Updates for Azure Policy add

2023-06-20 10:29:54 -05:00
parent 27c2712af1
commit 47a204b73f
4 changed files with 50 additions and 401 deletions
--- a/quickstart/101-virtual-network-manager-create-mesh/main.tf
+++ b/quickstart/101-virtual-network-manager-create-mesh/main.tf
@@ -58,14 +58,56 @@ resource "azurerm_network_manager_network_group" "network_group" {
  network_manager_id = azurerm_network_manager.network_manager_instance.id
 }

-# Add the three virtual networks to the network group as static members
+# Add the 3 virtual networks to a network group as dynamic members with Azure Policy

-resource "azurerm_network_manager_static_member" "static_members" {
-  count = 3
+resource "random_pet" "network_group_policy_name" {
+  prefix = "network-group-policy"
+}

-  name                      = "static-member-0${count.index}"
-  network_group_id          = azurerm_network_manager_network_group.network_group.id
-  target_virtual_network_id = azurerm_virtual_network.vnet[count.index].id
+resource "azurerm_policy_definition" "network_group_policy" {
+  name         = "${random_pet.network_group_policy_name.id}"
+  policy_type  = "Custom"
+  mode         = "Microsoft.Network.Data"
+  display_name = "Policy Definition for Network Group"
+
+  metadata = <<METADATA
+    {
+      "category": "Azure Virtual Network Manager"
+    }
+  METADATA
+
+  policy_rule = <<POLICY_RULE
+    {
+      "if": {
+        "allOf": [
+          {
+              "field": "type",
+              "equals": "Microsoft.Network/virtualNetworks"
+          },
+          {
+            "allOf": [
+              {
+              "field": "Name",
+              "contains": "vnet"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "addToNetworkGroup",
+        "details": {
+          "networkGroupId": "${azurerm_network_manager_network_group.network_group.id}"
+        }
+      }
+    }
+  POLICY_RULE
+}
+
+resource "azurerm_subscription_policy_assignment" "azure_policy_assignment" {
+  name                 = "${random_pet.network_group_policy_name.id}-policy-assignment"
+  policy_definition_id = azurerm_policy_definition.network_group_policy.id
+  subscription_id      = data.azurerm_subscription.current.id
 }

 # Create a connectivity configuration
--- a/quickstart/101-virtual-network-manager-create-mesh/readme.md
+++ b/quickstart/101-virtual-network-manager-create-mesh/readme.md
@@ -10,7 +10,8 @@ This template deploys an Azure Virtual Network Manager instance with a connectiv
 - [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
 - [azurerm_virtual_network_manager](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager)
 - [azurerm_network_manager_network_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_network_group)
- [azurerm_network_manager_static_member](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_static_member)
+- [azurerm_policy_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition)
+- [azurerm_subscription_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_assignment)
 - [azurerm_network_manager_connectivity_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_connectivity_configuration)
 - [azurerm_network_manager_deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_deployment)

--- a/quickstart/101-virtual-network-manager-create/101-full/main.tf
+++ b/quickstart/101-virtual-network-manager-create/101-full/main.tf
@@ -1,180 +0,0 @@
-terraform {
-  required_providers {
-    azurerm = {
-      source = "hashicorp/azurerm"
-      version = "3.56.0"
-    }
-  }
-}
-
-provider "azurerm" {
-  features {}
-}
-
-# Define variables
-
-variable "region" {
-    type        = string
-    default     = "eastus"
-}
-
-variable "subscriptionID" {
-    type        = string
-    default     = "6a5f35e9-6951-499d-a36b-83c6c6eed44a"
-}
-variable "resourceGroup" {
-    type        = string
-    default     = "rg-learn-eastus-001"
-}
-
-variable "networkManager" {
-    type        = string
-    default     = "nm-learn-eastus-001"
-}
-
-variable "networkGroup" {
-    type      = string
-    default   = "ng-learn-eastus-001"
-}
-
-variable "configurationName" {
-    type      = string
-    default   = "connectivityconfig"
-}
-
-variable "connectivityTopology" {
-    type      = string
-    default   = "Mesh"
-}
-
-variable "targetRegion" {
-    type      = string
-    default   = "eastus"
-}
-
-variable "commitType"{ 
-    type      = string
-    default   = "connectivity"
-}
-
-# Create the Resource Group
-
-resource "azurerm_resource_group" "rg" {
-  name     = var.resourceGroup
-  location = var.region
-}
-
-# Create a Virtual Network Manager instance
-
-data "azurerm_subscription" "current" {
-}
-
-resource "azurerm_network_manager" "networkManager" {
-  name                = var.networkManager
-  location            = var.region
-  resource_group_name = var.resourceGroup
-  scope {
-    subscription_ids = [data.azurerm_subscription.current.id]
-  }
-  scope_accesses = ["Connectivity", "SecurityAdmin"]
-  description    = "example network manager"
-  tags = {
-    foo = "bar"
-  }
-}
-
-# Create three virtual networks
-resource "azurerm_virtual_network" "vnet_001" {
-  name                = "vnet-learn-prod-eastus-001"
-  resource_group_name = var.resourceGroup
-  location            = var.region
-  address_space       = ["10.0.0.0/16"]
-  depends_on = [azurerm_resource_group.rg]
-}
-
-resource "azurerm_virtual_network" "vnet_002" {
-  name                = "vnet-learn-prod-eastus-002"
-  resource_group_name = var.resourceGroup
-  location            = var.region
-  address_space       = ["10.1.0.0/16"]
-  depends_on = [azurerm_resource_group.rg]
-}
-
-resource "azurerm_virtual_network" "vnet_003" {
-  name                = "vnet-learn-test-eastus-003"
-  resource_group_name = var.resourceGroup
-  location            = var.region
-  address_space       = ["10.2.0.0/16"]
-  depends_on = [azurerm_resource_group.rg]
-}
-
-# Add a subnet to each virtual network
-
-resource "azurerm_subnet" "subnet_vnet_001" {
-  name                 = "default"
-  virtual_network_name = azurerm_virtual_network.vnet_001.name
-  resource_group_name  = var.resourceGroup
-  address_prefixes     = ["10.0.0.0/24"]
-  depends_on = [azurerm_virtual_network.vnet_001]
-}
-
-resource "azurerm_subnet" "subnet_vnet_002" {
-  name                 = "default"
-  virtual_network_name = azurerm_virtual_network.vnet_002.name
-  resource_group_name  = var.resourceGroup
-  address_prefixes     = ["10.1.0.0/24"]
-  depends_on = [azurerm_virtual_network.vnet_002]
-}
-
-resource "azurerm_subnet" "subnet_vnet_003" {
-  name                 = "default"
-  virtual_network_name = azurerm_virtual_network.vnet_003.name
-  resource_group_name  = var.resourceGroup
-  address_prefixes     = ["10.2.0.0/24"]
-  depends_on = [azurerm_virtual_network.vnet_003]
-}
-
-# Create a network group
-
-resource "null_resource" "ng_create" {
-  provisioner "local-exec" {
-    command = "az network manager group create --name ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup}"
-  }
-  depends_on = [azurerm_network_manager.networkManager]
-}
-
-# Define membership for a mesh configuration 
-
-resource "null_resource" "static_members"{
-  provisioner "local-exec"{
-    command="az network manager group static-member create --name vnet-02 --network-group ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup} --resource-id /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/virtualnetworks/vnet-learn-prod-eastus-002"
-  }
-  depends_on=[null_resource.ng_create]
-}
-
-resource "null_resource" "static_members01"{
-  provisioner "local-exec"{
-    command="az network manager group static-member create --name vnet-01 --network-group ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup} --resource-id /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/virtualnetworks/vnet-learn-prod-eastus-001"
-  }
-  depends_on=[null_resource.ng_create]
-}
-
-# Create a connectivity configuration
-resource "null_resource" "connectivityConfig"{
-  provisioner "local-exec"{
-    command="az network manager connect-config create --configuration-name ${var.configurationName} --applies-to-groups network-group-id=/subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/${var.networkGroup} --connectivity-topology ${var.connectivityTopology} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup}"
-  }
-  depends_on=[null_resource.ng_create]
-}
-
-# Commit deployment
-resource "null_resource" "commitDeployment"{
-  provisioner "local-exec"{
-    command="az network manager post-commit --network-manager-name ${var.networkManager} --commit-type ${var.commitType} --configuration-ids /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/networkManagers/${var.networkManager}/connectivityConfigurations/${var.configurationName} --target-locations ${var.targetRegion} --resource-group ${var.resourceGroup}"
-  }
-  depends_on=[null_resource.ng_create]
-}
-
-
-
-
--- a/quickstart/101-virtual-network-manager-create/101-full/qs-avnm-terraform.md
+++ b/quickstart/101-virtual-network-manager-create/101-full/qs-avnm-terraform.md
@@ -1,214 +0,0 @@
-<!-- 
-To write a Terraform quickstart, follow the steps in this template and remove all HTML comments.
-->
-
---
-title: 'Quickstart: <!-- What the code does. Start with a verb and include the terms Azure and Terraform. -->'
-description: <!-- "Learn how to ..." -->
-keywords: <!-- Space-separated terms associated with article - include azure, devops, terraform. -->
-ms.topic: quickstart
-ms.date: <!-- MM/DD/YYYY -->
-ms.custom: devx-track-terraform
-author: <!-- Your GitHub ID. -->
-ms.author: <!-- Your Microsoft alias. -->
---
-
-# Quickstart: <!-- H1 generally has the same value as the title metadata field. -->
-
-<!-- Update the Terraform and Terraform provider information to show the customer what the 
-article code was tested with. -->
-
-Article tested with the following Terraform and Terraform provider versions:
-
- [Terraform v1.2.7](https://releases.hashicorp.com/terraform/)
- [AzureRM Provider v.3.20.0](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)
-
-<!-- 
-Introductory paragraph. Keep it short and to the point. 
-Link to devhub index page of underlying technology where appropriate.
-
-Example:
-This article shows how to deploy an Azure MySQL Flexible Server Database in a virtual network (VNet) using Terraform.
-->
-
-This article shows how to use Terraform to ...
-
-[!INCLUDE [Terraform abstract](~/azure-dev-docs-pr/articles/terraform/includes/abstract.md)]
-
-<!-- 
-Bullet list of tasks the customer will do in the article.
-->
-
-In this article, you learn how to:
-
-> [!div class="checklist"]
-
-<!-- 
-Add several bullets to highlight what the customer will do in the article. 
-->
-> * Task 1
-> * Task 2
-> * Task n
-
-<!--
-Update the directory of the following "Note" to tell the customer the GitHub root 
-directory of the source code.
-->
-
-> [!NOTE]
-> The example code in this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/...). See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)
-
-<!--
-This template shows a standard example of H2 sections for a Terraform article:
-
-## Prerequisites
-## Implement the Terraform code
-## Initialize Terraform
-## Create a Terraform execution plan
-## Apply a Terraform execution plan
-## Verify the results
-## Clean up resources
-## Troubleshoot Terraform on Azure
-## Next steps
-
-Your article might have additional sections throughout that are not illustrated in this example. 
-->
-
-## Prerequisites
-
-[!INCLUDE [open-source-devops-prereqs-azure-subscription.md](~/azure-dev-docs-pr/articles/includes/open-source-devops-prereqs-azure-subscription.md)]
-
- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)
-
-<!-- 
-Add bullets for any article-specific includes or download/install URLs and commands.
-->
-
-## Implement the Terraform code
-
-<!--
-In the CRR (cross-repo reference) statements below, "terraform_samples" refers to the 
-code repository. terraform_samples is defined in the repo's .openpublishing.publish.config.json
-file. This definition exists in the azure-dev-docs-pr and azure-docs-pr repos. If you're
-working in a different repo and need help creating this, reach out to the Terraform documentation 
-team to have this created for you. In each CRR statement, the value after "terraform_samples"
-is the directory on the code repo in which the file you want to copy exists. The examples
-should help clarify how you need to enter these statements, but if you need assistance,
- the Terraform documentation team can help.
-
-All Terraform procedural articles (quickstart, tutorial) should have a minimum of 4 files:
-
-* providers.tf - declares the provider block
-* main.tf -  declares resource group and your other code resources
-* variables.tf - defines resource group name prefix, location, and any other vars you need
-* outputs.tf - outputs randomly generated resource group name
-
-->
-
-1. Create a directory in which to test and run the sample Terraform code and make it the current directory.
-
-1. Create a file named `providers.tf` and insert the following code:
-
-    [!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/providers.tf-->)]
-    <!--
-    EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/providers.tf)]
-    -->
-
-1. Create a file named `main.tf` and insert the following code:
-
-    [!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/main.tf-->)]
-    <!--
-    EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/main.tf)]
-    -->
-
-1. Create a file named `variables.tf` and insert the following code:
-
-    [!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/variables.tf-->)]
-    <!--
-    EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/variables.tf)]
-    -->
-
-1. Create a file named `outputs.tf` and insert the following code:
-
-    [!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/outputs.tf-->)]
-    <!--
-    EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/outputs.tf)]
-    -->
-
-<!--
-If you have additional TF files, use the following 2 lines for each additional file. 
-->
-
-1. Create a file named <!-- filename.tf --> and insert the following code:
-
-    [!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/<file> -->)]
-
-## Initialize Terraform
-
-[!INCLUDE [terraform-init.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-init.md)]
-
-## Create a Terraform execution plan
-
-[!INCLUDE [terraform-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan.md)]
-
-## Apply a Terraform execution plan
-
-[!INCLUDE [terraform-apply-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-apply-plan.md)]
-
-<!-- The following section is optional and used in cases where you have the customer create 
-and apply a plan, followed by making some changes, and now you want the customer to create 
-and apply a new execution plan based on the changes.
-
-[!INCLUDE [terraform-plan-recreate.md](includes/terraform-plan-recreate.md)]
-->
-
-## Verify the results
-
-<!-- 
-Customers have consistently requested that they have the ability to verify if the steps worked. 
-Here you would specify steps to do that task.
-For example, you might tell the user to run a specific command and what they should see as output 
-or go to the portal to view a resource that should have been created.
-->
-
-## Clean up resources
-
-<!-- 
-All articles should allow the customer to reverse what they've done in the article. 
-
-In most cases, you need only include the file below that shows the customer how to 
-destroy the resources created previously.
-
-However, in some more advanced cases, you might have the customer do more steps prior 
-to implementing the code.
-
-An example is the article to create a VMSS from a Packer image.
-
-In that example, the customer creates the image, then implements and runs the code.
-
-In situations like that, you include the same file as shown below and add the extra 
-steps required to reverse any actions the customer did in creating Azure resources.
-
-See the following example where H3 sections are used to separate each cleanup step:
-https://learn.microsoft.com/azure/developer/terraform/create-vm-scaleset-network-disks-using-packer-hcl#8-clean-up-resources
-->
-
-[!INCLUDE [terraform-plan-destroy.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan-destroy.md)]
-
-## Troubleshoot Terraform on Azure
-
-<!-- 
-This step should NOT be numbered as it's only done by the customer if they run into problems.
-->
-
-[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)
-
-## Next steps
-
-<!-- 
-Only one (1) URL is allowed here.
-If there is no logical next article, link to the Azure service being documented in your article.
-->
-
-> [!div class="nextstepaction"] 
-> <!-- [<Article title> or "Learn more about <Azure service>"](<url>) -->