search

Azure / appservice-landing-zone-accelerator

The Azure App Service landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure App Service at scale.
https://build.microsoft.com/en-US/sessions/58f92fab-3298-444d-b215-6b93219cd5d7?source=sessions
MIT License
200 stars 95 forks source link

Feature/terraform refactor for Scenarios 1 and 2 #178

Closed JinLee794 closed 10 months ago

JinLee794 commented 11 months ago

Description

106

Pipeline references

For module/pipeline changes, please create and attach the status badge of your successful run.

Pipeline
https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.hub.yml
https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml
https://github.com/Azure/appservice-landing-zone-accelerator/actions/workflows/scenario1.terraform.spoke.yml

Type of Change

Please delete options that are not relevant.

Checklist

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/e988bc5b-e51e-4ae2-a06d-4b84c6f2d008/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } Plan: 4 to add, 0 to change, 0 to destroy. Changes to Outputs: ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A%0ATerraform will perform the following actions:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0APlan: 4 to add, 0 to change, 0 to destroy.%0A%0AChanges to Outputs:%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/2c4a420f-fd26-4da7-9db9-65cbf0e1cf88/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place -/+ destroy and then create replacement Terraform will perform the following actions: # module.bastion[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "fjjblixfamhcidbf" -> (known after apply) ~ name = "lzademo" -> "lzademo-bastion" # forces replacement ~ result = "secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-a8088446-d9ec-40d0-9170-011026643819.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/bastionHosts/secure-baseline-2-ase-wus2-vnet-lzademo" -> (known after apply) name = "secure-baseline-2-ase-wus2-vnet-lzademo" tags = { "Environment" = "dev" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 2] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } # (9 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply) ~ ip_address = "172.171.114.221" -> (known after apply) - ip_tags = {} -> null ~ name = "secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "dev" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 2] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } - zones = [] -> null # (8 unchanged attributes hidden) } # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place ~ resource "azurerm_subnet" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment" name = "hostingEnvironment" # (9 unchanged attributes hidden) ~ delegation { name = "Microsoft.Web/serverFarms" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 3 to add, 1 to change, 3 to destroy. ::debug::Terraform exited with code 0. ::debug::stdout: %0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A ~ update in-place%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "fjjblixfamhcidbf" -> (known after apply)%0A ~ name = "lzademo" -> "lzademo-bastion" # forces replacement%0A ~ result = "secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-a8088446-d9ec-40d0-9170-011026643819.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/bastionHosts/secure-baseline-2-ase-wus2-vnet-lzademo" -> (known after apply)%0A name = "secure-baseline-2-ase-wus2-vnet-lzademo"%0A tags = {%0A "Environment" = "dev"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A # (9 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/publicIPAddresses/secure-baseline-2-ase-wus2-pip-lzademo" -> (known after apply)%0A ~ ip_address = "172.171.114.221" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ name = "secure-baseline-2-ase-wus2-pip-lzademo" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "dev"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 2] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (8 unchanged attributes hidden)%0A }%0A%0A # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place%0A ~ resource "azurerm_subnet" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment"%0A name = "hostingEnvironment"%0A # (9 unchanged attributes hidden)%0A%0A ~ delegation {%0A name = "Microsoft.Web/serverFarms"%0A%0A ~ service_delegation {%0A ~ actions = [%0A - "Microsoft.Network/virtualNetworks/subnets/action",%0A + "Microsoft.Network/virtualNetworks/subnets/join/action",%0A + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",%0A ]%0A name = "Microsoft.Web/hostingEnvironments"%0A }%0A }%0A }%0A%0APlan: 3 to add, 1 to change, 3 to destroy.%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/913c9e99-f748-46c8-8cb6-170309df7c76/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (4 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.network.azurerm_virtual_network.this has changed%0A ~ resource "azurerm_virtual_network" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A ~ subnet = [%0A + {%0A + address_prefix = "10.240.0.0/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"%0A + name = "serverFarm"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.0.64/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"%0A + name = "ingress"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.10.128/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"%0A + name = "devops"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.11.0/24"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"%0A + name = "privateLink"%0A + security_group = ""%0A },%0A ]%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"%0A name = "privatelink.azurewebsites.net"%0A ~ number_of_record_sets = 1 -> 5%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"%0A name = "privatelink.database.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"%0A name = "privatelink.azconfig.io"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"%0A name = "privatelink.vaultcore.azure.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"%0A name = "privatelink.redis.cache.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A ~ update in-place%0A%0ATerraform will perform the following actions:%0A%0A # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place%0A ~ resource "azurerm_monitor_diagnostic_setting" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A + log_analytics_destination_type = "AzureDiagnostics"%0A name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A # (2 unchanged attributes hidden)%0A%0A # (4 unchanged blocks hidden)%0A }%0A%0APlan: 0 to add, 1 to change, 0 to destroy.%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Plan failed

Plan Error Output ``` Error: Finding user with UPN: "jinle_microsoft.com#EXT#@customersuccessunit.onmicrosoft.com" with module.devops_vm[0].data.azuread_user.vm_admin, on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin": 88: data "azuread_user" "vm_admin" { UsersClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation. Error: Finding user with UPN: "jinle_microsoft.com#EXT#@customersuccessunit.onmicrosoft.com" with module.jumpbox_vm[0].data.azuread_user.vm_admin, on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin": 88: data "azuread_user" "vm_admin" { UsersClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation. ``` *Pusher: @JinLee794, Action: `pull_request`, Working Directory: `scenarios/secure-baseline-ase/terraform`, Workflow: `Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline`*
github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/3645858d-f180-4fea-bfc2-3ac41f944f0b/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } Plan: 4 to add, 0 to change, 0 to destroy. Changes to Outputs: ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A%0ATerraform will perform the following actions:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0APlan: 4 to add, 0 to change, 0 to destroy.%0A%0AChanges to Outputs:%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/a5f78226-09e1-4238-9d14-5a558326d8b4/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (4 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.network.azurerm_virtual_network.this has changed%0A ~ resource "azurerm_virtual_network" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A ~ subnet = [%0A + {%0A + address_prefix = "10.240.0.0/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"%0A + name = "serverFarm"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.0.64/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"%0A + name = "ingress"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.10.128/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"%0A + name = "devops"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.11.0/24"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"%0A + name = "privateLink"%0A + security_group = ""%0A },%0A ]%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"%0A name = "privatelink.azurewebsites.net"%0A ~ number_of_record_sets = 1 -> 5%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"%0A name = "privatelink.database.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"%0A name = "privatelink.azconfig.io"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"%0A name = "privatelink.vaultcore.azure.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"%0A name = "privatelink.redis.cache.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A ~ update in-place%0A%0ATerraform will perform the following actions:%0A%0A # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place%0A ~ resource "azurerm_monitor_diagnostic_setting" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A + log_analytics_destination_type = "AzureDiagnostics"%0A name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A # (2 unchanged attributes hidden)%0A%0A # (4 unchanged blocks hidden)%0A }%0A%0APlan: 0 to add, 1 to change, 0 to destroy.%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/1a0f5212-0e99-4421-943d-57131bdcc73e/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } Plan: 4 to add, 0 to change, 0 to destroy. Changes to Outputs: ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A%0ATerraform will perform the following actions:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0APlan: 4 to add, 0 to change, 0 to destroy.%0A%0AChanges to Outputs:%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Plan failed

Plan Error Output ``` Error: Finding user with UPN: "AppSvcLZA Azure AD SQL Admins" with module.devops_vm[0].data.azuread_user.vm_admin, on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin": 88: data "azuread_user" "vm_admin" { UsersClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation. Error: Finding user with UPN: "AppSvcLZA Azure AD SQL Admins" with module.jumpbox_vm[0].data.azuread_user.vm_admin, on ../../shared/terraform-modules/windows-vm/module.tf line 88, in data "azuread_user" "vm_admin": 88: data "azuread_user" "vm_admin" { UsersClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation. ``` *Pusher: @JinLee794, Action: `pull_request`, Working Directory: `scenarios/secure-baseline-ase/terraform`, Workflow: `Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline`*
github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/d55352ed-ef08-403a-ad47-b0ac1ce05f42/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (4 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.network.azurerm_virtual_network.this has changed%0A ~ resource "azurerm_virtual_network" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A ~ subnet = [%0A + {%0A + address_prefix = "10.240.0.0/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"%0A + name = "serverFarm"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.0.64/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"%0A + name = "ingress"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.10.128/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"%0A + name = "devops"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.11.0/24"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"%0A + name = "privateLink"%0A + security_group = ""%0A },%0A ]%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"%0A name = "privatelink.azurewebsites.net"%0A ~ number_of_record_sets = 1 -> 5%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"%0A name = "privatelink.database.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"%0A name = "privatelink.azconfig.io"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"%0A name = "privatelink.vaultcore.azure.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"%0A name = "privatelink.redis.cache.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A ~ update in-place%0A%0ATerraform will perform the following actions:%0A%0A # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place%0A ~ resource "azurerm_monitor_diagnostic_setting" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A + log_analytics_destination_type = "AzureDiagnostics"%0A name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A # (2 unchanged attributes hidden)%0A%0A # (4 unchanged blocks hidden)%0A }%0A%0APlan: 0 to add, 1 to change, 0 to destroy.%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/9d8d857b-a39e-4bb7-9f13-86746012d79f/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2" + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } Plan: 4 to add, 0 to change, 0 to destroy. Changes to Outputs: ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A%0ATerraform will perform the following actions:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = "sec-baseline-1-hub-westus3-fw-eslz2"%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2"%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0APlan: 4 to add, 0 to change, 0 to destroy.%0A%0AChanges to Outputs:%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/c14153a7-332a-44a0-bfc7-33d8260583e7/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place ~ resource "azurerm_monitor_diagnostic_setting" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" + log_analytics_destination_type = "AzureDiagnostics" name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # (2 unchanged attributes hidden) # (4 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.network.azurerm_virtual_network.this has changed%0A ~ resource "azurerm_virtual_network" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod"%0A ~ subnet = [%0A + {%0A + address_prefix = "10.240.0.0/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm"%0A + name = "serverFarm"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.0.64/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress"%0A + name = "ingress"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.10.128/26"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops"%0A + name = "devops"%0A + security_group = ""%0A },%0A + {%0A + address_prefix = "10.240.11.0/24"%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink"%0A + name = "privateLink"%0A + security_group = ""%0A },%0A ]%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"%0A name = "privatelink.azurewebsites.net"%0A ~ number_of_record_sets = 1 -> 5%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"%0A name = "privatelink.database.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"%0A name = "privatelink.azconfig.io"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"%0A name = "privatelink.vaultcore.azure.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed%0A ~ resource "azurerm_private_dns_zone" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"%0A name = "privatelink.redis.cache.windows.net"%0A ~ number_of_record_sets = 1 -> 2%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "private-dns-zone"%0A }%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A ~ update in-place%0A%0ATerraform will perform the following actions:%0A%0A # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be updated in-place%0A ~ resource "azurerm_monitor_diagnostic_setting" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A + log_analytics_destination_type = "AzureDiagnostics"%0A name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}"%0A # (2 unchanged attributes hidden)%0A%0A # (4 unchanged blocks hidden)%0A }%0A%0APlan: 0 to add, 1 to change, 0 to destroy.%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/91195bd7-a6a1-4e71-bad7-1b678f0918a4/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.caf_name_hub_rg must be replaced -/+ resource "azurecaf_name" "caf_name_hub_rg" { ~ id = "akckvaegwemunepv" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurerm_resource_group.hub must be replaced -/+ resource "azurerm_resource_group" "hub" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" } } # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced -/+ resource "azurecaf_name" "caf_name_bastion" { ~ id = "wbujomtsfcqdpxod" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.bastion[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "paqdxwmbugcxjhhq" -> (known after apply) name = "eslz2-bastion" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } # (7 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply) ~ ip_address = "20.163.49.112" -> (known after apply) - ip_tags = {} -> null ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } - zones = [] -> null # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced -/+ resource "azurecaf_name" "caf_name_firewall" { ~ id = "dtqvqxowbnalaruk" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced -/+ resource "azurecaf_name" "caf_name_law" { ~ id = "lofxpwfygywepldl" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "ofhucdctoijllhdb" -> (known after apply) name = "eslz2-fw" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurerm_firewall.firewall must be replaced -/+ resource "azurerm_firewall" "firewall" { - dns_servers = [] -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement - private_ip_ranges = [] -> null ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "firewall" } ~ threat_intel_mode = "Alert" -> (known after apply) - zones = [] -> null # (2 unchanged attributes hidden) ~ ip_configuration { name = "firewallIpConfiguration" ~ private_ip_address = "10.242.0.4" -> (known after apply) ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement ~ primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement ~ retention_in_days = 30 -> (known after apply) ~ secondary_shared_key = (sensitive value) - tags = {} -> null ~ workspace_id = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply) ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply) ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ name = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced -/+ resource "azurerm_public_ip" "firewall_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ ip_address = "20.25.176.182" -> (known after apply) - ip_tags = {} -> null ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "firewall" } - zones = [] -> null # (6 unchanged attributes hidden) } # module.network.azurecaf_name.caf_name_vnet must be replaced -/+ resource "azurecaf_name" "caf_name_vnet" { ~ id = "pvwuveykntdcxsyc" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply) name = "AzureFirewallSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply) name = "AzureBastionSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.242.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" - name = "AzureFirewallSubnet" - security_group = "" }, - { - address_prefix = "10.242.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" - name = "AzureBastionSubnet" - security_group = "" }, ] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (1 unchanged attribute hidden) } Plan: 21 to add, 0 to change, 17 to destroy. Changes to Outputs: ~ bastion_name = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ firewall_private_ip = "10.242.0.4" -> (known after apply) ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ~ rg_name = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ vnet_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # azurecaf_name.caf_name_hub_rg must be replaced%0A-/+ resource "azurecaf_name" "caf_name_hub_rg" {%0A ~ id = "akckvaegwemunepv" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # azurerm_resource_group.hub must be replaced%0A-/+ resource "azurerm_resource_group" "hub" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A }%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced%0A-/+ resource "azurecaf_name" "caf_name_bastion" {%0A ~ id = "wbujomtsfcqdpxod" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "paqdxwmbugcxjhhq" -> (known after apply)%0A name = "eslz2-bastion"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A # (7 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A ~ ip_address = "20.163.49.112" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced%0A-/+ resource "azurecaf_name" "caf_name_firewall" {%0A ~ id = "dtqvqxowbnalaruk" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced%0A-/+ resource "azurecaf_name" "caf_name_law" {%0A ~ id = "lofxpwfygywepldl" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "ofhucdctoijllhdb" -> (known after apply)%0A name = "eslz2-fw"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall.firewall must be replaced%0A-/+ resource "azurerm_firewall" "firewall" {%0A - dns_servers = [] -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - private_ip_ranges = [] -> null%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "firewall"%0A }%0A ~ threat_intel_mode = "Alert" -> (known after apply)%0A - zones = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "firewallIpConfiguration"%0A ~ private_ip_address = "10.242.0.4" -> (known after apply)%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0A # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced%0A-/+ resource "azurerm_log_analytics_workspace" "law" {%0A - cmk_for_query_forced = false -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ primary_shared_key = (sensitive value)%0A + reservation_capacity_in_gb_per_day = (known after apply)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ retention_in_days = 30 -> (known after apply)%0A ~ secondary_shared_key = (sensitive value)%0A - tags = {} -> null%0A ~ workspace_id = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced%0A-/+ resource "azurerm_monitor_diagnostic_setting" "this" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply)%0A ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)%0A ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ name = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement%0A ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A%0A - log {%0A - category_group = "allLogs" -> null%0A - enabled = true -> null%0A%0A - retention_policy {%0A - days = 0 -> null%0A - enabled = false -> null%0A }%0A }%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced%0A-/+ resource "azurerm_public_ip" "firewall_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ ip_address = "20.25.176.182" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "firewall"%0A }%0A - zones = [] -> null%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.network.azurecaf_name.caf_name_vnet must be replaced%0A-/+ resource "azurecaf_name" "caf_name_vnet" {%0A ~ id = "pvwuveykntdcxsyc" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[0] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply)%0A name = "AzureFirewallSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[1] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply)%0A name = "AzureBastionSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_virtual_network.this must be replaced%0A-/+ resource "azurerm_virtual_network" "this" {%0A ~ dns_servers = [] -> (known after apply)%0A - flow_timeout_in_minutes = 0 -> null%0A ~ guid = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet = [%0A - {%0A - address_prefix = "10.242.0.0/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet"%0A - name = "AzureFirewallSubnet"%0A - security_group = ""%0A },%0A - {%0A - address_prefix = "10.242.0.64/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet"%0A - name = "AzureBastionSubnet"%0A - security_group = ""%0A },%0A ] -> (known after apply)%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (1 unchanged attribute hidden)%0A }%0A%0APlan: 21 to add, 0 to change, 17 to destroy.%0A%0AChanges to Outputs:%0A ~ bastion_name = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ~ rg_name = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ vnet_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 11 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/cd5ef368-4558-4c19-b57e-79b1ee5120eb/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.appsvc_subnet must be replaced -/+ resource "azurecaf_name" "appsvc_subnet" { ~ id = "bhvjbwlscqphkcyx" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement # (1 unchanged element hidden) "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "spoke-sec-baseline-1-spoke-westus3-snet-eslz1" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.caf_name_id_contributor must be replaced -/+ resource "azurecaf_name" "caf_name_id_contributor" { ~ id = "dnlsksyhpkhsnwdj" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_id_reader must be replaced -/+ resource "azurecaf_name" "caf_name_id_reader" { ~ id = "jvaiptpdjdabmpiw" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_law must be replaced -/+ resource "azurecaf_name" "caf_name_law" { ~ id = "dmgjkgiqpambjtxs" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-log-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_spoke_rg must be replaced -/+ resource "azurecaf_name" "caf_name_spoke_rg" { ~ id = "yhpfxpcghfwqecxw" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement # (1 unchanged element hidden) "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.law must be replaced -/+ resource "azurecaf_name" "law" { ~ id = "deeavlehsaejricp" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ result = "log-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurerm_log_analytics_workspace.law must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "log-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ primary_shared_key = (sensitive value) + reservation_capacity_in_gb_per_day = (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_shared_key = (sensitive value) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } ~ workspace_id = "d011dd81-1237-42e0-9c8b-79b15170a2e9" -> (known after apply) # (7 unchanged attributes hidden) } # azurerm_resource_group.spoke must be replaced -/+ resource "azurerm_resource_group" "spoke" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor must be replaced -/+ resource "azurerm_user_assigned_identity" "contributor" { ~ client_id = "5b6d3e0a-cb5f-469c-8a03-5e84c1cbf762" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) } # azurerm_user_assigned_identity.reader must be replaced -/+ resource "azurerm_user_assigned_identity" "reader" { ~ client_id = "3efaf752-dfe8-4940-ac81-66b619bb3745" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) } # module.app_configuration[0].azurecaf_name.caf_name_appconf must be replaced -/+ resource "azurecaf_name" "caf_name_appconf" { ~ id = "tvaqutjmtrvbvety" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "jxmdskntabkbvfia" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this must be replaced -/+ resource "azurerm_app_configuration" "this" { ~ endpoint = "https://sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ primary_read_key = [] -> (known after apply) ~ primary_write_key = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_read_key = [] -> (known after apply) ~ secondary_write_key = [] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-configuration" } # (5 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.privatelink.azconfig.io." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.4", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" - ip_addresses = [ - "10.240.11.4", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec" - name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { name = "app-config-private-endpoint" ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.4" -> (known after apply) # (2 unchanged attributes hidden) } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced -/+ resource "azurerm_role_assignment" "data_owners" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply) ~ name = "af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply) ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced -/+ resource "azurerm_role_assignment" "data_readers" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/d67f6551-6738-e975-af28-77f05976002a" -> (known after apply) ~ name = "d67f6551-6738-e975-af28-77f05976002a" -> (known after apply) ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_service.azurecaf_name.caf_name_appinsights must be replaced -/+ resource "azurecaf_name" "caf_name_appinsights" { ~ id = "xcdytgfueolnctqo" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_service.azurecaf_name.caf_name_asp must be replaced -/+ resource "azurecaf_name" "caf_name_asp" { ~ id = "xqnjrrtjgoabvuke" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "westus3-plan-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_service.azurerm_application_insights.this must be replaced -/+ resource "azurerm_application_insights" "this" { ~ app_id = "4bb411f1-e975-444a-b559-823aa404d4ff" -> (known after apply) ~ connection_string = (sensitive value) ~ daily_data_cap_in_gb = 100 -> (known after apply) ~ daily_data_cap_notifications_disabled = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply) ~ instrumentation_key = (sensitive value) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) # (8 unchanged attributes hidden) } # module.app_service.azurerm_service_plan.this must be replaced -/+ resource "azurerm_service_plan" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Web/serverfarms/westus3-plan-eslz1-prod" -> (known after apply) ~ kind = "app" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ maximum_elastic_worker_count = 1 -> (known after apply) ~ name = "westus3-plan-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ reserved = false -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-service" } # (5 unchanged attributes hidden) } # module.frontdoor.azurecaf_name.caf_name_afd must be replaced -/+ resource "azurecaf_name" "caf_name_afd" { ~ id = "vjxqvtjmemddjsyg" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] must be replaced -/+ resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - custom_block_response_status_code = 0 -> null ~ frontend_endpoint_ids = [] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> (known after apply) name = "wafpolicymicrosoftdefaultruleset21" ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (3 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor must be replaced -/+ resource "azurerm_cdn_frontdoor_profile" "frontdoor" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ resource_guid = "a1cefc33-bf49-4155-a28a-d253ba7f23cd" -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "frontdoor" } # (2 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] must be replaced -/+ resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { ~ cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/securityPolicies/WAF-Security-Policy" -> (known after apply) name = "WAF-Security-Policy" ~ security_policies { ~ firewall { ~ cdn_frontdoor_firewall_policy_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" # forces replacement -> (known after apply) # forces replacement ~ association { # (1 unchanged attribute hidden) ~ domain { ~ active = true -> (known after apply) ~ cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/afdEndpoints/eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" -> (known after apply) + log_analytics_destination_type = "AzureDiagnostics" ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - log { - category_group = "audit" -> null - enabled = false -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.key_vault.azurecaf_name.caf_name_akv must be replaced -/+ resource "azurecaf_name" "caf_name_akv" { ~ id = "rfuhnmjbhvbivisd" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "kv-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.key_vault.azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "lbivgljqkjfyetww" -> (known after apply) ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-kv-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this must be replaced -/+ resource "azurerm_key_vault" "this" { ~ access_policy = [] -> (known after apply) - enabled_for_deployment = false -> null - enabled_for_template_deployment = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "key-vault" } ~ vault_uri = "https://kv-eslz1-prod-5461.vault.azure.net/" -> (known after apply) # (7 unchanged attributes hidden) ~ network_acls { - ip_rules = [] -> null - virtual_network_subnet_ids = [] -> null # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "kv-eslz1-prod-5461.privatelink.vaultcore.azure.net." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-eslz1-prod-5461" -> (known after apply) ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.6", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.key_vault.azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "kv-eslz1-prod-5461.vault.azure.net" - ip_addresses = [ - "10.240.11.6", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443" - name = "pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { ~ name = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.6" -> (known after apply) # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_officer" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply) ~ name = "914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply) ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_user" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply) ~ name = "f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply) ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.network.azurecaf_name.caf_name_vnet must be replaced -/+ resource "azurecaf_name" "caf_name_vnet" { ~ id = "wrcubxisxkppqukq" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" -> (known after apply) name = "serverFarm" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) # (1 unchanged block hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" -> (known after apply) name = "ingress" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[2] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" -> (known after apply) name = "devops" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[3] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" -> (known after apply) name = "privateLink" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "26abb02b-d37e-4084-9af0-8956b86e48ba" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.240.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" - name = "serverFarm" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" - name = "ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" - name = "devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" - name = "privateLink" - security_group = "" }, ] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network_peering.target_to_this[0] must be replaced -/+ resource "azurerm_virtual_network_peering" "target_to_this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/virtualNetworkPeerings/hub-to-spoke-eslz1" -> (known after apply) ~ name = "hub-to-spoke-eslz1" -> "hub-to-spoke-eslz2" # forces replacement ~ remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (6 unchanged attributes hidden) } # module.network.azurerm_virtual_network_peering.this_to_target[0] must be replaced -/+ resource "azurerm_virtual_network_peering" "this_to_target" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/virtualNetworkPeerings/spoke-to-hub-eslz1" -> (known after apply) ~ name = "spoke-to-hub-eslz1" -> "spoke-to-hub-eslz2" # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (5 unchanged attributes hidden) } # module.redis_cache[0].azurecaf_name.caf_name_redis must be replaced -/+ resource "azurecaf_name" "caf_name_redis" { ~ id = "qmdwakptsqrwgxse" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.redis_cache[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "arfqxqwlltqcwxqo" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.redis_cache[0].azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.privatelink.redis.cache.windows.net." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net/A/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.7", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.redis_cache[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" - ip_addresses = [ - "10.240.11.7", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e" - name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { ~ name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.7" -> (known after apply) # (2 unchanged attributes hidden) } } # module.redis_cache[0].azurerm_redis_cache.this must be replaced -/+ resource "azurerm_redis_cache" "this" { ~ hostname = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ port = 6379 -> (known after apply) ~ primary_access_key = (sensitive value) ~ primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) ~ redis_version = "6.0" -> (known after apply) ~ replicas_per_master = 0 -> (known after apply) ~ replicas_per_primary = 0 -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_access_key = (sensitive value) ~ secondary_connection_string = (sensitive value) - shard_count = 0 -> null ~ ssl_port = 6380 -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "redis" } - tenant_settings = {} -> null - zones = [] -> null # (6 unchanged attributes hidden) ~ redis_configuration { - aof_backup_enabled = false -> null ~ maxclients = 2000 -> (known after apply) ~ maxfragmentationmemory_reserved = 299 -> (known after apply) ~ maxmemory_delta = 299 -> (known after apply) ~ maxmemory_reserved = 299 -> (known after apply) - rdb_backup_enabled = false -> null - rdb_backup_frequency = 0 -> null - rdb_backup_max_snapshot_count = 0 -> null # (2 unchanged attributes hidden) } } # module.sql_database[0].azurecaf_name.caf_name_sqlserver must be replaced -/+ resource "azurecaf_name" "caf_name_sqlserver" { ~ id = "pmnternummrbgqpv" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.sql_database[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "eiedeunwqohdpaah" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.sql_database[0].azurerm_mssql_database.this[0] must be replaced -/+ resource "azurerm_mssql_database" "this" { ~ auto_pause_delay_in_minutes = 0 -> (known after apply) ~ collation = "SQL_Latin1_General_CP1_CI_AS" -> (known after apply) + creation_source_database_id = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461/databases/sample-db" -> (known after apply) ~ ledger_enabled = false -> (known after apply) + license_type = (known after apply) ~ maintenance_configuration_name = "SQL_Default" -> (known after apply) ~ max_size_gb = 250 -> (known after apply) ~ min_capacity = 0 -> (known after apply) name = "sample-db" ~ read_replica_count = 0 -> (known after apply) ~ read_scale = false -> (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) ~ server_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ zone_redundant = false -> (known after apply) # (5 unchanged attributes hidden) - long_term_retention_policy { - monthly_retention = "PT0S" -> null - week_of_year = 1 -> null - weekly_retention = "PT0S" -> null - yearly_retention = "PT0S" -> null } - short_term_retention_policy { - backup_interval_in_hours = 24 -> null - retention_days = 7 -> null } - threat_detection_policy { - disabled_alerts = [] -> null - email_account_admins = "Disabled" -> null - email_addresses = [] -> null - retention_days = 0 -> null - state = "Disabled" -> null } } # module.sql_database[0].azurerm_mssql_server.this must be replaced -/+ resource "azurerm_mssql_server" " ... ```

Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 10 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/a82f3bda-ba6d-465a-97ce-7979caf5c477/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.caf_name_hub_rg must be replaced -/+ resource "azurecaf_name" "caf_name_hub_rg" { ~ id = "akckvaegwemunepv" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurerm_resource_group.hub must be replaced -/+ resource "azurerm_resource_group" "hub" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" } } # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced -/+ resource "azurecaf_name" "caf_name_bastion" { ~ id = "wbujomtsfcqdpxod" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.bastion[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "paqdxwmbugcxjhhq" -> (known after apply) name = "eslz2-bastion" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } # (7 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply) ~ ip_address = "20.163.49.112" -> (known after apply) - ip_tags = {} -> null ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } - zones = [] -> null # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced -/+ resource "azurecaf_name" "caf_name_firewall" { ~ id = "dtqvqxowbnalaruk" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced -/+ resource "azurecaf_name" "caf_name_law" { ~ id = "lofxpwfygywepldl" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "ofhucdctoijllhdb" -> (known after apply) name = "eslz2-fw" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurerm_firewall.firewall must be replaced -/+ resource "azurerm_firewall" "firewall" { - dns_servers = [] -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement - private_ip_ranges = [] -> null ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "firewall" } ~ threat_intel_mode = "Alert" -> (known after apply) - zones = [] -> null # (2 unchanged attributes hidden) ~ ip_configuration { name = "firewallIpConfiguration" ~ private_ip_address = "10.242.0.4" -> (known after apply) ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement ~ primary_shared_key = (sensitive value) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement ~ retention_in_days = 30 -> (known after apply) ~ secondary_shared_key = (sensitive value) - tags = {} -> null ~ workspace_id = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply) ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply) ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ name = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced -/+ resource "azurerm_public_ip" "firewall_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ ip_address = "20.25.176.182" -> (known after apply) - ip_tags = {} -> null ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "firewall" } - zones = [] -> null # (6 unchanged attributes hidden) } # module.network.azurecaf_name.caf_name_vnet must be replaced -/+ resource "azurecaf_name" "caf_name_vnet" { ~ id = "pvwuveykntdcxsyc" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply) name = "AzureFirewallSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply) name = "AzureBastionSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.242.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" - name = "AzureFirewallSubnet" - security_group = "" }, - { - address_prefix = "10.242.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" - name = "AzureBastionSubnet" - security_group = "" }, ] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (1 unchanged attribute hidden) } Plan: 21 to add, 0 to change, 17 to destroy. Changes to Outputs: ~ bastion_name = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ firewall_private_ip = "10.242.0.4" -> (known after apply) ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ~ rg_name = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ vnet_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # azurecaf_name.caf_name_hub_rg must be replaced%0A-/+ resource "azurecaf_name" "caf_name_hub_rg" {%0A ~ id = "akckvaegwemunepv" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # azurerm_resource_group.hub must be replaced%0A-/+ resource "azurerm_resource_group" "hub" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A }%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced%0A-/+ resource "azurecaf_name" "caf_name_bastion" {%0A ~ id = "wbujomtsfcqdpxod" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "paqdxwmbugcxjhhq" -> (known after apply)%0A name = "eslz2-bastion"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A # (7 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A ~ ip_address = "20.163.49.112" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced%0A-/+ resource "azurecaf_name" "caf_name_firewall" {%0A ~ id = "dtqvqxowbnalaruk" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced%0A-/+ resource "azurecaf_name" "caf_name_law" {%0A ~ id = "lofxpwfygywepldl" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "ofhucdctoijllhdb" -> (known after apply)%0A name = "eslz2-fw"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall.firewall must be replaced%0A-/+ resource "azurerm_firewall" "firewall" {%0A - dns_servers = [] -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - private_ip_ranges = [] -> null%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "firewall"%0A }%0A ~ threat_intel_mode = "Alert" -> (known after apply)%0A - zones = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "firewallIpConfiguration"%0A ~ private_ip_address = "10.242.0.4" -> (known after apply)%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0A # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced%0A-/+ resource "azurerm_log_analytics_workspace" "law" {%0A - cmk_for_query_forced = false -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ primary_shared_key = (sensitive value)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ retention_in_days = 30 -> (known after apply)%0A ~ secondary_shared_key = (sensitive value)%0A - tags = {} -> null%0A ~ workspace_id = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced%0A-/+ resource "azurerm_monitor_diagnostic_setting" "this" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply)%0A ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)%0A ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ name = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement%0A ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A%0A - log {%0A - category_group = "allLogs" -> null%0A - enabled = true -> null%0A%0A - retention_policy {%0A - days = 0 -> null%0A - enabled = false -> null%0A }%0A }%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced%0A-/+ resource "azurerm_public_ip" "firewall_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ ip_address = "20.25.176.182" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "firewall"%0A }%0A - zones = [] -> null%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.network.azurecaf_name.caf_name_vnet must be replaced%0A-/+ resource "azurecaf_name" "caf_name_vnet" {%0A ~ id = "pvwuveykntdcxsyc" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[0] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply)%0A name = "AzureFirewallSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[1] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply)%0A name = "AzureBastionSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_virtual_network.this must be replaced%0A-/+ resource "azurerm_virtual_network" "this" {%0A ~ dns_servers = [] -> (known after apply)%0A - flow_timeout_in_minutes = 0 -> null%0A ~ guid = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet = [%0A - {%0A - address_prefix = "10.242.0.0/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet"%0A - name = "AzureFirewallSubnet"%0A - security_group = ""%0A },%0A - {%0A - address_prefix = "10.242.0.64/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet"%0A - name = "AzureBastionSubnet"%0A - security_group = ""%0A },%0A ] -> (known after apply)%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (1 unchanged attribute hidden)%0A }%0A%0APlan: 21 to add, 0 to change, 17 to destroy.%0A%0AChanges to Outputs:%0A ~ bastion_name = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ~ rg_name = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ vnet_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 10 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/7063c579-eb0c-48cb-adb0-e6ed300dd53a/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.appsvc_subnet must be replaced -/+ resource "azurecaf_name" "appsvc_subnet" { ~ id = "bhvjbwlscqphkcyx" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement # (1 unchanged element hidden) "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "spoke-sec-baseline-1-spoke-westus3-snet-eslz1" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.caf_name_id_contributor must be replaced -/+ resource "azurecaf_name" "caf_name_id_contributor" { ~ id = "dnlsksyhpkhsnwdj" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_id_reader must be replaced -/+ resource "azurecaf_name" "caf_name_id_reader" { ~ id = "jvaiptpdjdabmpiw" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_law must be replaced -/+ resource "azurecaf_name" "caf_name_law" { ~ id = "dmgjkgiqpambjtxs" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-log-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_spoke_rg must be replaced -/+ resource "azurecaf_name" "caf_name_spoke_rg" { ~ id = "yhpfxpcghfwqecxw" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement # (1 unchanged element hidden) "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.law must be replaced -/+ resource "azurecaf_name" "law" { ~ id = "deeavlehsaejricp" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ result = "log-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurerm_log_analytics_workspace.law must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "log-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ primary_shared_key = (sensitive value) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_shared_key = (sensitive value) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } ~ workspace_id = "d011dd81-1237-42e0-9c8b-79b15170a2e9" -> (known after apply) # (7 unchanged attributes hidden) } # azurerm_resource_group.spoke must be replaced -/+ resource "azurerm_resource_group" "spoke" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor must be replaced -/+ resource "azurerm_user_assigned_identity" "contributor" { ~ client_id = "5b6d3e0a-cb5f-469c-8a03-5e84c1cbf762" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) } # azurerm_user_assigned_identity.reader must be replaced -/+ resource "azurerm_user_assigned_identity" "reader" { ~ client_id = "3efaf752-dfe8-4940-ac81-66b619bb3745" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) } # module.app_configuration[0].azurecaf_name.caf_name_appconf must be replaced -/+ resource "azurecaf_name" "caf_name_appconf" { ~ id = "tvaqutjmtrvbvety" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "jxmdskntabkbvfia" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this must be replaced -/+ resource "azurerm_app_configuration" "this" { ~ endpoint = "https://sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ primary_read_key = [] -> (known after apply) ~ primary_write_key = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_read_key = [] -> (known after apply) ~ secondary_write_key = [] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-configuration" } # (5 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.privatelink.azconfig.io." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.4", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" - ip_addresses = [ - "10.240.11.4", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec" - name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { name = "app-config-private-endpoint" ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.4" -> (known after apply) # (2 unchanged attributes hidden) } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced -/+ resource "azurerm_role_assignment" "data_owners" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply) ~ name = "af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply) ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced -/+ resource "azurerm_role_assignment" "data_readers" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/d67f6551-6738-e975-af28-77f05976002a" -> (known after apply) ~ name = "d67f6551-6738-e975-af28-77f05976002a" -> (known after apply) ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_service.azurecaf_name.caf_name_appinsights must be replaced -/+ resource "azurecaf_name" "caf_name_appinsights" { ~ id = "xcdytgfueolnctqo" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_service.azurecaf_name.caf_name_asp must be replaced -/+ resource "azurecaf_name" "caf_name_asp" { ~ id = "xqnjrrtjgoabvuke" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "westus3-plan-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_service.azurerm_application_insights.this must be replaced -/+ resource "azurerm_application_insights" "this" { ~ app_id = "4bb411f1-e975-444a-b559-823aa404d4ff" -> (known after apply) ~ connection_string = (sensitive value) ~ daily_data_cap_in_gb = 100 -> (known after apply) ~ daily_data_cap_notifications_disabled = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply) ~ instrumentation_key = (sensitive value) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) # (8 unchanged attributes hidden) } # module.app_service.azurerm_service_plan.this must be replaced -/+ resource "azurerm_service_plan" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Web/serverfarms/westus3-plan-eslz1-prod" -> (known after apply) ~ kind = "app" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ maximum_elastic_worker_count = 1 -> (known after apply) ~ name = "westus3-plan-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ reserved = false -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-service" } # (5 unchanged attributes hidden) } # module.frontdoor.azurecaf_name.caf_name_afd must be replaced -/+ resource "azurecaf_name" "caf_name_afd" { ~ id = "vjxqvtjmemddjsyg" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] must be replaced -/+ resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - custom_block_response_status_code = 0 -> null ~ frontend_endpoint_ids = [] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> (known after apply) name = "wafpolicymicrosoftdefaultruleset21" ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (3 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor must be replaced -/+ resource "azurerm_cdn_frontdoor_profile" "frontdoor" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ resource_guid = "a1cefc33-bf49-4155-a28a-d253ba7f23cd" -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "frontdoor" } # (2 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] must be replaced -/+ resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { ~ cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/securityPolicies/WAF-Security-Policy" -> (known after apply) name = "WAF-Security-Policy" ~ security_policies { ~ firewall { ~ cdn_frontdoor_firewall_policy_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" # forces replacement -> (known after apply) # forces replacement ~ association { # (1 unchanged attribute hidden) ~ domain { ~ active = true -> (known after apply) ~ cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/afdEndpoints/eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" -> (known after apply) + log_analytics_destination_type = "AzureDiagnostics" ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - log { - category_group = "audit" -> null - enabled = false -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.key_vault.azurecaf_name.caf_name_akv must be replaced -/+ resource "azurecaf_name" "caf_name_akv" { ~ id = "rfuhnmjbhvbivisd" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "kv-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.key_vault.azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "lbivgljqkjfyetww" -> (known after apply) ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-kv-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this must be replaced -/+ resource "azurerm_key_vault" "this" { ~ access_policy = [] -> (known after apply) - enabled_for_deployment = false -> null - enabled_for_template_deployment = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "key-vault" } ~ vault_uri = "https://kv-eslz1-prod-5461.vault.azure.net/" -> (known after apply) # (7 unchanged attributes hidden) ~ network_acls { - ip_rules = [] -> null - virtual_network_subnet_ids = [] -> null # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "kv-eslz1-prod-5461.privatelink.vaultcore.azure.net." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-eslz1-prod-5461" -> (known after apply) ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.6", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.key_vault.azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "kv-eslz1-prod-5461.vault.azure.net" - ip_addresses = [ - "10.240.11.6", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443" - name = "pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { ~ name = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.6" -> (known after apply) # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_officer" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply) ~ name = "914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply) ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_user" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply) ~ name = "f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply) ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.network.azurecaf_name.caf_name_vnet must be replaced -/+ resource "azurecaf_name" "caf_name_vnet" { ~ id = "wrcubxisxkppqukq" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" -> (known after apply) name = "serverFarm" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) # (1 unchanged block hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" -> (known after apply) name = "ingress" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[2] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" -> (known after apply) name = "devops" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[3] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" -> (known after apply) name = "privateLink" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "26abb02b-d37e-4084-9af0-8956b86e48ba" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.240.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" - name = "serverFarm" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" - name = "ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" - name = "devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" - name = "privateLink" - security_group = "" }, ] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network_peering.target_to_this[0] must be replaced -/+ resource "azurerm_virtual_network_peering" "target_to_this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/virtualNetworkPeerings/hub-to-spoke-eslz1" -> (known after apply) ~ name = "hub-to-spoke-eslz1" -> "hub-to-spoke-eslz2" # forces replacement ~ remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (6 unchanged attributes hidden) } # module.network.azurerm_virtual_network_peering.this_to_target[0] must be replaced -/+ resource "azurerm_virtual_network_peering" "this_to_target" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/virtualNetworkPeerings/spoke-to-hub-eslz1" -> (known after apply) ~ name = "spoke-to-hub-eslz1" -> "spoke-to-hub-eslz2" # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (5 unchanged attributes hidden) } # module.redis_cache[0].azurecaf_name.caf_name_redis must be replaced -/+ resource "azurecaf_name" "caf_name_redis" { ~ id = "qmdwakptsqrwgxse" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.redis_cache[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "arfqxqwlltqcwxqo" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.redis_cache[0].azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.privatelink.redis.cache.windows.net." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net/A/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.7", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.redis_cache[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" - ip_addresses = [ - "10.240.11.7", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e" - name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { ~ name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.7" -> (known after apply) # (2 unchanged attributes hidden) } } # module.redis_cache[0].azurerm_redis_cache.this must be replaced -/+ resource "azurerm_redis_cache" "this" { ~ hostname = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ port = 6379 -> (known after apply) ~ primary_access_key = (sensitive value) ~ primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) ~ redis_version = "6.0" -> (known after apply) ~ replicas_per_master = 0 -> (known after apply) ~ replicas_per_primary = 0 -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_access_key = (sensitive value) ~ secondary_connection_string = (sensitive value) - shard_count = 0 -> null ~ ssl_port = 6380 -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "redis" } - tenant_settings = {} -> null - zones = [] -> null # (6 unchanged attributes hidden) ~ redis_configuration { - aof_backup_enabled = false -> null ~ maxclients = 2000 -> (known after apply) ~ maxfragmentationmemory_reserved = 299 -> (known after apply) ~ maxmemory_delta = 299 -> (known after apply) ~ maxmemory_reserved = 299 -> (known after apply) - rdb_backup_enabled = false -> null - rdb_backup_frequency = 0 -> null - rdb_backup_max_snapshot_count = 0 -> null # (2 unchanged attributes hidden) } } # module.sql_database[0].azurecaf_name.caf_name_sqlserver must be replaced -/+ resource "azurecaf_name" "caf_name_sqlserver" { ~ id = "pmnternummrbgqpv" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.sql_database[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "eiedeunwqohdpaah" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.sql_database[0].azurerm_mssql_database.this[0] must be replaced -/+ resource "azurerm_mssql_database" "this" { ~ auto_pause_delay_in_minutes = 0 -> (known after apply) ~ collation = "SQL_Latin1_General_CP1_CI_AS" -> (known after apply) + creation_source_database_id = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461/databases/sample-db" -> (known after apply) ~ ledger_enabled = false -> (known after apply) + license_type = (known after apply) ~ maintenance_configuration_name = "SQL_Default" -> (known after apply) ~ max_size_gb = 250 -> (known after apply) ~ min_capacity = 0 -> (known after apply) name = "sample-db" ~ read_replica_count = 0 -> (known after apply) ~ read_scale = false -> (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) ~ server_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ zone_redundant = false -> (known after apply) # (5 unchanged attributes hidden) - long_term_retention_policy { - monthly_retention = "PT0S" -> null - week_of_year = 1 -> null - weekly_retention = "PT0S" -> null - yearly_retention = "PT0S" -> null } - short_term_retention_policy { - backup_interval_in_hours = 24 -> null - retention_days = 7 -> null } - threat_detection_policy { - disabled_alerts = [] -> null - email_account_admins = "Disabled" -> null - email_addresses = [] -> null - retention_days = 0 -> null - state = "Disabled" -> null } } # module.sql_database[0].azurerm_mssql_server.this must be replaced -/+ resource "azurerm_mssql_server" "this" { ~ administrator_login = "CloudSA637969e7" -> (known after app ... ```

Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 10 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/54a6b927-f8e1-4238-8642-f64fbdd2d9f1/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.network.azurerm_virtual_network.this has changed ~ resource "azurerm_virtual_network" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" ~ subnet = [ + { + address_prefix = "10.240.0.0/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" + name = "serverFarm" + security_group = "" }, + { + address_prefix = "10.240.0.64/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" + name = "ingress" + security_group = "" }, + { + address_prefix = "10.240.10.128/26" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" + name = "devops" + security_group = "" }, + { + address_prefix = "10.240.11.0/24" + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" + name = "privateLink" + security_group = "" }, ] tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (6 unchanged attributes hidden) } # module.private_dns_zones[0].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" name = "privatelink.azurewebsites.net" ~ number_of_record_sets = 1 -> 5 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[1].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" name = "privatelink.database.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[2].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" name = "privatelink.azconfig.io" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[3].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" name = "privatelink.vaultcore.azure.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.private_dns_zones[4].azurerm_private_dns_zone.this has changed ~ resource "azurerm_private_dns_zone" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" name = "privatelink.redis.cache.windows.net" ~ number_of_record_sets = 1 -> 2 tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "private-dns-zone" } # (4 unchanged attributes hidden) # (1 unchanged block hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.appsvc_subnet must be replaced -/+ resource "azurecaf_name" "appsvc_subnet" { ~ id = "bhvjbwlscqphkcyx" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement # (1 unchanged element hidden) "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "spoke-sec-baseline-1-spoke-westus3-snet-eslz1" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.caf_name_id_contributor must be replaced -/+ resource "azurecaf_name" "caf_name_id_contributor" { ~ id = "dnlsksyhpkhsnwdj" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_id_reader must be replaced -/+ resource "azurecaf_name" "caf_name_id_reader" { ~ id = "jvaiptpdjdabmpiw" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_law must be replaced -/+ resource "azurecaf_name" "caf_name_law" { ~ id = "dmgjkgiqpambjtxs" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-log-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurecaf_name.caf_name_spoke_rg must be replaced -/+ resource "azurecaf_name" "caf_name_spoke_rg" { ~ id = "yhpfxpcghfwqecxw" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement # (1 unchanged element hidden) "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurecaf_name.law must be replaced -/+ resource "azurecaf_name" "law" { ~ id = "deeavlehsaejricp" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ result = "log-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # azurerm_log_analytics_workspace.law must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "log-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ primary_shared_key = (sensitive value) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_shared_key = (sensitive value) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } ~ workspace_id = "d011dd81-1237-42e0-9c8b-79b15170a2e9" -> (known after apply) # (7 unchanged attributes hidden) } # azurerm_resource_group.spoke must be replaced -/+ resource "azurerm_resource_group" "spoke" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor must be replaced -/+ resource "azurerm_user_assigned_identity" "contributor" { ~ client_id = "5b6d3e0a-cb5f-469c-8a03-5e84c1cbf762" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-contributor" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-msi-eslz1-contributor" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) } # azurerm_user_assigned_identity.reader must be replaced -/+ resource "azurerm_user_assigned_identity" "reader" { ~ client_id = "3efaf752-dfe8-4940-ac81-66b619bb3745" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz1-reader" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-msi-eslz1-reader" # forces replacement -> (known after apply) # forces replacement ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" -> (known after apply) } # module.app_configuration[0].azurecaf_name.caf_name_appconf must be replaced -/+ resource "azurecaf_name" "caf_name_appconf" { ~ id = "tvaqutjmtrvbvety" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_configuration[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "jxmdskntabkbvfia" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this must be replaced -/+ resource "azurerm_app_configuration" "this" { ~ endpoint = "https://sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ primary_read_key = [] -> (known after apply) ~ primary_write_key = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_read_key = [] -> (known after apply) ~ secondary_write_key = [] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-configuration" } # (5 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.privatelink.azconfig.io." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io/A/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.4", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461.azconfig.io" - ip_addresses = [ - "10.240.11.4", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec" - name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz1.nic.390eab13-fd68-4e80-bb11-2ecd7f49edec" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { name = "app-config-private-endpoint" ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.4" -> (known after apply) # (2 unchanged attributes hidden) } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] must be replaced -/+ resource "azurerm_role_assignment" "data_owners" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply) ~ name = "af608b42-4749-da08-d090-57c2feb3fbac" -> (known after apply) ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] must be replaced -/+ resource "azurerm_role_assignment" "data_readers" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/d67f6551-6738-e975-af28-77f05976002a" -> (known after apply) ~ name = "d67f6551-6738-e975-af28-77f05976002a" -> (known after apply) ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.app_service.azurecaf_name.caf_name_appinsights must be replaced -/+ resource "azurecaf_name" "caf_name_appinsights" { ~ id = "xcdytgfueolnctqo" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_service.azurecaf_name.caf_name_asp must be replaced -/+ resource "azurecaf_name" "caf_name_asp" { ~ id = "xqnjrrtjgoabvuke" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "westus3-plan-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.app_service.azurerm_application_insights.this must be replaced -/+ resource "azurerm_application_insights" "this" { ~ app_id = "4bb411f1-e975-444a-b559-823aa404d4ff" -> (known after apply) ~ connection_string = (sensitive value) ~ daily_data_cap_in_gb = 100 -> (known after apply) ~ daily_data_cap_notifications_disabled = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz1-prod" -> (known after apply) ~ instrumentation_key = (sensitive value) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-appi-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) # (8 unchanged attributes hidden) } # module.app_service.azurerm_service_plan.this must be replaced -/+ resource "azurerm_service_plan" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Web/serverfarms/westus3-plan-eslz1-prod" -> (known after apply) ~ kind = "app" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ maximum_elastic_worker_count = 1 -> (known after apply) ~ name = "westus3-plan-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ reserved = false -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-service" } # (5 unchanged attributes hidden) } # module.frontdoor.azurecaf_name.caf_name_afd must be replaced -/+ resource "azurecaf_name" "caf_name_afd" { ~ id = "vjxqvtjmemddjsyg" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] must be replaced -/+ resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - custom_block_response_status_code = 0 -> null ~ frontend_endpoint_ids = [] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> (known after apply) name = "wafpolicymicrosoftdefaultruleset21" ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null # (3 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor must be replaced -/+ resource "azurerm_cdn_frontdoor_profile" "frontdoor" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ resource_guid = "a1cefc33-bf49-4155-a28a-d253ba7f23cd" -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "frontdoor" } # (2 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] must be replaced -/+ resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { ~ cdn_frontdoor_profile_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/securityPolicies/WAF-Security-Policy" -> (known after apply) name = "WAF-Security-Policy" ~ security_policies { ~ firewall { ~ cdn_frontdoor_firewall_policy_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" # forces replacement -> (known after apply) # forces replacement ~ association { # (1 unchanged attribute hidden) ~ domain { ~ active = true -> (known after apply) ~ cdn_frontdoor_domain_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod/afdEndpoints/eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod|sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" -> (known after apply) + log_analytics_destination_type = "AzureDiagnostics" ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.OperationalInsights/workspaces/log-eslz1-prod" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-fd-eslz1-prod-diagnostic-settings}" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz1-prod" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } - log { - category_group = "audit" -> null - enabled = false -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.key_vault.azurecaf_name.caf_name_akv must be replaced -/+ resource "azurecaf_name" "caf_name_akv" { ~ id = "rfuhnmjbhvbivisd" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "kv-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.key_vault.azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "lbivgljqkjfyetww" -> (known after apply) ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-kv-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this must be replaced -/+ resource "azurerm_key_vault" "this" { ~ access_policy = [] -> (known after apply) - enabled_for_deployment = false -> null - enabled_for_template_deployment = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "key-vault" } ~ vault_uri = "https://kv-eslz1-prod-5461.vault.azure.net/" -> (known after apply) # (7 unchanged attributes hidden) ~ network_acls { - ip_rules = [] -> null - virtual_network_subnet_ids = [] -> null # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "kv-eslz1-prod-5461.privatelink.vaultcore.azure.net." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/A/kv-eslz1-prod-5461" -> (known after apply) ~ name = "kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.6", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.key_vault.azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "kv-eslz1-prod-5461.vault.azure.net" - ip_addresses = [ - "10.240.11.6", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443" - name = "pe-kv-eslz1-prod-5461.nic.33c3581f-dfff-4356-b276-0b918059f443" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { ~ name = "pe-kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.6" -> (known after apply) # (2 unchanged attributes hidden) } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_officer" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply) ~ name = "914e8bf0-dbc7-bc9b-2d93-fd8cf928e24e" -> (known after apply) ~ principal_id = "949b4b4e-86eb-432e-b8b3-2ae1fd287991" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.key_vault.azurerm_role_assignment.secrets_user[0] must be replaced -/+ resource "azurerm_role_assignment" "secrets_user" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461/providers/Microsoft.Authorization/roleAssignments/f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply) ~ name = "f11970d7-041d-3036-d1e3-dbe0a4f267c9" -> (known after apply) ~ principal_id = "e33a5214-9e5c-472e-8fb8-f8c39ab3e461" # forces replacement -> (known after apply) # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6" -> (known after apply) ~ scope = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.KeyVault/vaults/kv-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement + skip_service_principal_aad_check = (known after apply) # (1 unchanged attribute hidden) } # module.network.azurecaf_name.caf_name_vnet must be replaced -/+ resource "azurecaf_name" "caf_name_vnet" { ~ id = "wrcubxisxkppqukq" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" -> (known after apply) name = "serverFarm" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) # (1 unchanged block hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" -> (known after apply) name = "ingress" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[2] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" -> (known after apply) name = "devops" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[3] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" -> (known after apply) name = "privateLink" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "26abb02b-d37e-4084-9af0-8956b86e48ba" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.240.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/serverFarm" - name = "serverFarm" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/ingress" - name = "ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/devops" - name = "devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" - name = "privateLink" - security_group = "" }, ] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network_peering.target_to_this[0] must be replaced -/+ resource "azurerm_virtual_network_peering" "target_to_this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/virtualNetworkPeerings/hub-to-spoke-eslz1" -> (known after apply) ~ name = "hub-to-spoke-eslz1" -> "hub-to-spoke-eslz2" # forces replacement ~ remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (6 unchanged attributes hidden) } # module.network.azurerm_virtual_network_peering.this_to_target[0] must be replaced -/+ resource "azurerm_virtual_network_peering" "this_to_target" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/virtualNetworkPeerings/spoke-to-hub-eslz1" -> (known after apply) ~ name = "spoke-to-hub-eslz1" -> "spoke-to-hub-eslz2" # forces replacement ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz1-prod" # forces replacement -> (known after apply) # forces replacement # (5 unchanged attributes hidden) } # module.redis_cache[0].azurecaf_name.caf_name_redis must be replaced -/+ resource "azurecaf_name" "caf_name_redis" { ~ id = "qmdwakptsqrwgxse" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.redis_cache[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "arfqxqwlltqcwxqo" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.redis_cache[0].azurerm_private_dns_a_record.this must be replaced -/+ resource "azurerm_private_dns_a_record" "this" { ~ fqdn = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.privatelink.redis.cache.windows.net." -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net/A/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ records = [ - "10.240.11.7", ] -> (known after apply) - tags = {} -> null # (3 unchanged attributes hidden) } # module.redis_cache[0].azurerm_private_endpoint.this must be replaced -/+ resource "azurerm_private_endpoint" "this" { ~ custom_dns_configs = [ - { - fqdn = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" - ip_addresses = [ - "10.240.11.7", ] }, ] -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ network_interface = [ - { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/networkInterfaces/pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e" - name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1.nic.2fda8657-9d6b-4e08-83c1-5802ef5ef09e" }, ] -> (known after apply) ~ private_dns_zone_configs = [] -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz1-prod/subnets/privateLink" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ private_service_connection { ~ name = "pe-sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_connection_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ private_ip_address = "10.240.11.7" -> (known after apply) # (2 unchanged attributes hidden) } } # module.redis_cache[0].azurerm_redis_cache.this must be replaced -/+ resource "azurerm_redis_cache" "this" { ~ hostname = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461.redis.cache.windows.net" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-spoke-westus3-redis-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ port = 6379 -> (known after apply) ~ primary_access_key = (sensitive value) ~ primary_connection_string = (sensitive value) + private_static_ip_address = (known after apply) ~ redis_version = "6.0" -> (known after apply) ~ replicas_per_master = 0 -> (known after apply) ~ replicas_per_primary = 0 -> (known after apply) ~ resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz1" # forces replacement -> (known after apply) # forces replacement ~ secondary_access_key = (sensitive value) ~ secondary_connection_string = (sensitive value) - shard_count = 0 -> null ~ ssl_port = 6380 -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "redis" } - tenant_settings = {} -> null - zones = [] -> null # (6 unchanged attributes hidden) ~ redis_configuration { - aof_backup_enabled = false -> null ~ maxclients = 2000 -> (known after apply) ~ maxfragmentationmemory_reserved = 299 -> (known after apply) ~ maxmemory_delta = 299 -> (known after apply) ~ maxmemory_reserved = 299 -> (known after apply) - rdb_backup_enabled = false -> null - rdb_backup_frequency = 0 -> null - rdb_backup_max_snapshot_count = 0 -> null # (2 unchanged attributes hidden) } } # module.sql_database[0].azurecaf_name.caf_name_sqlserver must be replaced -/+ resource "azurecaf_name" "caf_name_sqlserver" { ~ id = "pmnternummrbgqpv" -> (known after apply) ~ name = "eslz1" -> "eslz2" # forces replacement ~ prefixes = [ # forces replacement "sec-baseline-1-spoke", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.sql_database[0].azurecaf_name.private_endpoint must be replaced -/+ resource "azurecaf_name" "private_endpoint" { ~ id = "eiedeunwqohdpaah" -> (known after apply) ~ name = "sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement ~ result = "pe-sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.sql_database[0].azurerm_mssql_database.this[0] must be replaced -/+ resource "azurerm_mssql_database" "this" { ~ auto_pause_delay_in_minutes = 0 -> (known after apply) ~ collation = "SQL_Latin1_General_CP1_CI_AS" -> (known after apply) + creation_source_database_id = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461/databases/sample-db" -> (known after apply) ~ ledger_enabled = false -> (known after apply) + license_type = (known after apply) ~ maintenance_configuration_name = "SQL_Default" -> (known after apply) ~ max_size_gb = 250 -> (known after apply) ~ min_capacity = 0 -> (known after apply) name = "sample-db" ~ read_replica_count = 0 -> (known after apply) ~ read_scale = false -> (known after apply) + restore_point_in_time = (known after apply) + sample_name = (known after apply) ~ server_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz1/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz1-prod-5461" # forces replacement -> (known after apply) # forces replacement - tags = {} -> null ~ zone_redundant = false -> (known after apply) # (5 unchanged attributes hidden) - long_term_retention_policy { - monthly_retention = "PT0S" -> null - week_of_year = 1 -> null - weekly_retention = "PT0S" -> null - yearly_retention = "PT0S" -> null } - short_term_retention_policy { - backup_interval_in_hours = 24 -> null - retention_days = 7 -> null } - threat_detection_policy { - disabled_alerts = [] -> null - email_account_admins = "Disabled" -> null - email_addresses = [] -> null - retention_days = 0 -> null - state = "Disabled" -> null } } # module.sql_database[0].azurerm_mssql_server.this must be replaced -/+ resource "azurerm_mssql_server" "this" { ~ administrator_login = "CloudSA637969e7" -> (known after app ... ```

Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform SPOKE Multi-tenant Secure Baseline

github-actions[bot] commented 10 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/906e514e-cd8a-41ff-a9d8-78535aa51e7f/terraform-bin show -no-color tfplan Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted - resource "azurerm_firewall_application_rule_collection" "azure_monitor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null name = "Azure-Monitor-FQDNs" # (4 unchanged attributes hidden) # (1 unchanged block hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted - resource "azurerm_firewall_application_rule_collection" "core" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null name = "Core-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (3 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null name = "Devops-VM-Dependencies-FQDNs" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null name = "Windows-VM-Connectivity-Requirements" # (4 unchanged attributes hidden) # (2 unchanged blocks hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create -/+ destroy and then create replacement Terraform will perform the following actions: # azurecaf_name.caf_name_hub_rg must be replaced -/+ resource "azurecaf_name" "caf_name_hub_rg" { ~ id = "akckvaegwemunepv" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # azurerm_resource_group.hub must be replaced -/+ resource "azurerm_resource_group" "hub" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" } } # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced -/+ resource "azurecaf_name" "caf_name_bastion" { ~ id = "wbujomtsfcqdpxod" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.bastion[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "paqdxwmbugcxjhhq" -> (known after apply) name = "eslz2-bastion" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.bastion[0].azurerm_bastion_host.bastion must be replaced -/+ resource "azurerm_bastion_host" "bastion" { ~ dns_name = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } # (7 unchanged attributes hidden) ~ ip_configuration { name = "bastionHostIpConfiguration" ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced -/+ resource "azurerm_public_ip" "bastion_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply) ~ ip_address = "20.163.49.112" -> (known after apply) - ip_tags = {} -> null ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "bastion" } - zones = [] -> null # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced -/+ resource "azurecaf_name" "caf_name_firewall" { ~ id = "dtqvqxowbnalaruk" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced -/+ resource "azurecaf_name" "caf_name_law" { ~ id = "lofxpwfygywepldl" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurecaf_name.caf_name_pip must be replaced -/+ resource "azurecaf_name" "caf_name_pip" { ~ id = "ofhucdctoijllhdb" -> (known after apply) name = "eslz2-fw" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ results = {} -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurerm_firewall.firewall must be replaced -/+ resource "azurerm_firewall" "firewall" { - dns_servers = [] -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement - private_ip_ranges = [] -> null ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "firewall" } ~ threat_intel_mode = "Alert" -> (known after apply) - zones = [] -> null # (2 unchanged attributes hidden) ~ ip_configuration { name = "firewallIpConfiguration" ~ private_ip_address = "10.242.0.4" -> (known after apply) ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement } } # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created + resource "azurerm_firewall_application_rule_collection" "azure_monitor" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Azure-Monitor-FQDNs" + priority = 201 + resource_group_name = (known after apply) + rule { + name = "allow-azure-monitor" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "dc.applicationinsights.azure.com", + "dc.applicationinsights.microsoft.com", + "dc.services.visualstudio.com", + "*.in.applicationinsights.azure.com", + "live.applicationinsights.azure.com", + "rt.applicationinsights.microsoft.com", + "rt.services.visualstudio.com", + "*.livediagnostics.monitor.azure.com", + "*.monitoring.azure.com", + "agent.azureserviceprofiler.net", + "*.agent.azureserviceprofiler.net", + "*.monitor.azure.com", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created + resource "azurerm_firewall_application_rule_collection" "core" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Core-Dependencies-FQDNs" + priority = 200 + resource_group_name = (known after apply) + rule { + name = "allow-core-apis" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "management.azure.com", + "management.core.windows.net", + "login.microsoftonline.com", + "login.windows.net", + "login.live.com", + "graph.windows.net", + "graph.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-developer-services" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "github.com", + "*.github.com", + "*.nuget.org", + "*.blob.core.windows.net", + "*.githubusercontent.com", + "dev.azure.com", + "*.dev.azure.com", + "portal.azure.com", + "*.portal.azure.com", + "*.portal.azure.net", + "appservice.azureedge.net", + "*.azurewebsites.net", + "edge.management.azure.com", + "vstsagentpackage.azureedge.net", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-certificate-dependencies" + source_addresses = [ + "10.242.0.0/20", + "10.240.0.0/20", ] + target_fqdns = [ + "*.delivery.mp.microsoft.com", + "ctldl.windowsupdate.com", + "download.windowsupdate.com", + "mscrl.microsoft.com", + "ocsp.msocsp.com", + "oneocsp.microsoft.com", + "crl.microsoft.com", + "www.microsoft.com", + "*.digicert.com", + "*.symantec.com", + "*.symcb.com", + "*.d-trust.net", ] + protocol { + port = 80 + type = "Http" } } } # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Devops-VM-Dependencies-FQDNs" + priority = 202 + resource_group_name = (known after apply) + rule { + name = "allow-azure-ad-join" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "enterpriseregistration.windows.net", + "pas.windows.net", + "login.microsoftonline.com", + "device.login.microsoftonline.com", + "autologon.microsoftazuread-sso.com", + "manage-beta.microsoft.com", + "manage.microsoft.com", + "aadcdn.msauth.net", + "aadcdn.msftauth.net", + "aadcdn.msftauthimages.net", + "*.wns.windows.com", + "*.sts.microsoft.com", + "*.manage-beta.microsoft.com", + "*.manage.microsoft.com", ] + protocol { + port = 443 + type = "Https" } } + rule { + name = "allow-vm-dependencies-and-tools" + source_addresses = [ + "10.240.10.128/26", ] + target_fqdns = [ + "aka.ms", + "go.microsoft.com", + "download.microsoft.com", + "edge.microsoft.com", + "fs.microsoft.com", + "wdcp.microsoft.com", + "wdcpalt.microsoft.com", + "msedge.api.cdp.microsoft.com", + "winatp-gw-cane.microsoft.com", + "*.google.com", + "*.live.com", + "*.bing.com", + "*.msappproxy.net", + "*.delivery.mp.microsoft.com", + "*.data.microsoft.com", + "*.blob.storage.azure.net", + "*.blob.core.windows.net", + "*.dl.delivery.mp.microsoft.com", + "*.prod.do.dsp.mp.microsoft.com", + "*.update.microsoft.com", + "*.windowsupdate.com", + "*.apps.qualys.com", + "*.bootstrapcdn.com", + "*.jsdelivr.net", + "*.jquery.com", + "*.msecnd.net", ] + protocol { + port = 443 + type = "Https" } } } # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" { + action = "Allow" + azure_firewall_name = (known after apply) + id = (known after apply) + name = "Windows-VM-Connectivity-Requirements" + priority = 202 + resource_group_name = (known after apply) + rule { + destination_addresses = [ + "20.118.99.224", + "40.83.235.53", + "23.102.135.246", + "51.4.143.248", + "23.97.0.13", + "52.126.105.2", ] + destination_ports = [ + "*", ] + name = "allow-kms-activation" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } + rule { + destination_addresses = [ + "*", ] + destination_ports = [ + "123", ] + name = "allow-ntp" + protocols = [ + "TCP", + "UDP", ] + source_addresses = [ + "10.240.10.128/26", ] } } # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced -/+ resource "azurerm_log_analytics_workspace" "law" { - cmk_for_query_forced = false -> null ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement ~ primary_shared_key = (sensitive value) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement ~ retention_in_days = 30 -> (known after apply) ~ secondary_shared_key = (sensitive value) - tags = {} -> null ~ workspace_id = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply) # (6 unchanged attributes hidden) } # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced -/+ resource "azurerm_monitor_diagnostic_setting" "this" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply) ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply) ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply) ~ name = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement - log { - category_group = "allLogs" -> null - enabled = true -> null - retention_policy { - days = 0 -> null - enabled = false -> null } } # (2 unchanged blocks hidden) } # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced -/+ resource "azurerm_public_ip" "firewall_pip" { + fqdn = (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply) ~ ip_address = "20.25.176.182" -> (known after apply) - ip_tags = {} -> null ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "firewall" } - zones = [] -> null # (6 unchanged attributes hidden) } # module.network.azurecaf_name.caf_name_vnet must be replaced -/+ resource "azurecaf_name" "caf_name_vnet" { ~ id = "pvwuveykntdcxsyc" -> (known after apply) name = "eslz2" ~ prefixes = [ # forces replacement "sec-baseline-1-hub", - "westus3", + "wus2", ] ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ results = {} -> (known after apply) # (7 unchanged attributes hidden) } # module.network.azurerm_subnet.this[0] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply) name = "AzureFirewallSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_subnet.this[1] must be replaced -/+ resource "azurerm_subnet" "this" { ~ enforce_private_link_endpoint_network_policies = false -> (known after apply) ~ enforce_private_link_service_network_policies = false -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply) name = "AzureBastionSubnet" ~ private_endpoint_network_policies_enabled = true -> (known after apply) ~ private_link_service_network_policies_enabled = true -> (known after apply) ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement - service_endpoint_policy_ids = [] -> null - service_endpoints = [] -> null ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement # (1 unchanged attribute hidden) } # module.network.azurerm_virtual_network.this must be replaced -/+ resource "azurerm_virtual_network" "this" { ~ dns_servers = [] -> (known after apply) - flow_timeout_in_minutes = 0 -> null ~ guid = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply) ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ location = "westus3" -> "westus2" # forces replacement ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement ~ subnet = [ - { - address_prefix = "10.242.0.0/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" - name = "AzureFirewallSubnet" - security_group = "" }, - { - address_prefix = "10.242.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" - name = "AzureBastionSubnet" - security_group = "" }, ] -> (known after apply) tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "network" } # (1 unchanged attribute hidden) } Plan: 21 to add, 0 to change, 17 to destroy. Changes to Outputs: ~ bastion_name = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply) ~ firewall_private_ip = "10.242.0.4" -> (known after apply) ~ firewall_rules = { ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply) ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply) ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply) } ~ rg_name = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply) ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ~ vnet_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply) ::debug::Terraform exited with code 0. ::debug::stdout: %0ANote: Objects have changed outside of Terraform%0A%0ATerraform detected the following changes made outside of Terraform since the%0Alast "terraform apply" which may have affected this plan:%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> null%0A name = "Azure-Monitor-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (1 unchanged block hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "core" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> null%0A name = "Core-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (3 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> null%0A name = "Devops-VM-Dependencies-FQDNs"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops has been deleted%0A - resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> null%0A name = "Windows-VM-Connectivity-Requirements"%0A # (4 unchanged attributes hidden)%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A%0AUnless you have made equivalent changes to your configuration, or ignored the%0Arelevant attributes using ignore_changes, the following plan may include%0Aactions to undo or respond to these changes.%0A%0A─────────────────────────────────────────────────────────────────────────────%0A%0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A + create%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # azurecaf_name.caf_name_hub_rg must be replaced%0A-/+ resource "azurecaf_name" "caf_name_hub_rg" {%0A ~ id = "akckvaegwemunepv" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # azurerm_resource_group.hub must be replaced%0A-/+ resource "azurerm_resource_group" "hub" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A }%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_bastion must be replaced%0A-/+ resource "azurecaf_name" "caf_name_bastion" {%0A ~ id = "wbujomtsfcqdpxod" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "paqdxwmbugcxjhhq" -> (known after apply)%0A name = "eslz2-bastion"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.bastion[0].azurerm_bastion_host.bastion must be replaced%0A-/+ resource "azurerm_bastion_host" "bastion" {%0A ~ dns_name = "bst-17852899-7610-4883-86ff-84a3a485f96f.bastion.azure.com" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/bastionHosts/sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A # (7 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "bastionHostIpConfiguration"%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.bastion[0].azurerm_public_ip.bastion_pip must be replaced%0A-/+ resource "azurerm_public_ip" "bastion_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-bastion" -> (known after apply)%0A ~ ip_address = "20.163.49.112" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-bastion" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "bastion"%0A }%0A - zones = [] -> null%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_firewall must be replaced%0A-/+ resource "azurecaf_name" "caf_name_firewall" {%0A ~ id = "dtqvqxowbnalaruk" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_law[0] must be replaced%0A-/+ resource "azurecaf_name" "caf_name_law" {%0A ~ id = "lofxpwfygywepldl" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurecaf_name.caf_name_pip must be replaced%0A-/+ resource "azurecaf_name" "caf_name_pip" {%0A ~ id = "ofhucdctoijllhdb" -> (known after apply)%0A name = "eslz2-fw"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurerm_firewall.firewall must be replaced%0A-/+ resource "azurerm_firewall" "firewall" {%0A - dns_servers = [] -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - private_ip_ranges = [] -> null%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "firewall"%0A }%0A ~ threat_intel_mode = "Alert" -> (known after apply)%0A - zones = [] -> null%0A # (2 unchanged attributes hidden)%0A%0A ~ ip_configuration {%0A name = "firewallIpConfiguration"%0A ~ private_ip_address = "10.242.0.4" -> (known after apply)%0A ~ public_ip_address_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ subnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" # forces replacement -> (known after apply) # forces replacement%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.azure_monitor will be created%0A + resource "azurerm_firewall_application_rule_collection" "azure_monitor" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Azure-Monitor-FQDNs"%0A + priority = 201%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-azure-monitor"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "dc.applicationinsights.azure.com",%0A + "dc.applicationinsights.microsoft.com",%0A + "dc.services.visualstudio.com",%0A + "*.in.applicationinsights.azure.com",%0A + "live.applicationinsights.azure.com",%0A + "rt.applicationinsights.microsoft.com",%0A + "rt.services.visualstudio.com",%0A + "*.livediagnostics.monitor.azure.com",%0A + "*.monitoring.azure.com",%0A + "agent.azureserviceprofiler.net",%0A + "*.agent.azureserviceprofiler.net",%0A + "*.monitor.azure.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.core will be created%0A + resource "azurerm_firewall_application_rule_collection" "core" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Core-Dependencies-FQDNs"%0A + priority = 200%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-core-apis"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "management.azure.com",%0A + "management.core.windows.net",%0A + "login.microsoftonline.com",%0A + "login.windows.net",%0A + "login.live.com",%0A + "graph.windows.net",%0A + "graph.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-developer-services"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "github.com",%0A + "*.github.com",%0A + "*.nuget.org",%0A + "*.blob.core.windows.net",%0A + "*.githubusercontent.com",%0A + "dev.azure.com",%0A + "*.dev.azure.com",%0A + "portal.azure.com",%0A + "*.portal.azure.com",%0A + "*.portal.azure.net",%0A + "appservice.azureedge.net",%0A + "*.azurewebsites.net",%0A + "edge.management.azure.com",%0A + "vstsagentpackage.azureedge.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-certificate-dependencies"%0A + source_addresses = [%0A + "10.242.0.0/20",%0A + "10.240.0.0/20",%0A ]%0A + target_fqdns = [%0A + "*.delivery.mp.microsoft.com",%0A + "ctldl.windowsupdate.com",%0A + "download.windowsupdate.com",%0A + "mscrl.microsoft.com",%0A + "ocsp.msocsp.com",%0A + "oneocsp.microsoft.com",%0A + "crl.microsoft.com",%0A + "www.microsoft.com",%0A + "*.digicert.com",%0A + "*.symantec.com",%0A + "*.symcb.com",%0A + "*.d-trust.net",%0A ]%0A%0A + protocol {%0A + port = 80%0A + type = "Http"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_application_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_application_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Devops-VM-Dependencies-FQDNs"%0A + priority = 202%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + name = "allow-azure-ad-join"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "enterpriseregistration.windows.net",%0A + "pas.windows.net",%0A + "login.microsoftonline.com",%0A + "device.login.microsoftonline.com",%0A + "autologon.microsoftazuread-sso.com",%0A + "manage-beta.microsoft.com",%0A + "manage.microsoft.com",%0A + "aadcdn.msauth.net",%0A + "aadcdn.msftauth.net",%0A + "aadcdn.msftauthimages.net",%0A + "*.wns.windows.com",%0A + "*.sts.microsoft.com",%0A + "*.manage-beta.microsoft.com",%0A + "*.manage.microsoft.com",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A + rule {%0A + name = "allow-vm-dependencies-and-tools"%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A + target_fqdns = [%0A + "aka.ms",%0A + "go.microsoft.com",%0A + "download.microsoft.com",%0A + "edge.microsoft.com",%0A + "fs.microsoft.com",%0A + "wdcp.microsoft.com",%0A + "wdcpalt.microsoft.com",%0A + "msedge.api.cdp.microsoft.com",%0A + "winatp-gw-cane.microsoft.com",%0A + "*.google.com",%0A + "*.live.com",%0A + "*.bing.com",%0A + "*.msappproxy.net",%0A + "*.delivery.mp.microsoft.com",%0A + "*.data.microsoft.com",%0A + "*.blob.storage.azure.net",%0A + "*.blob.core.windows.net",%0A + "*.dl.delivery.mp.microsoft.com",%0A + "*.prod.do.dsp.mp.microsoft.com",%0A + "*.update.microsoft.com",%0A + "*.windowsupdate.com",%0A + "*.apps.qualys.com",%0A + "*.bootstrapcdn.com",%0A + "*.jsdelivr.net",%0A + "*.jquery.com",%0A + "*.msecnd.net",%0A ]%0A%0A + protocol {%0A + port = 443%0A + type = "Https"%0A }%0A }%0A }%0A%0A # module.firewall[0].azurerm_firewall_network_rule_collection.windows_vm_devops will be created%0A + resource "azurerm_firewall_network_rule_collection" "windows_vm_devops" {%0A + action = "Allow"%0A + azure_firewall_name = (known after apply)%0A + id = (known after apply)%0A + name = "Windows-VM-Connectivity-Requirements"%0A + priority = 202%0A + resource_group_name = (known after apply)%0A%0A + rule {%0A + destination_addresses = [%0A + "20.118.99.224",%0A + "40.83.235.53",%0A + "23.102.135.246",%0A + "51.4.143.248",%0A + "23.97.0.13",%0A + "52.126.105.2",%0A ]%0A + destination_ports = [%0A + "*",%0A ]%0A + name = "allow-kms-activation"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A + rule {%0A + destination_addresses = [%0A + "*",%0A ]%0A + destination_ports = [%0A + "123",%0A ]%0A + name = "allow-ntp"%0A + protocols = [%0A + "TCP",%0A + "UDP",%0A ]%0A + source_addresses = [%0A + "10.240.10.128/26",%0A ]%0A }%0A }%0A%0A # module.firewall[0].azurerm_log_analytics_workspace.law[0] must be replaced%0A-/+ resource "azurerm_log_analytics_workspace" "law" {%0A - cmk_for_query_forced = false -> null%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-log-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ primary_shared_key = (sensitive value)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ retention_in_days = 30 -> (known after apply)%0A ~ secondary_shared_key = (sensitive value)%0A - tags = {} -> null%0A ~ workspace_id = "1078050b-bb19-4c6a-b738-dcd477a290a6" -> (known after apply)%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.firewall[0].azurerm_monitor_diagnostic_setting.this must be replaced%0A-/+ resource "azurerm_monitor_diagnostic_setting" "this" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2|sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" -> (known after apply)%0A ~ log_analytics_destination_type = "AzureDiagnostics" -> (known after apply)%0A ~ log_analytics_workspace_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/sec-baseline-1-hub-westus3-log-eslz2" -> (known after apply)%0A ~ name = "sec-baseline-1-hub-westus3-fw-eslz2-diagnostic-settings" # forces replacement -> (known after apply) # forces replacement%0A ~ target_resource_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2" # forces replacement -> (known after apply) # forces replacement%0A%0A - log {%0A - category_group = "allLogs" -> null%0A - enabled = true -> null%0A%0A - retention_policy {%0A - days = 0 -> null%0A - enabled = false -> null%0A }%0A }%0A%0A # (2 unchanged blocks hidden)%0A }%0A%0A # module.firewall[0].azurerm_public_ip.firewall_pip must be replaced%0A-/+ resource "azurerm_public_ip" "firewall_pip" {%0A + fqdn = (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/publicIPAddresses/sec-baseline-1-hub-westus3-pip-eslz2-fw" -> (known after apply)%0A ~ ip_address = "20.25.176.182" -> (known after apply)%0A - ip_tags = {} -> null%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-pip-eslz2-fw" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "firewall"%0A }%0A - zones = [] -> null%0A # (6 unchanged attributes hidden)%0A }%0A%0A # module.network.azurecaf_name.caf_name_vnet must be replaced%0A-/+ resource "azurecaf_name" "caf_name_vnet" {%0A ~ id = "pvwuveykntdcxsyc" -> (known after apply)%0A name = "eslz2"%0A ~ prefixes = [ # forces replacement%0A "sec-baseline-1-hub",%0A - "westus3",%0A + "wus2",%0A ]%0A ~ result = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ results = {} -> (known after apply)%0A # (7 unchanged attributes hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[0] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet" -> (known after apply)%0A name = "AzureFirewallSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_subnet.this[1] must be replaced%0A-/+ resource "azurerm_subnet" "this" {%0A ~ enforce_private_link_endpoint_network_policies = false -> (known after apply)%0A ~ enforce_private_link_service_network_policies = false -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet" -> (known after apply)%0A name = "AzureBastionSubnet"%0A ~ private_endpoint_network_policies_enabled = true -> (known after apply)%0A ~ private_link_service_network_policies_enabled = true -> (known after apply)%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A - service_endpoint_policy_ids = [] -> null%0A - service_endpoints = [] -> null%0A ~ virtual_network_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A # (1 unchanged attribute hidden)%0A }%0A%0A # module.network.azurerm_virtual_network.this must be replaced%0A-/+ resource "azurerm_virtual_network" "this" {%0A ~ dns_servers = [] -> (known after apply)%0A - flow_timeout_in_minutes = 0 -> null%0A ~ guid = "67186602-4a08-41e1-a5df-acc468e04a1e" -> (known after apply)%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ location = "westus3" -> "westus2" # forces replacement%0A ~ name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" # forces replacement -> (known after apply) # forces replacement%0A ~ resource_group_name = "sec-baseline-1-hub-westus3-rg-eslz2" # forces replacement -> (known after apply) # forces replacement%0A ~ subnet = [%0A - {%0A - address_prefix = "10.242.0.0/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureFirewallSubnet"%0A - name = "AzureFirewallSubnet"%0A - security_group = ""%0A },%0A - {%0A - address_prefix = "10.242.0.64/26"%0A - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod/subnets/AzureBastionSubnet"%0A - name = "AzureBastionSubnet"%0A - security_group = ""%0A },%0A ] -> (known after apply)%0A tags = {%0A "Environment" = "prod"%0A "Owner" = "cloudops@contoso.com"%0A "Project" = "[Scenario 1: HUB] App Service Landing Zone Accelerator"%0A "Terraform" = "true"%0A "module" = "network"%0A }%0A # (1 unchanged attribute hidden)%0A }%0A%0APlan: 21 to add, 0 to change, 17 to destroy.%0A%0AChanges to Outputs:%0A ~ bastion_name = "sec-baseline-1-hub-westus3-vnet-eslz2" -> (known after apply)%0A ~ firewall_private_ip = "10.242.0.4" -> (known after apply)%0A ~ firewall_rules = {%0A ~ azure_monitor = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Azure-Monitor-FQDNs" -> (known after apply)%0A ~ core = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Core-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/applicationRuleCollections/Devops-VM-Dependencies-FQDNs" -> (known after apply)%0A ~ windows_vm_devops_net = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/azureFirewalls/sec-baseline-1-hub-westus3-fw-eslz2/networkRuleCollections/Windows-VM-Connectivity-Requirements" -> (known after apply)%0A }%0A ~ rg_name = "sec-baseline-1-hub-westus3-rg-eslz2" -> (known after apply)%0A ~ vnet_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ~ vnet_name = "sec-baseline-1-hub-westus3-vnet-eslz2-prod" -> (known after apply)%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform HUB Multi-tenant Secure Baseline

github-actions[bot] commented 10 months ago

Terraform Format and Style πŸ–Œ``

Terraform Initialization βš™οΈsuccess

Terraform Validation πŸ€–success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan πŸ“–success

Show Plan ``` [command]/home/runner/work/_temp/abcea004-0e83-4518-a1e1-5bcfbb0c7e79/terraform-bin show -no-color tfplan Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place -/+ destroy and then create replacement Terraform will perform the following actions: # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment must be replaced -/+ resource "azurerm_role_assignment" "vm_admin_role_assignment" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-devops-dev/providers/Microsoft.Authorization/roleAssignments/f2e026d0-363c-61bf-9b76-6f4fc5f99763" -> (known after apply) ~ name = "f2e026d0-363c-61bf-9b76-6f4fc5f99763" -> (known after apply) ~ principal_id = "d3acf0ca-d629-423b-a06b-7fab838e7c5d" -> "bda41c64-1493-4d8d-b4b5-7135159d4884" # forces replacement ~ principal_type = "User" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4" -> (known after apply) + skip_service_principal_aad_check = (known after apply) # (2 unchanged attributes hidden) } # module.jumpbox_vm[0].azurerm_role_assignment.vm_admin_role_assignment must be replaced -/+ resource "azurerm_role_assignment" "vm_admin_role_assignment" { ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-jumpbox-dev/providers/Microsoft.Authorization/roleAssignments/2092f264-8305-4a03-fe8c-f0881043467c" -> (known after apply) ~ name = "2092f264-8305-4a03-fe8c-f0881043467c" -> (known after apply) ~ principal_id = "d3acf0ca-d629-423b-a06b-7fab838e7c5d" -> "bda41c64-1493-4d8d-b4b5-7135159d4884" # forces replacement ~ principal_type = "User" -> (known after apply) ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4" -> (known after apply) + skip_service_principal_aad_check = (known after apply) # (2 unchanged attributes hidden) } # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place ~ resource "azurerm_subnet" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment" name = "hostingEnvironment" # (9 unchanged attributes hidden) ~ delegation { name = "Microsoft.Web/serverFarms" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/action", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", ] name = "Microsoft.Web/hostingEnvironments" } } } Plan: 2 to add, 1 to change, 2 to destroy. Changes to Outputs: + shared-vms = { + devops = { + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-devops-dev" + ip = "10.0.2.4" } + jumpbox = { + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-jumpbox-dev" + ip = "10.0.3.4" } } ::debug::Terraform exited with code 0. ::debug::stdout: %0ATerraform used the selected providers to generate the following execution%0Aplan. Resource actions are indicated with the following symbols:%0A ~ update in-place%0A-/+ destroy and then create replacement%0A%0ATerraform will perform the following actions:%0A%0A # module.devops_vm[0].azurerm_role_assignment.vm_admin_role_assignment must be replaced%0A-/+ resource "azurerm_role_assignment" "vm_admin_role_assignment" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-devops-dev/providers/Microsoft.Authorization/roleAssignments/f2e026d0-363c-61bf-9b76-6f4fc5f99763" -> (known after apply)%0A ~ name = "f2e026d0-363c-61bf-9b76-6f4fc5f99763" -> (known after apply)%0A ~ principal_id = "d3acf0ca-d629-423b-a06b-7fab838e7c5d" -> "bda41c64-1493-4d8d-b4b5-7135159d4884" # forces replacement%0A ~ principal_type = "User" -> (known after apply)%0A ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4" -> (known after apply)%0A + skip_service_principal_aad_check = (known after apply)%0A # (2 unchanged attributes hidden)%0A }%0A%0A # module.jumpbox_vm[0].azurerm_role_assignment.vm_admin_role_assignment must be replaced%0A-/+ resource "azurerm_role_assignment" "vm_admin_role_assignment" {%0A ~ id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-jumpbox-dev/providers/Microsoft.Authorization/roleAssignments/2092f264-8305-4a03-fe8c-f0881043467c" -> (known after apply)%0A ~ name = "2092f264-8305-4a03-fe8c-f0881043467c" -> (known after apply)%0A ~ principal_id = "d3acf0ca-d629-423b-a06b-7fab838e7c5d" -> "bda41c64-1493-4d8d-b4b5-7135159d4884" # forces replacement%0A ~ principal_type = "User" -> (known after apply)%0A ~ role_definition_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4" -> (known after apply)%0A + skip_service_principal_aad_check = (known after apply)%0A # (2 unchanged attributes hidden)%0A }%0A%0A # module.vnetSpoke[0].azurerm_subnet.this[0] will be updated in-place%0A ~ resource "azurerm_subnet" "this" {%0A id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/network-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Network/virtualNetworks/secure-baseline-2-ase-wus2-vnet-lzademo-dev/subnets/hostingEnvironment"%0A name = "hostingEnvironment"%0A # (9 unchanged attributes hidden)%0A%0A ~ delegation {%0A name = "Microsoft.Web/serverFarms"%0A%0A ~ service_delegation {%0A ~ actions = [%0A - "Microsoft.Network/virtualNetworks/subnets/action",%0A + "Microsoft.Network/virtualNetworks/subnets/join/action",%0A + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",%0A ]%0A name = "Microsoft.Web/hostingEnvironments"%0A }%0A }%0A }%0A%0APlan: 2 to add, 1 to change, 2 to destroy.%0A%0AChanges to Outputs:%0A + shared-vms = {%0A + devops = {%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-devops-dev"%0A + ip = "10.0.2.4"%0A }%0A + jumpbox = {%0A + id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/shared-secure-baseline-2-ase-wus2-rg-lzademo/providers/Microsoft.Compute/virtualMachines/vm-jumpbox-dev"%0A + ip = "10.0.3.4"%0A }%0A }%0A ::debug::stderr: ::debug::exitcode: 0 ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-ase/terraform, Workflow: Scenario 2: Terraform Single-tenant ASEv3 Secure Baseline