnostic_setting.this[0] will be destroyed # (because azurerm_monitor_diagnostic_setting.this is not in configuration) - resource "azurerm_monitor_diagnostic_setting" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod|cfdp-scenario1-prod-diagnostic-settings}" -> null - log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.OperationalInsights/workspaces/log-scenario1-prod" -> null - name = "cfdp-scenario1-prod-diagnostic-settings}" -> null - target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Cdn/profiles/cfdp-scenario1-prod" -> null - enabled_log { - category_group = "allLogs" -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - log { - category_group = 
"audit" -> null - enabled = false -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - metric { - category = "AllMetrics" -> null - enabled = false -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } } # module.frontdoor.azurecaf_name.caf_name_afd will be created + resource "azurecaf_name" "caf_name_afd" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_frontdoor" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = (known after apply) + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = (known after apply) + resource_group_name = (known after apply) + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "frontdoor" } } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + 
cdn_frontdoor_firewall_policy_id = (known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = (known after apply) + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" + retention_policy { + days = 0 + enabled = false } } + metric { + category = "AllMetrics" + enabled = false + retention_policy { + days = 0 + enabled = false } } } # module.key_vault.azurecaf_name.caf_name_akv will be created + resource "azurecaf_name" "caf_name_akv" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_key_vault" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", + "5461", ] + use_slug = true } # module.key_vault.azurecaf_name.key_vault will be destroyed # (because azurecaf_name.key_vault is not in configuration) - resource "azurecaf_name" "key_vault" { - clean_input = true -> null - id = "hguunrloplmbyiry" -> null - name = "appsvc" -> null - passthrough = false -> null - random_length = 0 -> null - resource_type = "azurerm_key_vault" -> null - result = "kv-appsvc-prod-5461" -> null - results = {} -> null - separator = "-" -> null - suffixes = [ - "prod", - "5461", ] -> null - use_slug = true -> null } # module.key_vault.azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "brwyoneninsiueij" -> (known after apply) ~ name = "kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = 
"pe-kv-appsvc-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this must be replaced -/+ resource "azurerm_key_vault" "this" { ~ access_policy = [] -> (known after apply) - enabled_for_deployment = false -> null - enabled_for_template_deployment = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" -> (known after apply) ~ name = "kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" - "environment" = "prod" -> null + "module" = "key-vault" } ~ vault_uri = "https://kv-appsvc-prod-5461.vault.azure.net/" -> (known after apply) # (8 unchanged attributes hidden) ~ network_acls { - ip_rules = [] -> null - virtual_network_subnet_ids = [] -> null # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "kv-appsvc-prod-5461.privatelink.vaultcore.azure.net." 
-> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-appsvc-prod-5461" -> (known after apply) ~ name = "kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.6", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.key_vault.azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "kv-appsvc-prod-5461.vault.azure.net" - ip_addresses = [ - "10.240.11.6", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/privateEndpoints/pe-kv-appsvc-prod-5461" -> (known after apply) ~ name = "pe-kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/networkInterfaces/pe-kv-appsvc-prod-5461.nic.1b86c4a9-ef3f-4d4a-a496-0521921fd6c7" - name = "pe-kv-appsvc-prod-5461.nic.1b86c4a9-ef3f-4d4a-a496-0521921fd6c7" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (1 unchanged attribute hidden) ~ private_service_connection { ~ name = "pe-kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ 
private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.6" -> (known after apply) # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_officer" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461/providers/Microsoft.Authorization/roleAssignments/d9ef4ea5-dfb9-5be5-6fb9-4446ee840b1e" -> (known after apply) ~ name = "d9ef4ea5-dfb9-5be5-6fb9-4446ee840b1e" -> (known after apply) ~ principal_id = "e0423675-ddf8-4a7d-82f0-74bf3e39617f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_user" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461/providers/Microsoft.Authorization/roleAssignments/0d93282f-6fdc-9e45-ff24-2cbe16e37edb" -> (known after apply) ~ name = "0d93282f-6fdc-9e45-ff24-2cbe16e37edb" -> (known after apply) ~ 
principal_id = "59ae8e61-8c55-4668-81c8-029d34ac759f" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.KeyVault/vaults/kv-appsvc-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.network.azurecaf_name.caf_name_vnet will be created + resource "azurecaf_name" "caf_name_vnet" { + clean_input = true + id = (known after apply) + name = "eslz1" + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_virtual_network" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-appsvc" -> (known after apply) ~ name = "snet-appsvc" -> "serverFarm" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = 
[] -> null ~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) # (1 unchanged block hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-ingress" -> (known after apply) ~ name = "snet-ingress" -> "ingress" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[2] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-devops" -> (known after apply) ~ name = "snet-devops" -> "devops" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after 
apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[3] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" -> (known after apply) ~ name = "snet-private-link" -> "privateLink" # forces replacement ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "edeb3250-0d87-4fed-b91a-ce2cbbeec192" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod" -> (known after apply) ~ name = "vnet-spoke-scenario1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "rg-spoke-scenario1-prod-wus3" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ 
- { - address_prefix = "10.240.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-appsvc" - name = "snet-appsvc" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-ingress" - name = "snet-ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-devops" - name = "snet-devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-spoke-scenario1-prod-wus3/providers/Microsoft.Network/virtualNetworks/vnet-spoke-scenario1-prod/subnets/snet-private-link" - name = "snet-private-link" - security_group = "" }, ] -> (known after apply) ~ tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } # (2 unchanged attributes hidden) } # module.network.azurerm_virtual_network_peering.target_to_this[0] will be created + resource "azurerm_virtual_network_peering" "target_to_this" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-eslz1" + remote_virtual_network_id = (known after apply) + resource_group_name = "rg-hub-scenario1-wus3" + use_remote_gateways = false + virtual_network_name = "vnet-hub-scenario1-wus3" } # module.network.azurerm_virtual_network_peering.this_to_target[0] will be created + resource 
"azurerm_virtual_network_peering" "this_to_target" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-eslz1" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/virtualNetworks/vnet-hub-scenario1-wus3" + resource_group_name = (known after apply) + use_remote_gateways = false + virtual_network_name = (known after apply) } # module.private_dns_zones.azurerm_private_dns_zone.this will be destroyed # (because module.private_dns_zones is not in configuration) # (moved from module.private_dns_zones.azurerm_private_dns_zone.this[0]) - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azurewebsites.net" -> null - number_of_record_sets = 5 -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - tags = {} -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azurewebsites.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones.azurerm_private_dns_zone.this[1] will be destroyed # (because module.private_dns_zones is not in configuration) - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.database.windows.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - tags = {} -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.database.windows.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones.azurerm_private_dns_zone.this[2] will be destroyed # (because module.private_dns_zones is not in configuration) - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/rg-hub-scenario1-wus3/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azconfig.io" -> null - number_of_record_sets = 2 -> null - resource_group_name = "rg-hub-scenario1-wus3" -> null - tags = {} -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azconfig.io." -> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_ ... ```

The output was too long and has been truncated. You can read the full plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/e2c97f7f-50b0-4eea-941d-f169437da27c/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource 
"azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + 
resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = 
"sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = 
[ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } Plan: 4 to add, 0 to change, 0 to destroy. Changes to Outputs: ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ::debug::Terraform exited with code 0. 
::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource 
"azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A%0ATerraform will perform the following actions:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A 
]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + 
port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A 
]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0APlan: 4 to add, 0 to change, 0 to destroy.%0A%0AChanges to Outputs:%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/e15eb814-c533-4dd2-a9a3-c6a811ed44c9/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place -/+ destroy and then create replacement Terraform will perform the following actions: # module.bastion[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "fjjblixfamhcidbf" -> (known after apply) ~ name = "lzademo" -> "lzademo-bastion" # forces replacement ~ result = "secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-a8088446-d9ec-40d0-9170-011026643819.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/bastionHosts/secure-baseline-2-ase-wus2-vnet-lzademo" -> (known after apply) name = "secure-baseline-2-ase-wus2-vnet-lzademo" tags = { "Environment" = "dev" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 2] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } # (9 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply) ~ ip_address = "172.171.114.221" -> (known after apply) - ip_tags = {} -> null ~ name = "secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "dev" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 2] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } - zones = [] -> null # (8 unchanged attributes hidden) } # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place ~ resource "azurerm_subnet" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment" name = "hostingEnvironment" # (9 unchanged attributes hidden) ~ delegation { name = "Microsoft.Web/serverFarms" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 3 to add, 1 to change, 3 to destroy. ::debug::Terraform exited with code 0. ::debug::stdout: %0ATerraform used the selected providers to generate the following execution%0Aplan. 
Resource actions are indicated with the following symbols:%0A ~ update in-place%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "fjjblixfamhcidbf" -> (known after apply)%0A ~ name = "lzademo" -> "lzademo-bastion" # forces replacement%0A ~ result = "secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-a8088446-d9ec-40d0-9170-011026643819.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/bastionHosts/secure-baseline-2-ase-wus2-vnet-lzademo" -> (known after apply)%0A name = "secure-baseline-2-ase-wus2-vnet-lzademo"%0A tags = {%0A "Environment" = "dev"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A # (9 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply)%0A ~ ip_address = "172.171.114.221" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "dev"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (8 unchanged attributes hidden)%0A }%0A%0A # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place%0A ~ resource "azurerm_subnet" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment"%0A name = "hostingEnvironment"%0A # (9 unchanged attributes hidden)%0A%0A ~ delegation {%0A name = "Microsoft.Web/serverFarms"%0A%0A ~ service_delegation {%0A ~ actions = [%0A - "Microsoft.Network/virtualNetworks/subnets/action",%0A + "Microsoft.Network/virtualNetworks/subnets/join/action",%0A + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",%0A ]%0A name = "Microsoft.Web/hostingEnvironments"%0A }%0A }%0A }%0A%0APlan: 3 to add, 1 to change, 3 to destroy.%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

github-actions[bot] commented 1 year ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` [command]/home/runner/work/_temp/058c0954-7a97-4feb-8233-74d483926450/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" 
"Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes 
hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (4 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.network.azurerm_virtual_network.this has changed%0A ~ resource "azurerm_virtual_network" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A ~ subnet = [%0A + {%0A + address_prefix = "10.240.0.0/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"%0A + name = "serverFarm"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.0.64/26"%0A + id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"%0A + name = "ingress"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.10.128/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"%0A + name = "devops"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.11.0/24"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"%0A + name = "privateLink"%0A + security_group = ""%0A },%0A ]%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"%0A name = "privatelink.azurewebsites.net"%0A ~ number_of_record_sets = 1 -> 5%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"%0A name = "privatelink.database.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"%0A name = "privatelink.azconfig.io"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"%0A name = "privatelink.vaultcore.azure.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed%0A ~ resource 
"azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"%0A name = "privatelink.redis.cache.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A ~ update in-place%0A%0ATerraform will perform the following actions:%0A%0A # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place%0A ~ resource "azurerm_monitor_diagnostic_setting" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A + log_analytics_destination_type = "AzureDiagnostics"%0A name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A # (2 unchanged attributes hidden)%0A%0A # (4 unchanged blocks hidden)%0A }%0A%0APlan: 0 to add, 1 to change, 0 to destroy.%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline