Azure / appservice-landing-zone-accelerator

The Azure App Service landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure App Service at scale.
https://build.microsoft.com/en-US/sessions/58f92fab-3298-444d-b215-6b93219cd5d7?source=sessions
MIT License

testing bicep cicd - added new oidc client id for read-only access, t… #199

Closed JinLee794 closed 5 months ago

JinLee794 commented 5 months ago

Description

This pull request includes various changes related to different scenarios, workflows, and configuration files. The most important changes include adding new deployment parameter files for different scenarios, removing GitHub Actions workflow files, and updating Terraform and Bicep configuration files.

Deployment and configuration changes:

Workflow changes:

Documentation changes:

Please note that the order of importance is subjective and can vary based on the context and requirements of the project.

Pipeline references

Pipeline
Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline
Scenario 1: Bicep Multi-Tenant ASEv3 Secure Baseline

Type of Change

Please delete options that are not relevant.

Checklist

github-actions[bot] commented 5 months ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

github-actions[bot] commented 5 months ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # azurerm_log_analytics_workspace.law has been deleted - resource "azurerm_log_analytics_workspace" "law" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/log-eslz2-prod" -> null name = "log-eslz2-prod" tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } # (13 unchanged attributes hidden) } # azurerm_resource_group.spoke has been deleted - resource "azurerm_resource_group" "spoke" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2" - location = "westus3" -> null - name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor has been deleted - resource "azurerm_user_assigned_identity" "contributor" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz2-contributor" name = "sec-baseline-1-spoke-westus3-msi-eslz2-contributor" - principal_id = "e1faacd3-0ee7-40f6-8bc2-93a34fcc9ade" -> null tags = {} # (4 unchanged attributes hidden) } # azurerm_user_assigned_identity.reader has been deleted - resource "azurerm_user_assigned_identity" "reader" { - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz2-reader" -> null name = "sec-baseline-1-spoke-westus3-msi-eslz2-reader" - principal_id = "507305dc-fa3f-423c-8f54-817c9130c141" -> null tags = {} # (4 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this has been deleted - resource "azurerm_app_configuration" "this" { - endpoint = "https://sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461.azconfig.io" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-configuration" } # (11 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "app-config-private-endpoint" - private_ip_address = "10.240.11.4" -> null # (3 unchanged attributes hidden) } } # module.app_service.azurerm_application_insights.this has been deleted - resource "azurerm_application_insights" "this" { - connection_string = (sensitive value) -> null id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz2-prod" - instrumentation_key = (sensitive value) -> null name = "sec-baseline-1-spoke-westus3-appi-eslz2-prod" tags = {} # (14 unchanged attributes hidden) } # module.app_service.azurerm_service_plan.this has been deleted - resource "azurerm_service_plan" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/serverfarms/westus3-plan-eslz2-prod" -> null name = "westus3-plan-eslz2-prod" tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-service" } # (10 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] has been deleted - resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> null name = "wafpolicymicrosoftdefaultruleset21" tags = {} # (6 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor has been deleted - resource "azurerm_cdn_frontdoor_profile" "frontdoor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod" -> null - name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod" -> null - sku_name = "Premium_AzureFrontDoor" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" 
= "frontdoor" } # (3 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this has been deleted - resource "azurerm_key_vault" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.KeyVault/vaults/kv-eslz2-prod-5461" -> null - name = "kv-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "key-vault" } - vault_uri = "https://kv-eslz2-prod-5461.vault.azure.net/" -> null # (12 unchanged attributes hidden) # (1 unchanged block hidden) } # module.key_vault.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz2-prod-5461" name = "pe-kv-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-kv-eslz2-prod-5461" - private_ip_address = "10.240.11.6" -> null # (3 unchanged attributes hidden) } } # module.network.azurerm_virtual_network.this has been deleted - resource "azurerm_virtual_network" "this" { - address_space = [ - "10.240.0.0/20", ] -> null - dns_servers = [] -> null - flow_timeout_in_minutes = 0 -> null - guid = "f5bc915a-58f2-4120-8b83-ea778b9c19ab" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod" -> null - location = "westus3" -> null - name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" -> null - resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" -> null - subnet = [ - { - address_prefix = "10.240.0.0/26" - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm" - name = "serverFarm" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress" - name = "ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops" - name = "devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink" - name = "privateLink" - security_group = "" }, ] -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "network" } -> null } # module.private_dns_zones[0].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azurewebsites.net" -> null - number_of_record_sets = 5 -> null - 
resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azurewebsites.net." -> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[1].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.database.windows.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.database.windows.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[2].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azconfig.io" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azconfig.io." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[3].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.vaultcore.azure.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.vaultcore.azure.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[4].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.redis.cache.windows.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.redis.cache.windows.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.redis_cache[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" - private_ip_address = "10.240.11.7" -> null # (3 unchanged attributes hidden) } } # module.redis_cache[0].azurerm_redis_cache.this has been deleted - resource "azurerm_redis_cache" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" -> null - primary_connection_string = (sensitive value) -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "redis" } # (20 unchanged attributes hidden) # (1 unchanged block hidden) } # module.sql_database[0].azurerm_mssql_database.this[0] has been deleted - resource "azurerm_mssql_database" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461/databases/sample-db" - name = "sample-db" -> null tags = {} # (15 unchanged attributes hidden) # (3 unchanged blocks hidden) } # 
module.sql_database[0].azurerm_mssql_server.this has been deleted - resource "azurerm_mssql_server" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "sql-database" } # (10 unchanged attributes hidden) # (1 unchanged block hidden) } # module.sql_database[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" - private_ip_address = "10.240.11.5" -> null # (3 unchanged attributes hidden) } } # module.user_defined_routes[0].azurerm_route_table.this has been deleted - resource "azurerm_route_table" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/routeTables/route-egress-lockdown" -> null - name = "route-egress-lockdown" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "user-defined-routes" } # (5 unchanged attributes hidden) } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this has been deleted - resource "azurerm_windows_web_app" "this" { - default_hostname = 
"eslz2.azurewebsites.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/sites/eslz2" -> null - name = "eslz2" -> null tags = {} # (19 unchanged attributes hidden) - identity { # (2 unchanged attributes hidden) } # (2 unchanged blocks hidden) } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot has been deleted - resource "azurerm_windows_web_app_slot" "slot" { - default_hostname = "eslz2-staging.azurewebsites.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/sites/eslz2/slots/staging" -> null - name = "staging" -> null tags = {} # (17 unchanged attributes hidden) - identity { # (2 unchanged attributes hidden) } # (1 unchanged block hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app has been deleted - resource "azurerm_cdn_frontdoor_endpoint" "web_app" { - host_name = "eslz2-prod-5461-gtf0cycnfsftaqc3.z01.azurefd.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/afdEndpoints/eslz2-prod-5461" -> null name = "eslz2-prod-5461" tags = {} # (2 unchanged attributes hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app has been deleted - resource "azurerm_cdn_frontdoor_origin" "web_app" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/originGroups/eslz2-prod-5461/origins/eslz2-prod-5461" -> null name = "eslz2-prod-5461" # (10 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app has 
been deleted - resource "azurerm_cdn_frontdoor_origin_group" "web_app" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/originGroups/eslz2-prod-5461" -> null name = "eslz2-prod-5461" # (3 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2" name = "pe-eslz2" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-eslz2" - private_ip_address = "10.240.0.68" -> null # (3 unchanged attributes hidden) } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging" name = "pe-eslz2-staging" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-eslz2-staging" - private_ip_address = "10.240.0.69" -> null # (3 unchanged attributes hidden) } } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + create -/+ destroy and then create replacement Terraform will perform the following actions: # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = "log-eslz2-prod" + primary_shared_key = (sensitive value) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus3" + name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-msi-eslz2-contributor" + principal_id = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-msi-eslz2-reader" + principal_id = (known after apply) + 
resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tenant_id = (known after apply) } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus3" + name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-configuration" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + records = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + 
private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_service.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = "sec-baseline-1-spoke-westus3-appi-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + 
location = "westus3" + maximum_elastic_worker_count = (known after apply) + name = "westus3-plan-eslz2-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "S1" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-service" } + worker_count = 1 + zone_balancing_enabled = false } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "frontdoor" } } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = (known after apply) + association { + 
patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}" + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" } + metric { + category = "AllMetrics" + enabled = false } } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus3" + name = "kv-eslz2-prod-5461" + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "key-vault" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "kv-eslz2-prod-5461" + records = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known 
after apply) + location = "westus3" + name = "pe-kv-eslz2-prod-5461" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "pe-kv-eslz2-prod-5461" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "serverFarm" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" + 
delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "ingress" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "devops" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "privateLink" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = 
"sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet = (known after apply) + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } } # module.network.azurerm_virtual_network_peering.target_to_this[0] will be created + resource "azurerm_virtual_network_peering" "target_to_this" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-eslz2" + remote_virtual_network_id = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + use_remote_gateways = false + virtual_network_name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.network.azurerm_virtual_network_peering.this_to_target[0] will be created + resource "azurerm_virtual_network_peering" "this_to_target" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-eslz2" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + use_remote_gateways = false + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.openai[0].azurecaf_name.caf_name_oai will be created + resource "azurecaf_name" "caf_name_oai" { + clean_input = 
true + id = (known after apply) + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_cognitive_account" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.openai[0].azurecaf_name.priv_endpoint will be created + resource "azurecaf_name" "priv_endpoint" { + clean_input = true + id = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.openai[0].azurerm_cognitive_account.this will be created + resource "azurerm_cognitive_account" "this" { + custom_subdomain_name = (known after apply) + endpoint = (known after apply) + id = (known after apply) + kind = "OpenAI" + local_auth_enabled = true + location = "westus3" + name = (known after apply) + outbound_network_access_restricted = false + primary_access_key = (sensitive value) + public_network_access_enabled = false + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + secondary_access_key = (sensitive value) + sku_name = "S0" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "openai" } + identity { + principal_id = (known after apply) + tenant_id = (known after apply) + type = "SystemAssigned" } + network_acls { + default_action = "Deny" + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) 
} } } # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created + resource "azurerm_cognitive_deployment" "this" { + cognitive_account_id = (known after apply) + id = (known after apply) + name = "gpt-35-turbo" + version_upgrade_option = "OnceNewDefaultVersionAvailable" + model { + format = "OpenAI" + name = "gpt-35-turbo" + version = "0613" } + scale { + capacity = 1 + type = "Standard" } } # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created + resource "azurerm_cognitive_deployment" "this" { + cognitive_account_id = (known after apply) + id = (known after apply) + name = "text-embedding-ada-002" + version_upgrade_option = "OnceNewDefaultVersionAvailable" + model { + format = "OpenAI" + name = "text-embedding-ada-002" + version = "2" } + scale { + capacity = 1 + type = "Standard" } } # module.private_dns_zones[0].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[1].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[2].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = 
"prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[3].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[4].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.redis.cache.windo ... ```

The output is too long and was truncated. You can read the full plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

github-actions[bot] commented 5 months ago

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

github-actions[bot] commented 5 months ago

Terraform Format and Style 🖌

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # azurerm_log_analytics_workspace.law has been deleted - resource "azurerm_log_analytics_workspace" "law" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/log-eslz2-prod" -> null name = "log-eslz2-prod" tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } # (13 unchanged attributes hidden) } # azurerm_resource_group.spoke has been deleted - resource "azurerm_resource_group" "spoke" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2" - location = "westus3" -> null - name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor has been deleted - resource "azurerm_user_assigned_identity" "contributor" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz2-contributor" name = "sec-baseline-1-spoke-westus3-msi-eslz2-contributor" - principal_id = "e1faacd3-0ee7-40f6-8bc2-93a34fcc9ade" -> null tags = {} # (4 unchanged attributes hidden) } # azurerm_user_assigned_identity.reader has been deleted - resource "azurerm_user_assigned_identity" "reader" { - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz2-reader" -> null name = "sec-baseline-1-spoke-westus3-msi-eslz2-reader" - principal_id = "507305dc-fa3f-423c-8f54-817c9130c141" -> null tags = {} # (4 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this has been deleted - resource "azurerm_app_configuration" "this" { - endpoint = "https://sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461.azconfig.io" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-configuration" } # (11 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "app-config-private-endpoint" - private_ip_address = "10.240.11.4" -> null # (3 unchanged attributes hidden) } } # module.app_service.azurerm_application_insights.this has been deleted - resource "azurerm_application_insights" "this" { - connection_string = (sensitive value) -> null id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz2-prod" - instrumentation_key = (sensitive value) -> null name = "sec-baseline-1-spoke-westus3-appi-eslz2-prod" tags = {} # (14 unchanged attributes hidden) } # module.app_service.azurerm_service_plan.this has been deleted - resource "azurerm_service_plan" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/serverfarms/westus3-plan-eslz2-prod" -> null name = "westus3-plan-eslz2-prod" tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-service" } # (10 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] has been deleted - resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> null name = "wafpolicymicrosoftdefaultruleset21" tags = {} # (6 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor has been deleted - resource "azurerm_cdn_frontdoor_profile" "frontdoor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod" -> null - name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod" -> null - sku_name = "Premium_AzureFrontDoor" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" 
= "frontdoor" } # (3 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this has been deleted - resource "azurerm_key_vault" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.KeyVault/vaults/kv-eslz2-prod-5461" -> null - name = "kv-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "key-vault" } - vault_uri = "https://kv-eslz2-prod-5461.vault.azure.net/" -> null # (12 unchanged attributes hidden) # (1 unchanged block hidden) } # module.key_vault.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz2-prod-5461" name = "pe-kv-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-kv-eslz2-prod-5461" - private_ip_address = "10.240.11.6" -> null # (3 unchanged attributes hidden) } } # module.network.azurerm_virtual_network.this has been deleted - resource "azurerm_virtual_network" "this" { - address_space = [ - "10.240.0.0/20", ] -> null - dns_servers = [] -> null - flow_timeout_in_minutes = 0 -> null - guid = "f5bc915a-58f2-4120-8b83-ea778b9c19ab" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod" -> null - location = "westus3" -> null - name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" -> null - resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" -> null - subnet = [ - { - address_prefix = "10.240.0.0/26" - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm" - name = "serverFarm" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress" - name = "ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops" - name = "devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink" - name = "privateLink" - security_group = "" }, ] -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "network" } -> null } # module.private_dns_zones[0].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azurewebsites.net" -> null - number_of_record_sets = 5 -> null - 
resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azurewebsites.net." -> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[1].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.database.windows.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.database.windows.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[2].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azconfig.io" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azconfig.io." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[3].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.vaultcore.azure.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.vaultcore.azure.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[4].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.redis.cache.windows.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.redis.cache.windows.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.redis_cache[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" - private_ip_address = "10.240.11.7" -> null # (3 unchanged attributes hidden) } } # module.redis_cache[0].azurerm_redis_cache.this has been deleted - resource "azurerm_redis_cache" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" -> null - primary_connection_string = (sensitive value) -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "redis" } # (20 unchanged attributes hidden) # (1 unchanged block hidden) } # module.sql_database[0].azurerm_mssql_database.this[0] has been deleted - resource "azurerm_mssql_database" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461/databases/sample-db" - name = "sample-db" -> null tags = {} # (15 unchanged attributes hidden) # (3 unchanged blocks hidden) } # 
module.sql_database[0].azurerm_mssql_server.this has been deleted - resource "azurerm_mssql_server" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "sql-database" } # (10 unchanged attributes hidden) # (1 unchanged block hidden) } # module.sql_database[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" - private_ip_address = "10.240.11.5" -> null # (3 unchanged attributes hidden) } } # module.user_defined_routes[0].azurerm_route_table.this has been deleted - resource "azurerm_route_table" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/routeTables/route-egress-lockdown" -> null - name = "route-egress-lockdown" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "user-defined-routes" } # (5 unchanged attributes hidden) } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this has been deleted - resource "azurerm_windows_web_app" "this" { - default_hostname = 
"eslz2.azurewebsites.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/sites/eslz2" -> null - name = "eslz2" -> null tags = {} # (19 unchanged attributes hidden) - identity { # (2 unchanged attributes hidden) } # (2 unchanged blocks hidden) } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot has been deleted - resource "azurerm_windows_web_app_slot" "slot" { - default_hostname = "eslz2-staging.azurewebsites.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/sites/eslz2/slots/staging" -> null - name = "staging" -> null tags = {} # (17 unchanged attributes hidden) - identity { # (2 unchanged attributes hidden) } # (1 unchanged block hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app has been deleted - resource "azurerm_cdn_frontdoor_endpoint" "web_app" { - host_name = "eslz2-prod-5461-gtf0cycnfsftaqc3.z01.azurefd.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/afdEndpoints/eslz2-prod-5461" -> null name = "eslz2-prod-5461" tags = {} # (2 unchanged attributes hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app has been deleted - resource "azurerm_cdn_frontdoor_origin" "web_app" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/originGroups/eslz2-prod-5461/origins/eslz2-prod-5461" -> null name = "eslz2-prod-5461" # (10 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app has 
been deleted - resource "azurerm_cdn_frontdoor_origin_group" "web_app" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/originGroups/eslz2-prod-5461" -> null name = "eslz2-prod-5461" # (3 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2" name = "pe-eslz2" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-eslz2" - private_ip_address = "10.240.0.68" -> null # (3 unchanged attributes hidden) } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging" name = "pe-eslz2-staging" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-eslz2-staging" - private_ip_address = "10.240.0.69" -> null # (3 unchanged attributes hidden) } } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + create -/+ destroy and then create replacement Terraform will perform the following actions: # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = "log-eslz2-prod" + primary_shared_key = (sensitive value) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus3" + name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-msi-eslz2-contributor" + principal_id = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-msi-eslz2-reader" + principal_id = (known after apply) + 
resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tenant_id = (known after apply) } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus3" + name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-configuration" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + records = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + 
private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_service.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = "sec-baseline-1-spoke-westus3-appi-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + 
location = "westus3" + maximum_elastic_worker_count = (known after apply) + name = "westus3-plan-eslz2-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "S1" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-service" } + worker_count = 1 + zone_balancing_enabled = false } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + request_body_check_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "frontdoor" } } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = 
(known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}" + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" } + metric { + category = "AllMetrics" + enabled = false } } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus3" + name = "kv-eslz2-prod-5461" + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "key-vault" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "kv-eslz2-prod-5461" + records = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = 
(known after apply) + id = (known after apply) + location = "westus3" + name = "pe-kv-eslz2-prod-5461" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "pe-kv-eslz2-prod-5461" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "serverFarm" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = 
"sec-baseline-1-spoke-westus3-vnet-eslz2-prod" + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "ingress" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "devops" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "privateLink" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + 
virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet = (known after apply) + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } } # module.network.azurerm_virtual_network_peering.target_to_this[0] will be created + resource "azurerm_virtual_network_peering" "target_to_this" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-eslz2" + remote_virtual_network_id = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + use_remote_gateways = false + virtual_network_name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.network.azurerm_virtual_network_peering.this_to_target[0] will be created + resource "azurerm_virtual_network_peering" "this_to_target" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-eslz2" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + use_remote_gateways = false + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.openai[0].azurecaf_name.caf_name_oai will be created + resource "azurecaf_name" 
"caf_name_oai" { + clean_input = true + id = (known after apply) + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_cognitive_account" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.openai[0].azurecaf_name.priv_endpoint will be created + resource "azurecaf_name" "priv_endpoint" { + clean_input = true + id = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.openai[0].azurerm_cognitive_account.this will be created + resource "azurerm_cognitive_account" "this" { + custom_subdomain_name = (known after apply) + endpoint = (known after apply) + id = (known after apply) + kind = "OpenAI" + local_auth_enabled = true + location = "westus3" + name = (known after apply) + outbound_network_access_restricted = false + primary_access_key = (sensitive value) + public_network_access_enabled = false + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + secondary_access_key = (sensitive value) + sku_name = "S0" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "openai" } + identity { + principal_id = (known after apply) + tenant_id = (known after apply) + type = "SystemAssigned" } + network_acls { + default_action = "Deny" + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + 
subnet_id = (known after apply) } } } # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created + resource "azurerm_cognitive_deployment" "this" { + cognitive_account_id = (known after apply) + id = (known after apply) + name = "gpt-35-turbo" + version_upgrade_option = "OnceNewDefaultVersionAvailable" + model { + format = "OpenAI" + name = "gpt-35-turbo" + version = "0613" } + scale { + capacity = 1 + type = "Standard" } } # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created + resource "azurerm_cognitive_deployment" "this" { + cognitive_account_id = (known after apply) + id = (known after apply) + name = "text-embedding-ada-002" + version_upgrade_option = "OnceNewDefaultVersionAvailable" + model { + format = "OpenAI" + name = "text-embedding-ada-002" + version = "2" } + scale { + capacity = 1 + type = "Standard" } } # module.private_dns_zones[0].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id 
= "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[1].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[2].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" 
= "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[3].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[4].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name ... ```

Output is too long and was truncated. You can read full Plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

github-actions[bot] commented 5 months ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. ```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

github-actions[bot] commented 5 months ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan ``` Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan: # azurerm_log_analytics_workspace.law has been deleted - resource "azurerm_log_analytics_workspace" "law" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.OperationalInsights/workspaces/log-eslz2-prod" -> null name = "log-eslz2-prod" tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } # (13 unchanged attributes hidden) } # azurerm_resource_group.spoke has been deleted - resource "azurerm_resource_group" "spoke" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2" - location = "westus3" -> null - name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor has been deleted - resource "azurerm_user_assigned_identity" "contributor" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz2-contributor" name = "sec-baseline-1-spoke-westus3-msi-eslz2-contributor" - principal_id = "e1faacd3-0ee7-40f6-8bc2-93a34fcc9ade" -> null tags = {} # (4 unchanged attributes hidden) } # azurerm_user_assigned_identity.reader has been deleted - resource "azurerm_user_assigned_identity" "reader" { - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sec-baseline-1-spoke-westus3-msi-eslz2-reader" -> null name = "sec-baseline-1-spoke-westus3-msi-eslz2-reader" - principal_id = "507305dc-fa3f-423c-8f54-817c9130c141" -> null tags = {} # (4 unchanged attributes hidden) } # module.app_configuration[0].azurerm_app_configuration.this has been deleted - resource "azurerm_app_configuration" "this" { - endpoint = "https://sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461.azconfig.io" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.AppConfiguration/configurationStores/sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-configuration" } # (11 unchanged attributes hidden) } # module.app_configuration[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "app-config-private-endpoint" - private_ip_address = "10.240.11.4" -> null # (3 unchanged attributes hidden) } } # module.app_service.azurerm_application_insights.this has been deleted - resource "azurerm_application_insights" "this" { - connection_string = (sensitive value) -> null id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Insights/components/sec-baseline-1-spoke-westus3-appi-eslz2-prod" - instrumentation_key = (sensitive value) -> null name = "sec-baseline-1-spoke-westus3-appi-eslz2-prod" tags = {} # (14 unchanged attributes hidden) } # module.app_service.azurerm_service_plan.this has been deleted - resource "azurerm_service_plan" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/serverfarms/westus3-plan-eslz2-prod" -> null name = "westus3-plan-eslz2-prod" tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "app-service" } # (10 unchanged attributes hidden) } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] has been deleted - resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/wafpolicymicrosoftdefaultruleset21" -> null name = "wafpolicymicrosoftdefaultruleset21" tags = {} # (6 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor has been deleted - resource "azurerm_cdn_frontdoor_profile" "frontdoor" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod" -> null - name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod" -> null - sku_name = "Premium_AzureFrontDoor" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" 
= "frontdoor" } # (3 unchanged attributes hidden) } # module.key_vault.azurerm_key_vault.this has been deleted - resource "azurerm_key_vault" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.KeyVault/vaults/kv-eslz2-prod-5461" -> null - name = "kv-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "key-vault" } - vault_uri = "https://kv-eslz2-prod-5461.vault.azure.net/" -> null # (12 unchanged attributes hidden) # (1 unchanged block hidden) } # module.key_vault.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-kv-eslz2-prod-5461" name = "pe-kv-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-kv-eslz2-prod-5461" - private_ip_address = "10.240.11.6" -> null # (3 unchanged attributes hidden) } } # module.network.azurerm_virtual_network.this has been deleted - resource "azurerm_virtual_network" "this" { - address_space = [ - "10.240.0.0/20", ] -> null - dns_servers = [] -> null - flow_timeout_in_minutes = 0 -> null - guid = "f5bc915a-58f2-4120-8b83-ea778b9c19ab" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod" -> null - location = "westus3" -> null - name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" -> null - resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" -> null - subnet = [ - { - address_prefix = "10.240.0.0/26" - id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/serverFarm" - name = "serverFarm" - security_group = "" }, - { - address_prefix = "10.240.0.64/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/ingress" - name = "ingress" - security_group = "" }, - { - address_prefix = "10.240.10.128/26" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/devops" - name = "devops" - security_group = "" }, - { - address_prefix = "10.240.11.0/24" - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-spoke-westus3-vnet-eslz2-prod/subnets/privateLink" - name = "privateLink" - security_group = "" }, ] -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "network" } -> null } # module.private_dns_zones[0].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azurewebsites.net" -> null - number_of_record_sets = 5 -> null - 
resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azurewebsites.net." -> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[1].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.database.windows.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.database.windows.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[2].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.azconfig.io" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.azconfig.io." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[3].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.vaultcore.azure.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.vaultcore.azure.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.private_dns_zones[4].azurerm_private_dns_zone.this has been deleted - resource "azurerm_private_dns_zone" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net" -> null - max_number_of_record_sets = 25000 -> null - max_number_of_virtual_network_links = 1000 -> null - max_number_of_virtual_network_links_with_registration = 100 -> null - name = "privatelink.redis.cache.windows.net" -> null - number_of_record_sets = 2 -> null - resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" -> null - tags = { - "Environment" = "prod" - "Owner" = "cloudops@contoso.com" - "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" - "Terraform" = "true" - "module" = "private-dns-zone" } -> null - soa_record { - email = "azureprivatedns-host.microsoft.com" -> null - expire_time = 2419200 -> null - fqdn = "privatelink.redis.cache.windows.net." 
-> null - host_name = "azureprivatedns.net" -> null - minimum_ttl = 10 -> null - refresh_time = 3600 -> null - retry_time = 300 -> null - serial_number = 1 -> null - tags = {} -> null - ttl = 3600 -> null } } # module.redis_cache[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" - private_ip_address = "10.240.11.7" -> null # (3 unchanged attributes hidden) } } # module.redis_cache[0].azurerm_redis_cache.this has been deleted - resource "azurerm_redis_cache" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cache/redis/sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-redis-eslz2-prod-5461" -> null - primary_connection_string = (sensitive value) -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "redis" } # (20 unchanged attributes hidden) # (1 unchanged block hidden) } # module.sql_database[0].azurerm_mssql_database.this[0] has been deleted - resource "azurerm_mssql_database" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461/databases/sample-db" - name = "sample-db" -> null tags = {} # (15 unchanged attributes hidden) # (3 unchanged blocks hidden) } # 
module.sql_database[0].azurerm_mssql_server.this has been deleted - resource "azurerm_mssql_server" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Sql/servers/sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" -> null - name = "sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "sql-database" } # (10 unchanged attributes hidden) # (1 unchanged block hidden) } # module.sql_database[0].azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" name = "pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-sec-baseline-1-spoke-westus3-sql-eslz2-prod-5461" - private_ip_address = "10.240.11.5" -> null # (3 unchanged attributes hidden) } } # module.user_defined_routes[0].azurerm_route_table.this has been deleted - resource "azurerm_route_table" "this" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/routeTables/route-egress-lockdown" -> null - name = "route-egress-lockdown" -> null tags = { "Environment" = "prod" "Owner" = "cloudops@contoso.com" "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" "Terraform" = "true" "module" = "user-defined-routes" } # (5 unchanged attributes hidden) } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app.this has been deleted - resource "azurerm_windows_web_app" "this" { - default_hostname = 
"eslz2.azurewebsites.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/sites/eslz2" -> null - name = "eslz2" -> null tags = {} # (19 unchanged attributes hidden) - identity { # (2 unchanged attributes hidden) } # (2 unchanged blocks hidden) } # module.app_service.module.windows_web_app[0].azurerm_windows_web_app_slot.slot has been deleted - resource "azurerm_windows_web_app_slot" "slot" { - default_hostname = "eslz2-staging.azurewebsites.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Web/sites/eslz2/slots/staging" -> null - name = "staging" -> null tags = {} # (17 unchanged attributes hidden) - identity { # (2 unchanged attributes hidden) } # (1 unchanged block hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_endpoint.web_app has been deleted - resource "azurerm_cdn_frontdoor_endpoint" "web_app" { - host_name = "eslz2-prod-5461-gtf0cycnfsftaqc3.z01.azurefd.net" -> null - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/afdEndpoints/eslz2-prod-5461" -> null name = "eslz2-prod-5461" tags = {} # (2 unchanged attributes hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_origin.web_app has been deleted - resource "azurerm_cdn_frontdoor_origin" "web_app" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/originGroups/eslz2-prod-5461/origins/eslz2-prod-5461" -> null name = "eslz2-prod-5461" # (10 unchanged attributes hidden) # (1 unchanged block hidden) } # module.frontdoor.module.endpoint[0].azurerm_cdn_frontdoor_origin_group.web_app has 
been deleted - resource "azurerm_cdn_frontdoor_origin_group" "web_app" { - id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Cdn/profiles/sec-baseline-1-spoke-westus3-fd-eslz2-prod/originGroups/eslz2-prod-5461" -> null name = "eslz2-prod-5461" # (3 unchanged attributes hidden) # (2 unchanged blocks hidden) } # module.app_service.module.windows_web_app[0].module.private_endpoint.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2" name = "pe-eslz2" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-eslz2" - private_ip_address = "10.240.0.68" -> null # (3 unchanged attributes hidden) } } # module.app_service.module.windows_web_app[0].module.private_endpoint_slot.azurerm_private_endpoint.this has been deleted - resource "azurerm_private_endpoint" "this" { id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/spoke-sec-baseline-1-spoke-westus3-rg-eslz2/providers/Microsoft.Network/privateEndpoints/pe-eslz2-staging" name = "pe-eslz2-staging" tags = {} # (6 unchanged attributes hidden) - private_service_connection { name = "pe-eslz2-staging" - private_ip_address = "10.240.0.69" -> null # (3 unchanged attributes hidden) } } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ───────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + create -/+ destroy and then create replacement Terraform will perform the following actions: # azurerm_log_analytics_workspace.law will be created + resource "azurerm_log_analytics_workspace" "law" { + allow_resource_only_permissions = true + daily_quota_gb = -1 + id = (known after apply) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = "log-eslz2-prod" + primary_shared_key = (sensitive value) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + retention_in_days = 30 + secondary_shared_key = (sensitive value) + sku = "PerGB2018" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } + workspace_id = (known after apply) } # azurerm_resource_group.spoke will be created + resource "azurerm_resource_group" "spoke" { + id = (known after apply) + location = "westus3" + name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" } } # azurerm_user_assigned_identity.contributor will be created + resource "azurerm_user_assigned_identity" "contributor" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-msi-eslz2-contributor" + principal_id = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tenant_id = (known after apply) } # azurerm_user_assigned_identity.reader will be created + resource "azurerm_user_assigned_identity" "reader" { + client_id = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-msi-eslz2-reader" + principal_id = (known after apply) + 
resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + tenant_id = (known after apply) } # module.app_configuration[0].azurerm_app_configuration.this will be created + resource "azurerm_app_configuration" "this" { + endpoint = (known after apply) + id = (known after apply) + local_auth_enabled = false + location = "westus3" + name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + primary_read_key = (known after apply) + primary_write_key = (known after apply) + public_network_access = "Disabled" + purge_protection_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + secondary_read_key = (known after apply) + secondary_write_key = (known after apply) + sku = "standard" + soft_delete_retention_days = 7 + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-configuration" } } # module.app_configuration[0].azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + records = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + ttl = 300 + zone_name = "privatelink.azconfig.io" } # module.app_configuration[0].azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = (known after apply) + id = (known after apply) + location = "westus3" + name = "pe-sec-baseline-1-spoke-westus3-appcg-eslz2-prod-5461" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "app-config-private-endpoint" + private_connection_resource_id = (known after apply) + 
private_ip_address = (known after apply) + subresource_names = [ + "configurationStores", ] } } # module.app_configuration[0].azurerm_role_assignment.data_owners[0] will be created + resource "azurerm_role_assignment" "data_owners" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Owner" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_configuration[0].azurerm_role_assignment.data_readers[0] will be created + resource "azurerm_role_assignment" "data_readers" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "App Configuration Data Reader" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.app_service.azurerm_application_insights.this will be created + resource "azurerm_application_insights" "this" { + app_id = (known after apply) + application_type = "web" + connection_string = (sensitive value) + daily_data_cap_in_gb = (known after apply) + daily_data_cap_notifications_disabled = (known after apply) + disable_ip_masking = false + force_customer_storage_for_profiler = false + id = (known after apply) + instrumentation_key = (sensitive value) + internet_ingestion_enabled = true + internet_query_enabled = true + local_authentication_disabled = false + location = "westus3" + name = "sec-baseline-1-spoke-westus3-appi-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + retention_in_days = 90 + sampling_percentage = 100 + workspace_id = (known after apply) } # module.app_service.azurerm_service_plan.this will be created + resource "azurerm_service_plan" "this" { + id = (known after apply) + kind = (known after apply) + 
location = "westus3" + maximum_elastic_worker_count = (known after apply) + name = "westus3-plan-eslz2-prod" + os_type = "Windows" + per_site_scaling_enabled = false + reserved = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "S1" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "app-service" } + worker_count = 1 + zone_balancing_enabled = false } # module.frontdoor.azurerm_cdn_frontdoor_firewall_policy.waf[0] will be created + resource "azurerm_cdn_frontdoor_firewall_policy" "waf" { + enabled = true + frontend_endpoint_ids = (known after apply) + id = (known after apply) + mode = "Prevention" + name = "wafpolicymicrosoftdefaultruleset21" + request_body_check_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "Premium_AzureFrontDoor" + managed_rule { + action = "Block" + type = "Microsoft_DefaultRuleSet" + version = "2.1" } } # module.frontdoor.azurerm_cdn_frontdoor_profile.frontdoor will be created + resource "azurerm_cdn_frontdoor_profile" "frontdoor" { + id = (known after apply) + name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + resource_guid = (known after apply) + response_timeout_seconds = 120 + sku_name = "Premium_AzureFrontDoor" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "frontdoor" } } # module.frontdoor.azurerm_cdn_frontdoor_security_policy.web_app_waf[0] will be created + resource "azurerm_cdn_frontdoor_security_policy" "web_app_waf" { + cdn_frontdoor_profile_id = (known after apply) + id = (known after apply) + name = "WAF-Security-Policy" + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = 
(known after apply) + association { + patterns_to_match = [ + "/*", ] + domain { + active = (known after apply) + cdn_frontdoor_domain_id = (known after apply) } } } } } # module.frontdoor.azurerm_monitor_diagnostic_setting.this[0] will be created + resource "azurerm_monitor_diagnostic_setting" "this" { + id = (known after apply) + log_analytics_destination_type = "AzureDiagnostics" + log_analytics_workspace_id = (known after apply) + name = "sec-baseline-1-spoke-westus3-fd-eslz2-prod-diagnostic-settings}" + target_resource_id = (known after apply) + enabled_log { + category_group = "allLogs" } + metric { + category = "AllMetrics" + enabled = false } } # module.key_vault.azurerm_key_vault.this will be created + resource "azurerm_key_vault" "this" { + access_policy = (known after apply) + enable_rbac_authorization = true + enabled_for_disk_encryption = true + id = (known after apply) + location = "westus3" + name = "kv-eslz2-prod-5461" + public_network_access_enabled = false + purge_protection_enabled = true + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + sku_name = "standard" + soft_delete_retention_days = 7 + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "key-vault" } + tenant_id = "449fbe1d-9c99-4509-9014-4fd5cf25b014" + vault_uri = (known after apply) + network_acls { + bypass = "AzureServices" + default_action = "Deny" } } # module.key_vault.azurerm_private_dns_a_record.this will be created + resource "azurerm_private_dns_a_record" "this" { + fqdn = (known after apply) + id = (known after apply) + name = "kv-eslz2-prod-5461" + records = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + ttl = 300 + zone_name = "privatelink.vaultcore.azure.net" } # module.key_vault.azurerm_private_endpoint.this will be created + resource "azurerm_private_endpoint" "this" { + custom_dns_configs = 
(known after apply) + id = (known after apply) + location = "westus3" + name = "pe-kv-eslz2-prod-5461" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet_id = (known after apply) + private_service_connection { + is_manual_connection = false + name = "pe-kv-eslz2-prod-5461" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "vault", ] } } # module.key_vault.azurerm_role_assignment.secrets_officer[0] will be created + resource "azurerm_role_assignment" "secrets_officer" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets Officer" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.key_vault.azurerm_role_assignment.secrets_user[0] will be created + resource "azurerm_role_assignment" "secrets_user" { + id = (known after apply) + name = (known after apply) + principal_id = (known after apply) + principal_type = (known after apply) + role_definition_id = (known after apply) + role_definition_name = "Key Vault Secrets User" + scope = (known after apply) + skip_service_principal_aad_check = (known after apply) } # module.network.azurerm_subnet.this[0] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.0/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "serverFarm" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = 
"sec-baseline-1-spoke-westus3-vnet-eslz2-prod" + delegation { + name = "Microsoft.Web/serverFarms" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", ] + name = "Microsoft.Web/serverFarms" } } } # module.network.azurerm_subnet.this[1] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.0.64/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "ingress" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_subnet.this[2] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.10.128/26", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "devops" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_subnet.this[3] will be created + resource "azurerm_subnet" "this" { + address_prefixes = [ + "10.240.11.0/24", ] + enforce_private_link_endpoint_network_policies = (known after apply) + enforce_private_link_service_network_policies = (known after apply) + id = (known after apply) + name = "privateLink" + private_endpoint_network_policies_enabled = (known after apply) + private_link_service_network_policies_enabled = (known after apply) + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + 
virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.network.azurerm_virtual_network.this will be created + resource "azurerm_virtual_network" "this" { + address_space = [ + "10.240.0.0/20", ] + dns_servers = (known after apply) + guid = (known after apply) + id = (known after apply) + location = "westus3" + name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + subnet = (known after apply) + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "network" } } # module.network.azurerm_virtual_network_peering.target_to_this[0] will be created + resource "azurerm_virtual_network_peering" "target_to_this" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "hub-to-spoke-eslz2" + remote_virtual_network_id = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + use_remote_gateways = false + virtual_network_name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.network.azurerm_virtual_network_peering.this_to_target[0] will be created + resource "azurerm_virtual_network_peering" "this_to_target" { + allow_forwarded_traffic = false + allow_gateway_transit = false + allow_virtual_network_access = true + id = (known after apply) + name = "spoke-to-hub-eslz2" + remote_virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + use_remote_gateways = false + virtual_network_name = "sec-baseline-1-spoke-westus3-vnet-eslz2-prod" } # module.openai[0].azurecaf_name.caf_name_oai will be created + resource "azurecaf_name" 
"caf_name_oai" { + clean_input = true + id = (known after apply) + passthrough = false + prefixes = [ + "sec-baseline-1-spoke", + "westus3", ] + random_length = 0 + resource_type = "azurerm_cognitive_account" + result = (known after apply) + results = (known after apply) + separator = "-" + suffixes = [ + "prod", ] + use_slug = true } # module.openai[0].azurecaf_name.priv_endpoint will be created + resource "azurecaf_name" "priv_endpoint" { + clean_input = true + id = (known after apply) + passthrough = false + random_length = 0 + resource_type = "azurerm_private_endpoint" + result = (known after apply) + results = (known after apply) + separator = "-" + use_slug = true } # module.openai[0].azurerm_cognitive_account.this will be created + resource "azurerm_cognitive_account" "this" { + custom_subdomain_name = (known after apply) + endpoint = (known after apply) + id = (known after apply) + kind = "OpenAI" + local_auth_enabled = true + location = "westus3" + name = (known after apply) + outbound_network_access_restricted = false + primary_access_key = (sensitive value) + public_network_access_enabled = false + resource_group_name = "spoke-sec-baseline-1-spoke-westus3-rg-eslz2" + secondary_access_key = (sensitive value) + sku_name = "S0" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "openai" } + identity { + principal_id = (known after apply) + tenant_id = (known after apply) + type = "SystemAssigned" } + network_acls { + default_action = "Deny" + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + subnet_id = (known after apply) } + virtual_network_rules { + ignore_missing_vnet_service_endpoint = true + 
subnet_id = (known after apply) } } } # module.openai[0].azurerm_cognitive_deployment.this["gpt-35-turbo"] will be created + resource "azurerm_cognitive_deployment" "this" { + cognitive_account_id = (known after apply) + id = (known after apply) + name = "gpt-35-turbo" + version_upgrade_option = "OnceNewDefaultVersionAvailable" + model { + format = "OpenAI" + name = "gpt-35-turbo" + version = "0613" } + scale { + capacity = 1 + type = "Standard" } } # module.openai[0].azurerm_cognitive_deployment.this["text-embedding-ada-002"] will be created + resource "azurerm_cognitive_deployment" "this" { + cognitive_account_id = (known after apply) + id = (known after apply) + name = "text-embedding-ada-002" + version_upgrade_option = "OnceNewDefaultVersionAvailable" + model { + format = "OpenAI" + name = "text-embedding-ada-002" + version = "2" } + scale { + capacity = 1 + type = "Standard" } } # module.private_dns_zones[0].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azurewebsites.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[0].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.azurewebsites.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id 
= "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[1].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.vaultcore.azure.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[1].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.vaultcore.azure.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[2].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.database.windows.net" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" 
= "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[2].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.database.windows.net" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = "/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[3].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name = "privatelink.azconfig.io" + number_of_record_sets = (known after apply) + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + tags = { + "Environment" = "prod" + "Owner" = "cloudops@contoso.com" + "Project" = "[Scenario 1: SPOKE] App Service Landing Zone Accelerator" + "Terraform" = "true" + "module" = "private-dns-zone" } } # module.private_dns_zones[3].azurerm_private_dns_zone_virtual_network_link.this[0] will be created + resource "azurerm_private_dns_zone_virtual_network_link" "this" { + id = (known after apply) + name = "sec-baseline-1-hub-wus2-vnet-eslz2-prod" + private_dns_zone_name = "privatelink.azconfig.io" + registration_enabled = false + resource_group_name = "sec-baseline-1-hub-wus2-rg-eslz2" + virtual_network_id = 
"/subscriptions/864eb9d0-e9c4-4d6b-bf11-bd4cfde05e81/resourceGroups/sec-baseline-1-hub-wus2-rg-eslz2/providers/Microsoft.Network/virtualNetworks/sec-baseline-1-hub-wus2-vnet-eslz2-prod" } # module.private_dns_zones[4].azurerm_private_dns_zone.this will be created + resource "azurerm_private_dns_zone" "this" { + id = (known after apply) + max_number_of_record_sets = (known after apply) + max_number_of_virtual_network_links = (known after apply) + max_number_of_virtual_network_links_with_registration = (known after apply) + name ... ```

Output is too long and was truncated. You can read the full plan in Actions.

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/spoke, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline

github-actions[bot] commented 5 months ago

Terraform Format and Style 🖌``

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output ``` Success! The configuration is valid. ```

Terraform Plan 📖success

Show Plan

```
No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
```

Pusher: @JinLee794, Action: pull_request, Working Directory: scenarios/secure-baseline-multitenant/terraform/hub, Workflow: Scenario 1: Terraform Multi-Tenant ASEv3 Secure Baseline