docs: Updated READMEs to reflect Terraform UDR implementation in main (#133)

* docs: remove note about workload profile not being available in azurerm provider

* docs: remove note about lack of workload profile in aca-internal readme

* docs: update tf deployment instructions with workload profiles

* docs: update formatting of vars

* docs: add missing variables to tf readme

* docs: wording updates to readme
ibersanoMS authored Mar 15, 2024
1 parent f6dfc4a commit a63d4fd
Showing 3 changed files with 29 additions and 19 deletions.
4 changes: 0 additions & 4 deletions README.md
Expand Up @@ -25,10 +25,6 @@ This repo contains the Azure landing zone accelerator's reference implementation

*More reference implementation scenarios will be added as they become available.*


> :information_source: **NOTE**: The official Terraform AzureRM provider does not currently support the new [Azure Container Apps workload profiles, more networking features, and jobs](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/generally-available-azure-container-apps-workload-profiles-more/ba-p/3913345). The Terraform implementation in the main branch is referring to the older [V1.1.0 implementation](https://github.com/Azure/aca-landing-zone-accelerator/tree/V1.1.0/scenarios/aca-internal/terraform), which is not using workload profiles therefore the egress network traffic is not secured through an Azure Firewall.
> For a Terraform implementation using the [AzAPI provider](https://learn.microsoft.com/azure/developer/terraform/overview-azapi-provider) of the Secure Baseline Scenario, please check out the [udr-implementation-azapi branch](https://github.com/Azure/aca-landing-zone-accelerator/tree/feature/udr-implementation-azapi/scenarios/aca-internal/terraform). Once the AzureRM provider provides support for workload profiles in Azure Container Apps, a full Terraform implementation using the AzureRM provider will be become available in the main branch.
## Provide feedback

Please use GitHub issues if you have any feedback or requests on how we can improve these reference implementations.
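Review bot: The deleted note was the only statement in the top-level README that the Terraform path did not secure egress through Azure Firewall, and nothing replaces it, so a reader has no signal that this changed; the removal also leaves two consecutive blank lines before `## Provide feedback`. Since the commit title says the UDR implementation is now in main, replace the note with a one-liner stating what the Terraform egress path now is (the title implies UDR through Azure Firewall, at parity with Bicep) and drop the extra blank line.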
2 changes: 0 additions & 2 deletions scenarios/aca-internal/README.md
Expand Up @@ -44,8 +44,6 @@ This reference implementation is provided with the following infrastructure as c
:arrow_forward: [Bicep-based deployment guide](./bicep)

:arrow_forward: [Terraform-based deployment guide](./terraform)
> :information_source: **NOTE**: The official Terraform AzureRM provider does not currently support the new [Azure Container Apps workload profiles, more networking features, and jobs](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/generally-available-azure-container-apps-workload-profiles-more/ba-p/3913345). The Terraform implementation in the main branch is referring to the older [V1.1.0 implementation](https://github.com/Azure/aca-landing-zone-accelerator/tree/V1.1.0/scenarios/aca-internal/terraform), which is not using workload profiles therefore the egress network traffic is not secured through an Azure Firewall.
> For a Terraform implementation using the [AzAPI provider](https://learn.microsoft.com/azure/developer/terraform/overview-azapi-provider) of the Secure Baseline Scenario, please check out the [udr-implementation-azapi branch](https://github.com/Azure/aca-landing-zone-accelerator/tree/feature/udr-implementation-azapi/scenarios/aca-internal/terraform). Once the AzureRM provider provides support for workload profiles in Azure Container Apps, a full Terraform implementation using the AzureRM provider will be become available in the main branch.

Alternatively, you can quickly deploy the current LZA directly in your Azure subscription by hitting the button below
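Review bot: The removed note was the repo's pointer to the `feature/udr-implementation-azapi` branch and the `V1.1.0` tag for the Terraform scenario; now that the commit moves that implementation into main, grep the rest of the repo for both references so no surviving page (the Terraform guide, issue templates, the scenario diagrams) still sends readers to the old branch, and consider stating here, where both deployment guides are linked, that the two guides now have parity on egress.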

42 changes: 29 additions & 13 deletions scenarios/aca-internal/terraform/README.md
Expand Up @@ -2,11 +2,6 @@

This is the Terraform-based deployment guide for [Scenario 1: Azure Container Apps - Internal environment secure baseline](../README.md).

## :information_source: Important Note
The official Terraform AzureRM provider does not currently support the new [Azure Container Apps workload profiles, more networking features, and jobs](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/generally-available-azure-container-apps-workload-profiles-more/ba-p/3913345). The Terraform implementation in the main branch is referring to the older [V1.1.0 implementation](https://github.com/Azure/aca-landing-zone-accelerator/tree/V1.1.0/scenarios/aca-internal/terraform), which is not using workload profiles therefore the egress network traffic is not secured through an Azure Firewall.

For a Terraform implementation using the [AzAPI provider](https://learn.microsoft.com/azure/developer/terraform/overview-azapi-provider) of the Secure Baseline Scenario, please check out the [udr-implementation-azapi branch](https://github.com/Azure/aca-landing-zone-accelerator/tree/feature/udr-implementation-azapi/scenarios/aca-internal/terraform). Once the AzureRM provider provides support for workload profiles in Azure Container Apps, a full Terraform implementation using the AzureRM provider will be become available in the main branch.

## Prerequisites

This is the starting point for the instructions on deploying this reference implementation. There is required access and tooling you'll need in order to accomplish this.
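Review bot: With the `Important Note` section gone, this guide no longer says which Terraform provider(s) it needs; the removed text was the only mention that the UDR implementation relies on the AzAPI provider alongside AzureRM. Add the required providers and their minimum versions to `## Prerequisites` (the root module's `required_providers` block is the source of truth) so a `terraform init` failure on an outdated provider is not the first hint.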
Expand Down Expand Up @@ -108,26 +103,47 @@ The table below summurizes the avaialble parameters and the possible values that
| :---- | :---------- | :------ | :--------- |
| `workloadName` |A suffix that will be used to name resources in a pattern similar to `<resourceAbbreviation>-<applicationName>`. Must be less than 11 characters long, alphanumeric with dashes. | **lzaaca** | **app-svc-01** |
| `environment` | The short name of the environment. Up to eight characters long. | **dev** | **qa**, **uat**, **prod** |
| `location` | The name of the deployment region. | **northeurope** | **eastus**, **westus2**, **eastus2** |
| `tags` | Resource tags that you wish to add to all resources. | *none* | `"value": {`<br>`"Environment": "qa",`<br>`"CostCenter": CS004"`<br>`}` |
| `enableTelemetry` | Enables or disabled telemetry collection | **true** | **false** |
| `ddosProtectionPlanId` | ID of DDOS Protection Plan for hub vnet | **none** | **abc123** |
| `containerAppsSecurityRules` | NSG rules for ACA subnet | **See TF Vars file** | **See TF Vars file** |
| `appGatewaySecurityRules` | NSG rules for Application Gateway | **See TF Vars file** | **See TF Vars file** |
| `hubResourceGroupName` | The name of the hub resource group to create the hub resources in. | *none*. This results in a new resource group being created. | **rg-byo-hub-academo**. This results in `rg-byo-hub-academo` being used. *This must be an empty resource group, do not use an existing resource group used for other purposes.* |
| `spokeResourceGroupName` | The name of the spoke resource group to create the spoke resources in. | *none*. This results in a new resource group being created. | **rg-byo-spoke-academo**. This results in `rg-byo-spoke-academo` being used. *This must be an empty resource group, do not use an existing resource group used for other purposes.* |
| `vnetAddressPrefixes` | An array of string. The address prefixes to use for the hub virtual network. | `["10.0.0.0/24"]` | `["10.100.0.0/24"]` |
| `supportingResourceGroupName` | The name of the supporting resource group to create the supporting resources in. | *none*. This results in a new resource group being created. | **rg-byo-support-academo**. This results in `rg-byo-support-academo` being used. *This must be an empty resource group, do not use an existing resource group used for other purposes.* |
| `hubVnetAddressPrefixes` | An array of strings. The address prefixes to use for the hub virtual network. | `["10.0.0.0/24"]` | `["10.100.0.0/24"]` |
| `gatewaySubnetAddressPrefix` | A string. The address prefix to use for the gateway subnet in the virtual network. | `"10.0.0.0/24"` | `"10.100.0.0/24"` |
| `azureFirewallSubnetAddressPrefix` | A string. The address prefix to use for the Azure Firewall subnet in the virtual network. | `""10.0.0.64/26""` | `""10.0.0.64/26""` |
| `bastionSubnetAddressPrefixes` | An array of strings. The address prefixes to use for the Azure Bastion subnet in the virtual network. | `["10.0.0.128/26"]` | `["10.0.0.128/26"]` |
| `azureFirewallSubnetManagementAddressPrefix` | A string. The address prefix to use for the Azure Firewall Management subnet in the virtual network. | `"10.0.0.192/26"` | `"10.0.0.192/26"` |
| `spokeVNetAddressPrefixes` | An array of string. The address prefixes to use for the spoke virtual network. | `["10.1.0.0/22"]` | `["10.101.0./22"]` |
| `vmJumpBoxSubnetAddressPrefix` | CIDR of the spoke infrastructure subnet. Must be a subset of the spoke CIDR ranges. | **10.1.2.32/27** | **10.1.2.32/27** |
| `infraSubnetAddressPrefix` | CIDR of the spoke infrastructure subnet. Must be a subset of the spoke CIDR ranges. | **10.1.0.0/27** | **10.101.0.0/27** |
| `infraSubnetName` | Name of spoke infrastructure subnet | **snet-infra** | **snet-infra** |
| `privateEndpointsSubnetAddressPrefix` | CIDR of the spoke private endpoint subnet. Must be a subset of the spoke CIDR ranges. | **10.1.2.0/27** | **10.101.2.0/27** |
| `privateEndpointsSubnetName` | Name of spoke private endpoint subnet | **snet-pep** | **snet-pep** |
| `applicationGatewaySubnetAddressPrefix` | CIDR of the spoke Application Gateway subnet. Must be a subset of the spoke CIDR ranges. | **10.1.3.0/24** | **10.101.3.0/24** |
| `applicationGatewaySubnetName` | Name of spoke Application Gateway subnet | **snet-agw** | **snet-agw** |
| `gatewaySubnetAddressPrefix` | CIDR of the Gateway subnet. Must be a subset of the spoke CIDR ranges. | **10.1.3.0/24** | **10.101.3.0/24** |
| `gatewaySubnetName` | Name of Gateway subnet | **GatewaySubnet** | **GatewaySubnet** |
| `azureFirewallSubnetName` | Name of Azure Firewall subnet | **AzureFirewallSubnet** | **AzureFirewallSubnet** |
| `enableBastion` | Controls if Azure Bastion is deployed. | `true` | false` |
| `bastionSubnetAddressPrefix` | CIDR to use for the Azure Bastion subnet. Must be a subset of the hub CIDR ranges. | **10.0.0.128/26** | **10.100.2.0/26** |
| `vmSize` | The size of the virtual machine to create for the jump box. | `Standard_B2ms` | Any one of: [VM sizes](https://learn.microsoft.om/azure/virtual-machines/sizes) |
| `vmAdminUsername` | The username to use for the jump box. | **azureuser** | `jumpboxadmin` |
| `vmAdminUsername` | The username to use for the jump box. | **vmadmin** | `jumpboxadmin` |
| `vmAdminPassword` | The password to use for the jump box admin user. | **Password123** :stop_sign: You *should* change this. | Any cryptographically strong password of your choosing. |
| `vmLinuxSshAuthorizedKeys` | The SSH public key to use for the jump box (if VM is Linux) | *unusable/garbage value* | Any SSH keys you wish in the form of **ssh-rsa AAAAB6NzC...P38/oqQv description**|
| `vmJumpboxOSType` | The type of OS for the deployed jump box. | **linux** | **windows** |
| `vmJumpBoxSubnetAddressPrefix` | CIDR to use for the jump box subnet. must be a subset of the hub CIDR ranges. | **10.1.2.32/27** | **10.100.3.128/25** |
| `spokeVNetAddressPrefixes` | An array of string. The address prefixes to use for the spoke virtual network. | `["10.1.0.0/22"]` | `["10.101.0./22"]` |
| `spokeInfraSubnetAddressPrefix` | CIDR of the spoke infrastructure subnet. Must be a subset of the spoke CIDR ranges. | **10.1.0.0/23** | **10.101.0.0/23** |
| `spokePrivateEndpointsSubnetAddressPrefix` | CIDR of the spoke private endpoint subnet. Must be a subset of the spoke CIDR ranges. | **10.1.2.0/4** | **10.101.2.0/24** |
| `spokeApplicationGatewaySubnetAddressPrefix` | CIDR of the spoke Application Gateway subnet. Must be a subset of the spoke CIDR ranges. | **10.1.3.0/24** | **10.101.3.0/24** |
| `enableApplicationInsights` | Controls if Application Insights is deployed and configured. | **true** | **false** |
| `aRecords` | A Records for App Gateway DNS | **[]** | **[]** |
| `appGatewayCertificatePath` | App Gateway Certificate Path | **configuration/acahello.demoapp.com.pfx** | **configuration/acahello.demoapp.com.pfx** |
| `appGatewayCertificateKeyName` | App Gateway Certificate Key Name | **agwcert** | **agwcert** |
| `appGatewayFQDN` | App Gateway FQDN | **acahello.demoapp.com** | **acahello.demoapp.com** |
| `deployHelloWorldSample` | Deploy a simple, sample application to the infrastructure. If you prefer to deploy the more comprehensive, Dapr-enabled sample app, this needs to be disabled | **true** | **false**, because you plan on deploying the Dapr-enabled application instead. |
| `clientIP` | If you'd like to deploy the architecture with Application Gateway without having to deploy Application Gateway separately, this should be set to the Public IP address of the machine executing the deployment | "" | 192.168.1.1 |
| `helloWorldContainerAppName` | Name for ACA | **none** | **ca-hello-world** |
| `clientIP` | If you'd like to deploy the architecture with Application Gateway without having to deploy Application Gateway separately, this should be set to the Public IP address of the machine executing the deployment | **""** | 192.168.1.1 |
| `workloadProfiles` | If you'd like to use workload profiles, you need to set field which is an array of objects with name, workload_profile_type, minimum_count and maximum_count fields. | *none* | `[{`<br>`name = "general-purpose", `<br>` workload_profile_type = "D4", `<br>` minimum_count = 1, `<br>` maximum_count = 3 `<br>` }]` |


#### Deploy
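Review bot: Several rows in this table document defaults that a reader will copy as-is and that are either insecure or mutually inconsistent. `vmAdminPassword` ships `Password123` as the documented default for the jump box admin; the `:stop_sign:` is not enough, so either give it no default (so the plan fails if it is unset) or state that the value is a placeholder that must be overridden, and prefer `vmLinuxSshAuthorizedKeys` for Linux, whose own default is listed as *unusable/garbage value*. The hub defaults overlap: `gatewaySubnetAddressPrefix` is `"10.0.0.0/24"`, the whole of `hubVnetAddressPrefixes`, which cannot coexist with `azureFirewallSubnetAddressPrefix` `10.0.0.64/26`, the Bastion subnet `10.0.0.128/26` and the firewall management subnet `10.0.0.192/26`; a second `gatewaySubnetAddressPrefix` row lower down gives `10.1.3.0/24`, identical to `applicationGatewaySubnetAddressPrefix`. `vmJumpBoxSubnetAddressPrefix` is described once as "the spoke infrastructure subnet" and once as "must be a subset of the hub CIDR ranges", while its default `10.1.2.32/27` sits inside the spoke range `10.1.0.0/22`. Because the rendered diff does not show which rows are additions and which are deletions, please confirm that only one of each duplicated parameter survives: `vmAdminUsername` (`azureuser` vs `vmadmin`), `clientIP`, `spokeVNetAddressPrefixes`, `vmJumpBoxSubnetAddressPrefix`, `vnetAddressPrefixes` vs `hubVnetAddressPrefixes`, `bastionSubnetAddressPrefixes` vs `bastionSubnetAddressPrefix`, and the `infra`/`privateEndpoints`/`applicationGateway` subnet rows versus their `spoke`-prefixed counterparts. Typos to fix in the same pass: `""10.0.0.64/26""` (doubled quotes), `10.101.0./22` (missing octet, in both spoke VNet rows), `10.1.2.0/4` (a /24 to match the example column), `false` followed by a stray backtick in the `enableBastion` row, `learn.microsoft.om`, `"CostCenter": CS004"` (missing opening quote), "Enables or disabled telemetry", and "summurizes the avaialble" in the paragraph above the table. Finally, `clientIP` asks for a public IP but the example `192.168.1.1` is an RFC 1918 address, the `ddosProtectionPlanId` example `abc123` is not the shape of an Azure resource ID, and the `workloadProfiles` description should read "set this field, an array of objects with `name`, `workload_profile_type`, `minimum_count` and `maximum_count`".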