⚠️ Warning⚠️ This module is still in development but is ready for initial testing and feedback via GitHub Issues.
- This repository contains a Terraform module for deploying Azure Landing Zones (ALZs).
- Make sure to review the examples.
The following requirements are needed by this module:
The following providers are used by this module:
The following resources are used by this module:
- alz_policy_role_assignments.this (resource)
- azurerm_management_group.this (resource)
- azurerm_management_group_policy_assignment.this (resource)
- azurerm_management_group_subscription_association.this (resource)
- azurerm_management_group_template_deployment.telemetry (resource)
- azurerm_policy_definition.this (resource)
- azurerm_policy_set_definition.this (resource)
- azurerm_role_assignment.this (resource)
- azurerm_role_definition.this (resource)
- random_id.telem (resource)
- time_sleep.before_management_group_creation (resource)
- time_sleep.before_policy_assignments (resource)
- time_sleep.before_policy_role_assignments (resource)
- alz_archetype.this (data source)
- alz_archetype_keys.this (data source)
- azurerm_subscription.this (data source)
The following input variables are required:
Description: The archetype of the management group.
This should be one of the built in archetypes, or a custom one defined in one of the lib_dirs.
Type: string
Description: The default location for resources in this management group. Used for policy managed identities.
Type: string
Description: The display name of the management group.
Type: string
Description: The id of the management group. This must be unique and cannot be changed after creation.
Type: string
Description: The resource id of the parent management group. Use the tenant id to create a child of the tenant root group.
The azurerm_client_config data source from the AzureRM provider is useful to get the tenant id.
Type: string
The following input variables are optional (have default values):
Description: The resource id of the default log analytics workspace to use for policy parameters.
Type: string
Default: null
Description: Resource group id for the private dns zones to use in policy parameters.
Type: string
Default: null
Description: A map of delays to apply to the creation and destruction of resources.
Included to work around some race conditions in Azure.
Type:
object({
before_management_group = optional(object({
create = optional(string, "30s")
destroy = optional(string, "0s")
}), {})
before_policy_assignments = optional(object({
create = optional(string, "30s")
destroy = optional(string, "0s")
}), {})
before_policy_role_assignments = optional(object({
create = optional(string, "60s")
destroy = optional(string, "0s")
}), {})
})Default: {}
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
Description: A map of policy assignment objects to modify the ALZ archetype with.
You only need to specify the properties you want to change.
The key is the name of the policy assignment.
The value is a map of the properties of the policy assignment.
enforcement_mode- (Optional) The enforcement mode of the policy assignment. Possible values areDefaultandDoNotEnforce.identity- (Optional) The identity of the policy assignment. Possible values areSystemAssignedandUserAssigned.identity_ids- (Optional) A set of ids of the user assigned identities to assign to the policy assignment.non_compliance_message- (Optional) A set of non compliance message objects to use for the policy assignment. Each object has the following properties:message- (Required) The non compliance message.policy_definition_reference_id- (Optional) The reference id of the policy definition to use for the non compliance message.
parameters- (Optional) A JSON string of parameters to use for the policy assignment. E.g.jsonencode({"param1": "value1", "param2": 2}).resource_selectors- (Optional) A list of resource selector objects to use for the policy assignment. Each object has the following properties:name- (Required) The name of the resource selector.selectors- (Optional) A list of selector objects to use for the resource selector. Each object has the following properties:kind- (Required) The kind of the selector. Allowed values are:resourceLocation,resourceType,resourceWithoutLocation.resourceWithoutLocationcannot be used in the same resource selector asresourceLocation.in- (Optional) A set of strings to include in the selector.not_in- (Optional) A set of strings to exclude from the selector.
overrides- (Optional) A list of override objects to use for the policy assignment. Each object has the following properties:kind- (Required) The kind of the override.value- (Required) The value of the override. Supported values are policy effects: https://learn.microsoft.com/azure/governance/policy/concepts/effects.selectors- (Optional) A list of selector objects to use for the override. Each object has the following properties:kind- (Required) The kind of the selector.in- (Optional) A set of strings to include in the selector.not_in- (Optional) A set of strings to exclude from the selector.
Type:
map(object({
enforcement_mode = optional(string, null)
identity = optional(string, null)
identity_ids = optional(list(string), null)
parameters = optional(string, null)
non_compliance_message = optional(set(object({
message = string
policy_definition_reference_id = optional(string, null)
})), null)
resource_selectors = optional(list(object({
name = string
selectors = optional(list(object({
kind = string
in = optional(set(string), null)
not_in = optional(set(string), null)
})), [])
})))
overrides = optional(list(object({
kind = string
value = string
selectors = optional(list(object({
kind = string
in = optional(set(string), null)
not_in = optional(set(string), null)
})), [])
})))
}))Default: {}
Description: A map of role assignments to associated principals and role definitions to the management group.
The key is the your reference for the role assignment. The value is a map of the properties of the role assignment.
role_definition_id- (Optional) The id of the role definition to assign to the principal. Conflicts withrole_definition_name.role_definition_idandrole_definition_nameare mutually exclusive and one of them must be supplied.role_definition_name- (Optional) The name of the role definition to assign to the principal. Conflicts withrole_definition_id.principal_id- (Required) The id of the principal to assign the role definition to.description- (Optional) The description of the role assignment.
Type:
map(object({
role_definition_id = optional(string, "")
role_definition_name = optional(string, "")
principal_id = string
description = optional(string, null)
}))Default: {}
Description: A set of subscription ids to move under this management group.
Type: set(string)
Default: []
The following outputs are exported:
Description: The resource id of the created management group.
No modules.
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.