Coalfire-created reference architecture for FedRAMP Azure builds. This repository is used as a parent directory to deploy Coalfire-CF/terraform-azurerm-<service> modules.
Learn more at Coalfire OpenSource.
Get our SSP Templates and Reference Architecture Design Document Template
Contributor subscription access is required.

| Directory | Purpose |
|---|---|
| `shellscripts/` | Deployment and VM Extension scripts |
| `terraform/prod/us-tx/` | Disaster Recovery region terraform files |
| `terraform/prod/us-va/` | Primary region terraform files |
| `terraform/prod/global-vars.tf` | Global variables |
| `terraform/prod/us-va/app/` | Application plane terraform files |
| `terraform/prod/us-va/mgmt/` | Management plane terraform files |
| `terraform/prod/us-va/region-setup/` | Management plane region-setup terraform files |
| `terraform/prod/us-va/mgmt/security-core` | Management plane security-core terraform files |
| `terraform/prod/us-va/regional-vars.tf` | Regional variables |
| `terraform/prod/us-va/remote-data.tf` | Remote data from state files. Uncomment as more infrastructure is deployed |
1. Update `terraform/prod/global-vars.tf` variables.
2. Update `terraform/prod/us-va/regional-vars.tf` variables, if applicable.
3. Run `az login`. You may have to change the cloud if you receive an error: `az cloud set --name AzureUSGovernment`.
4. Change to `terraform/prod/us-va/security-core` and run `terraform init` and `terraform plan`. If everything looks good, run `terraform apply`.
5. Change to `terraform/prod/us-va/region-setup` and run `terraform init` and `terraform plan`. If everything looks good, run `terraform apply`.
6. Deploy `mgmt` and `app` resources in a similar fashion. Order of deployment is below.

Each module, e.g. `region-setup`, has a README file that provides deployment steps, dependencies, and other notes on each component in the environment.
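The deployment order above as a runnable script (an added example, not a script from the Coalfire repository): it assumes the `az` and `terraform` CLIs are on PATH, and the `REGION_DIR`, `CLOUD_NAME`, `SUBSCRIPTION_ID` and `DRY_RUN` variables are the script's own. It selects the cloud before logging in, then runs init, plan and apply per module in order, applying the saved plan file so that what was reviewed is exactly what gets applied.

```shell
#!/usr/bin/env bash
# Added example, not part of the Coalfire repository: runs the README's deployment
# order for one region. Assumes az and terraform are on PATH and REGION_DIR points
# at a region folder such as terraform/prod/us-va. DRY_RUN=1 prints commands instead.
set -eu

REGION_DIR="${REGION_DIR:-terraform/prod/us-va}"
CLOUD_NAME="${CLOUD_NAME:-AzureUSGovernment}"

# Deployment order from the README: security-core, region-setup, then mgmt and app.
deploy_order() {
  printf '%s\n' security-core region-setup mgmt app
}

# Run a command, or echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Select the cloud before az login: the CLI defaults to the commercial cloud,
# and logging in to a Government tenant fails until it is switched.
select_cloud_and_login() {
  run az cloud set --name "$CLOUD_NAME"
  run az login
  if [ -n "${SUBSCRIPTION_ID:-}" ]; then
    run az account set --subscription "$SUBSCRIPTION_ID"
  fi
}

# init, plan to a file, then apply exactly the plan that was reviewed, so
# nothing that changed between plan and apply goes in unreviewed.
deploy_module() {
  local dir="$REGION_DIR/$1"
  [ -d "$dir" ] || { printf 'missing module directory: %s\n' "$dir" >&2; return 1; }
  run terraform -chdir="$dir" init
  run terraform -chdir="$dir" plan -out=tfplan
  run terraform -chdir="$dir" apply tfplan
}

main() {
  select_cloud_and_login
  for m in $(deploy_order); do deploy_module "$m"; done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it with `--run` from the repository root; without that flag the file only defines the functions, so it can be sourced and the stages run one at a time.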
When adding a new admin:

1. Add their PIP or use the VPN IP CIDR to access and deploy resources; otherwise the user cannot access the Key Vaults, the storage account with the state files, or the bastion hosts.
2. Re-run `terraform apply` on the bastion folder to add the new PIP to the bastion NSG.
3. Re-run `terraform apply` on the key-vault, security-core, and region-setup folders to add the new admin's GUID to the Admin roles.
For Azure Government cloud:

```shell
az cloud set --name AzureUSGovernment
```

By default, AZCLI is configured for commercial cloud. If you need to switch back from another selection:

```shell
az cloud set --name AzureCloud
```

Log into the Azure Tenant with your Azure Active Directory (AAD) credentials.

```shell
az login
```

Follow the instructions in the terminal to log in via the web portal with your credentials. Upon a successful login you should see output similar to this:

```json
[
  {
    "cloudName": "AzureCloud",
    "id": "REDACTED",
    "isDefault": true,
    "name": "Azure subscription 1",
    "state": "Enabled",
    "tenantId": "REDACTED",
    "user": {
      "name": "[email protected]",
      "type": "user"
    }
  }
]
```

Set a specific subscription:

```shell
az account set --subscription {GUID}
```
No requirements.
No providers.
No modules.
No resources.
No inputs.
No outputs.
If you're interested in contributing to our projects, please review the Contributing Guidelines, and send an email to our team to receive a copy of our CLA and start the onboarding process.
Copyright © 2024 Coalfire Systems Inc.