github Azure/terraform-azurerm-lz-vending v6.0.0

16 hours ago

What's New in v6.0.0

🔄 What's Changed

  • Removes the resource group and lock provisioning capability from the virtual network and user assigned identity submodules.
  • Changed the network security group, route table, and user assigned identity submodules to use parent_id instead of a subscription ID and resource group name.
  • Added the keys resource_group_key and resource_group_name_existing to the virtual network, network security group, route table, and user assigned identity submodules; one of the two must be provided.

🐛 Bug Fixes

🔄 Migration Notes

This migration guidance is for users who used the resource group and resource group lock creation option within the virtual network and user assigned identity submodules. If you were already using the resource group module to provision all resource groups, no migration steps are required. Migration steps 4-5 also cover the updates required for your route table and network security group objects.

  1. Change the terraform-azurerm-lz-vending version to 6.0.0.
  2. Add new resource group objects to the resource_groups map and set the root module variable resource_group_creation_enabled to true.
  3. Remove the resource_group_creation_enabled, resource_group_name, resource_group_lock_enabled, and resource_group_lock_name attributes from your virtual networks and user managed identity objects.
  4. For virtual networks, user managed identities, route tables and network security groups, change the resource_group_name attribute to resource_group_key and change the value to the key name that corresponds to the object in the resource_groups map. This is to maintain consistency throughout the submodules.
  5. If you do not wish to manage the resource group creation with this module at all, then you may specify the resource_group_name_existing attribute instead to leverage an already existing resource group within the subscription. This module first checks for the resource_group_key and then the resource_group_name_existing as a fallback.
  6. Add Terraform moved blocks for your resource group and resource group locks as shown below.

Note

Below is a breakdown of the changes you should make for each module.

Resource Group Module

We have removed the resource group and lock provisioning capability from the virtual network and user assigned identity submodules. Add new resource group objects to the resource_groups map and set the root module variable resource_group_creation_enabled to true.

resource_group_creation_enabled = true
resource_groups = {
  vnetrg = {
    name         = local.network_rg
    location     = var.location
    lock_enabled = true
    lock_name    = "lock-network-${local.component_name}-01"
  }
  mainrg = {
    name     = local.application_rg
    location = var.location
  }
  identityrg = {
    name         = local.identity_rg
    location     = var.location
    lock_enabled = true
    lock_name    = "lock-umi-${local.component_name}-plan-01"
  }
}

Add Terraform moved blocks for your resource group and resource group locks as shown below.

# VNET
moved {
  from = module.lz_vending.module.virtualnetwork[0].azapi_resource.rg["<resource-group-name-value>"]
  to   = module.lz_vending.module.resourcegroup["<resource-groups-map-key-name>"].azapi_resource.rg
}
# VNET LOCK
moved {
  from = module.lz_vending.module.virtualnetwork[0].azapi_resource.rg_lock["<resource-group-lock-name-value>"]
  to   = module.lz_vending.module.resourcegroup["<resource-groups-map-key-name>"].azapi_resource.rg_lock[0]
}
# UMI
moved {
  from = module.lz_vending.module.usermanagedidentity["<user-managed-identity-map-key-name>"].azapi_resource.rg[0]
  to   = module.lz_vending.module.resourcegroup["<resource-groups-map-key-name>"].azapi_resource.rg
}
# UMI LOCK
moved {
  from = module.lz_vending.module.usermanagedidentity["<user-managed-identity-map-key-name>"].azapi_resource.rg_lock[0]
  to   = module.lz_vending.module.resourcegroup["<resource-groups-map-key-name>"].azapi_resource.rg_lock[0]
}
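The moved blocks above need the from addresses taken from your current state and the to addresses built from the keys of your new resource_groups map. The following Python helper is an added example, not code from the lz-vending module: it takes terraform state list output (a constructed sample is embedded), together with the v6 resource_groups and user_managed_identities maps, and emits the matching moved blocks. It also implements the documented precedence in resolve_resource_group (resource_group_key first, resource_group_name_existing as the fallback). The state address shapes are the ones quoted in the moved blocks above; the sample resource group names, map keys and the helper's function names are assumptions.

```python
"""Generate v6.0.0 `moved` blocks for the lz-vending resource group migration.

Added example, not code from the lz-vending module. It reads
`terraform state list` output and the v6 resource_groups and
user_managed_identities maps, and prints the moved blocks that retarget
the old vnet/UMI-created resource groups and locks at the resourcegroup
submodule. All sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Old state address shapes as quoted in the release notes. The `root` group
# is the calling module address (module.lz_vending in the notes).
_ROOT = r"^(?P<root>module\.[\w-]+)"
ADDR_PATTERNS = {
    "vnet_rg":      re.compile(_ROOT + r'\.module\.virtualnetwork\[0\]\.azapi_resource\.rg\["(?P<name>[^"]+)"\]$'),
    "vnet_rg_lock": re.compile(_ROOT + r'\.module\.virtualnetwork\[0\]\.azapi_resource\.rg_lock\["(?P<name>[^"]+)"\]$'),
    "umi_rg":       re.compile(_ROOT + r'\.module\.usermanagedidentity\["(?P<umi>[^"]+)"\]\.azapi_resource\.rg\[0\]$'),
    "umi_rg_lock":  re.compile(_ROOT + r'\.module\.usermanagedidentity\["(?P<umi>[^"]+)"\]\.azapi_resource\.rg_lock\[0\]$'),
}

# Constructed sample of the v6 maps (names and keys are hypothetical).
RESOURCE_GROUPS: Dict[str, dict] = {
    "vnetrg":     {"name": "rg-network-app1-01",  "lock_enabled": True, "lock_name": "lock-network-app1-01"},
    "identityrg": {"name": "rg-identity-app1-01", "lock_enabled": True, "lock_name": "lock-umi-app1-plan-01"},
    "mainrg":     {"name": "rg-app-app1-01"},
}
USER_MANAGED_IDENTITIES: Dict[str, dict] = {
    "plan": {"resource_group_key": "identityrg"},
    "app":  {"resource_group_key": "mainrg"},
}
# Constructed sample of `terraform state list` output from a v5 deployment
# that let the vnet and UMI submodules create resource groups and locks.
SAMPLE_STATE = """\
module.lz_vending.module.virtualnetwork[0].azapi_resource.rg["rg-network-app1-01"]
module.lz_vending.module.virtualnetwork[0].azapi_resource.rg_lock["lock-network-app1-01"]
module.lz_vending.module.virtualnetwork[0].azapi_resource.vnet["primary"]
module.lz_vending.module.usermanagedidentity["plan"].azapi_resource.rg[0]
module.lz_vending.module.usermanagedidentity["plan"].azapi_resource.rg_lock[0]
module.lz_vending.module.usermanagedidentity["plan"].azapi_resource.umi
module.lz_vending.module.usermanagedidentity["app"].azapi_resource.umi
"""


def resolve_resource_group(obj: dict, resource_groups: Dict[str, dict]) -> str:
    """Resource group name for a vnet/NSG/route table/UMI object, following the
    documented precedence: resource_group_key first, then
    resource_group_name_existing. Fails closed when neither is set or the key
    is missing from the map, instead of silently resolving to nothing."""
    key = obj.get("resource_group_key")
    if key:
        if key not in resource_groups:
            raise KeyError(f"resource_group_key {key!r} not found in resource_groups")
        return resource_groups[key]["name"]
    existing = obj.get("resource_group_name_existing")
    if existing:
        return existing
    raise ValueError("set resource_group_key or resource_group_name_existing")


def plan_moves(state_addresses, resource_groups, user_managed_identities) -> List[Tuple[str, str]]:
    """Map each old rg/rg_lock state address to its new resourcegroup submodule address."""
    rg_name_to_key = {v["name"]: k for k, v in resource_groups.items()}
    lock_name_to_key = {v["lock_name"]: k for k, v in resource_groups.items()
                        if v.get("lock_enabled") and v.get("lock_name")}
    moves: List[Tuple[str, str]] = []
    for addr in state_addresses:
        addr = addr.strip()
        for kind, pattern in ADDR_PATTERNS.items():
            m = pattern.match(addr)
            if not m:
                continue
            if kind == "vnet_rg":
                key = rg_name_to_key.get(m.group("name"))
            elif kind == "vnet_rg_lock":
                key = lock_name_to_key.get(m.group("name"))
            else:  # UMI addresses carry the UMI map key, not the rg name
                key = user_managed_identities.get(m.group("umi"), {}).get("resource_group_key")
            if key is None:
                # Without a target the old resource would be destroyed on apply:
                # either add it to resource_groups or `terraform state rm` it.
                raise ValueError(f"no resource_groups key for {addr}")
            suffix = "rg_lock[0]" if kind.endswith("_lock") else "rg"
            moves.append((addr, f'{m.group("root")}.module.resourcegroup["{key}"].azapi_resource.{suffix}'))
            break
    return moves


def render_moved_blocks(moves: List[Tuple[str, str]]) -> str:
    """Render (from, to) pairs as Terraform moved blocks."""
    return "\n".join(f"moved {{\n  from = {src}\n  to   = {dst}\n}}" for src, dst in moves)


if __name__ == "__main__":
    print(render_moved_blocks(plan_moves(SAMPLE_STATE.splitlines(), RESOURCE_GROUPS, USER_MANAGED_IDENTITIES)))
```

Feed it real input with terraform state list and paste the output into your configuration, then check that terraform plan reports the resource groups and locks as moved rather than destroyed and recreated. If a state entry has no matching resource_groups key because you switched that object to resource_group_name_existing, the helper raises instead of guessing; in that case remove the old address from state with terraform state rm so Terraform stops managing the resource group rather than destroying it.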

Virtual Network Module

For virtual networks change the resource_group_name attribute to resource_group_key and change the value to the key name that corresponds to the object in the resource_groups map. This is to maintain consistency throughout the submodules.

NOTE: If you do not wish to manage the resource group creation with this module at all, then you may specify the resource_group_name_existing attribute instead to leverage an already existing resource group within the subscription. This module first checks for the resource_group_key and then the resource_group_name_existing as a fallback.

virtual_network_enabled = true
virtual_networks = {
  primary = {
    name                    = "vnet-${local.component_name}-01"
    address_space           = [var.spoke_vnet_address_space]
    resource_group_key      = "vnetrg"
    hub_peering_enabled     = true
    hub_network_resource_id = var.hub_network_id
    hub_peering_direction   = "both"
    dns_servers             = []
    subnets = {
      subnet1 = {
        name = "snet-${local.component_name}-01"
        #address_prefix                               = module.ip_calc.address_prefixes["default"]
        address_prefixes                              = [module.ip_calc.address_prefixes["default"]]
        private_endpoint_network_policies             = "Disabled"
        private_link_service_network_policies_enabled = false
        route_table = {
          key_reference = "HubNetwork"
        }
        network_security_group = {
          key_reference = "default"
        }
        service_endpoints               = []
        default_outbound_access_enabled = false
      }
      subnet2 = {
        name = "snet-${local.component_name}-pe-02"
        #address_prefix                               = module.ip_calc.address_prefixes["private_endpoint"]
        address_prefixes                              = [module.ip_calc.address_prefixes["private_endpoint"]]
        private_endpoint_network_policies             = "Disabled"
        private_link_service_network_policies_enabled = false
        default_outbound_access_enabled               = false
        service_endpoints                             = []
        delegations                                   = []
      }
    }
    hub_peering_options_tohub = {
      allow_forwarded_traffic      = true
      allow_gateway_transit        = false
      allow_virtual_network_access = true
      peer_complete_vnets          = true
      use_remote_gateways          = false
    }
    hub_peering_options_fromhub = {
      allow_forwarded_traffic      = true
      allow_gateway_transit        = false
      allow_virtual_network_access = true
      peer_complete_vnets          = true
      use_remote_gateways          = false
    }
  }
}

Route Table Module

For route tables change the resource_group_name attribute to resource_group_key and change the value to the key name that corresponds to the object in the resource_groups map. This is to maintain consistency throughout the submodules.

NOTE: If you do not wish to manage the resource group creation with this module at all, then you may specify the resource_group_name_existing attribute instead to leverage an already existing resource group within the subscription. This module first checks for the resource_group_key and then the resource_group_name_existing as a fallback.

route_table_enabled = true
route_tables = {
  HubNetwork = {
    name                          = "rt-${local.component_name}-01"
    location                      = var.location
    resource_group_key            = "vnetrg"
    bgp_route_propagation_enabled = false
    routes = {
      FirewallDefaultRoute = {
        name                   = "${var.application_short_name}-to-firewall"
        address_prefix         = "0.0.0.0/0"
        next_hop_type          = "VirtualAppliance"
        next_hop_in_ip_address = var.hub_fw_ip
      }
    }
  }
}

Network Security Group Module

For network security groups, change the resource_group_name attribute to resource_group_key and change the value to the key name that corresponds to the object in the resource_groups map. This is to maintain consistency throughout the submodules.

NOTE: If you do not wish to manage the resource group creation with this module at all, then you may specify the resource_group_name_existing attribute instead to leverage an already existing resource group within the subscription. This module first checks for the resource_group_key and then the resource_group_name_existing as a fallback.

network_security_group_enabled = true
network_security_groups = {
  default = {
    name               = "nsg-${local.component_name}-01"
    location           = var.location
    resource_group_key = "vnetrg"
    security_rules = {
      allow_outbound = {
        name      = "allow-spoke-outbound"
        priority  = 100
        direction = "Outbound"
        access    = "Allow"
        protocol  = "Tcp"
        # TCP clients use an ephemeral source port, so match any source port
        # and restrict on the destination port instead.
        source_port_ranges           = ["0-65535"]
        destination_port_ranges      = ["80", "443"]
        source_address_prefixes      = [var.spoke_vnet_address_space]
        destination_address_prefixes = [var.hub_network_address_prefix]
        description                  = "Allow spoke outbound HTTP/HTTPS to the hub"
      }
      allow_inbound = {
        name      = "allow-spoke-inbound"
        # Priorities are evaluated per direction, so 100 is reusable here.
        priority  = 100
        direction = "Inbound"
        access    = "Allow"
        protocol  = "Tcp"
        source_port_ranges           = ["0-65535"]
        destination_port_ranges      = ["80", "443"]
        source_address_prefixes      = [var.hub_network_address_prefix]
        destination_address_prefixes = [var.spoke_vnet_address_space]
        description                  = "Allow hub inbound HTTP/HTTPS to the spoke"
      }
    }
  }
}

User Managed Identity Module

For user managed identities change the resource_group_name attribute to resource_group_key and change the value to the key name that corresponds to the object in the resource_groups map. This is to maintain consistency throughout the submodules.

NOTE: If you do not wish to manage the resource group creation with this module at all, then you may specify the resource_group_name_existing attribute instead to leverage an already existing resource group within the subscription. This module first checks for the resource_group_key and then the resource_group_name_existing as a fallback.

umi_enabled = true
user_managed_identities = {
  plan = {
    name               = "umi-${local.component_name}-plan-01"
    location           = var.location
    resource_group_key = "identityrg"
    tags               = local.tags
    role_assignments = {
      reader = {
        definition      = "Reader"
        relative_scope  = ""
        use_random_uuid = true
      }
    }
  },
  apply = {
    name               = "umi-${local.component_name}-apply-01"
    location           = var.location
    resource_group_key = "identityrg"
    tags               = local.tags
    role_assignments = {
      apply = {
        definition      = "Contributor"
        relative_scope  = ""
        use_random_uuid = true
      }
    }
  },
  app = {
    name               = "umi-${local.component_name}-app-01"
    location           = var.location
    resource_group_key = "mainrg"
    tags               = local.tags
  }
}
