From 670e03b2133f5437010430499ea95183cb89482e Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Thu, 23 Jan 2025 18:46:56 +0000 Subject: [PATCH 01/12] Initial resources for temporary environment 01 --- .azuredevops/templates/steps/tf_destroy.yaml | 15 +++++++++++++++ infrastructure/modules/container-registry/main.tf | 2 +- infrastructure/modules/event-hub/main.tf | 2 +- infrastructure/modules/function-app/main.tf | 2 +- infrastructure/modules/function-app/variables.tf | 14 ++++++++++---- infrastructure/modules/key-vault/main.tf | 2 +- .../modules/postgresql-flexible/main.tf | 2 +- infrastructure/modules/sql-server/main.tf | 2 +- infrastructure/modules/storage/main.tf | 4 ++-- infrastructure/modules/storage/variables.tf | 9 +++++---- 10 files changed, 38 insertions(+), 16 deletions(-) create mode 100644 .azuredevops/templates/steps/tf_destroy.yaml diff --git a/.azuredevops/templates/steps/tf_destroy.yaml b/.azuredevops/templates/steps/tf_destroy.yaml new file mode 100644 index 00000000..2da52188 --- /dev/null +++ b/.azuredevops/templates/steps/tf_destroy.yaml @@ -0,0 +1,15 @@ +--- + +steps: + - template: tf_init.yaml + + - task: TerraformTaskV4@4 + name: TerraformDestroy + displayName: Terraform Destroy - $(ENVIRONMENT) environment + continueOnError: false + inputs: + provider: azurerm + command: destroy + workingDirectory: $(TF_DIRECTORY) + commandOptions: -var-file=$(tfVarsFile) + environmentServiceNameAzureRM: $(SERVICE_CONNECTION) diff --git a/infrastructure/modules/container-registry/main.tf b/infrastructure/modules/container-registry/main.tf index c66f0ae0..d0067c5c 100644 --- a/infrastructure/modules/container-registry/main.tf +++ b/infrastructure/modules/container-registry/main.tf 
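Review bot: The new destroy step passes `-var-file=$(tfVarsFile)` but not `-input=false`, while the plan step in tf_plan.yaml (visible in the patch 02 hunk) does; unless TerraformTaskV4 adds it itself, a variable missing from the var-file makes Terraform prompt on an agent with no TTY and the job hangs until timeout instead of failing fast. Suggest `commandOptions: -input=false -var-file=$(tfVarsFile)`. Whether the stage that includes this template is gated by an environment approval is not visible here; since the step tears down everything `$(TF_DIRECTORY)` manages for `$(ENVIRONMENT)`, that gate is worth confirming before the template is wired into a pipeline.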
@@ -19,7 +19,7 @@ resource "azurerm_container_registry" "acr" { -------------------------------------------------------------------------------------------------- */ module "private_endpoint_container_registry" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" diff --git a/infrastructure/modules/event-hub/main.tf b/infrastructure/modules/event-hub/main.tf index d77e32e8..669a64f6 100644 --- a/infrastructure/modules/event-hub/main.tf +++ b/infrastructure/modules/event-hub/main.tf @@ -69,7 +69,7 @@ resource "azurerm_eventhub_consumer_group" "consumer_group" { -------------------------------------------------------------------------------------------------- */ module "private_endpoint_eventhub" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" diff --git a/infrastructure/modules/function-app/main.tf b/infrastructure/modules/function-app/main.tf index a4f8639e..ed6720cd 100644 --- a/infrastructure/modules/function-app/main.tf +++ b/infrastructure/modules/function-app/main.tf @@ -58,7 +58,7 @@ resource "azurerm_linux_function_app" "function_app" { -------------------------------------------------------------------------------------------------- */ module "private_endpoint" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" diff --git a/infrastructure/modules/function-app/variables.tf b/infrastructure/modules/function-app/variables.tf index 4978edfc..77a10ac5 100644 --- a/infrastructure/modules/function-app/variables.tf +++ b/infrastructure/modules/function-app/variables.tf 
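Review bot: `count = var.private_endpoint_properties != null ? 1 : 0` no longer consults `private_endpoint_enabled`, yet the object keeps that attribute (the variables.tf hunks in this series still reference it), so a caller that passes the object with `private_endpoint_enabled = false` now gets a private endpoint created anyway. The same substitution is made in event-hub and function-app on this line and in key-vault, postgresql-flexible, sql-server and both storage module blocks further down this patch. Either drop the flag from the object type or keep it in the decision, e.g. `count = try(var.private_endpoint_properties.private_endpoint_enabled, false) ? 1 : 0`, where `try()` yields false for a null object without relying on `&&` short-circuiting. The module block continues past the hunk.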
@@ -143,10 +143,16 @@ variable "private_endpoint_properties" { private_service_connection_is_manual = optional(bool, false) }) - validation { - condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) - error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." - } + # Validation rule does not work when var.private_endpoint_properties is null + # validation { + # condition = (var.private_endpoint_properties == null || + # var.private_endpoint_properties.private_endpoint_enabled == false || ( + # var.private_endpoint_properties != null && + # length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + # length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) + # ) + # error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + # } } variable "public_network_access_enabled" { diff --git a/infrastructure/modules/key-vault/main.tf b/infrastructure/modules/key-vault/main.tf index 4befc8db..37da8370 100644 --- a/infrastructure/modules/key-vault/main.tf +++ b/infrastructure/modules/key-vault/main.tf @@ -24,7 +24,7 @@ resource "azurerm_key_vault" "keyvault" { -------------------------------------------------------------------------------------------------- */ module "private_endpoint_keyvault" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" diff --git a/infrastructure/modules/postgresql-flexible/main.tf b/infrastructure/modules/postgresql-flexible/main.tf index c62be548..897a1a3c 100644 --- a/infrastructure/modules/postgresql-flexible/main.tf +++ b/infrastructure/modules/postgresql-flexible/main.tf 
@@ -74,7 +74,7 @@ resource "azurerm_postgresql_flexible_server_configuration" "postgresql_flexible -------------------------------------------------------------------------------------------------- */ module "private_endpoint_postgresql_flexible_server" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" diff --git a/infrastructure/modules/sql-server/main.tf b/infrastructure/modules/sql-server/main.tf index 22d9a508..4f04c18f 100644 --- a/infrastructure/modules/sql-server/main.tf +++ b/infrastructure/modules/sql-server/main.tf @@ -41,7 +41,7 @@ resource "azurerm_mssql_firewall_rule" "firewall_rule" { Private Endpoint Configuration for SQL Server -------------------------------------------------------------------------------------------------- */ module "private_endpoint_sql_server" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf index a16947af..adbdca1a 100644 --- a/infrastructure/modules/storage/main.tf +++ b/infrastructure/modules/storage/main.tf @@ -28,7 +28,7 @@ resource "azurerm_storage_container" "container" { -------------------------------------------------------------------------------------------------- */ module "private_endpoint_blob_storage" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" @@ -53,7 +53,7 @@ module "private_endpoint_blob_storage" { } module "private_endpoint_queue_storage" { - count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0 + count = var.private_endpoint_properties != null ? 1 : 0 source = "../private-endpoint" 
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf index 9fd1f7c5..b3862cf7 100644 --- a/infrastructure/modules/storage/variables.tf +++ b/infrastructure/modules/storage/variables.tf @@ -65,10 +65,11 @@ variable "private_endpoint_properties" { private_service_connection_is_manual = optional(bool, false) }) - validation { - condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids_blob) > 0 && length(var.private_endpoint_properties.private_dns_zone_ids_queue) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) - error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." - } + # Validation rule does not work when var.private_endpoint_properties is null + # validation { + # condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids_blob) > 0 && length(var.private_endpoint_properties.private_dns_zone_ids_queue) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) + # error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + # } } variable "public_network_access_enabled" { From 8afed1d39a1bc73f27150eb99e196657d5f13bf8 Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Tue, 28 Jan 2025 17:17:40 +0000 Subject: [PATCH 02/12] Test dynaminc PL variables --- .azuredevops/templates/steps/tf_destroy.yaml | 2 +- .azuredevops/templates/steps/tf_plan.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.azuredevops/templates/steps/tf_destroy.yaml b/.azuredevops/templates/steps/tf_destroy.yaml index 2da52188..14983763 100644 --- a/.azuredevops/templates/steps/tf_destroy.yaml +++ b/.azuredevops/templates/steps/tf_destroy.yaml 
@@ -11,5 +11,5 @@ steps: provider: azurerm command: destroy workingDirectory: $(TF_DIRECTORY) - commandOptions: -var-file=$(tfVarsFile) + commandOptions: -var-file=$(tfVarsFile) -var=$(ENVIRONMENT) environmentServiceNameAzureRM: $(SERVICE_CONNECTION) diff --git a/.azuredevops/templates/steps/tf_plan.yaml b/.azuredevops/templates/steps/tf_plan.yaml index 436e28b8..c575ef2c 100644 --- a/.azuredevops/templates/steps/tf_plan.yaml +++ b/.azuredevops/templates/steps/tf_plan.yaml @@ -19,7 +19,7 @@ steps: provider: azurerm command: plan workingDirectory: $(TF_DIRECTORY) - commandOptions: -input=false -var-file=$(tfVarsFile) -out=$(Build.ArtifactStagingDirectory)/$(ENVIRONMENT).tfplan + commandOptions: -input=false -var-file=$(tfVarsFile) -var=$(ENVIRONMENT) -out=$(Build.ArtifactStagingDirectory)/$(ENVIRONMENT).tfplan environmentServiceNameAzureRM: $(SERVICE_CONNECTION) - task: PublishBuildArtifacts@1 From ea4090f8a06a06ceab570ee023d22bbc42bf862c Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Tue, 28 Jan 2025 17:32:56 +0000 Subject: [PATCH 03/12] Test dynaminc PL variables --- .azuredevops/templates/steps/tf_destroy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/templates/steps/tf_destroy.yaml b/.azuredevops/templates/steps/tf_destroy.yaml index 14983763..a9d320e4 100644 --- a/.azuredevops/templates/steps/tf_destroy.yaml +++ b/.azuredevops/templates/steps/tf_destroy.yaml @@ -11,5 +11,5 @@ steps: provider: azurerm command: destroy workingDirectory: $(TF_DIRECTORY) - commandOptions: -var-file=$(tfVarsFile) -var=$(ENVIRONMENT) + commandOptions: -var-file=$(tfVarsFile) -var="environment=$(ENVIRONMENT)" environmentServiceNameAzureRM: $(SERVICE_CONNECTION) From de563752df3df1a7285af1c564f3e2ef34e00478 Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Tue, 28 Jan 2025 17:35:35 +0000 Subject: [PATCH 04/12] Test dynaminc PL variables --- .azuredevops/templates/steps/tf_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.azuredevops/templates/steps/tf_plan.yaml b/.azuredevops/templates/steps/tf_plan.yaml index c575ef2c..04e203d7 100644 --- a/.azuredevops/templates/steps/tf_plan.yaml +++ b/.azuredevops/templates/steps/tf_plan.yaml @@ -19,7 +19,7 @@ steps: provider: azurerm command: plan workingDirectory: $(TF_DIRECTORY) - commandOptions: -input=false -var-file=$(tfVarsFile) -var=$(ENVIRONMENT) -out=$(Build.ArtifactStagingDirectory)/$(ENVIRONMENT).tfplan + commandOptions: -input=false -var-file=$(tfVarsFile) -var="environment=$(ENVIRONMENT)" -out=$(Build.ArtifactStagingDirectory)/$(ENVIRONMENT).tfplan environmentServiceNameAzureRM: $(SERVICE_CONNECTION) - task: PublishBuildArtifacts@1 From 916aa75d5343b1f747d98fc8f46e47611c09c908 Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Wed, 29 Jan 2025 11:31:20 +0000 Subject: [PATCH 05/12] Test dynaminc PL variables --- .azuredevops/templates/steps/tf_plan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/templates/steps/tf_plan.yaml b/.azuredevops/templates/steps/tf_plan.yaml index 04e203d7..d67ff634 100644 --- a/.azuredevops/templates/steps/tf_plan.yaml +++ b/.azuredevops/templates/steps/tf_plan.yaml @@ -19,7 +19,7 @@ steps: provider: azurerm command: plan workingDirectory: $(TF_DIRECTORY) - commandOptions: -input=false -var-file=$(tfVarsFile) -var="environment=$(ENVIRONMENT)" -out=$(Build.ArtifactStagingDirectory)/$(ENVIRONMENT).tfplan + commandOptions: -input=false -var-file=$(tfVarsFile) $(tfCommandOptions) -out=$(Build.ArtifactStagingDirectory)/$(ENVIRONMENT).tfplan environmentServiceNameAzureRM: $(SERVICE_CONNECTION) - task: PublishBuildArtifacts@1 From 4d28eeada6ac6b3c5608adad58a0ed2772d50c01 Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Fri, 31 Jan 2025 16:09:44 +0000 Subject: [PATCH 06/12] remove private endpoint variable validation in ACR module --- infrastructure/modules/container-registry/variables.tf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/infrastructure/modules/container-registry/variables.tf b/infrastructure/modules/container-registry/variables.tf index 8c0f3bf0..8bf9b20d 100644 --- a/infrastructure/modules/container-registry/variables.tf +++ b/infrastructure/modules/container-registry/variables.tf @@ -29,10 +29,11 @@ variable "private_endpoint_properties" { private_service_connection_is_manual = optional(bool, false) }) - validation { - condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) - error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." - } + # Validation rule does not work when var.private_endpoint_properties is null + # validation { + # condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) + # error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + # } } variable "public_network_access_enabled" { From d61d1244827159f58f0754f6334c5ace4f4500bf Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Fri, 31 Jan 2025 17:33:42 +0000 Subject: [PATCH 07/12] Add destroy stage --- .azuredevops/templates/steps/tf_destroy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/templates/steps/tf_destroy.yaml b/.azuredevops/templates/steps/tf_destroy.yaml index a9d320e4..9bf80c1e 100644 --- a/.azuredevops/templates/steps/tf_destroy.yaml +++ b/.azuredevops/templates/steps/tf_destroy.yaml 
@@ -11,5 +11,5 @@ steps: provider: azurerm command: destroy workingDirectory: $(TF_DIRECTORY) - commandOptions: -var-file=$(tfVarsFile) -var="environment=$(ENVIRONMENT)" + commandOptions: -var-file=$(tfVarsFile) $(tfCommandOptions) -var="environment=$(ENVIRONMENT)" environmentServiceNameAzureRM: $(SERVICE_CONNECTION) From fe2b92513d7aa4e9fe1dffd11c3bfc3f240f8322 Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Fri, 7 Feb 2025 16:16:40 +0000 Subject: [PATCH 08/12] Remove surplus data object --- infrastructure/modules/sql-server/rbac.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/infrastructure/modules/sql-server/rbac.tf b/infrastructure/modules/sql-server/rbac.tf index 94fa4c71..e98c817f 100644 --- a/infrastructure/modules/sql-server/rbac.tf +++ b/infrastructure/modules/sql-server/rbac.tf @@ -9,8 +9,6 @@ module "rbac_assignments" { scope = var.storage_account_id } -data "azurerm_client_config" "current" {} - locals { rbac_roles = { storage_account_contributor = "Storage Account Contributor" From dbdf861832a225c6b79f0fbc1d9ac9d3231353a2 Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Mon, 10 Feb 2025 20:43:08 +0000 Subject: [PATCH 09/12] Add/reformat private endpoint variable validation --- .../modules/container-registry/variables.tf | 17 +++++++++++----- .../modules/event-grid-topic/variables.tf | 9 ++++++++- infrastructure/modules/event-hub/variables.tf | 9 ++++++++- .../modules/function-app/variables.tf | 20 ++++++++++--------- infrastructure/modules/key-vault/variables.tf | 13 ++++++++++++ .../modules/postgresql-flexible/variables.tf | 13 ++++++++++++ .../modules/sql-server/variables.tf | 13 ++++++++++++ infrastructure/modules/storage/variables.tf | 15 ++++++++++---- 8 files changed, 89 insertions(+), 20 deletions(-) diff --git a/infrastructure/modules/container-registry/variables.tf b/infrastructure/modules/container-registry/variables.tf index 8bf9b20d..ed0e09c2 100644 --- a/infrastructure/modules/container-registry/variables.tf 
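Review bot: After this hunk tf_destroy.yaml passes both `$(tfCommandOptions)` and `-var="environment=$(ENVIRONMENT)"`, whereas tf_plan.yaml (patch 05) replaced the explicit `-var` with `$(tfCommandOptions)` alone. If `tfCommandOptions` already carries the environment variable, destroy sets it twice (last one wins, so harmless but misleading); if it does not, plan and destroy run with different inputs and the destroy may not match what was planned. Use the same option string in both templates, e.g. `commandOptions: -var-file=$(tfVarsFile) $(tfCommandOptions)`. The definition of `tfCommandOptions` is not visible here; if it is a queue-time pipeline variable rather than a template parameter, the destroy command line is not fixed by the template, which is worth checking for a step that deletes infrastructure.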
+++ b/infrastructure/modules/container-registry/variables.tf @@ -29,11 +29,18 @@ variable "private_endpoint_properties" { private_service_connection_is_manual = optional(bool, false) }) - # Validation rule does not work when var.private_endpoint_properties is null - # validation { - # condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) - # error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." - # } + # Validate that if private_endpoint_enabled is true, private_dns_zone_ids and private_endpoint_subnet_id are both provided + validation { + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) + error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + } } variable "public_network_access_enabled" { diff --git a/infrastructure/modules/event-grid-topic/variables.tf b/infrastructure/modules/event-grid-topic/variables.tf index cf6f83d9..7caae1d9 100644 --- a/infrastructure/modules/event-grid-topic/variables.tf +++ b/infrastructure/modules/event-grid-topic/variables.tf 
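Review bot: The restored validation can never fail: `can(var.private_endpoint_properties == null)` is true whether or not the variable is null, because `can()` only reports that the expression evaluated without error and an equality test against null always does, so as the first operand of the top-level `||` it makes the whole `condition` true. An object with `private_endpoint_enabled = true` and an empty `private_dns_zone_ids` or `private_endpoint_subnet_id` therefore passes plan and the private-endpoint module is called with empty inputs. The same expression is copied into event-grid-topic, event-hub, function-app, key-vault, postgresql-flexible, sql-server and storage in this patch and survives the patch 10/11 follow-ups. Use `try()` for the null case instead, e.g. `condition = try(var.private_endpoint_properties.private_endpoint_enabled, false) == false || (length(try(var.private_endpoint_properties.private_dns_zone_ids, [])) > 0 && length(try(var.private_endpoint_properties.private_endpoint_subnet_id, "")) > 0)`, substituting the module-specific attribute (`_eventhub`, `_sql`, `_keyvault`, `_blob`/`_queue`) where a module uses one.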
@@ -50,7 +50,14 @@ variable "private_endpoint_properties" { }) validation { - condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." } } diff --git a/infrastructure/modules/event-hub/variables.tf b/infrastructure/modules/event-hub/variables.tf index 6b62ee7d..288864c8 100644 --- a/infrastructure/modules/event-hub/variables.tf +++ b/infrastructure/modules/event-hub/variables.tf 
@@ -84,7 +84,14 @@ variable "private_endpoint_properties" { }) validation { - condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids_eventhub) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." } } diff --git a/infrastructure/modules/function-app/variables.tf b/infrastructure/modules/function-app/variables.tf index 6c53c58c..3ef9e2e1 100644 --- a/infrastructure/modules/function-app/variables.tf +++ b/infrastructure/modules/function-app/variables.tf 
@@ -184,15 +184,17 @@ variable "private_endpoint_properties" { }) # Validation rule does not work when var.private_endpoint_properties is null - # validation { - # condition = (var.private_endpoint_properties == null || - # var.private_endpoint_properties.private_endpoint_enabled == false || ( - # var.private_endpoint_properties != null && - # length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && - # length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) - # ) - # error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." - # } + validation { + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) + error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + } } variable "public_network_access_enabled" { diff --git a/infrastructure/modules/key-vault/variables.tf b/infrastructure/modules/key-vault/variables.tf index 526b0524..3dae5708 100644 --- a/infrastructure/modules/key-vault/variables.tf +++ b/infrastructure/modules/key-vault/variables.tf 
@@ -48,6 +48,19 @@ variable "private_endpoint_properties" { private_endpoint_resource_group_name = optional(string, "") private_service_connection_is_manual = optional(bool, false) }) + + # Validation rule does not work when var.private_endpoint_properties is null + validation { + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) + error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + } } variable "public_network_access_enabled" { diff --git a/infrastructure/modules/postgresql-flexible/variables.tf b/infrastructure/modules/postgresql-flexible/variables.tf index 8810238c..c5071727 100644 --- a/infrastructure/modules/postgresql-flexible/variables.tf +++ b/infrastructure/modules/postgresql-flexible/variables.tf 
@@ -152,6 +152,19 @@ variable "private_endpoint_properties" { private_endpoint_resource_group_name = optional(string, "") private_service_connection_is_manual = optional(bool, false) }) + + # Validation rule does not work when var.private_endpoint_properties is null + validation { + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) + error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + } } diff --git a/infrastructure/modules/sql-server/variables.tf b/infrastructure/modules/sql-server/variables.tf index f0835c9d..bd21a514 100644 --- a/infrastructure/modules/sql-server/variables.tf +++ b/infrastructure/modules/sql-server/variables.tf 
@@ -57,6 +57,19 @@ variable "private_endpoint_properties" { private_endpoint_resource_group_name = optional(string, "") private_service_connection_is_manual = optional(bool, false) }) + + # Validation rule does not work when var.private_endpoint_properties is null + validation { + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) + error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + } } variable "public_network_access_enabled" { diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf index b8fe3c8b..8c991d5c 100644 --- a/infrastructure/modules/storage/variables.tf +++ b/infrastructure/modules/storage/variables.tf 
@@ -78,10 +78,17 @@ variable "private_endpoint_properties" { }) # Validation rule does not work when var.private_endpoint_properties is null - # validation { - # condition = var.private_endpoint_properties.private_endpoint_enabled == false || (length(var.private_endpoint_properties.private_dns_zone_ids_blob) > 0 && length(var.private_endpoint_properties.private_dns_zone_ids_queue) > 0 && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0) - # error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." - # } + validation { + condition = ( + can(var.private_endpoint_properties == null) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || + (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && + can(length(var.private_endpoint_properties.private_dns_zone_ids)) && + length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && + length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) + error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + } } variable "public_network_access_enabled" { From 6ba531ac082a5168d2edc8d197545bf4ea2938eb Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Mon, 10 Feb 2025 21:05:36 +0000 Subject: [PATCH 10/12] Add/reformat private endpoint variable validation --- infrastructure/modules/sql-server/variables.tf | 6 +++--- infrastructure/modules/storage/variables.tf | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/infrastructure/modules/sql-server/variables.tf b/infrastructure/modules/sql-server/variables.tf index bd21a514..aa3cf78c 100644 --- a/infrastructure/modules/sql-server/variables.tf 
+++ b/infrastructure/modules/sql-server/variables.tf @@ -64,11 +64,11 @@ variable "private_endpoint_properties" { can(var.private_endpoint_properties == null) || (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && - can(length(var.private_endpoint_properties.private_dns_zone_ids)) && - length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_dns_zone_ids_sql)) && + length(var.private_endpoint_properties.private_dns_zone_ids_sql) > 0 && can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) - error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." + error_message = "Both private_dns_zone_ids_sql and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." } } diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf index 8c991d5c..2fb555f6 100644 --- a/infrastructure/modules/storage/variables.tf +++ b/infrastructure/modules/storage/variables.tf 
@@ -83,8 +83,10 @@ variable "private_endpoint_properties" { can(var.private_endpoint_properties == null) || (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) || (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true && - can(length(var.private_endpoint_properties.private_dns_zone_ids)) && - length(var.private_endpoint_properties.private_dns_zone_ids) > 0 && + can(length(var.private_endpoint_properties.private_dns_zone_ids_blob)) && + length(var.private_endpoint_properties.private_dns_zone_ids_blob) > 0 && + can(length(var.private_endpoint_properties.private_dns_zone_ids_queue)) && + length(var.private_endpoint_properties.private_dns_zone_ids_queue) > 0 && can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) && length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0)) error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true." From 6ba08a5fc225edf50e68c41d8f0d12fd302df82b Mon Sep 17 00:00:00 2001 From: Richard Kingston Date: Mon, 10 Feb 2025 21:05:54 +0000 Subject: [PATCH 11/12] Add/reformat private endpoint variable validation --- infrastructure/modules/event-hub/variables.tf | 6 +++--- infrastructure/modules/key-vault/variables.tf | 4 ++-- infrastructure/modules/postgresql-flexible/variables.tf | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/infrastructure/modules/event-hub/variables.tf b/infrastructure/modules/event-hub/variables.tf index 288864c8..30d56f0b 100644 --- a/infrastructure/modules/event-hub/variables.tf +++ b/infrastructure/modules/event-hub/variables.tf 
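Review bot: The storage `error_message` still says `private_dns_zone_ids` although the condition now checks `private_dns_zone_ids_blob` and `private_dns_zone_ids_queue`, so a user who hits it is told to set an attribute the object does not have; the key-vault hunk in patch 11 has the same mismatch against `private_dns_zone_ids_keyvault`, whereas sql-server and event-hub updated their messages. Suggest `error_message = "private_dns_zone_ids_blob, private_dns_zone_ids_queue and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true."`. The enclosing validation block and variable start before this hunk.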
@@ -88,11 +88,11 @@ variable "private_endpoint_properties" {
 can(var.private_endpoint_properties == null) ||
 (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) ||
 (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true &&
- can(length(var.private_endpoint_properties.private_dns_zone_ids)) &&
- length(var.private_endpoint_properties.private_dns_zone_ids) > 0 &&
+ can(length(var.private_endpoint_properties.private_dns_zone_ids_eventhub)) &&
+ length(var.private_endpoint_properties.private_dns_zone_ids_eventhub) > 0 &&
 can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) &&
 length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0))
- error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true."
+ error_message = "Both private_dns_zone_ids_eventhub and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true."
 }
 }
diff --git a/infrastructure/modules/key-vault/variables.tf b/infrastructure/modules/key-vault/variables.tf
index 3dae5708..34fd79d4 100644
--- a/infrastructure/modules/key-vault/variables.tf
+++ b/infrastructure/modules/key-vault/variables.tf
@@ -55,8 +55,8 @@ variable "private_endpoint_properties" {
 can(var.private_endpoint_properties == null) ||
 (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) ||
 (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true &&
- can(length(var.private_endpoint_properties.private_dns_zone_ids)) &&
- length(var.private_endpoint_properties.private_dns_zone_ids) > 0 &&
+ can(length(var.private_endpoint_properties.private_dns_zone_ids_keyvault)) &&
+ length(var.private_endpoint_properties.private_dns_zone_ids_keyvault) > 0 &&
 can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) &&
 length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0))
 error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true."
diff --git a/infrastructure/modules/postgresql-flexible/variables.tf b/infrastructure/modules/postgresql-flexible/variables.tf
index c5071727..ac080638 100644
--- a/infrastructure/modules/postgresql-flexible/variables.tf
+++ b/infrastructure/modules/postgresql-flexible/variables.tf
@@ -159,11 +159,11 @@ variable "private_endpoint_properties" {
 can(var.private_endpoint_properties == null) ||
 (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == false) ||
 (can(var.private_endpoint_properties.private_endpoint_enabled) && var.private_endpoint_properties.private_endpoint_enabled == true &&
- can(length(var.private_endpoint_properties.private_dns_zone_ids)) &&
- length(var.private_endpoint_properties.private_dns_zone_ids) > 0 &&
+ can(length(var.private_endpoint_properties.private_dns_zone_ids_postgresql)) &&
+ length(var.private_endpoint_properties.private_dns_zone_ids_postgresql) > 0 &&
 can(length(var.private_endpoint_properties.private_endpoint_subnet_id)) &&
 length(var.private_endpoint_properties.private_endpoint_subnet_id) > 0))
- error_message = "Both private_dns_zone_ids and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true."
+ error_message = "Both private_dns_zone_ids_postgresql and private_endpoint_subnet_id must be provided if private_endpoint_enabled is true."
 }
 }
From cf2c948c16f8358b90dbc5199d7c243cacc58be7 Mon Sep 17 00:00:00 2001
From: Richard Kingston
Date: Tue, 25 Feb 2025 13:19:36 +0000
Subject: [PATCH 12/12] Add delete statefile
---
 .azuredevops/templates/steps/tf_destroy.yaml | 24 +++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/templates/steps/tf_destroy.yaml b/.azuredevops/templates/steps/tf_destroy.yaml
index 9bf80c1e..2b62c27b 100644
--- a/.azuredevops/templates/steps/tf_destroy.yaml
+++ b/.azuredevops/templates/steps/tf_destroy.yaml
@@ -1,5 +1,10 @@
 ---
+parameters:
+ - name: tfCommandOptions
+ type: string
+ default: ''
+
 steps:
 - template: tf_init.yaml
@@ -11,5 +16,22 @@ steps:
 provider: azurerm
 command: destroy
 workingDirectory: $(TF_DIRECTORY)
- commandOptions: -var-file=$(tfVarsFile) $(tfCommandOptions) -var="environment=$(ENVIRONMENT)"
+ commandOptions: -var-file=$(tfVarsFile) ${{ parameters.tfCommandOptions }} -var="environment=$(ENVIRONMENT)"
 environmentServiceNameAzureRM: $(SERVICE_CONNECTION)
+
+ - task: AzureCLI@2
+ displayName: Clean-up Backend
+ inputs:
+ azureSubscription: $(SERVICE_CONNECTION)
+ scriptLocation: inlineScript
+ scriptType: bash
+ workingDirectory: $(tfExecutionDir)
+ inlineScript: |
+ # Check if the backend configuration file exists and if it does, delete it:
+ container_exists=$(az storage container exists --name $(BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME) --account-name $(BACKEND_AZURE_STORAGE_ACCOUNT_NAME) --auth-mode login --output tsv)
+ if [ "$container_exists" == "True" ]; then
+ echo "##[debug] Container $(BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME) exists, deleting it..."
+ #az storage container delete --name $(BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME) --account-name $(BACKEND_AZURE_STORAGE_ACCOUNT_NAME) --resource-group $(BACKEND_AZURE_RESOURCE_GROUP_NAME) --auth-mode login --yes
+ else
+ echo "##[debug] Container $(BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME) does not exist."
+ fi
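Review bot: The only destructive line in the new `Clean-up Backend` step is the commented-out `#az storage container delete ...`, so as committed the step prints `exists, deleting it...` and deletes nothing — the display name, the leading comment and that echo all describe behaviour that does not happen, and the commit title promises a state-file delete. If the line is later uncommented as written, a container-level delete removes every blob in `$(BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME)`, i.e. the state of every environment sharing that backend, not just the temporary one being destroyed; an `az storage blob delete` scoped to this environment's state key (not visible on this page) is the scope the title implies, and the echo should stop claiming a delete until one actually runs. The existence check also treats any CLI failure (auth, network, wrong account) as "does not exist" and exits 0, because only an exact `True` reaches the first branch; `set -euo pipefail` as the first line of the inline script would make such failures fail the step instead. The step runs in `$(tfExecutionDir)` while the destroy task above uses `$(TF_DIRECTORY)` — possibly intentional, but worth confirming they are the same directory.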