12 KiB
Azure landing zones Terraform module
Detailed information about how to use, configure and extend this module can be found on our Wiki:
‼ Notice of upcoming breaking changes
We are planning to make some breaking changes to the module in the next release (Q4 2024).
- Module defaults will updated to deploy zone redundant SKUs by default - this applies to:
- Firewall
- Public IP
- Virtual Network Gateway
We will publish guidance on how to avoid re-deployment of existing resources nearer the time.
Overview
The Azure landing zones Terraform module is designed to accelerate deployment of platform resources based on the Azure landing zones conceptual architecture using Terraform.
This is currently split logically into the following capabilities within the module (links to further guidance on the Wiki):
Module capability | Scope | Design area |
---|---|---|
Core Resources | Management group and subscription organization | Resource organization |
Management Resources | Management subscription | Management |
Connectivity Resources | Connectivity subscription | Network topology and connectivity |
Identity Resources | Identity subscription | Identity and access management |
Using a very simple initial configuration, the module will deploy a management group hierarchy based on the above diagram.
This includes the recommended governance baseline, applied using Azure Policy and Access control (IAM) resources deployed at the management group scope.
The default configuration can be easily extended to meet differing requirements, and includes the ability to deploy platform resources in the management
and connectivity
subscriptions.
NOTE: In addition to setting input variables to control which resources are deployed, the module requires setting a Provider Configuration block to enable deployment across multiple subscriptions.
Although resources are logically grouped to simplify operations, the modular design of the module also allows resources to be deployed using different Terraform workspaces. This allows customers to address concerns around managing large state files, or assigning granular permissions to pipelines based on the principle of least privilege. (more information coming soon in the Wiki)
Terraform versions
This module has been tested using Terraform 1.7.0
and AzureRM Provider 3.107.0
as a baseline, and various versions to up the latest at time of release.
In some cases, individual versions of the AzureRM provider may cause errors.
If this happens, we advise upgrading to the latest version and checking our troubleshooting guide before raising an issue.
Usage
We recommend starting with the following configuration in your root module to learn what resources are created by the module and how it works.
This will deploy the core components only.
NOTE: For production use we highly recommend using the Terraform Registry and pinning to the latest stable version, as per the example below. Pinning to the
main
branch in GitHub will give you the latest updates quicker, but increases the likelihood of unplanned changes to your environment and unforeseen issues.
main.tf
# Configure Terraform to set the required AzureRM provider
# version and features{} block.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.107"
}
}
}
provider "azurerm" {
features {}
}
# Get the current client configuration from the AzureRM provider.
# This is used to populate the root_parent_id variable with the
# current Tenant ID used as the ID for the "Tenant Root Group"
# management group.
data "azurerm_client_config" "core" {}
# Use variables to customize the deployment
variable "root_id" {
type = string
default = "es"
}
variable "root_name" {
type = string
default = "Enterprise-Scale"
}
variable "default_location" {
type = string
}
# Declare the Azure landing zones Terraform module
# and provide a base configuration.
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
default_location = var.default_location
providers = {
azurerm = azurerm
azurerm.connectivity = azurerm
azurerm.management = azurerm
}
root_parent_id = data.azurerm_client_config.core.tenant_id
root_id = var.root_id
root_name = var.root_name
}
NOTE: For additional guidance on how to customize your deployment using the advanced configuration options for this module, please refer to our User Guide and the additional examples in our documentation.
Permissions
Please refer to our Module Permissions guide on the Wiki.
Examples
The following list outlines some of our most popular examples:
For the complete list of our latest examples, please refer to our Examples page on the Wiki.
Release notes
Please see the releases page for the latest module updates.
Upgrade guides
For upgrade guides from previous versions, please refer to the following links: