Azure / terraform-azurerm-alz-management

Terraform module to deploy Azure Landing Zone Management resources.
https://registry.terraform.io/modules/Azure/alz-management/azurerm/latest
MIT License
:warning: WARNING!
This repository is no longer maintained. Please use the terraform-azurerm-avm-ptn-alz-management repository for the updated code.

terraform-azurerm-alz-management

This module deploys a Log Analytics Workspace in Azure with Log Analytics Solutions and a linked Azure Automation Account.

Features

Example

module "alz-management" {
  source  = "Azure/alz-management/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  automation_account_name      = "aa-prod-eus-001"
  location                     = "eastus"
  log_analytics_workspace_name = "law-prod-eus-001"
  resource_group_name          = "rg-management-eus-001"
}

Enable or Disable Tracing Tags

We're using BridgeCrew Yor and yorbox to help manage tags consistently across infrastructure as code (IaC) frameworks. This adds accountability for the code responsible for deploying the particular Azure resources. In this module you might see tags like:

resource "azurerm_resource_group" "management" {
  count = var.resource_group_creation_enabled ? 1 : 0

  location = var.location
  name     = var.resource_group_name
  tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
    avm_git_commit           = "ba28d2019d124ec455bed690e553fe9c7e4e2780"
    avm_git_file             = "main.tf"
    avm_git_last_modified_at = "2023-05-15 11:25:58"
    avm_git_org              = "Azure"
    avm_git_repo             = "terraform-azurerm-alz-management"
    avm_yor_name             = "management"
    avm_yor_trace            = "00a12560-70eb-4d00-81b9-d4059bc7ed62"
  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
}

To enable tracing tags, set the tracing_tags_enabled variable to true:

module "example" {
  source  = "Azure/alz-management/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  automation_account_name      = "aa-prod-eus-001"
  location                     = "eastus"
  log_analytics_workspace_name = "law-prod-eus-001"
  resource_group_name          = "rg-management-eus-001"

  tracing_tags_enabled = true
}

tracing_tags_enabled defaults to false.

To customize the prefix for your tracing tags, set the tracing_tags_prefix variable value in your Terraform configuration:

module "example" {
  source  = "Azure/alz-management/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  automation_account_name      = "aa-prod-eus-001"
  location                     = "eastus"
  log_analytics_workspace_name = "law-prod-eus-001"
  resource_group_name          = "rg-management-eus-001"

  tracing_tags_enabled = true
  tracing_tags_prefix  = "custom_prefix_"
}

The actual applied tags would be:

{
  custom_prefix_git_commit           = "ba28d2019d124ec455bed690e553fe9c7e4e2780"
  custom_prefix_git_file             = "main.tf"
  custom_prefix_git_last_modified_at = "2023-05-15 11:25:58"
  custom_prefix_git_org              = "Azure"
  custom_prefix_git_repo             = "terraform-azurerm-alz-management"
  custom_prefix_yor_trace            = "00a12560-70eb-4d00-81b9-d4059bc7ed62"
}

Contributing

Pre-Commit, Pr-Check, and Test

We assume that you have set up the service principal's credentials in your environment variables as shown below:

export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"

On Windows PowerShell:

$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_ID="<service_principal_appid>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"

We provide a Docker image that runs the pre-commit checks and tests for you: mcr.microsoft.com/azterraform:latest

To run the pre-commit task, we can run the following command:

docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

On Windows PowerShell:

docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

NOTE: If an error occurs in PowerShell that indicates "Argument or block definition required" for unit-fixture/locals.tf and/or unit-fixture/variables.tf, the likely cause is that git is not configured to handle symlinks. This can be fixed by enabling symlink support in git:

git config core.symlinks true

Then switch branches, or execute git reset:

git reset --hard HEAD

In the pre-commit task, we will:

  1. Run the terraform fmt -recursive command on your Terraform code.
  2. Run the terrafmt fmt -f command on markdown files and Go code files to ensure that the Terraform code embedded in these files is well formatted.
  3. Run go mod tidy and go mod vendor in the test folder to ensure that all dependencies have been synced.
  4. Run gofmt on all Go code files.
  5. Run gofumpt on all Go code files.
  6. Run terraform-docs on the README.md file, then run markdown-table-formatter to format the markdown tables in README.md.

Then we can run the pr-check task to check whether our code meets our pipeline's requirements (we strongly recommend you run the following command before you commit):

docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

On Windows PowerShell:

docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

To run the e2e-test, we can run the following command:

docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

On Windows PowerShell:

docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| azurerm | >= 3.0, < 4.0 |

Providers

| Name | Version |
|------|---------|
| azurerm | >= 3.0, < 4.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_automation_account.management | resource |
| azurerm_log_analytics_linked_service.management | resource |
| azurerm_log_analytics_solution.management | resource |
| azurerm_log_analytics_workspace.management | resource |
| azurerm_resource_group.management | resource |
Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| automation_account_encryption | The encryption configuration for the Azure Automation Account. | object({ key_vault_key_id = string, user_assigned_identity_id = optional(string, null) }) | null | no |
| automation_account_identity | The identity to assign to the Azure Automation Account. | object({ type = string, identity_ids = optional(set(string), null) }) | null | no |
| automation_account_local_authentication_enabled | Whether or not local authentication is enabled for the Azure Automation Account. | bool | true | no |
| automation_account_location | The Azure region of the Azure Automation Account to deploy. This supports overriding the location variable in specific cases. | string | null | no |
| automation_account_name | The name of the Azure Automation Account to create. | string | n/a | yes |
| automation_account_public_network_access_enabled | Whether or not public network access is enabled for the Azure Automation Account. | bool | true | no |
| automation_account_sku_name | The name of the SKU for the Azure Automation Account to create. | string | "Basic" | no |
| linked_automation_account_creation_enabled | A boolean flag to determine whether to deploy the Azure Automation Account linked to the Log Analytics Workspace or not. | bool | true | no |
| location | The Azure region where the resources will be deployed. | string | n/a | yes |
| log_analytics_solution_plans | The Log Analytics Solution Plans to create. | list(object({ product = string, publisher = optional(string, "Microsoft") })) | see the list below this table | no |
| log_analytics_workspace_allow_resource_only_permissions | Whether or not to allow resource-only permissions for the Log Analytics Workspace. | bool | true | no |
| log_analytics_workspace_cmk_for_query_forced | Whether or not to force the use of customer-managed keys for query in the Log Analytics Workspace. | bool | null | no |
| log_analytics_workspace_daily_quota_gb | The daily ingestion quota in GB for the Log Analytics Workspace. | number | null | no |
| log_analytics_workspace_internet_ingestion_enabled | Whether or not internet ingestion is enabled for the Log Analytics Workspace. | bool | true | no |
| log_analytics_workspace_internet_query_enabled | Whether or not internet query is enabled for the Log Analytics Workspace. | bool | true | no |
| log_analytics_workspace_local_authentication_disabled | Whether or not local authentication is disabled for the Log Analytics Workspace. | bool | false | no |
| log_analytics_workspace_name | The name of the Log Analytics Workspace to create. | string | n/a | yes |
| log_analytics_workspace_reservation_capacity_in_gb_per_day | The reservation capacity in GB per day for the Log Analytics Workspace. | number | null | no |
| log_analytics_workspace_retention_in_days | The number of days to retain data for the Log Analytics Workspace. | number | 30 | no |
| log_analytics_workspace_sku | The SKU to use for the Log Analytics Workspace. | string | "PerGB2018" | no |
| resource_group_creation_enabled | A boolean flag to determine whether to deploy the Azure Resource Group or not. | bool | true | no |
| resource_group_name | The name of the Azure Resource Group where the resources will be created. | string | n/a | yes |
| tags | A map of tags to apply to the resources created. | map(string) | {} | no |
| tracing_tags_enabled | Whether to enable the tracing tags generated by BridgeCrew Yor. | bool | false | no |
| tracing_tags_prefix | Default prefix for generated tracing tags. | string | "avm_" | no |

Default value of log_analytics_solution_plans:

[
  { "product": "OMSGallery/AgentHealthAssessment", "publisher": "Microsoft" },
  { "product": "OMSGallery/AntiMalware", "publisher": "Microsoft" },
  { "product": "OMSGallery/ChangeTracking", "publisher": "Microsoft" },
  { "product": "OMSGallery/ContainerInsights", "publisher": "Microsoft" },
  { "product": "OMSGallery/Security", "publisher": "Microsoft" },
  { "product": "OMSGallery/SecurityInsights", "publisher": "Microsoft" },
  { "product": "OMSGallery/ServiceMap", "publisher": "Microsoft" },
  { "product": "OMSGallery/SQLAdvancedThreatProtection", "publisher": "Microsoft" },
  { "product": "OMSGallery/SQLAssessment", "publisher": "Microsoft" },
  { "product": "OMSGallery/SQLVulnerabilityAssessment", "publisher": "Microsoft" },
  { "product": "OMSGallery/Updates", "publisher": "Microsoft" },
  { "product": "OMSGallery/VMInsights", "publisher": "Microsoft" }
]
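Several inputs above default to the more permissive setting (local authentication on, public and internet access on, 30-day retention). The module call below is an added example, not from the module's README, showing those inputs overridden for a production management subscription; the resource names and the version placeholder are taken from the page's own example, and the chosen values (365-day retention, a system-assigned identity) are assumptions.

```hcl
module "alz-management" {
  source  = "Azure/alz-management/azurerm"
  version = "<version>" # pin to a released version before use

  automation_account_name      = "aa-prod-eus-001"
  location                     = "eastus"
  log_analytics_workspace_name = "law-prod-eus-001"
  resource_group_name          = "rg-management-eus-001"

  # Log Analytics Workspace hardening (module defaults noted in comments).
  # Turn off shared-key (workspace key) access so only Entra ID principals
  # can read or write; the module default is false, i.e. local auth allowed.
  log_analytics_workspace_local_authentication_disabled = true
  # Keep ingestion and queries off the public internet; both default to true.
  # Assumes an Azure Monitor Private Link Scope already fronts the workspace,
  # which this module does not create.
  log_analytics_workspace_internet_ingestion_enabled = false
  log_analytics_workspace_internet_query_enabled     = false
  # Keep security logs for a year instead of the 30-day default (assumed).
  log_analytics_workspace_retention_in_days = 365

  # Automation Account hardening.
  # Run runbooks under a managed identity instead of stored credentials.
  automation_account_identity = {
    type = "SystemAssigned"
  }
  # Both default to true: disable local auth and the public endpoint.
  automation_account_local_authentication_enabled  = false
  automation_account_public_network_access_enabled = false

  tags = {
    environment = "prod"
    workload    = "management"
  }
  tracing_tags_enabled = true
}
```

Disabling public network access and internet ingestion/query only works once the workspace and the Automation Account are reachable over private endpoints, which this module does not create; apply those two groups of settings together with that network setup rather than in isolation.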

Outputs

Name Description
automation_account A curated output of the Azure Automation Account.
log_analytics_workspace A curated output of the Log Analytics Workspace.
resource_group A curated output of the Azure Resource Group.