feat: security management group (#106)

* feat: security management group

* formatting

* fix bicep tests

Author: jaredfholgate

.github/workflows/end-to-end-test.yml

@@ -242,9 +242,21 @@ jobs:
 
           $Inputs["apply_approvers"] = @()
           $Inputs["root_parent_management_group_id"] = ""
-          $Inputs["subscription_id_connectivity"] = "${{ vars.ARM_SUBSCRIPTION_ID }}"
-          $Inputs["subscription_id_identity"] = "${{ vars.ARM_SUBSCRIPTION_ID }}"
-          $Inputs["subscription_id_management"] = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+
+          if($infrastructureAsCode -eq "terraform") {
+            $Inputs["subscription_ids"] = @{
+              management = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+              connectivity = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+              identity = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+              security = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+            }
+          }
+
+          if($infrastructureAsCode -eq "bicep") {
+            $Inputs["subscription_id_connectivity"] = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+            $Inputs["subscription_id_identity"] = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+            $Inputs["subscription_id_management"] = "${{ vars.ARM_SUBSCRIPTION_ID }}"
+          }
 
           $Inputs["parent_management_group_display_name"] = "Tenant Root Group"
           $Inputs["child_management_group_display_name"] = "E2E Test"

alz/azuredevops/locals.tf

@@ -29,7 +29,8 @@ locals {
 }
 
 locals {
-  target_subscriptions = distinct([var.subscription_id_connectivity, var.subscription_id_identity, var.subscription_id_management])
+  target_subscriptions_legacy = distinct([var.subscription_id_connectivity, var.subscription_id_identity, var.subscription_id_management])
+  target_subscriptions        = length(var.subscription_ids) > 0 ? distinct(values(var.subscription_ids)) : local.target_subscriptions_legacy
 }
 
 locals {

alz/azuredevops/variables.tf

@@ -14,30 +14,48 @@ variable "root_parent_management_group_id" {
   default     = ""
 }
 
+variable "subscription_ids" {
+  description = "The list of subscription IDs to deploy the Platform Landing Zones into"
+  type        = map(string)
+  default     = {}
+  nullable    = false
+  validation {
+    condition     = length(var.subscription_ids) == 0 || alltrue([for id in values(var.subscription_ids) : can(regex("^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$", id))])
+    error_message = "All subscription IDs must be valid GUIDs"
+  }
+  validation {
+    condition     = length(var.subscription_ids) == 0 || alltrue([for id in keys(var.subscription_ids) : contains(["management", "connectivity", "identity", "security"], id)])
+    error_message = "The keys of the subscription_ids map must be one of 'management', 'connectivity', 'identity' or 'security'"
+  }
+}
+
 variable "subscription_id_connectivity" {
-  description = "The identifier of the Connectivity Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Connectivity Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_connectivity))
-    error_message = "The bootstrap subscription ID must be a valid GUID"
+    condition     = var.subscription_id_connectivity == null || can(regex("^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$", var.subscription_id_connectivity))
+    error_message = "The subscription ID must be a valid GUID"
   }
 }
 
 variable "subscription_id_identity" {
-  description = "The identifier of the Identity Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Identity Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_identity))
-    error_message = "The bootstrap subscription ID must be a valid GUID"
+    condition     = var.subscription_id_identity == null || can(regex("^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$", var.subscription_id_identity))
+    error_message = "The subscription ID must be a valid GUID"
   }
 }
 
 variable "subscription_id_management" {
-  description = "The identifier of the Management Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Management Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_management))
-    error_message = "The bootstrap subscription ID must be a valid GUID"
+    condition     = var.subscription_id_management == null || can(regex("^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$", var.subscription_id_management))
+    error_message = "The subscription ID must be a valid GUID"
   }
 }
 

alz/github/locals.tf

@@ -36,7 +36,8 @@ locals {
 }
 
 locals {
-  target_subscriptions = distinct([var.subscription_id_connectivity, var.subscription_id_identity, var.subscription_id_management])
+  target_subscriptions_legacy = distinct([var.subscription_id_connectivity, var.subscription_id_identity, var.subscription_id_management])
+  target_subscriptions        = length(var.subscription_ids) > 0 ? distinct(values(var.subscription_ids)) : local.target_subscriptions_legacy
 }
 
 locals {

alz/github/variables.tf

@@ -14,29 +14,47 @@ variable "root_parent_management_group_id" {
   default     = ""
 }
 
+variable "subscription_ids" {
+  description = "The list of subscription IDs to deploy the Platform Landing Zones into"
+  type        = map(string)
+  default     = {}
+  nullable    = false
+  validation {
+    condition     = length(var.subscription_ids) == 0 || alltrue([for id in values(var.subscription_ids) : can(regex("^[0-9a-fA-F-]{36}$", id))])
+    error_message = "All subscription IDs must be valid GUIDs"
+  }
+  validation {
+    condition     = length(var.subscription_ids) == 0 || alltrue([for id in keys(var.subscription_ids) : contains(["management", "connectivity", "identity", "security"], id)])
+    error_message = "The keys of the subscription_ids map must be one of 'management', 'connectivity', 'identity' or 'security'"
+  }
+}
+
 variable "subscription_id_connectivity" {
-  description = "The identifier of the Connectivity Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Connectivity Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_connectivity))
+    condition     = var.subscription_id_connectivity == null || can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_connectivity))
     error_message = "The bootstrap subscription ID must be a valid GUID"
   }
 }
 
 variable "subscription_id_identity" {
-  description = "The identifier of the Identity Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Identity Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_identity))
+    condition     = var.subscription_id_identity == null || can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_identity))
     error_message = "The bootstrap subscription ID must be a valid GUID"
   }
 }
 
 variable "subscription_id_management" {
-  description = "The identifier of the Management Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Management Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_management))
+    condition     = var.subscription_id_management == null || can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_management))
     error_message = "The bootstrap subscription ID must be a valid GUID"
   }
 }

alz/local/locals.tf

@@ -17,7 +17,8 @@ locals {
 }
 
 locals {
-  target_subscriptions = distinct([var.subscription_id_connectivity, var.subscription_id_identity, var.subscription_id_management])
+  target_subscriptions_legacy = distinct([var.subscription_id_connectivity, var.subscription_id_identity, var.subscription_id_management])
+  target_subscriptions        = length(var.subscription_ids) > 0 ? distinct(values(var.subscription_ids)) : local.target_subscriptions_legacy
 }
 
 locals {

alz/local/variables.tf

@@ -14,29 +14,47 @@ variable "root_parent_management_group_id" {
   default     = ""
 }
 
+variable "subscription_ids" {
+  description = "The list of subscription IDs to deploy the Platform Landing Zones into"
+  type        = map(string)
+  default     = {}
+  nullable    = false
+  validation {
+    condition     = length(var.subscription_ids) == 0 || alltrue([for id in values(var.subscription_ids) : can(regex("^[0-9a-fA-F-]{36}$", id))])
+    error_message = "All subscription IDs must be valid GUIDs"
+  }
+  validation {
+    condition     = length(var.subscription_ids) == 0 || alltrue([for id in keys(var.subscription_ids) : contains(["management", "connectivity", "identity", "security"], id)])
+    error_message = "The keys of the subscription_ids map must be one of 'management', 'connectivity', 'identity' or 'security'"
+  }
+}
+
 variable "subscription_id_connectivity" {
-  description = "The identifier of the Connectivity Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Connectivity Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_connectivity))
+    condition     = var.subscription_id_connectivity == null || can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_connectivity))
     error_message = "The bootstrap subscription ID must be a valid GUID"
   }
 }
 
 variable "subscription_id_identity" {
-  description = "The identifier of the Identity Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Identity Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_identity))
+    condition     = var.subscription_id_identity == null || can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_identity))
     error_message = "The bootstrap subscription ID must be a valid GUID"
   }
 }
 
 variable "subscription_id_management" {
-  description = "The identifier of the Management Subscription"
+  description = "DEPRECATED (use subscription_ids instead): The identifier of the Management Subscription"
   type        = string
+  default     = null
   validation {
-    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_management))
+    condition     = var.subscription_id_management == null || can(regex("^[0-9a-fA-F-]{36}$", var.subscription_id_management))
     error_message = "The bootstrap subscription ID must be a valid GUID"
   }
 }