[Examples] Deploy Management Resources
This page describes how to deploy your Azure landing zone with the Management resources created in the current Subscription context, using the default configuration settings.
In this example, we take the default configuration and make the following changes:
- Set
deploy_management_resourcesto enable creation of the default Management resources,including:- Resource Group to contain all Management resources.
- Log Analytics workspace to use for centralized logging.
- Automation Account to enable additional capabilities as part of the included Solutions for Azure Monitor.
- Recommended Solutions for Azure Monitor.
- Set the
subscription_id_managementvalue to ensure the Subscription is moved to the correct Management Group, and policies are updated with the correct values.
The module updates the parameters and enforcement_mode for a number of Policy Assignments, to enable features within Log Analytics and Sentinel including but not limited to:
- Enable monitoring for VMs (including Arc enabled);
- Enable monitoring for VMSS;
- Enable Azure Defender for various supported services;
- much more...
IMPORTANT: Ensure the module version is set to the latest, and don't forget to run
terraform initif upgrading to a later version of the module.
To create the Management resources, deploy_management_resources must be set to true, and the subscription_id_management is also required.
TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 190 resources to be created by the module for this example.
To keep this example simple, the root module for this example is based on a single file:
# We strongly recommend using the required_providers block to set the
# Azure Provider source and version being used.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.107"
}
}
}
provider "azurerm" {
features {}
}
# You can use the azurerm_client_config data resource to dynamically
# extract connection settings from the provider configuration.
data "azurerm_client_config" "core" {}
# Call the caf-enterprise-scale module directly from the Terraform Registry
# pinning to the latest version
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
default_location = "<YOUR_LOCATION>"
providers = {
azurerm = azurerm
azurerm.connectivity = azurerm
azurerm.management = azurerm
}
root_parent_id = data.azurerm_client_config.core.tenant_id
root_id = "myorg"
root_name = "My Organization"
deploy_management_resources = true
subscription_id_management = data.azurerm_client_config.core.subscription_id
}
You have successfully created the default Management Group resource hierarchy, along with the recommended Azure Policy and Access control (IAM) settings for your Azure landing zone.
You have also assigned the current Subscription from your provider configuration to the management Management Group.
Check the following Policy Assignments to see how these have been configured with default settings for parameters and enforcement mode:
- Scope =
rootDeploy-MDFC-ConfigDeploy-VM-MonitoringDeploy-VMSS-MonitoringDeploy-AzActivity-LogDeploy-Resource-Diag
- Scope =
managementDeploy-Log-Analytics
You may want to Deploy Management Resources With Custom Settings to change some of these settings.
The following shows the Deploy-AzActivity-Log Policy Assignment with a user-defined value set by the module for the logAnalytics parameter.
You will see that this value matches the resource ID of the Log Analytics workspace deployed by this module.
When reviewing the Policy Assignment compliance, you will see that some Policies may need remediation.
You should also have the following resources deployed in your assigned Management Subscription:
If you are using Archetype Exclusions or custom Archetypes in your code, make sure to not disable Log Analytics or Security Center policies if you require policy integration using this module. The relationship between the resources deployed and the Policy parameters is dependent on specific Policy Assignments being used.
Go to our next example to learn how to deploy the Management resources with custom settings.
To learn more about module configuration using input variables, please refer to the Module Variables documentation.
Looking for further inspiration? Why not try some of our other examples?
- Home
- User guide
- Video guides
-
Examples
- Level 100
- Level 200
-
Level 300
- Deploy connectivity resources with custom settings (Hub and Spoke)
- Deploy connectivity resources with custom settings (Virtual WAN)
- Deploy with Zero Trust network principles (Hub and Spoke)
- Deploy identity resources with custom settings
- Deploy management resources with custom settings
- Expand built-in archetype definitions
- Create custom policies, initiatives and assignments
- Override module role assignments
- Control policy enforcement mode
- Policy assignments with user assigned managed identities
- Level 400
- Frequently Asked Questions
- Troubleshooting
- Contributing