This module is the first step for deploying the Coalfire-Azure-RAMPpak FedRAMP Framework. It will create the core resources needed to deploy the rest of the environment.
Learn more at Coalfire OpenSource.
- New Azure Commercial or Gov Subscription
- Resource group
- Vnet
- Private DNS zone if desired
- Entra ID Diagnostic logs
- Storage account to store the terraform state files
- Key Vault
- Log Analytics workspace
- Subscription diagnostics monitor
Update the `/coalfire-azure-pak/terraform/prod/global-vars.tf` file variables:
Name | Description | Sample |
---|---|---|
subscription_id | The Azure subscription ID where resources are being deployed into. This should be the subscription for the management plane | 00000000-0000-0000-0000-000000000000 |
tenant_id | The Azure tenant ID that owns the deployed resources. Found in Entra ID properties tab in the portal | 00000000-0000-0000-0000-000000000000 |
app_subscription_ids | The Azure subscription IDs for client application subscriptions. This should be the subscription for the application plane | ["00000000-0000-0000-0000-000000000000"] |
app_abbreviation | two or three digit abbreviation for app resource naming | "CF" |
cidrs_for_remote_access | List of CIDRs that will be allowed to access the resources | [""] |
admin_principal_ids | List of admin principal IDs that will be set as admins on resources. Found on each user's properties in Entra ID | ["00000000-0000-0000-0000-000000000000"] |
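The declarations below are an added example of how the values in the table above can be declared, not the pak's own `global-vars.tf`. The `validation` blocks are this example's own: they make `terraform plan` fail early on a malformed GUID, an abbreviation of the wrong length, or a remote-access list that would open the core resources to `0.0.0.0/0`.

```hcl
# Added example: declarations for the global-vars.tf values in the table above.
# The validation blocks are this example's own and are not part of the Coalfire
# pak; they fail `terraform plan` early on malformed IDs or an open CIDR.

variable "subscription_id" {
  description = "Management-plane subscription the core resources are deployed into"
  type        = string

  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.subscription_id))
    error_message = "subscription_id must be a GUID like 00000000-0000-0000-0000-000000000000."
  }
}

variable "tenant_id" {
  description = "Entra ID tenant that owns the deployed resources"
  type        = string

  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.tenant_id))
    error_message = "tenant_id must be a GUID."
  }
}

variable "app_abbreviation" {
  description = "Two- or three-character abbreviation used in resource names"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9]{2,3}$", var.app_abbreviation))
    error_message = "app_abbreviation must be 2 or 3 alphanumeric characters, e.g. \"CF\"."
  }
}

variable "cidrs_for_remote_access" {
  description = "CIDRs allowed to reach the core resources (Key Vault, storage accounts)"
  type        = list(string)

  validation {
    # Every entry must parse as a CIDR, and the rule must never be opened to the world.
    condition = alltrue([
      for c in var.cidrs_for_remote_access :
      can(cidrhost(c, 0)) && c != "0.0.0.0/0"
    ])
    error_message = "cidrs_for_remote_access entries must be valid CIDRs and must not be 0.0.0.0/0."
  }
}

variable "admin_principal_ids" {
  description = "Entra ID object IDs granted admin roles on the core resources"
  type        = set(string)

  validation {
    condition = alltrue([
      for id in var.admin_principal_ids :
      can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", id))
    ])
    error_message = "admin_principal_ids must contain Entra ID object ID GUIDs."
  }
}
```

A validation `condition` may only reference its own variable, which is why the GUID pattern is repeated rather than kept in a `local`. Rejecting `0.0.0.0/0` at plan time is cheap insurance: the same list feeds Key Vault and storage account network rules, and a typo there is otherwise only noticed after apply.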
This is the folder you will deploy from. Most of the values in this folder are pulled from the variables; the only updates you need to make are to enable logs or Entra ID permissions. If you're developing/testing, it's probably best to turn these off because of conflicts with existing permissions/logs. For a new environment you should enable these.
- Ensure the `backend "azurerm"` portion of the `tstate.tf` file is commented out for initial deployment. The state file will be created as part of this apply and we will migrate the state file to the newly created storage account.
- Ensure the `remote-data.tf` file is commented out for initial deployment. This file will be used to access information in the state as the deployment progresses.
- Login to the Azure CLI: `az login`. If your subscription is in Azure Gov, change the cloud first with `az login --environment AzureUSGovernment`.
- Change directories to the `/coalfire-azure-pak/terraform/prod/us-va/security-core` directory.
- Run `terraform init`.
- Run `terraform plan` to review the resources being created.
- If everything looks correct in the plan output, run `terraform apply`.
Warning: It does take some time for the initial Key Vault permissions to propagate. If you get a 400 error about the Customer Managed Key for the state storage account, wait a few minutes and try again. The deployment should then complete successfully.
Now that the storage account exists you need to migrate the local state file to the remote state storage account.
- Uncomment the `backend "azurerm"` portion of the `tstate.tf` file.
- Update the `resource_group_name`, `storage_account_name` and `container_name` variables to match the newly created storage account.
- Run `terraform init` to initialize the backend. You will be prompted to migrate the state file. Select yes.
- Run `terraform apply` to migrate the state file to the remote storage account.
- Delete the `terraform.tfstate` and `terraform.tfstate.backup` files.
- Uncomment the `remote-data.tf` file for the `Core` block only.
- Commit changes and push to repo.
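What the uncommented `backend "azurerm"` block and the `Core` remote-data block can look like after the migration steps above, as an added example rather than the pak's own `tstate.tf` / `remote-data.tf`. The resource group, storage account, container and key names are placeholders to be replaced with the values created by the first apply; `use_azuread_auth` and `environment` are real azurerm backend settings.

```hcl
# Added example, not the pak's own tstate.tf / remote-data.tf. Resource group,
# storage account, container and key names are placeholders; replace them with
# the values created by the first apply.

# tstate.tf, uncommented once the state storage account exists
terraform {
  backend "azurerm" {
    resource_group_name  = "PLACEHOLDER-core-rg"
    storage_account_name = "placeholdertstatesa"
    container_name       = "tfstate"
    key                  = "security-core.tfstate"
    environment          = "usgovernment" # "public" for an Azure Commercial subscription
    use_azuread_auth     = true           # authenticate with Entra ID; no storage account keys in use
  }
}

# remote-data.tf, Core block only: later layers read the core outputs from this state
data "terraform_remote_state" "core" {
  backend = "azurerm"
  config = {
    resource_group_name  = "PLACEHOLDER-core-rg"
    storage_account_name = "placeholdertstatesa"
    container_name       = "tfstate"
    key                  = "security-core.tfstate"
    environment          = "usgovernment"
    use_azuread_auth     = true
  }
}
```

With `use_azuread_auth = true` the identity running `terraform init` needs a data-plane role on the container (for example Storage Blob Data Contributor) rather than access to the storage account keys, which keeps the state file, and the secrets it can contain, behind Entra ID RBAC and the account's network rules.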
```hcl
provider "azurerm" {
  features {}
}

module "core" {
  source = "github.com/Coalfire-CF/terraform-azurerm-security-core"

  subscription_id       = var.subscription_id
  resource_prefix       = local.resource_prefix
  location_abbreviation = var.location_abbreviation
  location              = var.location
  app_abbreviation      = var.app_abbreviation
  tenant_id             = var.tenant_id
  regional_tags         = var.regional_tags
  global_tags           = merge(var.global_tags, local.global_local_tags)

  core_rg_name            = "${local.resource_prefix}-core-rg"
  cidrs_for_remote_access = var.cidrs_for_remote_access
  ip_for_remote_access    = var.ip_for_remote_access
  admin_principal_ids     = var.admin_principal_ids
  private_dns_zone_name   = var.domain_name
  app_subscription_ids    = var.app_subscription_ids

  # Leave these off while developing/testing; enable them for a new environment
  enable_sub_logs        = false
  enable_aad_logs        = false
  enable_aad_permissions = false

  custom_private_dns_zones = [var.domain_name]
  azure_private_dns_zones = [
    "privatelink.azurecr.us",
    "privatelink.database.usgovcloudapi.net",
    "privatelink.blob.core.usgovcloudapi.net",
    "privatelink.table.core.usgovcloudapi.net",
    "privatelink.queue.core.usgovcloudapi.net",
    "privatelink.file.core.usgovcloudapi.net",
    "privatelink.postgres.database.usgovcloudapi.net"
  ]

  # uncomment and rerun terraform apply after the networks are created if you're using FWs
  #fw_virtual_network_subnet_ids = data.terraform_remote_state.usgv_mgmt_vnet.outputs.usgv_mgmt_vnet_subnet_ids["${local.resource_prefix}-bastion-sn-1"] #Uncomment and rerun terraform apply after the mgmt-network is created
}
```
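The module takes both `cidrs_for_remote_access` and `ip_for_remote_access`, the second being the same list with `/32` stripped because storage account `ip_rules` reject `/32` entries. The following is an added example, not part of the Coalfire pak, that derives the second list from the first so the two cannot drift apart; wider ranges are passed through unchanged.

```hcl
# Added example, not part of the Coalfire pak: derive ip_for_remote_access from
# cidrs_for_remote_access instead of maintaining the two lists by hand. Storage
# account ip_rules reject "/32" entries, so a single-host CIDR is passed as a
# bare address while wider ranges (e.g. a /24 office range) pass through as-is.
locals {
  ip_for_remote_access = [
    for cidr in var.cidrs_for_remote_access :
    length(regexall("/32$", cidr)) > 0 ? split("/", cidr)[0] : cidr
  ]
}

# In the module call above, replace the hand-maintained variable with the local:
#   ip_for_remote_access = local.ip_for_remote_access

# Surfacing the result makes the rule set visible in plan output, which is the
# place to confirm no unexpected range is being opened on the storage accounts.
output "storage_ip_rules_applied" {
  value = local.ip_for_remote_access
}
```

With a constructed input of `cidrs_for_remote_access = ["203.0.113.10/32", "198.51.100.0/24"]` the local evaluates to `["203.0.113.10", "198.51.100.0/24"]`. Deriving the list also removes the `ip_for_remote_access` variable from `global-vars.tf`, so there is one place to review when auditing who can reach the state and key material.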
No requirements.
Name | Version |
---|---|
azuread | n/a |
azurerm | n/a |
tls | n/a |
Name | Source | Version |
---|---|---|
core_kv | github.com/Coalfire-CF/terraform-azurerm-key-vault | n/a |
diag_la_queries_sa | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
diag_law | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
diag_sub | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
diag_tf_state_sa | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
admin_principal_ids | admin principal ids | set(string) | n/a | yes |
app_abbreviation | The prefix for the blob storage account names | string | n/a | yes |
app_subscription_ids | The Azure subscription IDs for org microservices | map(any) | n/a | yes |
azure_private_dns_zones | List of Private DNS zones to create. | list(string) | [...] | no |
cidrs_for_remote_access | admin CIDRs | list(any) | n/a | yes |
core_rg_name | Resource group name for core security services | string | "core-rg-1" | no |
custom_private_dns_zones | List of custom private DNS zones to create. | list(string) | [] | no |
dr_location | The Azure location/region for DR resources. | string | "usgovtexas" | no |
enable_aad_logs | Enable/Disable Entra ID logging | bool | true | no |
enable_aad_permissions | Enable/Disable provisioning basic Entra ID level permissions. | bool | true | no |
enable_sub_logs | Enable/Disable subscription level logging | bool | true | no |
global_tags | Global level tags | map(string) | n/a | yes |
ip_for_remote_access | This is the same as 'cidrs_for_remote_access' but without the /32 on each of the entries. The 'ip_rules' in the storage account will not accept a '/32' address and I gave up trying to strip and convert the values over | list(any) | n/a | yes |
location | The Azure location/region to create resources in | string | n/a | yes |
location_abbreviation | The Azure location/region in 4 letter code | string | n/a | yes |
private_dns_zone_name | The name of the Private DNS Zone. Must be a valid domain name. | string | null | no |
regional_tags | Regional level tags | map(string) | n/a | yes |
resource_prefix | Name prefix used for resources | string | n/a | yes |
subscription_id | The Azure subscription ID where resources are being deployed into | string | n/a | yes |
tenant_id | The Azure tenant ID that owns the deployed resources | string | n/a | yes |
Name | Description |
---|---|
ad-cmk_id | AD SA CMK ID |
ars-cmk_id | Azure Recovery Services SA CMK ID |
avd-cmk_id | Azure Virtual Desktop CMK ID |
cloudshell-cmk_id | Cloudshell SA CMK ID |
core_kv_id | Value of the Core Key Vault ID |
core_kv_name | Name of the Core Key vault |
core_la_id | value of the core log analytics workspace id |
core_la_primaryKey | value of the core log analytics workspace primary key |
core_la_secondaryKey | value of the core log analytics workspace secondary key |
core_la_workspace_id | value of the core log analytics workspace id |
core_la_workspace_name | value of the core log analytics workspace name |
core_private_dns_zone_id | Private DNS Zone IDs |
core_private_dns_zones | Private DNS Zone names |
core_rg_name | Name of the core resource group |
core_xadm_ssh_public_key | Value of the SSH public key for xadm |
docs-cmk_id | Docs SA CMK ID |
flowlog-cmk_id | Flowlogs SA CMK ID |
install-cmk_id | Installs SA CMK ID |
law_queries-cmk_id | Log Analytics Workspace Queries SA CMK ID |
tstate-cmk_id | Terraform State SA CMK ID |
Copyright © 2023 Coalfire Systems Inc.