CAF Module and bug fixes (#250)

* rg name

* switch to array

* storage account test

* deployment script storage

* trying 0.7.1

* empty sufix

* fix rg empty condition

* fix space

* change trim to length

* another test

* resource share user

* fix conditions for rg

* apply better naming

* search servie caf

* fix ai naming and add empty string feature

* fix name for open ai

* fix locals issue

* it's a holiday today

* validate empty string

* virtual network and nsg

* deployment script net

* private endpoint subnets

* fix typo

* shorter names

* gateways and ips

* fix key names

* Update infra/main.tf

Co-authored-by: Copilot <[email protected]>

* Update infra/variables.tf

Co-authored-by: Copilot <[email protected]>

* terraform formatting

* more formatting

* moving naming into a separate file

---------

Co-authored-by: Copilot <[email protected]>

Author: sbaidachni

infra/main.ai.tf

@@ -3,18 +3,18 @@ module "azure_open_ai" {
   # checkov:skip=CKV_AZURE_236: The Power Platform AI Search connector only supports service principal, API key, or interactive auth. 
   # checkov:skip=CKV_TF_1: Using published module version for maintainability. See decision-log/001-avm-usage-and-version.md for details.
   source                             = "Azure/avm-res-cognitiveservices-account/azurerm"
-  version                            = "0.8.0"
+  version                            = "0.7.1"
   kind                               = "OpenAI"
   location                           = var.location
-  name                               = "aoai${random_string.name.id}"
+  name                               = azurecaf_name.main_names.results["azurerm_cognitive_account"]
   resource_group_name                = local.resource_group_name
   enable_telemetry                   = true
   sku_name                           = "S0"
   local_auth_enabled                 = true
   cognitive_deployments              = var.cognitive_deployments
   public_network_access_enabled      = false
   outbound_network_access_restricted = true
-  fqdns                              = ["aoai${random_string.name.id}.openai.azure.com"]
+  fqdns                              = ["${azurecaf_name.main_names.results["azurerm_cognitive_account"]}.openai.azure.com"]
 
   network_acls = {
     default_action = "Deny"
@@ -31,7 +31,7 @@ module "azure_open_ai" {
 
   private_endpoints = {
     pe_endpoint = {
-      name                            = "pe_endpoint_${random_string.name.id}"
+      name                            = "pe-${azurecaf_name.main_names.results["azurerm_cognitive_account"]}"
       private_service_connection_name = "pe_endpoint_connection"
       subnet_resource_id              = local.pe_primary_subnet_id
     }

infra/main.naming.tf

@@ -0,0 +1,85 @@
+# Unique naming for Azure resources using Azure CAF naming conventions
+
+locals {
+  # Organization suffixes and prefixes are optional, and we need to form an array of non-empty values only
+  org_prefix = compact([var.org_naming.org_prefix])
+  org_suffix = compact([var.org_naming.org_environment, var.org_naming.org_suffix])
+}
+
+# Generate unique names for primary resources
+resource "azurecaf_name" "main_names" {
+  name = var.org_naming.workload_name
+  resource_types = [
+    "azurerm_resource_group",
+    "azurerm_storage_account",
+    "azurerm_search_service",
+    "azurerm_cognitive_account",
+    "azurerm_virtual_network",
+    "azurerm_network_security_group",
+    "azurerm_virtual_network_gateway",
+    "azurerm_public_ip"
+  ]
+  prefixes      = local.org_prefix
+  suffixes      = local.org_suffix
+  random_length = 4
+  # use_slug = false
+  clean_input = true
+}
+
+# Generate unique names for failover resources
+resource "azurecaf_name" "failover_names" {
+  name = var.org_naming.workload_name
+  resource_types = [
+    "azurerm_virtual_network",
+    "azurerm_network_security_group",
+    "azurerm_virtual_network_gateway",
+    "azurerm_public_ip"
+  ]
+  prefixes      = local.org_prefix
+  suffixes      = concat(local.org_suffix, ["failover"])
+  random_length = 4
+  # use_slug = false
+  clean_input = true
+}
+
+# Generate unique names for primary private endpoint subnet
+resource "azurecaf_name" "main_pe_subnet_names" {
+  name = var.org_naming.workload_name
+  resource_types = [
+    "azurerm_subnet"
+  ]
+  prefixes      = concat(["pe"], local.org_prefix)
+  suffixes      = concat(local.org_suffix, ["primary"])
+  random_length = 4
+  # use_slug = false
+  clean_input = true
+}
+
+# Generate unique names for failover private endpoint subnet
+resource "azurecaf_name" "failover_pe_subnet_names" {
+  name = var.org_naming.workload_name
+  resource_types = [
+    "azurerm_subnet"
+  ]
+  prefixes      = concat(["pe"], local.org_prefix)
+  suffixes      = concat(local.org_suffix, ["failover"])
+  random_length = 4
+  # use_slug = false
+  clean_input = true
+}
+
+# Generate unique names for Azure Deployment Script related resources
+resource "azurecaf_name" "deployment_script_names" {
+  name = var.org_naming.workload_name
+  resource_types = [
+    "azurerm_storage_account",
+    "azurerm_network_security_group",
+    "azurerm_subnet",
+    "azurerm_user_assigned_identity"
+  ]
+  prefixes      = local.org_prefix
+  suffixes      = concat(local.org_suffix, ["script"])
+  random_length = 4
+  # use_slug = false
+  clean_input = true
+}

infra/main.network.tf

@@ -57,7 +57,7 @@ data "azurerm_resources" "vnets" {
 resource "azurerm_virtual_network" "primary_virtual_network" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                = "power-platform-primary-vnet-${random_string.name.id}"
+  name                = azurecaf_name.main_names.results["azurerm_virtual_network"]
   resource_group_name = local.resource_group_name
   location            = var.primary_location
   address_space       = var.primary_vnet_address_spaces
@@ -67,7 +67,7 @@ resource "azurerm_virtual_network" "primary_virtual_network" {
 resource "azurerm_virtual_network" "failover_virtual_network" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                = "power-platform-failover-vnet-${random_string.name.id}"
+  name                = azurecaf_name.failover_names.results["azurerm_virtual_network"]
   resource_group_name = local.resource_group_name
   location            = var.failover_location
   address_space       = var.failover_vnet_address_spaces
@@ -98,7 +98,7 @@ resource "azurerm_subnet_nat_gateway_association" "primary_subnet_nat" {
   count = local.create_network_infrastructure ? 0 : 1
 
   subnet_id      = azurerm_subnet.primary_subnet[0].id
-  nat_gateway_id = azurerm_nat_gateway.nat_gateways["primary"].id
+  nat_gateway_id = azurerm_nat_gateway.primary_nat_gateway[0].id
 }
 
 # Create failover subnets as first-class resources
@@ -125,15 +125,15 @@ resource "azurerm_subnet_nat_gateway_association" "failover_subnet_nat" {
   count = local.create_network_infrastructure ? 0 : 1
 
   subnet_id      = azurerm_subnet.failover_subnet[0].id
-  nat_gateway_id = azurerm_nat_gateway.nat_gateways["failover"].id
+  nat_gateway_id = azurerm_nat_gateway.failover_nat_gateway[0].id
 }
 
 # Create dedicated private endpoint subnets without delegations
 resource "azurerm_subnet" "pe_primary_subnet" {
   count = local.create_network_infrastructure ? 0 : 1
 
   # checkov:skip=CKV2_AZURE_31:"Ensure VNET subnet is configured with a Network Security Group (NSG)
-  name                 = "pe-primary-subnet"
+  name                 = azurecaf_name.main_pe_subnet_names.results["azurerm_subnet"]
   resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.primary_virtual_network[0].name
   address_prefixes     = var.primary_pe_subnet_address_spaces
@@ -147,7 +147,7 @@ resource "azurerm_subnet" "pe_failover_subnet" {
   # checkov:skip=CKV2_AZURE_31:"Ensure VNET subnet is configured with a Network Security Group (NSG)
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                 = "pe-failover-subnet"
+  name                 = azurecaf_name.failover_pe_subnet_names.results["azurerm_subnet"]
   resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.failover_virtual_network[0].name
   address_prefixes     = var.failover_pe_subnet_address_spaces
@@ -183,7 +183,7 @@ resource "azurerm_subnet_nat_gateway_association" "github_runner_primary_subnet_
   count = var.deploy_github_runner && local.create_network_infrastructure == false ? 1 : 0
 
   subnet_id      = azurerm_subnet.github_runner_primary_subnet[0].id
-  nat_gateway_id = azurerm_nat_gateway.nat_gateways["primary"].id
+  nat_gateway_id = azurerm_nat_gateway.primary_nat_gateway[0].id
 }
 
 resource "azurerm_subnet" "github_runner_failover_subnet" {
@@ -210,55 +210,71 @@ resource "azurerm_subnet_nat_gateway_association" "github_runner_failover_subnet
   count = var.deploy_github_runner && local.create_network_infrastructure == false ? 1 : 0
 
   subnet_id      = azurerm_subnet.github_runner_failover_subnet[0].id
-  nat_gateway_id = azurerm_nat_gateway.nat_gateways["failover"].id
+  nat_gateway_id = azurerm_nat_gateway.failover_nat_gateway[0].id
 }
 
 # Create public IP addresses for NAT gateways
-resource "azurerm_public_ip" "nat_gateway_ips" {
-  for_each = local.create_network_infrastructure ? {} : {
-    primary  = var.primary_location
-    failover = var.failover_location
-  }
+resource "azurerm_public_ip" "primary_nat_gateway_ip" {
+  count               = local.create_network_infrastructure ? 0 : 1
+  name                = azurecaf_name.main_names.results["azurerm_public_ip"]
+  location            = var.primary_location
+  resource_group_name = local.resource_group_name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+  tags                = var.tags
+}
 
-  name                = "${each.key}-nat-gateway-ip"
-  location            = each.value
+resource "azurerm_public_ip" "failover_nat_gateway_ip" {
+  count               = local.create_network_infrastructure ? 0 : 1
+  name                = azurecaf_name.failover_names.results["azurerm_public_ip"]
+  location            = var.failover_location
   resource_group_name = local.resource_group_name
   allocation_method   = "Static"
   sku                 = "Standard"
   tags                = var.tags
 }
 
-resource "azurerm_nat_gateway" "nat_gateways" {
-  for_each = local.create_network_infrastructure ? {} : {
-    primary  = var.primary_location
-    failover = var.failover_location
-  }
+resource "azurerm_nat_gateway" "primary_nat_gateway" {
+  count               = local.create_network_infrastructure ? 0 : 1
+  location            = var.primary_location
+  name                = azurecaf_name.main_names.results["azurerm_virtual_network_gateway"]
+  resource_group_name = local.resource_group_name
+  sku_name            = "Standard"
+  tags                = var.tags
 
-  location            = each.value
-  name                = "${each.key}-nat-gateway"
+  # Associate the public IP address with the NAT gateway
+  depends_on = [azurerm_public_ip.primary_nat_gateway_ip]
+}
+
+resource "azurerm_nat_gateway" "failover_nat_gateway" {
+  count               = local.create_network_infrastructure ? 0 : 1
+  location            = var.failover_location
+  name                = azurecaf_name.failover_names.results["azurerm_virtual_network_gateway"]
   resource_group_name = local.resource_group_name
   sku_name            = "Standard"
   tags                = var.tags
 
   # Associate the public IP address with the NAT gateway
-  depends_on = [azurerm_public_ip.nat_gateway_ips]
+  depends_on = [azurerm_public_ip.failover_nat_gateway_ip]
 }
 
 # Associate public IP addresses with NAT gateways
-resource "azurerm_nat_gateway_public_ip_association" "nat_gateway_ip_associations" {
-  for_each = local.create_network_infrastructure ? {} : {
-    primary  = var.primary_location
-    failover = var.failover_location
-  }
+resource "azurerm_nat_gateway_public_ip_association" "primary_nat_gateway_ip_association" {
+  count                = local.create_network_infrastructure ? 0 : 1
+  nat_gateway_id       = azurerm_nat_gateway.primary_nat_gateway[0].id
+  public_ip_address_id = azurerm_public_ip.primary_nat_gateway_ip[0].id
+}
 
-  nat_gateway_id       = azurerm_nat_gateway.nat_gateways[each.key].id
-  public_ip_address_id = azurerm_public_ip.nat_gateway_ips[each.key].id
+resource "azurerm_nat_gateway_public_ip_association" "failover_nat_gateway_ip_association" {
+  count                = local.create_network_infrastructure ? 0 : 1
+  nat_gateway_id       = azurerm_nat_gateway.failover_nat_gateway[0].id
+  public_ip_address_id = azurerm_public_ip.failover_nat_gateway_ip[0].id
 }
 
 resource "azurerm_subnet" "deployment_script_container_subnet" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                 = "deploymentscript-subnet"
+  name                 = azurecaf_name.deployment_script_names.results["azurerm_subnet"]
   resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.primary_virtual_network[0].name
   address_prefixes     = var.deployment_script_subnet_address_spaces
@@ -278,7 +294,7 @@ resource "azurerm_subnet_nat_gateway_association" "deployment_script_nat" {
   count = local.create_network_infrastructure ? 0 : 1
 
   subnet_id      = azurerm_subnet.deployment_script_container_subnet[0].id
-  nat_gateway_id = azurerm_nat_gateway.nat_gateways["primary"].id
+  nat_gateway_id = azurerm_nat_gateway.primary_nat_gateway[0].id
 }
 
 # ============================================================================
@@ -289,7 +305,7 @@ resource "azurerm_subnet_nat_gateway_association" "deployment_script_nat" {
 resource "azurerm_network_security_group" "power_platform_primary_nsg" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                = "power-platform-primary-nsg-${random_string.name.id}"
+  name                = azurecaf_name.main_names.results["azurerm_network_security_group"]
   location            = var.primary_location
   resource_group_name = local.resource_group_name
   tags                = var.tags
@@ -351,7 +367,7 @@ resource "azurerm_network_security_group" "power_platform_primary_nsg" {
 resource "azurerm_network_security_group" "power_platform_failover_nsg" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                = "power-platform-failover-nsg-${random_string.name.id}"
+  name                = azurecaf_name.failover_names.results["azurerm_network_security_group"]
   location            = var.failover_location
   resource_group_name = local.resource_group_name
   tags                = var.tags
@@ -413,7 +429,7 @@ resource "azurerm_network_security_group" "power_platform_failover_nsg" {
 resource "azurerm_network_security_group" "private_endpoint_primary_nsg" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                = "private-endpoint-primary-nsg-${random_string.name.id}"
+  name                = azurecaf_name.main_pe_subnet_names.results["azurerm_subnet"]
   location            = var.primary_location
   resource_group_name = local.resource_group_name
   tags                = var.tags
@@ -449,7 +465,7 @@ resource "azurerm_network_security_group" "private_endpoint_primary_nsg" {
 resource "azurerm_network_security_group" "private_endpoint_failover_nsg" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                = "private-endpoint-failover-nsg-${random_string.name.id}"
+  name                = azurecaf_name.failover_pe_subnet_names.results["azurerm_subnet"]
   location            = var.failover_location
   resource_group_name = local.resource_group_name
   tags                = var.tags
@@ -558,7 +574,7 @@ resource "azurerm_network_security_group" "github_runner_nsg" {
 resource "azurerm_network_security_group" "deployment_script_nsg" {
   count = local.create_network_infrastructure ? 0 : 1
 
-  name                = "deployment-script-nsg-${random_string.name.id}"
+  name                = azurecaf_name.deployment_script_names.results["azurerm_network_security_group"]
   location            = var.primary_location
   resource_group_name = local.resource_group_name
   tags                = var.tags

infra/main.search.tf

@@ -1,11 +1,7 @@
-locals {
-  search_name = replace("ais${random_string.name.id}", "/[^a-z0-9-]/", "")
-}
-
 resource "azurerm_search_service" "ai_search" {
   # checkov:skip=CKV_AZURE_209: Deploying with minimal infrastructure for evaluation. Update partition_count and replica_count for production scenarios.
   # checkov:skip=CKV_AZURE_208: Deploying with minimal infrastructure for evaluation. Update partition_count and replica_count for production scenarios.
-  name                          = local.search_name
+  name                          = azurecaf_name.main_names.results["azurerm_search_service"]
   location                      = var.primary_location
   resource_group_name           = local.resource_group_name
   sku                           = var.ai_search_config.sku
@@ -29,14 +25,14 @@ resource "azurerm_search_service" "ai_search" {
 # Primary region private endpoint
 resource "azurerm_private_endpoint" "primary_endpoint" {
   location            = azurerm_search_service.ai_search.location
-  name                = "private-endpoint-primary-${local.search_name}"
+  name                = "pe-primary-${azurecaf_name.main_names.results["azurerm_search_service"]}"
   resource_group_name = local.resource_group_name
   subnet_id           = local.pe_primary_subnet_id
   tags                = var.tags
 
   private_service_connection {
     is_manual_connection           = false
-    name                           = "private-connection-primary-${local.search_name}"
+    name                           = "pc-primary-${azurecaf_name.main_names.results["azurerm_search_service"]}"
     private_connection_resource_id = azurerm_search_service.ai_search.id
     subresource_names              = ["searchService"]
   }
@@ -47,14 +43,14 @@ resource "azurerm_private_endpoint" "primary_endpoint" {
 # Failover region private endpoint
 resource "azurerm_private_endpoint" "failover_endpoint" {
   location            = local.failover_virtual_network_location
-  name                = "private-endpoint-failover-${local.search_name}"
+  name                = "pe-failover-${azurecaf_name.main_names.results["azurerm_search_service"]}"
   resource_group_name = local.resource_group_name
   subnet_id           = local.pe_failover_subnet_id
   tags                = var.tags
 
   private_service_connection {
     is_manual_connection           = false
-    name                           = "private-connection-failover-${local.search_name}"
+    name                           = "pc-failover-${azurecaf_name.main_names.results["azurerm_search_service"]}"
     private_connection_resource_id = azurerm_search_service.ai_search.id
     subresource_names              = ["searchService"]
   }

infra/main.search_configuration.tf

@@ -19,7 +19,7 @@ resource "azurerm_storage_account" "deployment_container" {
   # checkov:skip=CKV2_AZURE_38: Enabling soft delete for deployment container protection
   # checkov:skip=CKV2_AZURE_47: Blob anonymous access required for deployment scripts
   # checkov:skip=CKV2_AZURE_1: Customer managed encryption not needed for temporary deployment container
-  name                     = "deploycontainer${random_string.name.id}"
+  name                     = azurecaf_name.deployment_script_names.results["azurerm_storage_account"]
   resource_group_name      = local.resource_group_name
   location                 = local.resource_group_location
   account_tier             = "Standard"

infra/main.security.tf

@@ -6,7 +6,7 @@
 data "azurerm_subscription" "current" {}
 
 resource "azurerm_user_assigned_identity" "script_identity" {
-  name                = "deployment-script-identity"
+  name                = azurecaf_name.deployment_script_names.results["azurerm_user_assigned_identity"]
   resource_group_name = local.resource_group_name
   location            = local.resource_group_location
   tags                = var.tags