From 7274244ef8093970f3125af9de451e75bc7f139a Mon Sep 17 00:00:00 2001
From: jonclyde <35006633+jonclyde@users.noreply.github.com>
Date: Mon, 2 May 2022 19:03:59 +0100
Subject: [PATCH 1/4] Add advanced_vpn_settings variable attribute

Following this page led to a terraform error for a missing "advanced_vpn_settings" attribute, which is a recently added attribute to the variables.tf of the Azure Landing Zone module. Updated settings.connectivity.tf example in this documentation page to include advanced_vpn_settings, as per the default values specified in variables.tf of the module. This resolves the TF error.
---
 ...nectivity-Resources-With-Custom-Settings.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
index 5df353dcc..cd3ea34f3 100644
--- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
@@ -187,6 +187,15 @@ locals {
 address_prefix = "10.100.1.0/24"
 gateway_sku_expressroute = "ErGw2AZ"
 gateway_sku_vpn = ""
+ advanced_vpn_settings = {
+ enable_bgp = null
+ active_active = null
+ private_ip_address_allocation = ""
+ default_local_network_gateway_id = ""
+ vpn_client_configuration = []
+ bgp_settings = []
+ custom_route = []
+ }
 }
 }
 azure_firewall = {
@@ -226,6 +235,15 @@ locals {
 address_prefix = "10.101.1.0/24"
 gateway_sku_expressroute = ""
 gateway_sku_vpn = "VpnGw2AZ"
+ advanced_vpn_settings = {
+ enable_bgp = null
+ active_active = null
+ private_ip_address_allocation = ""
+ default_local_network_gateway_id = ""
+ vpn_client_configuration = []
+ bgp_settings = []
+ custom_route = []
+ }
 }
 }
 azure_firewall = {
From 13b671fe3583358ccb83402275e2d8bca2334fe5 Mon Sep 17 00:00:00 2001
From: jonclyde <35006633+jonclyde@users.noreply.github.com>
Date: Mon, 2 May 2022 19:14:32 +0100
Subject: [PATCH 2/4] Add enable_defender_for_containers attribute

Following this page led to a terraform error for a missing "enable_defender_for_containers" attribute. Updated settings.management.tf example in this documentation page to include enable_defender_for_containers , with a value of true. This resolves the TF error.
---
 ...amples]-Deploy-Management-Resources-With-Custom-Settings.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
index 8a17e9945..81853343e 100644
--- a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
@@ -192,6 +192,7 @@ locals {
 enable_defender_for_sql_servers = true
 enable_defender_for_sql_server_vms = true
 enable_defender_for_storage = true
+ enable_defender_for_containers = true
 }
 }
 }
@@ -293,4 +294,4 @@ Looking for further inspiration? Why not try some of our other [examples][wiki_e
 [archetype_exclusions]: ./%5BExamples%5D-Expand-Built-in-Archetype-Definitions#to-enable-the-exclusion-function "Wiki - Expand Built-in Archetype Definitions # To enable the exclusion function"
 [custom_archetypes]: ./%5BUser-Guide%5D-Archetype-Definitions "[User Guide] Archetype Definitions"
-[azure_tag_support]: https://docs.microsoft.com/azure/azure-resource-manager/management/tag-support "Tag support for Azure resources"
\ No newline at end of file
+[azure_tag_support]: https://docs.microsoft.com/azure/azure-resource-manager/management/tag-support "Tag support for Azure resources"
From cdef0e546c41117543ce2933d2bfbf828005636e Mon Sep 17 00:00:00 2001
From: Matt White
Date: Mon, 9 May 2022 08:38:13 +0100
Subject: [PATCH 3/4] Updtae module references to v2.0.1

---
 ...s]-Deploy-Connectivity-Resources-With-Custom-Settings.md | 2 +-
 docs/wiki/[Examples]-Deploy-Connectivity-Resources.md | 2 +-
 .../[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md | 2 +-
 docs/wiki/[Examples]-Deploy-Default-Configuration.md | 2 +-
 docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md | 2 +-
 ...mples]-Deploy-Identity-Resources-With-Custom-Settings.md | 2 +-
 docs/wiki/[Examples]-Deploy-Identity-Resources.md | 2 +-
 ...les]-Deploy-Management-Resources-With-Custom-Settings.md | 2 +-
 docs/wiki/[Examples]-Deploy-Management-Resources.md | 2 +-
 docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md | 6 +++---
 .../[Examples]-Expand-built-in-archetype-definitions.md | 2 +-
 docs/wiki/[Examples]-Override-Module-Role-Assignments.md | 2 +-
 docs/wiki/[User-Guide]-Getting-Started.md | 2 +-
 docs/wiki/[User-Guide]-Provider-Configuration.md | 6 +++---
 14 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
index cd3ea34f3..10b4841e9 100644
--- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
@@ -142,7 +142,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
index 11ad27ac5..7e2665072 100644
--- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
@@ -65,7 +65,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
index d9c134990..b67ebf533 100644
--- a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
+++ b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
@@ -94,7 +94,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Default-Configuration.md b/docs/wiki/[Examples]-Deploy-Default-Configuration.md
index 828ffafb1..1f1f99c85 100644
--- a/docs/wiki/[Examples]-Deploy-Default-Configuration.md
+++ b/docs/wiki/[Examples]-Deploy-Default-Configuration.md
@@ -44,7 +44,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
index 1f9db762f..a26e1ff27 100644
--- a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
+++ b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
@@ -51,7 +51,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md
index 69ce1208b..6441cb01a 100644
--- a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md
@@ -100,7 +100,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources.md b/docs/wiki/[Examples]-Deploy-Identity-Resources.md
index c7d972fcd..6f231e596 100644
--- a/docs/wiki/[Examples]-Deploy-Identity-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Identity-Resources.md
@@ -58,7 +58,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
index 81853343e..9053c1346 100644
--- a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
@@ -130,7 +130,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources.md b/docs/wiki/[Examples]-Deploy-Management-Resources.md
index dd86bbfe9..3e037ce69 100644
--- a/docs/wiki/[Examples]-Deploy-Management-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Management-Resources.md
@@ -59,7 +59,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
index a07efe312..d065ee490 100644
--- a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
+++ b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
@@ -12,7 +12,7 @@ The extra code needed to extend your configuration, is the following:
 module "enterprise_scale_nested_landing_zone" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
@@ -134,7 +134,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
@@ -183,7 +183,7 @@ module "enterprise_scale" {
 module "enterprise_scale_nested_landing_zone" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
index 6b00b8d6c..051e4585c 100644
--- a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
+++ b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
@@ -96,7 +96,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
index 7594f35e0..cf0eb7d15 100644
--- a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
+++ b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
@@ -102,7 +102,7 @@ data "azurerm_client_config" "core" {}
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[User-Guide]-Getting-Started.md b/docs/wiki/[User-Guide]-Getting-Started.md
index 8e8e445d6..21c36b6f1 100644
--- a/docs/wiki/[User-Guide]-Getting-Started.md
+++ b/docs/wiki/[User-Guide]-Getting-Started.md
@@ -71,7 +71,7 @@ Copy and paste the following 'module' block into your Terraform configuration, i
 ```hcl
 module "caf-enterprise-scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
diff --git a/docs/wiki/[User-Guide]-Provider-Configuration.md b/docs/wiki/[User-Guide]-Provider-Configuration.md
index 4b8b775e0..db5ef2a7a 100644
--- a/docs/wiki/[User-Guide]-Provider-Configuration.md
+++ b/docs/wiki/[User-Guide]-Provider-Configuration.md
@@ -69,7 +69,7 @@ provider "azurerm" {
 module "caf-enterprise-scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
@@ -149,7 +149,7 @@ provider "azurerm" {
 module "caf-enterprise-scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
@@ -207,7 +207,7 @@ data "azurerm_client_config" "connectivity" {
 # Map each module provider to their corresponding `azurerm` provider using the providers input object
 module "enterprise_scale" {
 source = "Azure/caf-enterprise-scale/azurerm"
- version = "2.0.0"
+ version = "2.0.1"
 providers = {
 azurerm = azurerm
From 1e329b36d079b79b11c733fdd940de492444e863 Mon Sep 17 00:00:00 2001
From: Matt White
Date: Mon, 9 May 2022 08:56:51 +0100
Subject: [PATCH 4/4] Update docs for MS defender for containers

---
 ...nagement-Resources-With-Custom-Settings.md | 8 +++----
 docs/wiki/[User-Guide]-Module-Variables.md | 3 +--
 ...riables]-configure_management_resources.md | 24 +++++++------------
 3 files changed, 12 insertions(+), 23 deletions(-)

diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
index 9053c1346..f4b397454 100644
--- a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
@@ -166,6 +166,7 @@ locals {
 enable_monitoring_for_arc = true
 enable_monitoring_for_vm = true
 enable_monitoring_for_vmss = true
+ enable_sentinel = true
 enable_solution_for_agent_health_assessment = true
 enable_solution_for_anti_malware = true
 enable_solution_for_azure_activity = true
@@ -174,25 +175,22 @@ locals {
 enable_solution_for_sql_assessment = true
 enable_solution_for_updates = true
 enable_solution_for_vm_insights = true
- enable_sentinel = true
 }
 }
 security_center = {
 enabled = true
 config = {
 email_security_contact = var.security_alerts_email_address
- enable_defender_for_acr = true
 enable_defender_for_app_services = true
 enable_defender_for_arm = true
+ enable_defender_for_containers = true
 enable_defender_for_dns = true
 enable_defender_for_key_vault = true
- enable_defender_for_kubernetes = true
 enable_defender_for_oss_databases = true
 enable_defender_for_servers = true
- enable_defender_for_sql_servers = true
 enable_defender_for_sql_server_vms = true
+ enable_defender_for_sql_servers = true
 enable_defender_for_storage = true
- enable_defender_for_containers = true
 }
 }
 }
diff --git a/docs/wiki/[User-Guide]-Module-Variables.md b/docs/wiki/[User-Guide]-Module-Variables.md
index 7f67d4fab..8b43823c1 100644
--- a/docs/wiki/[User-Guide]-Module-Variables.md
+++ b/docs/wiki/[User-Guide]-Module-Variables.md
@@ -213,12 +213,11 @@ Default:
 enabled = true
 config = {
 email_security_contact = "security_contact@replace_me"
- enable_defender_for_acr = true
 enable_defender_for_app_services = true
 enable_defender_for_arm = true
+ enable_defender_for_containers = true
 enable_defender_for_dns = true
 enable_defender_for_key_vault = true
- enable_defender_for_kubernetes = true
 enable_defender_for_oss_databases = true
 enable_defender_for_servers = true
 enable_defender_for_sql_servers = true
diff --git a/docs/wiki/[Variables]-configure_management_resources.md b/docs/wiki/[Variables]-configure_management_resources.md
index 9009461ab..0ced5867d 100644
--- a/docs/wiki/[Variables]-configure_management_resources.md
+++ b/docs/wiki/[Variables]-configure_management_resources.md
@@ -31,16 +31,15 @@ If specified, will customize the "Management" landing zone settings and resource
 enabled = true
 config = {
 email_security_contact = "security_contact@replace_me"
- enable_defender_for_acr = true
 enable_defender_for_app_services = true
 enable_defender_for_arm = true
+ enable_defender_for_containers = true
 enable_defender_for_dns = true
 enable_defender_for_key_vault = true
- enable_defender_for_kubernetes = true
 enable_defender_for_oss_databases = true
 enable_defender_for_servers = true
- enable_defender_for_sql_servers = true
 enable_defender_for_sql_server_vms = true
+ enable_defender_for_sql_servers = true
 enable_defender_for_storage = true
 }
 }
@@ -80,12 +79,11 @@ object({
 enabled = bool
 config = object({
 email_security_contact = string
- enable_defender_for_acr = bool
 enable_defender_for_app_services = bool
 enable_defender_for_arm = bool
 enable_defender_for_dns = bool
 enable_defender_for_key_vault = bool
- enable_defender_for_kubernetes = bool
+ enable_defender_for_containers = bool
 enable_defender_for_oss_databases = bool
 enable_defender_for_servers = bool
 enable_defender_for_sql_servers = bool
@@ -235,16 +233,15 @@ security_center = {
 enabled = true
 config = {
 email_security_contact = "security_contact@replace_me"
- enable_defender_for_acr = true
- enable_defender_for_app_services = true
 enable_defender_for_arm = true
+ enable_defender_for_containers = true
+ enable_defender_for_app_services = true
 enable_defender_for_dns = true
 enable_defender_for_key_vault = true
- enable_defender_for_kubernetes = true
 enable_defender_for_oss_databases = true
 enable_defender_for_servers = true
- enable_defender_for_sql_server_vms = true
 enable_defender_for_sql_servers = true
+ enable_defender_for_sql_server_vms = true
 enable_defender_for_storage = true
 }
 }
@@ -262,11 +259,6 @@ The `config` (`object`) input allows you to set the following configuration item
 Specifies the email address to be used as the security contact in Microsoft Defender for Cloud.
-##### `settings.security_center.enable_defender_for_acr`
-
-Enables the the Standard pricing tier for `ContainerRegistry` using the "Configure Azure Defender for container registries to be enabled" policy.
-This is deployed to all in-scope subscriptions using the `DeployIfNotExists` policy effect.
-
 ##### `settings.security_center.enable_defender_for_app_services`
 Enables the the Standard pricing tier for `AppServices` using the "Configure Azure Defender for App Service to be enabled" policy.
@@ -287,9 +279,9 @@ This is deployed to all in-scope subscriptions using the `DeployIfNotExists` pol
 Enables the the Standard pricing tier for `KeyVaults` using the "Configure Azure Defender for Key Vaults to be enabled" policy.
 This is deployed to all in-scope subscriptions using the `DeployIfNotExists` policy effect.
-##### `settings.security_center.enable_defender_for_kubernetes`
+##### `settings.security_center.enable_defender_for_containers`
-Enables Microsoft Defender for Cloud for all in-scope Azure Kubernetes Service clusters using the "Configure Azure Defender for Kubernetes to be enabled" policy.
+Enables Microsoft Defender for Cloud for all in-scope Azure Kubernetes Service clusters using the "Configure Microsoft Defender for Containers to be enabled" policy.
 This is deployed to all in-scope clusters using the `DeployIfNotExists` policy effect.
 ##### `settings.security_center.enable_defender_for_oss_databases`