Skip to content

Latest commit

 

History

History
369 lines (287 loc) · 29.2 KB

File metadata and controls

369 lines (287 loc) · 29.2 KB

Terraform Module for Cloud Adoption Framework Enterprise-scale

Build Status GitHub release (latest SemVer)

Detailed information about how to use, configure and extend this module can be found on our Wiki:

Overview

The Terraform Module for Cloud Adoption Framework Enterprise-scale provides an opinionated approach for deploying and managing the core platform capabilities of Cloud Adoption Framework enterprise-scale landing zone architecture using Terraform.

Depending on selected options, this module can deploy different groups of resources as needed.

This is currently split logically into the following capabilities:

These resources can be deployed to multiple Subscriptions by setting the Provider Configuration on the module block.

The following sections outline the different resource types deployed and managed by this module, depending on the configuration options specified.

Core resources

The core capability of this module deploys the foundations of the Cloud Adoption Framework enterprise-scale landing zone architecture, with a focus on the central resource hierarchy and governance:

Enterprise-scale Core Landing Zones Architecture

The following resource types are deployed and managed by this module when using the core capabilities:

Azure Resource Terraform Resource
Management Groups Microsoft.Management/managementGroups azurerm_management_group
Management Group Subscriptions Microsoft.Management/managementGroups/subscriptions azurerm_management_group
Policy Assignments Microsoft.Authorization/policyAssignments azurerm_management_group_policy_assignment
Policy Definitions Microsoft.Authorization/policyDefinitions azurerm_policy_definition
Policy Set Definitions Microsoft.Authorization/policySetDefinitions azurerm_policy_set_definition
Role Assignments Microsoft.Authorization/roleAssignments azurerm_role_assignment
Role Definitions Microsoft.Authorization/roleDefinitions azurerm_role_definition

The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation based on the example below.

NOTE: None of these resources are deployed at the Subscription scope, however Terraform still requires a Subscription to establish an authenticated session with Azure.

Management resources

From release v0.2.0 onwards, the module includes new functionality to enable deployment of Management and monitoring resources into the current Subscription context. This brings the benefit of being able to manage the full lifecycle of these resources using Terraform, with native integration into the corresponding Policy Assignments to ensure full policy compliance.

Enterprise-scale Management Landing Zone Architecture

The following resource types are deployed and managed by this module when the Management resources capabilities are enabled:

Azure Resource Terraform Resource
Resource Groups Microsoft.Resources/resourceGroups azurerm_resource_group
Log Analytics Workspace Microsoft.OperationalInsights/workspaces azurerm_log_analytics_workspace
Log Analytics Solutions Microsoft.OperationsManagement/solutions azurerm_log_analytics_solution
Automation Account Microsoft.Automation/automationAccounts azurerm_automation_account
Log Analytics Linked Service Microsoft.OperationalInsights/workspaces /linkedServices azurerm_log_analytics_linked_service

Please refer to the Deploy Management Resources page on our Wiki for more information about how to use this capability.

Connectivity resources

From release v0.4.0 onwards, the module includes new functionality to enable deployment of Network topology and connectivity resources into the current Subscription context. This is currently limited to the Hub & Spoke network topology, but the addition of Virtual WAN capabilities is on our roadmap (date TBC).

Enterprise-scale Connectivity Landing Zone Architecture

NOTE: The module currently only configures the networking hub, and dependent resources for the Connectivity Subscription. To ensure we achieve the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation of spoke Virtual Networks and Virtual Network Peering. Improving this story is our next priority on the product roadmap.

The following resource types are deployed and managed by this module when the Connectivity resources capabilities are enabled:

Azure Resource Terraform Resource
Resource Groups Microsoft.Resources/resourceGroups azurerm_resource_group
Virtual Networks Microsoft.Network/virtualNetworks azurerm_virtual_network
Subnets Microsoft.Network/virtualNetworks/subnets azurerm_subnet
Virtual Network Gateways Microsoft.Network/virtualNetworkGateways azurerm_virtual_network_gateway
Azure Firewalls Microsoft.Network/azureFirewalls azurerm_firewall
Public IP Addresses Microsoft.Network/publicIPAddresses azurerm_public_ip
DDoS Protection Plans Microsoft.Network/ddosProtectionPlans azurerm_network_ddos_protection_plan
DNS Zones (pending) Microsoft.Network/dnsZones azurerm_dns_zone
Virtual Network Peerings (pending) Microsoft.Network/virtualNetworks/virtualNetworkPeerings azurerm_virtual_network_peering

Please refer to the Deploy Connectivity Resources page on our Wiki for more information about how to use this capability.

Identity resources

From release v0.4.0 onwards, the module includes new functionality to enable deployment of Identity and access management resources into the current Subscription context.

Enterprise-scale Identity Landing Zone Architecture

No additional resources are deployed by this capability, however policy settings relating to the Identity Management Group can now be easily updated via the configure_identity_resources input variable.

Please refer to the Deploy Identity Resources page on our Wiki for more information about how to use this capability.

Terraform versions

This module has been tested using Terraform 0.15.0 and AzureRM Provider 2.77.0 as a baseline, and various versions to up the most recent at the time of release. In some cases, individual versions of the AzureRM provider may cause errors. If this happens, we advise upgrading to the latest version and checking our troubleshooting guide before raising an issue.

Usage

As a basic starting point, we recommend starting with the following configuration in your root module.

This will deploy the core components only.

NOTE: For production use we highly recommend using the Terraform Registry and pinning to the latest stable version, as per the example below. Pinning to the main branch in GitHub will give you the latest updates quicker, but increases the likelihood of unplanned changes to your environment and unforeseen issues.

main.tf

# Configure Terraform to set the required AzureRM provider
# version and features{} block.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.77.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Get the current client configuration from the AzureRM provider.
# This is used to populate the root_parent_id variable with the
# current Tenant ID used as the ID for the "Tenant Root Group"
# Management Group.

data "azurerm_client_config" "core" {}

# Use variables to customize the deployment

variable "root_id" {
  type    = string
  default = "es"
}

variable "root_name" {
  type    = string
  default = "Enterprise-Scale"
}

# Declare the Terraform Module for Cloud Adoption Framework
# Enterprise-scale and provide a base configuration.

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "1.1.0"

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name

}

For additional guidance on how to customize your deployment using the advanced configuration options for this module, please refer to our User Guide and the additional examples in our documentation.

Permissions

Please refer to our Module Permissions guide on the Wiki.

Examples

For the latest examples, please refer to our Examples guide on the Wiki.

Release Notes

Release v1.1.0 introduces the following changes:

{
  settings = {
    # (1 unchanged element hidden)
    security_center = {
      # (1 unchanged element hidden)
      config = {
        # (7 unchanged elements hidden)
        enable_defender_for_oss_databases  = true
        # (4 unchanged elements hidden)
      }
    }
  }
  # (3 unchanged elements hidden)
}

For upgrade guides from previous versions, please refer to the following links:

License

Contributing