Updates for Azure Policy add

Michael Bender 2023-06-20 10:29:54 -05:00
parent 27c2712af1
commit 47a204b73f
4 changed files with 50 additions and 401 deletions


@ -58,14 +58,56 @@ resource "azurerm_network_manager_network_group" "network_group" {
network_manager_id = azurerm_network_manager.network_manager_instance.id network_manager_id = azurerm_network_manager.network_manager_instance.id
} }
# Add the three virtual networks to the network group as static members # Add the 3 virtual networks to a network group as dynamic members with Azure Policy
resource "azurerm_network_manager_static_member" "static_members" { resource "random_pet" "network_group_policy_name" {
count = 3 prefix = "network-group-policy"
}
name = "static-member-0${count.index}" resource "azurerm_policy_definition" "network_group_policy" {
network_group_id = azurerm_network_manager_network_group.network_group.id name = "${random_pet.network_group_policy_name.id}"
target_virtual_network_id = azurerm_virtual_network.vnet[count.index].id policy_type = "Custom"
mode = "Microsoft.Network.Data"
display_name = "Policy Definition for Network Group"
metadata = <<METADATA
{
"category": "Azure Virtual Network Manager"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"allOf": [
{
"field": "Name",
"contains": "vnet"
}
]
}
]
},
"then": {
"effect": "addToNetworkGroup",
"details": {
"networkGroupId": "${azurerm_network_manager_network_group.network_group.id}"
}
}
}
POLICY_RULE
}
resource "azurerm_subscription_policy_assignment" "azure_policy_assignment" {
name = "${random_pet.network_group_policy_name.id}-policy-assignment"
policy_definition_id = azurerm_policy_definition.network_group_policy.id
subscription_id = data.azurerm_subscription.current.id
} }
# Create a connectivity configuration # Create a connectivity configuration
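Review bot: The dynamic-membership rule's only selector is `"field": "Name"` with `"contains": "vnet"`, and the assignment below it is made at subscription scope via `subscription_id = data.azurerm_subscription.current.id`, so every virtual network in the subscription whose name contains "vnet" gets the `addToNetworkGroup` effect and is pulled into this network group's connectivity configuration, not just the VNets this sample creates. In a shared subscription that quietly extends mesh connectivity to unrelated networks. Consider a tighter match (e.g. `"like"` against the sample's naming prefix, or an additional tag condition) and a comment above `policy_rule` such as `# NOTE: matches every VNet in the subscription whose name contains "vnet"; narrow this before reusing outside a lab`. A minor style point: `name = "${random_pet.network_group_policy_name.id}"` wraps a single reference in interpolation and can be written as `name = random_pet.network_group_policy_name.id`. The enclosing `azurerm_network_manager_network_group` resource starts before the hunk.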


@ -10,7 +10,8 @@ This template deploys an Azure Virtual Network Manager instance with a connectiv
- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) - [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
- [azurerm_virtual_network_manager](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager) - [azurerm_virtual_network_manager](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager)
- [azurerm_network_manager_network_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_network_group) - [azurerm_network_manager_network_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_network_group)
- [azurerm_network_manager_static_member](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_static_member) - [azurerm_policy_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition)
- [azurerm_subscription_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription_policy_assignment)
- [azurerm_network_manager_connectivity_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_connectivity_configuration) - [azurerm_network_manager_connectivity_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_connectivity_configuration)
- [azurerm_network_manager_deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_deployment) - [azurerm_network_manager_deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_manager_deployment)


@ -1,180 +0,0 @@
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.56.0"
}
}
}
provider "azurerm" {
features {}
}
# Define variables
variable "region" {
type = string
default = "eastus"
}
variable "subscriptionID" {
type = string
default = "6a5f35e9-6951-499d-a36b-83c6c6eed44a"
}
variable "resourceGroup" {
type = string
default = "rg-learn-eastus-001"
}
variable "networkManager" {
type = string
default = "nm-learn-eastus-001"
}
variable "networkGroup" {
type = string
default = "ng-learn-eastus-001"
}
variable "configurationName" {
type = string
default = "connectivityconfig"
}
variable "connectivityTopology" {
type = string
default = "Mesh"
}
variable "targetRegion" {
type = string
default = "eastus"
}
variable "commitType"{
type = string
default = "connectivity"
}
# Create the Resource Group
resource "azurerm_resource_group" "rg" {
name = var.resourceGroup
location = var.region
}
# Create a Virtual Network Manager instance
data "azurerm_subscription" "current" {
}
resource "azurerm_network_manager" "networkManager" {
name = var.networkManager
location = var.region
resource_group_name = var.resourceGroup
scope {
subscription_ids = [data.azurerm_subscription.current.id]
}
scope_accesses = ["Connectivity", "SecurityAdmin"]
description = "example network manager"
tags = {
foo = "bar"
}
}
# Create three virtual networks
resource "azurerm_virtual_network" "vnet_001" {
name = "vnet-learn-prod-eastus-001"
resource_group_name = var.resourceGroup
location = var.region
address_space = ["10.0.0.0/16"]
depends_on = [azurerm_resource_group.rg]
}
resource "azurerm_virtual_network" "vnet_002" {
name = "vnet-learn-prod-eastus-002"
resource_group_name = var.resourceGroup
location = var.region
address_space = ["10.1.0.0/16"]
depends_on = [azurerm_resource_group.rg]
}
resource "azurerm_virtual_network" "vnet_003" {
name = "vnet-learn-test-eastus-003"
resource_group_name = var.resourceGroup
location = var.region
address_space = ["10.2.0.0/16"]
depends_on = [azurerm_resource_group.rg]
}
# Add a subnet to each virtual network
resource "azurerm_subnet" "subnet_vnet_001" {
name = "default"
virtual_network_name = azurerm_virtual_network.vnet_001.name
resource_group_name = var.resourceGroup
address_prefixes = ["10.0.0.0/24"]
depends_on = [azurerm_virtual_network.vnet_001]
}
resource "azurerm_subnet" "subnet_vnet_002" {
name = "default"
virtual_network_name = azurerm_virtual_network.vnet_002.name
resource_group_name = var.resourceGroup
address_prefixes = ["10.1.0.0/24"]
depends_on = [azurerm_virtual_network.vnet_002]
}
resource "azurerm_subnet" "subnet_vnet_003" {
name = "default"
virtual_network_name = azurerm_virtual_network.vnet_003.name
resource_group_name = var.resourceGroup
address_prefixes = ["10.2.0.0/24"]
depends_on = [azurerm_virtual_network.vnet_003]
}
# Create a network group
resource "null_resource" "ng_create" {
provisioner "local-exec" {
command = "az network manager group create --name ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup}"
}
depends_on = [azurerm_network_manager.networkManager]
}
# Define membership for a mesh configuration
resource "null_resource" "static_members"{
provisioner "local-exec"{
command="az network manager group static-member create --name vnet-02 --network-group ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup} --resource-id /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/virtualnetworks/vnet-learn-prod-eastus-002"
}
depends_on=[null_resource.ng_create]
}
resource "null_resource" "static_members01"{
provisioner "local-exec"{
command="az network manager group static-member create --name vnet-01 --network-group ${var.networkGroup} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup} --resource-id /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/virtualnetworks/vnet-learn-prod-eastus-001"
}
depends_on=[null_resource.ng_create]
}
# Create a connectivity configuration
resource "null_resource" "connectivityConfig"{
provisioner "local-exec"{
command="az network manager connect-config create --configuration-name ${var.configurationName} --applies-to-groups network-group-id=/subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/${var.networkGroup} --connectivity-topology ${var.connectivityTopology} --network-manager-name ${var.networkManager} --resource-group ${var.resourceGroup}"
}
depends_on=[null_resource.ng_create]
}
# Commit deployment
resource "null_resource" "commitDeployment"{
provisioner "local-exec"{
command="az network manager post-commit --network-manager-name ${var.networkManager} --commit-type ${var.commitType} --configuration-ids /subscriptions/${var.subscriptionID}/resourceGroups/${var.resourceGroup}/providers/Microsoft.Network/networkManagers/${var.networkManager}/connectivityConfigurations/${var.configurationName} --target-locations ${var.targetRegion} --resource-group ${var.resourceGroup}"
}
depends_on=[null_resource.ng_create]
}


@ -1,214 +0,0 @@
<!--
To write a Terraform quickstart, follow the steps in this template and remove all HTML comments.
-->
---
title: 'Quickstart: <!-- What the code does. Start with a verb and include the terms Azure and Terraform. -->'
description: <!-- "Learn how to ..." -->
keywords: <!-- Space-separated terms associated with article - include azure, devops, terraform. -->
ms.topic: quickstart
ms.date: <!-- MM/DD/YYYY -->
ms.custom: devx-track-terraform
author: <!-- Your GitHub ID. -->
ms.author: <!-- Your Microsoft alias. -->
---
# Quickstart: <!-- H1 generally has the same value as the title metadata field. -->
<!-- Update the Terraform and Terraform provider information to show the customer what the
article code was tested with. -->
Article tested with the following Terraform and Terraform provider versions:
- [Terraform v1.2.7](https://releases.hashicorp.com/terraform/)
- [AzureRM Provider v.3.20.0](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)
<!--
Introductory paragraph. Keep it short and to the point.
Link to devhub index page of underlying technology where appropriate.
Example:
This article shows how to deploy an Azure MySQL Flexible Server Database in a virtual network (VNet) using Terraform.
-->
This article shows how to use Terraform to ...
[!INCLUDE [Terraform abstract](~/azure-dev-docs-pr/articles/terraform/includes/abstract.md)]
<!--
Bullet list of tasks the customer will do in the article.
-->
In this article, you learn how to:
> [!div class="checklist"]
<!--
Add several bullets to highlight what the customer will do in the article.
-->
> * Task 1
> * Task 2
> * Task n
<!--
Update the directory of the following "Note" to tell the customer the GitHub root
directory of the source code.
-->
> [!NOTE]
> The example code in this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/...). See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)
<!--
This template shows a standard example of H2 sections for a Terraform article:
## Prerequisites
## Implement the Terraform code
## Initialize Terraform
## Create a Terraform execution plan
## Apply a Terraform execution plan
## Verify the results
## Clean up resources
## Troubleshoot Terraform on Azure
## Next steps
Your article might have additional sections throughout that are not illustrated in this example.
-->
## Prerequisites
[!INCLUDE [open-source-devops-prereqs-azure-subscription.md](~/azure-dev-docs-pr/articles/includes/open-source-devops-prereqs-azure-subscription.md)]
- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)
<!--
Add bullets for any article-specific includes or download/install URLs and commands.
-->
## Implement the Terraform code
<!--
In the CRR (cross-repo reference) statements below, "terraform_samples" refers to the
code repository. terraform_samples is defined in the repo's .openpublishing.publish.config.json
file. This definition exists in the azure-dev-docs-pr and azure-docs-pr repos. If you're
working in a different repo and need help creating this, reach out to the Terraform documentation
team to have this created for you. In each CRR statement, the value after "terraform_samples"
is the directory on the code repo in which the file you want to copy exists. The examples
should help clarify how you need to enter these statements, but if you need assistance,
the Terraform documentation team can help.
All Terraform procedural articles (quickstart, tutorial) should have a minimum of 4 files:
* providers.tf - declares the provider block
* main.tf - declares resource group and your other code resources
* variables.tf - defines resource group name prefix, location, and any other vars you need
* outputs.tf - outputs randomly generated resource group name
-->
1. Create a directory in which to test and run the sample Terraform code and make it the current directory.
1. Create a file named `providers.tf` and insert the following code:
[!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/providers.tf-->)]
<!--
EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/providers.tf)]
-->
1. Create a file named `main.tf` and insert the following code:
[!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/main.tf-->)]
<!--
EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/main.tf)]
-->
1. Create a file named `variables.tf` and insert the following code:
[!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/variables.tf-->)]
<!--
EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/variables.tf)]
-->
1. Create a file named `outputs.tf` and insert the following code:
[!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/outputs.tf-->)]
<!--
EXAMPLE: [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/outputs.tf)]
-->
<!--
If you have additional TF files, use the following 2 lines for each additional file.
-->
1. Create a file named <!-- filename.tf --> and insert the following code:
[!code-terraform[master](<!-- ~/terraform_samples/<path-to-file>/<file> -->)]
## Initialize Terraform
[!INCLUDE [terraform-init.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-init.md)]
## Create a Terraform execution plan
[!INCLUDE [terraform-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan.md)]
## Apply a Terraform execution plan
[!INCLUDE [terraform-apply-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-apply-plan.md)]
<!-- The following section is optional and used in cases where you have the customer create
and apply a plan, followed by making some changes, and now you want the customer to create
and apply a new execution plan based on the changes.
[!INCLUDE [terraform-plan-recreate.md](includes/terraform-plan-recreate.md)]
-->
## Verify the results
<!--
Customers have consistently requested that they have the ability to verify if the steps worked.
Here you would specify steps to do that task.
For example, you might tell the user to run a specific command and what they should see as output
or go to the portal to view a resource that should have been created.
-->
## Clean up resources
<!--
All articles should allow the customer to reverse what they've done in the article.
In most cases, you need only include the file below that shows the customer how to
destroy the resources created previously.
However, in some more advanced cases, you might have the customer do more steps prior
to implementing the code.
An example is the article to create a VMSS from a Packer image.
In that example, the customer creates the image, then implements and runs the code.
In situations like that, you include the same file as shown below and add the extra
steps required to reverse any actions the customer did in creating Azure resources.
See the following example where H3 sections are used to separate each cleanup step:
https://learn.microsoft.com/azure/developer/terraform/create-vm-scaleset-network-disks-using-packer-hcl#8-clean-up-resources
-->
[!INCLUDE [terraform-plan-destroy.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan-destroy.md)]
## Troubleshoot Terraform on Azure
<!--
This step should NOT be numbered as it's only done by the customer if they run into problems.
-->
[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)
## Next steps
<!--
Only one (1) URL is allowed here.
If there is no logical next article, link to the Azure service being documented in your article.
-->
> [!div class="nextstepaction"]
> <!-- [<Article title> or "Learn more about <Azure service>"](<url>) -->