ALZ Terraform Module
⚠️ Warning ⚠️ This module is still in development but is ready for initial testing and feedback via GitHub Issues.
- This repository contains a Terraform module for deploying Azure Landing Zones (ALZs).
- Make sure to review the examples.
Requirements
The following requirements are needed by this module:
Providers
The following providers are used by this module:
Resources
The following resources are used by this module:
- alz_policy_role_assignments.this (resource)
- azurerm_management_group.this (resource)
- azurerm_management_group_policy_assignment.this (resource)
- azurerm_management_group_subscription_association.this (resource)
- azurerm_policy_definition.this (resource)
- azurerm_policy_set_definition.this (resource)
- azurerm_role_assignment.this (resource)
- azurerm_role_definition.this (resource)
- time_sleep.before_management_group_creation (resource)
- time_sleep.before_policy_assignments (resource)
- time_sleep.before_policy_role_assignments (resource)
- alz_archetype.this (data source)
- alz_archetype_keys.this (data source)
- azurerm_subscription.this (data source)
Required Inputs
The following input variables are required:
base_archetype
Description: The archetype of the management group.
This should be one of the built-in archetypes, or a custom one defined in one of the lib_dirs.
Type: string
default_location
Description: The default location for resources in this management group. Used for policy managed identities.
Type: string
display_name
Description: The display name of the management group.
Type: string
id
Description: The id of the management group. This must be unique and cannot be changed after creation.
Type: string
parent_id
Description: The id of the parent management group. Use the tenant id to create a child of the tenant root group.
The azurerm_client_config data source from the AzureRM provider is useful to get the tenant id.
Type: string
Optional Inputs
The following input variables are optional (have default values):
default_log_analytics_workspace_id
Description: The resource id of the default log analytics workspace to use for policy parameters.
Type: string
Default: null
default_private_dns_zone_resource_group_id
Description: Resource group id for the private dns zones to use in policy parameters.
Type: string
Default: null
delays
Description: A map of delays to apply to the creation and destruction of resources.
Included to work around some race conditions in Azure.
Type:
object({
before_management_group = optional(object({
create = optional(string, "30s")
destroy = optional(string, "0s")
}), {})
before_policy_assignments = optional(object({
create = optional(string, "30s")
destroy = optional(string, "0s")
}), {})
before_policy_role_assignments = optional(object({
create = optional(string, "60s")
destroy = optional(string, "0s")
}), {})
})
Default: {}
policy_assignments_to_add
Description: A map of policy assignment objects to add or update the alz archetype with.
When updating a policy assignment, you only need to specify the properties you want to change.
The key is the name of the policy assignment.
The value is a map of the properties of the policy assignment.
- display_name - (Optional) The display name of the policy assignment.
- enforcement_mode - (Optional) The enforcement mode of the policy assignment. Possible values are Default and DoNotEnforce.
- identity - (Optional) The identity of the policy assignment. Possible values are SystemAssigned and UserAssigned.
- identity_ids - (Optional) A set of ids of the user assigned identities to assign to the policy assignment.
- non_compliance_message - (Optional) A set of non compliance message objects to use for the policy assignment. Each object has the following properties:
  - message - (Required) The non compliance message.
  - policy_definition_reference_id - (Optional) The reference id of the policy definition to use for the non compliance message.
- parameters - (Optional) A JSON string of parameters to use for the policy assignment. Use jsonencode() to convert a map of the parameter names to values.
- policy_definition_id - (Optional) The id of the policy definition to assign to the policy assignment. Conflicts with policy_definition_name and policy_set_definition_name.
- policy_definition_name - (Optional) The name of the policy definition to assign to the policy assignment. Conflicts with policy_definition_id and policy_set_definition_name.
- policy_set_definition_name - (Optional) The name of the policy set definition to assign to the policy assignment. Conflicts with policy_definition_id and policy_definition_name.
Type:
map(object({
display_name = optional(string, null)
enforcement_mode = optional(string, null)
identity = optional(string, null)
identity_ids = optional(list(string), null)
policy_definition_id = optional(string, null)
policy_definition_name = optional(string, null)
policy_set_definition_name = optional(string, null)
parameters = optional(string, null)
non_compliance_message = optional(set(object({
message = string
policy_definition_reference_id = optional(string, null)
})), null)
}))
Default: {}
policy_assignments_to_remove
Description: A set of policy assignment names to remove from the base_archetype.
Type: set(string)
Default: []
policy_definitions_to_add
Description: A set of policy definition names to add to the base_archetype.
The definition must exist in one of the loaded lib directories.
Type: set(string)
Default: []
policy_definitions_to_remove
Description: A set of policy definition names to remove from the base_archetype.
Type: set(string)
Default: []
policy_set_definitions_to_add
Description: A set of policy set definition names to add to the base_archetype.
The definition must exist in one of the loaded lib directories.
Type: set(string)
Default: []
policy_set_definitions_to_remove
Description: A set of policy set definition names to remove from the base_archetype.
Type: set(string)
Default: []
role_assignments
Description: A map of role assignments to create at the scope of this management group. The map key identifies the assignment. Each value must set principal_id (the object id of the user, group or service principal) and one of role_definition_id or role_definition_name, and may carry an optional description.
Type:
map(object({
role_definition_id = optional(string, "")
role_definition_name = optional(string, "")
principal_id = string
description = optional(string, null)
}))
Default: {}
role_definitions_to_add
Description: A set of role definition names to add to the base_archetype.
The definition must exist in one of the loaded lib directories.
Type: set(string)
Default: []
role_definitions_to_remove
Description: A set of role definition names to remove from the base_archetype.
Type: set(string)
Default: []
subscription_ids
Description: A set of subscription ids to move under this management group.
Type: set(string)
Default: []
Outputs
The following outputs are exported:
management_group_name
Description: The id of the management group.
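The inputs and output documented above, exercised together in one root module configuration. This is an added example written for this page, not code from the module's own examples directory. The module source path, the archetype name "root", the policy assignment names, the emailSecurityContact parameter, the location, the resource ids, the subscription id and the principal id are placeholders chosen for illustration, and the azurerm and alz provider configuration is assumed to exist elsewhere in the root module.

```hcl
# Added example: create a child of the tenant root group from a built-in
# archetype, override one policy assignment, remove another, attach a
# subscription and grant a read-only role. All names and ids below are
# placeholders (assumptions), not values taken from this module.

# The tenant id is the parent_id for a management group directly under
# the tenant root group (see parent_id above).
data "azurerm_client_config" "current" {}

module "alz_root" {
  source = "../.."   # assumption: path to this module

  # Required inputs
  id               = "alz-root"          # immutable after creation
  display_name     = "ALZ Root"
  parent_id        = data.azurerm_client_config.current.tenant_id
  base_archetype   = "root"              # assumption: a built-in archetype name
  default_location = "uksouth"           # region for policy managed identities

  # Optional inputs feeding policy parameters
  default_log_analytics_workspace_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-alz-mgmt/providers/Microsoft.OperationalInsights/workspaces/law-alz"

  # Override a single assignment from the archetype. Only the properties being
  # changed are listed; everything else is inherited from the archetype.
  # DoNotEnforce rolls the policy out in audit-only mode so compliance results
  # can be reviewed before switching back to Default.
  policy_assignments_to_add = {
    "Deploy-MDFC-Config" = {             # assumption: assignment name in the archetype
      enforcement_mode = "DoNotEnforce"
      identity         = "SystemAssigned"
      parameters = jsonencode({          # map of parameter name -> value
        emailSecurityContact = "secops@example.com"   # assumption: parameter name
      })
      non_compliance_message = [
        {
          message = "Defender for Cloud must be configured. Contact SecOps before requesting an exemption."
        }
      ]
    }
  }

  # Drop an assignment the archetype ships with but this tenant does not want.
  policy_assignments_to_remove = ["Deploy-Private-DNS-Zones"]   # assumption

  # RBAC at management group scope: one of role_definition_id or
  # role_definition_name, plus the principal's object id.
  role_assignments = {
    platform_readers = {
      role_definition_name = "Reader"
      principal_id         = "11111111-1111-1111-1111-111111111111"   # assumption: group object id
      description          = "Read-only access for the platform team"
    }
  }

  # Move an existing subscription under this management group.
  subscription_ids = ["22222222-2222-2222-2222-222222222222"]   # assumption

  # Lengthen only the wait before policy role assignments; the other delays
  # keep their defaults (30s / 30s / 60s on create, 0s on destroy).
  delays = {
    before_policy_role_assignments = {
      create = "120s"
    }
  }
}

output "root_management_group_name" {
  value = module.alz_root.management_group_name
}
```

Because the module creates role assignments (azurerm_role_assignment and alz_policy_role_assignments in the resource list above), the identity running terraform apply needs Microsoft.Authorization/roleAssignments/write at the management group scope, which the Owner and User Access Administrator roles carry; a Contributor-only pipeline identity will fail at that step.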
Modules
No modules.
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.