Comments (8)
Hey @DevSecNinja - we are considering this: see #132
from terraform-azurerm-lz-vending.
Thanks @DevSecNinja will close in favor of #132
Seems a fair ask @DevSecNinja ... Will discuss with @matt-FFFFFF to see what we can do to help 👍🏻
Hi @DevSecNinja
I'm happy to investigate this change.
Please can you share how you are establishing this in config? The reason we create both hub peerings with the LZ vending module is that the subscription ID (and therefore the resource ID of the vnet) is not known until after the sub alias resource has been created. Therefore it made sense to us to leave the peering configuration to the lz-vending module. Can you provide a sample of how you have this wired up? Have you used the outputs of the lz-vending module to populate the list of spoke_virtual_network_resource_ids? If so, how have you ensured the vnets are peered to the correct hub?
Furthermore, in terms of privileges, I have seen a custom role used that is only able to manage peerings for the hub network. We document the required permissions here: https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#permissions
Thanks @matt-FFFFFF! Sure, I've added the VNET IDs statically to spoke_virtual_network_resource_ids in the CAF module with a comment to 'prettify' that. (It's a small test environment.) I have my subscription IDs and names in a separate JSON file, so I should be able to use that as input. But it's not as nice.
Can the vending module also provision the Private DNS resources that are provisioned when using spoke_virtual_network_resource_ids in the CAF module? If yes, that would convince me to move the peering over to the vending module.
Thanks!
Hey @DevSecNinja - we are considering this: see #132
Thanks for creating that! But doesn't that introduce the same 'challenges' as what we have now with this inbound/outbound peering situation? As in, we need to keep track of something (either created VNETs or private DNS zones) that comes from the other module? In this case, the Private DNS zones that are created in the ES CAF module and VNET linked to the spoke VNET from the vending module.
Not sure which approach I like more. What do you think?
Good point!
The CAF ES module provides outputs for all created resources, including the hub network resource ID in order to create the peering in the first place 😄
In terms of order of operations, we see that the platform would be created first. Therefore the vnet and pDNS zone resource IDs are already known.
In terms of the subs that are created by LZ vending, our assumption is that these subscriptions should be created afterwards.
If the modules exist in the same state, or if the LZ vending module can access the state of the ES CAF module, then the resource IDs for the hub resources can be mapped into the lz vending module.
We document how to do this here: https://github.com/Azure/terraform-azurerm-lz-vending/wiki/Example-4-Integration-with-ALZ-module#locals
Does this work @DevSecNinja?
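The mapping described in the reply above (hub resource IDs taken from the ES CAF module's outputs and fed into the lz-vending module, so the peering is created from the spoke side once the subscription exists) as an added example; it is not code from the thread, the wiki page or either module. The ALZ output path `module.alz.azurerm_virtual_network.connectivity` and the lz-vending input names other than `hub_peering_direction` and `hub_peering_use_remote_gateways` are assumptions about the modules' interfaces, and `var.billing_scope` is a placeholder.

```hcl
# Added example, not from the thread or either module's docs.
# Assumes the ALZ (CAF ES) module is instantiated as module.alz in the same
# state and exposes the hub VNets it created under
# azurerm_virtual_network.connectivity (assumed output path).
locals {
  hub_vnet_ids = [
    for vnet in values(module.alz.azurerm_virtual_network.connectivity) : vnet.id
  ]

  # one() errors at plan time if more than one hub VNet is found, so a spoke
  # cannot silently be peered to the wrong hub; it returns null for zero.
  hub_vnet_id = one(local.hub_vnet_ids)
}

module "lz_vending" {
  source  = "Azure/lz-vending/azurerm"
  version = "~> 4.0"

  location = "westeurope"

  subscription_alias_enabled = true
  subscription_billing_scope = var.billing_scope # placeholder input
  subscription_display_name  = "lz-app1"
  subscription_alias_name    = "lz-app1"
  subscription_workload      = "Production"

  virtual_network_enabled = true
  virtual_networks = {
    spoke = {
      name                = "vnet-app1"
      address_space       = ["10.10.0.0/24"]
      resource_group_name = "rg-app1-network"

      # The spoke VNet ID only exists after the subscription alias is created,
      # but the hub ID is known up front, so the peering is declared here and
      # the ALZ side needs no static spoke_virtual_network_resource_ids entry.
      hub_peering_enabled             = true
      hub_network_resource_id         = local.hub_vnet_id
      hub_peering_direction           = "both"
      hub_peering_use_remote_gateways = false
    }
  }

  # Ordering from the reply above: platform first, then vended subscriptions.
  depends_on = [module.alz]
}
```

The identity running this still needs peering rights on the hub VNet (the permissions link earlier in the thread); a custom role scoped to the hub network with only the peering actions keeps that from being a full Network Contributor on the hub.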
Thanks @matt-FFFFFF, in combination with the private DNS linking that could work!