geekzter · geekzter · Jul 12, 2020 · Jul 10, 2020 · Jul 10, 2020 · Jul 10, 2020
diff --git a/pipelines/templates/vdc-terraform-apply.yml b/pipelines/templates/vdc-terraform-apply.yml
@@ -221,6 +221,15 @@ stages:
           inputs:
             terraformVersion: '$(terraformVersion)'
 
+        - ${{ if eq(length(parameters.vdcArtifactPipeline),0) }}:
+          # Unpin version e.g. "= 2.17" -> "~> 2.17", but only in CI build
+          - pwsh: |
+              (Get-Content ./provider.tf) -replace "version *= `" *= +(?<eol>[^,]+$)",'version = "~> ${eol}' | Out-File provider.tf
+              Get-Content ./provider.tf
+            displayName: 'Unpin Terraform provider version'
+            enabled: ${{ not(parameters.testMode) }}
+            workingDirectory: '$(terraformDirectory)'
+
         - ${{ if gt(length(parameters.vdcArtifactPipeline),0) }}:
           - bash: |
               chmod +x *_x?
@@ -302,6 +311,15 @@ stages:
           inputs:
             terraformVersion: '$(terraformVersion)'
 
+        - ${{ if eq(length(parameters.vdcArtifactPipeline),0) }}:
+          # Unpin version e.g. "= 2.17" -> "~> 2.17", but only in CI build
+          - pwsh: |
+              (Get-Content ./provider.tf) -replace "version *= `" *= +(?<eol>[^,]+$)",'version = "~> ${eol}' | Out-File provider.tf
+              Get-Content ./provider.tf
+            displayName: 'Unpin Terraform provider version'
+            enabled: ${{ not(parameters.testMode) }}
+            workingDirectory: '$(terraformDirectory)'
+
         # Deallocate/Stop MV's to force tf_deploy.ps1 to test for stopped VM's
         # Stopped VM's do not allow extensions to be installed
         - task: AzureResourceGroupDeployment@2
@@ -805,6 +823,15 @@ stages:
           inputs:
             terraformVersion: '$(terraformVersion)'
 
+        - ${{ if eq(length(parameters.vdcArtifactPipeline),0) }}:
+          # Unpin version e.g. "= 2.17" -> "~> 2.17", but only in CI build
+          - pwsh: |
+              (Get-Content ./provider.tf) -replace "version *= `" *= +(?<eol>[^,]+$)",'version = "~> ${eol}' | Out-File provider.tf
+              Get-Content ./provider.tf
+            displayName: 'Unpin Terraform provider version'
+            enabled: ${{ not(parameters.testMode) }}
+            workingDirectory: '$(terraformDirectory)'
+
         - task: AzureCLI@2
           name: terraformConfig
           displayName: 'Terraform destroy'

diff --git a/pipelines/vdc-terraform-apply-nobackend.yml b/pipelines/vdc-terraform-apply-nobackend.yml
@@ -63,11 +63,9 @@ jobs:
         scriptType: 'pscore'
         scriptLocation: 'inlineScript'
         inlineScript: |
-          # List environment variables (debug)
-          if ((${env:system.debug} -eq "true") -or ($env:system_debug -eq "true") -or ($env:SYSTEM_DEBUG -eq "true")) {
-            Get-ChildItem -Path Env:ARM_* | Sort-Object -Property Name
-          }
-
+          # List environment variables
+          Get-ChildItem -Path Env: -Recurse -Include ARM_*,TF_* | Sort-Object -Property Name
+
           # This will write version info as output variable
           $(scriptDirectory)/get_tf_version.ps1 -version preferred
         addSpnToEnvironment: true
@@ -115,6 +113,7 @@ jobs:
       env:
         TF_VAR_default_create_timeout: '$(jobTimeOutMinutes)m'
         TF_VAR_default_delete_timeout: '$(jobTimeOutMinutes)m'
+        TF_VAR_resource_suffix: $(TF_VAR_resource_suffix) # Fix case
 
 # Clean up resources, in the event 'terraform destroy' fails   
 - job: 'CleanUp'

diff --git a/pipelines/vdc-terraform-apply-simple-ci.yml b/pipelines/vdc-terraform-apply-simple-ci.yml
@@ -63,10 +63,8 @@ jobs:
         scriptType: 'pscore'
         scriptLocation: 'inlineScript'
         inlineScript: |
-          # List environment variables (debug)
-          if ((${env:system.debug} -eq "true") -or ($env:system_debug -eq "true") -or ($env:SYSTEM_DEBUG -eq "true")) {
-            Get-ChildItem -Path Env:ARM_* | Sort-Object -Property Name
-          }
+          # List environment variables
+          Get-ChildItem -Path Env: -Recurse -Include ARM_*,TF_* | Sort-Object -Property Name
 
           # This will write version info as output variable
           $(scriptDirectory)/get_tf_version.ps1 -version preferred
@@ -124,6 +122,7 @@ jobs:
         workingDirectory: '$(terraformDirectory)'
       env:
         TF_VAR_default_create_timeout: '$(jobTimeOutMinutes)m'
+        TF_VAR_resource_suffix: $(TF_VAR_resource_suffix) # Fix case
 
     - task: AzureCLI@2
       name: terraformReApply
@@ -146,6 +145,7 @@ jobs:
       env:
         TF_VAR_default_create_timeout: '$(jobTimeOutMinutes)m'
         TF_VAR_default_update_timeout: '$(jobTimeOutMinutes)m'
+        TF_VAR_resource_suffix: $(TF_VAR_resource_suffix) # Fix case
 
     - task: AzureCLI@2
       name: terraformDestroy
@@ -167,6 +167,7 @@ jobs:
         workingDirectory: '$(terraformDirectory)'
       env:
         TF_VAR_default_delete_timeout: '$(jobTimeOutMinutes)m'
+        TF_VAR_resource_suffix: $(TF_VAR_resource_suffix) # Fix case
 
 # Clean up resources, in the event 'terraform destroy' fails   
 - job: 'CleanUp'

diff --git a/scripts/erase.ps1 b/scripts/erase.ps1
@@ -27,7 +27,7 @@ param (
     $DeploymentName,
 
     [parameter(Mandatory=$false,ParameterSetName="Suffix")]
-    [string]
+    [string[]]
     $Suffix,
 
     [parameter(Mandatory=$false,ParameterSetName="Workspace")]
@@ -59,7 +59,7 @@ $application = "Automated VDC"
 
 . (Join-Path (Split-Path $MyInvocation.MyCommand.Path -Parent) functions.ps1)
 
-if ($ClearTerraformState -and $PSBoundParameters.ContainsKey('Workspace')) {
+if ($ClearTerraformState -and ($PSCmdlet.ParameterSetName -ieq "Workspace")) {
     try {
         # Local backend, prompt the user to clear
         if (!$Force) {
@@ -116,7 +116,15 @@ if ($Destroy) {
             $tagQuery = $tagQuery -replace "\]", " && tags.deployment == '${DeploymentName}']"
         }
         "Suffix" {
-            $tagQuery = $tagQuery -replace "\]", " && tags.suffix == '${Suffix}']"
+            $suffixQuery = "("
+            foreach ($suff in $Suffix) {
+                if ($suffixQuery -ne "(") {
+                    $suffixQuery += " || "
+                }
+                $suffixQuery += "tags.suffix == '${suff}'"
+            }
+            $suffixQuery += ")"
+            $tagQuery = $tagQuery -replace "\]", " && $suffixQuery]"
         }
         "Workspace" {
             $tagQuery = $tagQuery -replace "\]", " && tags.workspace == '${Workspace}']"

diff --git a/scripts/tf_deploy.ps1 b/scripts/tf_deploy.ps1
@@ -91,7 +91,7 @@ try {
         Invoke-Expression "`$env:$properCaseName = `$env:$($tfvar.Name)"  
     } 
     if (($Trace -gt 0) -or (${env:system.debug} -eq "true")) {
-        Get-ChildItem -Path Env: -Recurse -Include ARM_*,TF_VAR_* | Sort-Object -Property Name
+        Get-ChildItem -Path Env: -Recurse -Include ARM_*,TF_* | Sort-Object -Property Name
     }
 
     # Print version info

diff --git a/terraform/modules/iis-app/main.tf b/terraform/modules/iis-app/main.tf
@@ -461,7 +461,7 @@ resource "azurerm_lb" "app_db_lb" {
 }
 
 resource "azurerm_lb_backend_address_pool" "app_db_backend_pool" {
-  name                         = "BackendPool1"
+  name                         = "app_db_vms"
   resource_group_name          = azurerm_resource_group.app_rg.name
   loadbalancer_id              = azurerm_lb.app_db_lb.id
 }
@@ -499,7 +499,7 @@ resource "azurerm_network_interface" "app_db_if" {
   count                        = var.app_db_vm_number
 
   ip_configuration {
-    name                       = "app_db_ipconfig"
+    name                       = "app_db${count.index+1}_ipconfig"
     subnet_id                  = var.data_subnet_id
     private_ip_address         = element(var.app_db_vms, count.index)
     private_ip_address_allocation = "Static"

diff --git a/terraform/modules/paas-app/main.tf b/terraform/modules/paas-app/main.tf
@@ -16,7 +16,7 @@ data http localpublicip {
 }
 data http localpublicprefix {
 # Get public IP prefix of the machine running this terraform template
-  url                          = "https://stat.ripe.net/data/network-info/data.json?resource=${chomp(data.http.localpublicip.body)}"
+  url                          = "https://stat.ripe.net/data/network-info/data.json?resource=${local.publicip}"
 }
 
 data azurerm_client_config current {}
@@ -39,6 +39,7 @@ locals {
   linux_fx_version             = var.container_registry != null && var.container != null ? "DOCKER|${data.azurerm_container_registry.vdc_images.0.login_server}/${var.container}" : "DOCKER|appsvcsample/python-helloworld:latest"
   resource_group_name_short    = substr(lower(replace(var.resource_group_name,"-","")),0,20)
   password                     = ".Az9${random_string.password.result}"
+  publicip                     = chomp(data.http.localpublicip.body)
   publicprefix                 = jsondecode(chomp(data.http.localpublicprefix.body)).data.prefix
   vanity_hostname              = var.vanity_fqdn != null ? element(split(".",var.vanity_fqdn),0) : null
   vdc_resource_group_name      = "${element(split("/",var.vdc_resource_group_id),length(split("/",var.vdc_resource_group_id))-1)}"
@@ -788,8 +789,18 @@ resource null_resource enable_sql_public_network_access {
   }
 }
 
-resource azurerm_sql_firewall_rule tfclient {
-  name                         = "TerraformClientRule"
+resource azurerm_sql_firewall_rule tfclientip {
+  name                         = "TerraformClientIpRule"
+  resource_group_name          = azurerm_resource_group.app_rg.name
+  server_name                  = azurerm_sql_server.app_sqlserver.name
+  start_ip_address             = local.publicip
+  end_ip_address               = local.publicip
+
+  depends_on                   = [null_resource.enable_sql_public_network_access]
+}
+
+resource azurerm_sql_firewall_rule tfclientipprefix {
+  name                         = "TerraformClientIpPrefixRule"
   resource_group_name          = azurerm_resource_group.app_rg.name
   server_name                  = azurerm_sql_server.app_sqlserver.name
   start_ip_address             = cidrhost(local.publicprefix,0)
@@ -898,7 +909,8 @@ resource null_resource disable_sql_public_network_access {
   count                        = var.enable_private_link && var.disable_public_database_access ? 1 : 0
   depends_on                   = [
                                   azurerm_private_dns_a_record.sql_server_dns_record,
-                                  azurerm_sql_firewall_rule.tfclient,
+                                  azurerm_sql_firewall_rule.tfclientip,
+                                  azurerm_sql_firewall_rule.tfclientipprefix,
                                   null_resource.grant_sql_access
                                  ]
 }

diff --git a/terraform/provider.tf b/terraform/provider.tf
@@ -4,12 +4,34 @@
 # This provider block uses the following environment variables: 
 # ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID
 #
-provider "azurerm" {
-    version = "~> 2.17"
+provider azurerm {
+    # Freeze version until this issue is fixed:
+    # https://github.com/terraform-providers/terraform-provider-azurerm/issues/7691
+    version = "~> 2.17, != 2.18"
     features {
         virtual_machine {
             # Don't do this in production
             delete_os_disk_on_deletion = true
         }
     }
 }
+
+provider dns {
+    version = "~> 2.2"
+}
+
+provider external {
+    version = "~> 1.2"
+}
+
+provider http {
+    version = "~> 1.2"
+}
+
+provider null {
+    version = "~> 2.1"
+}
+
+provider random {
+    version = "~> 2.3"
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -229,7 +229,7 @@ variable vdc_oms_solutions {
   # "LogicAppsManagement",
   # "LogManagement",
   # "Microsoft365Analytics",
-    "NetworkMonitoring",
+  # "NetworkMonitoring",
   # "Office365",
     "ProcessInvestigator",
   # "SCOMAssessment",