Detailed information about how to use, configure and extend this module can be found on our Wiki:

• Home
• User Guide
• Examples
• Frequently Asked Questions
• Troubleshooting
• Contributing

The Azure landing zones Terraform module is designed to accelerate deployment of platform resources based on the Azure landing zones conceptual architecture using Terraform.

This is currently split logically into the following capabilities within the module (links to further guidance on the Wiki):

Using a very simple initial configuration, the module will deploy a management group hierarchy based on the above diagram. This includes the recommended governance baseline, applied using Azure Policy and Access control (IAM) resources deployed at the management group scope. The default configuration can be easily extended to meet differing requirements, and includes the ability to deploy platform resources in the management and connectivity subscriptions.

NOTE: In addition to setting input variables to control which resources are deployed, the module requires setting a Provider Configuration block to enable deployment across multiple subscriptions.

Although resources are logically grouped to simplify operations, the modular design of the module also allows resources to be deployed using different Terraform workspaces. This allows customers to address concerns around managing large state files, or assigning granular permissions to pipelines based on the principle of least privilege. (more information coming soon in the Wiki)

This module has been tested using Terraform 0.15.1 and AzureRM Provider 3.18.0 as a baseline, and various versions to up the latest at time of release. In some cases, individual versions of the AzureRM provider may cause errors. If this happens, we advise upgrading to the latest version and checking our troubleshooting guide before raising an issue.

We recommend starting with the following configuration in your root module to learn what resources are created by the module and how it works.

This will deploy the core components only.

NOTE: For production use we highly recommend using the Terraform Registry and pinning to the latest stable version, as per the example below. Pinning to the main branch in GitHub will give you the latest updates quicker, but increases the likelihood of unplanned changes to your environment and unforeseen issues.

# Configure Terraform to set the required AzureRM provider
# version and features{} block.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.18.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Get the current client configuration from the AzureRM provider.
# This is used to populate the root_parent_id variable with the
# current Tenant ID used as the ID for the "Tenant Root Group"
# management group.

data "azurerm_client_config" "core" {}

# Use variables to customize the deployment

variable "root_id" {
  type    = string
  default = "es"
}

variable "root_name" {
  type    = string
  default = "Enterprise-Scale"
}

# Declare the Azure landing zones Terraform module
# and provide a base configuration.

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "2.4.1"

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name

}

NOTE: For additional guidance on how to customize your deployment using the advanced configuration options for this module, please refer to our User Guide and the additional examples in our documentation.

Please refer to our Module Permissions guide on the Wiki.

The following list outlines some of our most popular examples:

• Examples - Level 100
  • Deploy Default Configuration
  • Deploy Demo Landing Zone Archetypes
• Examples - Level 200
  • Deploy Custom Landing Zone Archetypes
  • Deploy Connectivity Resources
  • Deploy Identity Resources
  • Deploy Management Resources
  • Assign a Built-in Policy
• Examples - Level 300
  • Deploy Connectivity Resources With Custom Settings
  • Deploy Identity Resources With Custom Settings
  • Deploy Management Resources With Custom Settings
  • Expand Built-in Archetype Definitions
  • Create Custom Policies, Policy Sets and Assignments

For the complete list of our latest examples, please refer to our Examples page on the Wiki.

Please see the releases page for the latest module updates.

For upgrade guides from previous versions, please refer to the following links:

• Upgrade from v1.1.4 to v2.0.0
• Upgrade from v0.4.0 to v1.0.0
• Upgrade from v0.3.3 to v0.4.0
• Upgrade from v0.1.2 to v0.2.0
• Upgrade from v0.0.8 to v0.1.0

NOTE: The following statement is applicable from release v2.0.0 onwards

When you deploy one or more modules using the Azure landing zones Terraform module, Microsoft can identify the installation of said module/s with the deployed Azure resources. Microsoft can correlate these resources used to support the software. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft's privacy policies.

If you don't wish to send usage data to Microsoft, details on how to turn it off can be found here.

• MIT License

• Contributing
  • Raising an Issue
  • Feature Requests
  • Contributing to Code
  • Contributing to Documentation