Merge pull request #1 from bcgov/vend

Add terraform-azure-lz-project-set with history

.github/README.md

@@ -0,0 +1,25 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

.github/workflows/terraform-docs.yaml

@@ -0,0 +1,25 @@
+name: Generate terraform docs
+permissions:
+  contents: write
+  actions: write
+  pull-requests: write
+on:
+  - pull_request
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Render terraform docs inside the README.md and push changes back to PR branch
+        uses: terraform-docs/gh-actions@v1.1.0
+        with:
+          working-dir: .
+          output-file: README.md
+          output-method: inject
+          git-push: "true"
+          recursive: true
+          recursive-path: .

README.md

@@ -1,3 +1,29 @@
 # azure-lz-terraform-modules
 
 A collection of terraform modules used across Azure LZ deployments
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

ipam/README.md

@@ -0,0 +1,25 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

terraform-azure-lz-project-set/README.md

@@ -0,0 +1,56 @@
+# terraform-azure-lz-project-set
+
+This Terraform module is designed to provision and manage a set of Azure landing zones (subscriptions) tailored for different environments such as development, testing, production, and tools.
+
+For each environment, the module will create a subscription, a network resource group, and a virtual network. Each virtual network is connected to a central virtual WAN hub, enhancing connectivity across the Azure landing zone.
+
+## Terraform module documentation
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) | >= 1.13.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.109.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.109.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_lz_vending"></a> [lz\_vending](#module\_lz\_vending) | Azure/lz-vending/azurerm | 4.1.3 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_management_group.project_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
+| [azurerm_management_group.landing_zones](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_common_tags"></a> [common\_tags](#input\_common\_tags) | Common tags to apply to all resources | `map(string)` | <pre>{<br>  "deployedBy": "Terraform"<br>}</pre> | no |
+| <a name="input_license_plate"></a> [license\_plate](#input\_license\_plate) | The license plate identifier for the project | `string` | n/a | yes |
+| <a name="input_lz_management_group_id"></a> [lz\_management\_group\_id](#input\_lz\_management\_group\_id) | The ID of the management group for landing zones | `string` | n/a | yes |
+| <a name="input_primary_location"></a> [primary\_location](#input\_primary\_location) | The primary location for resources | `string` | `"canadacentral"` | no |
+| <a name="input_project_set_name"></a> [project\_set\_name](#input\_project\_set\_name) | The name of the project set | `string` | n/a | yes |
+| <a name="input_secondary_location"></a> [secondary\_location](#input\_secondary\_location) | The secondary location for resources | `string` | `"canadaeast"` | no |
+| <a name="input_subscription_billing_scope"></a> [subscription\_billing\_scope](#input\_subscription\_billing\_scope) | The billing scope for the subscription | `string` | n/a | yes |
+| <a name="input_subscriptions"></a> [subscriptions](#input\_subscriptions) | Configuration details for each subscription | <pre>map(object({<br>    name : string<br>    display_name : string<br>    budget_amount : optional(number, 0)<br>    network : object({<br>      enabled : bool<br>      address_space : list(string)<br>      dns_servers : optional(list(string))<br>    })<br>    tags : optional(map(string), {})<br>  }))</pre> | n/a | yes |
+| <a name="input_vwan_hub_resource_id"></a> [vwan\_hub\_resource\_id](#input\_vwan\_hub\_resource\_id) | The resource ID for the virtual WAN hub | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_management_group_id"></a> [management\_group\_id](#output\_management\_group\_id) | The management group ID for the project set. |
+| <a name="output_subscription_ids"></a> [subscription\_ids](#output\_subscription\_ids) | The subscription IDs of each landing zone created. |
+<!-- END_TF_DOCS -->

terraform-azure-lz-project-set/main.tf

@@ -0,0 +1,109 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.109.0"
+    }
+    azapi = {
+      source  = "azure/azapi"
+      version = ">= 1.13.1"
+    }
+  }
+}
+
+data "azurerm_management_group" "landing_zones" {
+  name = var.lz_management_group_id
+}
+
+# create a management group for the project set
+resource "azurerm_management_group" "project_set" {
+  name                       = var.license_plate
+  display_name               = "${var.license_plate}: ${var.project_set_name}"
+  parent_management_group_id = data.azurerm_management_group.landing_zones.id
+}
+
+module "lz_vending" {
+  source  = "Azure/lz-vending/azurerm"
+  version = "4.1.3"
+
+  for_each = var.subscriptions
+
+  # Set the default location for resources
+  location = var.primary_location
+
+  # subscription variables
+  subscription_alias_enabled = true
+  subscription_billing_scope = var.subscription_billing_scope
+  subscription_display_name  = "${var.license_plate}-${each.value.name}"
+  subscription_alias_name    = "${var.license_plate}-${each.value.name}"
+  subscription_workload      = "Production"
+  subscription_tags          = each.value.tags
+
+  network_watcher_resource_group_enabled = true
+
+  # management group association variables
+  subscription_management_group_association_enabled = true
+  subscription_management_group_id                  = var.license_plate
+
+  # virtual network variables
+  virtual_network_enabled = each.value.network.enabled
+  virtual_networks = each.value.network.enabled ? {
+    vwan_spoke = {
+      name                    = "${var.license_plate}-${each.value.name}-vwan-spoke"
+      address_space           = each.value.network.address_space
+      resource_group_name     = "${var.license_plate}-${each.value.name}-networking"
+      vwan_connection_enabled = true
+      vwan_hub_resource_id    = var.vwan_hub_resource_id
+      vwan_security_configuration = {
+        routing_intent_enabled = true
+      }
+      dns_servers = try(each.value.network.dns_servers, null)
+      tags        = var.common_tags
+    }
+  } : {}
+
+  # budget_enabled = each.value.budget_amount > 0
+
+  # "/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry"
+  # / Api Version "2021-10-01"): PUT
+  # https://management.azure.com/subscriptions/60e89f81-a15c-4d7a-9be3-c3795a33a277/providers/Microsoft.Consumption/budgets/registry
+  # --------------------------------------------------------------------------------
+  # RESPONSE 401: 401 Unauthorized
+  # ERROR CODE: RBACAccessDenied
+  # --------------------------------------------------------------------------------
+  # {
+  #   "error": {
+  #     "code": "RBACAccessDenied",
+  #     "message": "The client does not have authorization to perform action. Request ID: d97e8d78-6829-42f3-b0a8-671f1eb4da7e"
+  #   }
+  # }
+  # --------------------------------------------------------------------------------
+
+  # Disable budgets for now due to RBAC access denied above
+  budget_enabled = false
+
+  budgets = each.value.budget_amount > 0 ? {
+    registry = {
+      amount            = each.value.budget_amount
+      time_grain        = "Monthly"
+      time_period_start = formatdate("YYYY-MM-01'T'00:00:00Z", timestamp())
+      time_period_end   = formatdate("YYYY-MM-01'T'00:00:00Z", timeadd(timestamp(), "87600h")) // 10 years from now
+      notifications = {
+        eightypercent = {
+          enabled        = true
+          operator       = "GreaterThan"
+          threshold      = 80
+          threshold_type = "Actual"
+          contact_groups = ["Owner"]
+        }
+        budgetexceeded = {
+          enabled        = true
+          operator       = "GreaterThan"
+          threshold      = 100
+          threshold_type = "Forecasted"
+          contact_groups = ["Owner"]
+        }
+      }
+    }
+  } : {}
+}

terraform-azure-lz-project-set/outputs.tf

@@ -0,0 +1,9 @@
+output "management_group_id" {
+  value       = azurerm_management_group.project_set.id
+  description = "The management group ID for the project set."
+}
+
+output "subscription_ids" {
+  value       = { for k, v in module.lz_vending : k => v.subscription_id }
+  description = "The subscription IDs of each landing zone created."
+}

terraform-azure-lz-project-set/variables.tf

@@ -0,0 +1,63 @@
+variable "primary_location" {
+  description = "The primary location for resources"
+  type        = string
+  default     = "canadacentral"
+}
+
+variable "secondary_location" {
+  description = "The secondary location for resources"
+  type        = string
+  default     = "canadaeast"
+}
+
+variable "subscription_billing_scope" {
+  description = "The billing scope for the subscription"
+  type        = string
+}
+
+variable "lz_management_group_id" {
+  description = "The ID of the management group for landing zones"
+  type        = string
+}
+
+variable "vwan_hub_resource_id" {
+  description = "The resource ID for the virtual WAN hub"
+  type        = string
+}
+
+variable "license_plate" {
+  description = "The license plate identifier for the project"
+  type        = string
+  validation {
+    condition     = can(regex("^[a-z][a-z0-9]{5}$", var.license_plate))
+    error_message = "The license plate must start with a letter, contain only lowercase letters and numbers, and be exactly 6 characters long."
+  }
+}
+
+variable "project_set_name" {
+  description = "The name of the project set"
+  type        = string
+}
+
+variable "subscriptions" {
+  description = "Configuration details for each subscription"
+  type = map(object({
+    name : string
+    display_name : string
+    budget_amount : optional(number, 0)
+    network : object({
+      enabled : bool
+      address_space : list(string)
+      dns_servers : optional(list(string))
+    })
+    tags : optional(map(string), {})
+  }))
+}
+
+variable "common_tags" {
+  description = "Common tags to apply to all resources"
+  type        = map(string)
+  default = {
+    deployedBy = "Terraform"
+  }
+}