terraform-azurerm-caf-enter.../resources.management_groups.tf

# The following resource blocks and for_each logic are used
# to ensure Management Group deployment respects the
# hierarchical dependencies between Management Groups and
# their parents. A local variable is used to merge the
# response from each block to return the configuration
# data from the module in a single object.
# Azure only supports a Management Group depth of 6 levels.

resource "azurerm_management_group" "level_1" {
  for_each = local.azurerm_management_group_level_1

  name                       = each.value.id
  display_name               = each.value.display_name
  parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"
  subscription_ids           = each.value.subscription_ids

}

resource "azurerm_management_group" "level_2" {
  for_each = local.azurerm_management_group_level_2

  name                       = each.value.id
  display_name               = each.value.display_name
  parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"
  subscription_ids           = each.value.subscription_ids

  depends_on = [azurerm_management_group.level_1]

}

resource "azurerm_management_group" "level_3" {
  for_each = local.azurerm_management_group_level_3

  name                       = each.value.id
  display_name               = each.value.display_name
  parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"
  subscription_ids           = each.value.subscription_ids

  depends_on = [azurerm_management_group.level_2]

}

resource "azurerm_management_group" "level_4" {
  for_each = local.azurerm_management_group_level_4

  name                       = each.value.id
  display_name               = each.value.display_name
  parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"
  subscription_ids           = each.value.subscription_ids

  depends_on = [azurerm_management_group.level_3]

}

resource "azurerm_management_group" "level_5" {
  for_each = local.azurerm_management_group_level_5

  name                       = each.value.id
  display_name               = each.value.display_name
  parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"
  subscription_ids           = each.value.subscription_ids

  depends_on = [azurerm_management_group.level_4]

}

resource "azurerm_management_group" "level_6" {
  for_each = local.azurerm_management_group_level_6

  name                       = each.value.id
  display_name               = each.value.display_name
  parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"
  subscription_ids           = each.value.subscription_ids

  depends_on = [azurerm_management_group.level_5]

}

# This will deploy Diagnostic Settings for the Management Groups
# when the input variable deploy_diagnostics_for_mg is true
resource "azapi_resource" "diag_settings" {
  for_each                  = local.azapi_mg_diagnostics
  type                      = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
  name                      = "toLA"
  parent_id                 = each.key
  schema_validation_enabled = false
  body = {
    properties = {
      logAnalyticsDestinationType = "null"
      logs = [
        {
          category = "Administrative"
          enabled  = true
        },
        {
          category = "Policy"
          enabled  = true
        }
      ]
      workspaceId = local.template_file_variables.log_analytics_workspace_resource_id
    }
  }
  depends_on = [
    time_sleep.after_azurerm_management_group,
    azurerm_management_group.level_1,
    azurerm_management_group.level_2,
    azurerm_management_group.level_3,
    azurerm_management_group.level_4,
    azurerm_management_group.level_5,
    azurerm_management_group.level_6,
  ]
}

# This is used when strict_subscription_association is set to true
resource "azurerm_management_group_subscription_association" "enterprise_scale" {
  for_each = local.azurerm_management_group_subscription_association_enterprise_scale

  management_group_id = each.value.management_group_id
  subscription_id     = each.value.subscription_id

  depends_on = [
    time_sleep.after_azurerm_management_group,
    azurerm_management_group.level_1,
    azurerm_management_group.level_2,
    azurerm_management_group.level_3,
    azurerm_management_group.level_4,
    azurerm_management_group.level_5,
    azurerm_management_group.level_6,
  ]
}

resource "time_sleep" "after_azurerm_management_group" {
  depends_on = [
    azurerm_management_group.level_1,
    azurerm_management_group.level_2,
    azurerm_management_group.level_3,
    azurerm_management_group.level_4,
    azurerm_management_group.level_5,
    azurerm_management_group.level_6,
  ]
  triggers = {
    "azurerm_management_group_level_1" = jsonencode(keys(azurerm_management_group.level_1))
    "azurerm_management_group_level_2" = jsonencode(keys(azurerm_management_group.level_2))
    "azurerm_management_group_level_3" = jsonencode(keys(azurerm_management_group.level_3))
    "azurerm_management_group_level_4" = jsonencode(keys(azurerm_management_group.level_4))
    "azurerm_management_group_level_5" = jsonencode(keys(azurerm_management_group.level_5))
    "azurerm_management_group_level_6" = jsonencode(keys(azurerm_management_group.level_6))
  }

  create_duration  = local.create_duration_delay["after_azurerm_management_group"]
  destroy_duration = local.destroy_duration_delay["after_azurerm_management_group"]
}
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`# The following resource blocks and for_each logic are used`
			`# to ensure Management Group deployment respects the`
			`# hierarchical dependencies between Management Groups and`
			`# their parents. A local variable is used to merge the`
			`# response from each block to return the configuration`
			`# data from the module in a single object.`
			`# Azure only supports a Management Group depth of 6 levels.`

			`resource "azurerm_management_group" "level_1" {`
Refactor for_each logic on resources 2020-10-09 15:45:50 +03:00			`for_each = local.azurerm_management_group_level_1`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
Fix for scoped deployments 2020-10-01 13:05:02 +03:00			`name = each.value.id`
			`display_name = each.value.display_name`
Make es_root_parent_id mandatory 2020-10-03 22:46:52 +03:00			`parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"`
Fix for scoped deployments 2020-10-01 13:05:02 +03:00			`subscription_ids = each.value.subscription_ids`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
			`}`

			`resource "azurerm_management_group" "level_2" {`
Refactor for_each logic on resources 2020-10-09 15:45:50 +03:00			`for_each = local.azurerm_management_group_level_2`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
			`name = each.value.id`
			`display_name = each.value.display_name`
Fix to allow null es_root_parent_id input 2020-10-02 12:50:33 +03:00			`parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`subscription_ids = each.value.subscription_ids`

			`depends_on = [azurerm_management_group.level_1]`

			`}`

			`resource "azurerm_management_group" "level_3" {`
Refactor for_each logic on resources 2020-10-09 15:45:50 +03:00			`for_each = local.azurerm_management_group_level_3`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
			`name = each.value.id`
			`display_name = each.value.display_name`
Fix to allow null es_root_parent_id input 2020-10-02 12:50:33 +03:00			`parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`subscription_ids = each.value.subscription_ids`

			`depends_on = [azurerm_management_group.level_2]`

			`}`

			`resource "azurerm_management_group" "level_4" {`
Refactor for_each logic on resources 2020-10-09 15:45:50 +03:00			`for_each = local.azurerm_management_group_level_4`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
			`name = each.value.id`
			`display_name = each.value.display_name`
Fix to allow null es_root_parent_id input 2020-10-02 12:50:33 +03:00			`parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`subscription_ids = each.value.subscription_ids`

			`depends_on = [azurerm_management_group.level_3]`

			`}`

			`resource "azurerm_management_group" "level_5" {`
Refactor for_each logic on resources 2020-10-09 15:45:50 +03:00			`for_each = local.azurerm_management_group_level_5`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
			`name = each.value.id`
			`display_name = each.value.display_name`
Fix to allow null es_root_parent_id input 2020-10-02 12:50:33 +03:00			`parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`subscription_ids = each.value.subscription_ids`

			`depends_on = [azurerm_management_group.level_4]`

			`}`

			`resource "azurerm_management_group" "level_6" {`
Refactor for_each logic on resources 2020-10-09 15:45:50 +03:00			`for_each = local.azurerm_management_group_level_6`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
			`name = each.value.id`
			`display_name = each.value.display_name`
Fix to allow null es_root_parent_id input 2020-10-02 12:50:33 +03:00			`parent_management_group_id = "${local.provider_path.management_groups}${each.value.parent_management_group_id}"`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`subscription_ids = each.value.subscription_ids`

			`depends_on = [azurerm_management_group.level_5]`

			`}`
Library template update automation, and bug fixes (#44) - Update Unit and E2E test pipelines to use YML templates and dynamic matrix generation. - Add custom PS module for `Enterprise Scale Library Tools` to handle automated library template updates. - Add script and GitHub Action to enable automated library template updates from [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale) repository using a CI pipeline. - Add offline ProviderApiVersions cache in `Enterprise Scale Library Tools` to negate the need for Azure credentials. - Update Library Templates (automated) using new CI process. - Manual remediations to updated library templates to ensure full compatibility with Terraform (needs to be fixed at source to prevent regression). - Update Policy Assignments and archetypes to provide parity with [WingTip reference Enterprise-Scale foundations](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md). - Update Resource definitions in base module to use `name` field instead of `properties.displayName` to allow setting a more "human-friendly" displayName on policies and roles. - Fix bug where duplicate roles are created at the same scope for policy assignments with managed identity. - Add customizable delay between deployment of different resource types to reduce deployment errors due to caching and replication in the Azure API (Improvement to help Fix #37). - Update `root_parent_id` validation regex to include support for additional supported characters (Fix #43). 2021-03-06 22:29:26 +03:00
Diag settings mg (#603) Co-authored-by: Luis Chaves <luchaves@microsoft.com> Co-authored-by: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> 2023-03-01 18:13:14 +03:00			`# This will deploy Diagnostic Settings for the Management Groups`
feat!: ama (#968) 2024-06-17 15:01:21 +03:00			`# when the input variable deploy_diagnostics_for_mg is true`
Diag settings mg (#603) Co-authored-by: Luis Chaves <luchaves@microsoft.com> Co-authored-by: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> 2023-03-01 18:13:14 +03:00			`resource "azapi_resource" "diag_settings" {`
fix(management): azapi_resource.diag_settings (#1027) 2024-07-12 18:36:04 +03:00			`for_each = local.azapi_mg_diagnostics`
			`type = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"`
			`name = "toLA"`
			`parent_id = each.key`
			`schema_validation_enabled = false`
			`body = {`
Diag settings mg (#603) Co-authored-by: Luis Chaves <luchaves@microsoft.com> Co-authored-by: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> 2023-03-01 18:13:14 +03:00			`properties = {`
			`logAnalyticsDestinationType = "null"`
			`logs = [`
			`{`
			`category = "Administrative"`
			`enabled = true`
			`},`
			`{`
			`category = "Policy"`
			`enabled = true`
			`}`
			`]`
			`workspaceId = local.template_file_variables.log_analytics_workspace_resource_id`
			`}`
fix(management): azapi_resource.diag_settings (#1027) 2024-07-12 18:36:04 +03:00			`}`
Diag settings mg (#603) Co-authored-by: Luis Chaves <luchaves@microsoft.com> Co-authored-by: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> 2023-03-01 18:13:14 +03:00			`depends_on = [`
			`time_sleep.after_azurerm_management_group,`
			`azurerm_management_group.level_1,`
			`azurerm_management_group.level_2,`
			`azurerm_management_group.level_3,`
			`azurerm_management_group.level_4,`
			`azurerm_management_group.level_5,`
			`azurerm_management_group.level_6,`
			`]`
			`}`

Add support for relaxed mg sub assoc (#427) * feat: Initial support for relaxed mg sub association * docs: add docs for mg_sub_association * fix: reference to local * docs: update following review * fix: subscription_ids null if in relaxed mode * fix: incorrect map and object key names * style: update key name to reflect standards * fix: move resource block to correct place * test: add mg sub association to test 3 * docs: add new tf resource * style: fmt * fix: incorrect depends_on * fix: add missing var prefix from variable reference * fix: azurerm resource type typo * fix: map object key name * fix: incorrect subscription resource id * Add updates to baseline_values.json * docs: spelling, thanks @jtracey93 * Update for consistent style and add to outputs * Add updates to baseline_values.json Co-authored-by: github-actions <action@github.com> Co-authored-by: Kevin Rowlandson <kevin.rowlandson@microsoft.com> 2022-07-15 13:59:47 +03:00			`# This is used when strict_subscription_association is set to true`
			`resource "azurerm_management_group_subscription_association" "enterprise_scale" {`
			`for_each = local.azurerm_management_group_subscription_association_enterprise_scale`

			`management_group_id = each.value.management_group_id`
			`subscription_id = each.value.subscription_id`

			`depends_on = [`
feat!: implement hub network mesh peering (#429) 2022-08-12 16:24:31 +03:00			`time_sleep.after_azurerm_management_group,`
			`azurerm_management_group.level_1,`
			`azurerm_management_group.level_2,`
			`azurerm_management_group.level_3,`
			`azurerm_management_group.level_4,`
			`azurerm_management_group.level_5,`
			`azurerm_management_group.level_6,`
Add support for relaxed mg sub assoc (#427) * feat: Initial support for relaxed mg sub association * docs: add docs for mg_sub_association * fix: reference to local * docs: update following review * fix: subscription_ids null if in relaxed mode * fix: incorrect map and object key names * style: update key name to reflect standards * fix: move resource block to correct place * test: add mg sub association to test 3 * docs: add new tf resource * style: fmt * fix: incorrect depends_on * fix: add missing var prefix from variable reference * fix: azurerm resource type typo * fix: map object key name * fix: incorrect subscription resource id * Add updates to baseline_values.json * docs: spelling, thanks @jtracey93 * Update for consistent style and add to outputs * Add updates to baseline_values.json Co-authored-by: github-actions <action@github.com> Co-authored-by: Kevin Rowlandson <kevin.rowlandson@microsoft.com> 2022-07-15 13:59:47 +03:00			`]`
			`}`

Library template update automation, and bug fixes (#44) - Update Unit and E2E test pipelines to use YML templates and dynamic matrix generation. - Add custom PS module for `Enterprise Scale Library Tools` to handle automated library template updates. - Add script and GitHub Action to enable automated library template updates from [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale) repository using a CI pipeline. - Add offline ProviderApiVersions cache in `Enterprise Scale Library Tools` to negate the need for Azure credentials. - Update Library Templates (automated) using new CI process. - Manual remediations to updated library templates to ensure full compatibility with Terraform (needs to be fixed at source to prevent regression). - Update Policy Assignments and archetypes to provide parity with [WingTip reference Enterprise-Scale foundations](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md). - Update Resource definitions in base module to use `name` field instead of `properties.displayName` to allow setting a more "human-friendly" displayName on policies and roles. - Fix bug where duplicate roles are created at the same scope for policy assignments with managed identity. - Add customizable delay between deployment of different resource types to reduce deployment errors due to caching and replication in the Azure API (Improvement to help Fix #37). - Update `root_parent_id` validation regex to include support for additional supported characters (Fix #43). 2021-03-06 22:29:26 +03:00			`resource "time_sleep" "after_azurerm_management_group" {`
			`depends_on = [`
			`azurerm_management_group.level_1,`
			`azurerm_management_group.level_2,`
			`azurerm_management_group.level_3,`
			`azurerm_management_group.level_4,`
			`azurerm_management_group.level_5,`
			`azurerm_management_group.level_6,`
			`]`
			`triggers = {`
			`"azurerm_management_group_level_1" = jsonencode(keys(azurerm_management_group.level_1))`
			`"azurerm_management_group_level_2" = jsonencode(keys(azurerm_management_group.level_2))`
			`"azurerm_management_group_level_3" = jsonencode(keys(azurerm_management_group.level_3))`
			`"azurerm_management_group_level_4" = jsonencode(keys(azurerm_management_group.level_4))`
			`"azurerm_management_group_level_5" = jsonencode(keys(azurerm_management_group.level_5))`
			`"azurerm_management_group_level_6" = jsonencode(keys(azurerm_management_group.level_6))`
			`}`

			`create_duration = local.create_duration_delay["after_azurerm_management_group"]`
			`destroy_duration = local.destroy_duration_delay["after_azurerm_management_group"]`
			`}`