https://github.com/Azure/terraform-azurerm-lz-vending
Terraform module to deploy landing zone subscriptions (and much more) in Azure
https://github.com/Azure/terraform-azurerm-lz-vending
azapi-modules azure azurerm-modules terraform terraform-module
Last synced: about 2 months ago
JSON representation
Terraform module to deploy landing zone subscriptions (and much more) in Azure
- Host: GitHub
- URL: https://github.com/Azure/terraform-azurerm-lz-vending
- Owner: Azure
- License: mit
- Created: 2022-05-25T15:42:59.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2025-04-28T16:20:03.000Z (about 2 months ago)
- Last Synced: 2025-04-30T12:23:56.473Z (about 2 months ago)
- Topics: azapi-modules, azure, azurerm-modules, terraform, terraform-module
- Language: Go
- Homepage: https://registry.terraform.io/modules/Azure/lz-vending/azurerm
- Size: 6.8 MB
- Stars: 183
- Watchers: 16
- Forks: 89
- Open Issues: 24
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
- Support: SUPPORT.md
Awesome Lists containing this project
- jimsghstars - Azure/terraform-azurerm-lz-vending - Terraform module to deploy landing zone subscriptions (and much more) in Azure (Go)
README
# Terraform landing zone vending module for Azure
[](http://isitmaintained.com/project/Azure/terraform-azurerm-lz-vending "Average time to resolve an issue")
[](http://isitmaintained.com/project/Azure/terraform-azurerm-lz-vending "Percentage of issues still open")
[](https://scorecard.dev/viewer/?uri=github.com/Azure/terraform-azurerm-lz-vending)
## Overview
The landing zone Terraform module is designed to accelerate deployment of individual landing zones within an Azure tenant.
We use the [AzAPI](https://registry.terraform.io/providers/azure/azapi/latest) provider to create the subscription and deploy the resources in a single `terraform apply` step.
The module is designed to be instantiated many times, once for each desired landing zone.
This is currently split logically into the following capabilities:
- Subscription creation and management group placement
- Networking - deploy multiple vnets with:
- Hub & spoke connectivity (peering to a hub network)
- vWAN connectivity
- Mesh peering (peering between spokes)
- Role assignments
- Resource provider (and feature) registration
- Resource group creation
- User assigned managed identity creation
- Federated credential configuration for GitHub Actions, Terraform Cloud, and other providers.
> When creating virtual network peerings, be aware of the [limit of peerings per virtual network](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#azure-resource-manager-virtual-networking-limits).
We would like feedback on what's missing in the module.
Please raise an [issue](https://github.com/Azure/terraform-azurerm-lz-vending/issues) if you have any suggestions.
## Change log
Please see the [GitHub releases pages](https://github.com/Azure/terraform-azurerm-lz-vending/releases) for change log information.
## Notes
Please see the content in the [wiki](https://github.com/Azure/terraform-azurerm-lz-vending/wiki) for more detailed information.
## Example
The below example created a landing zone subscription with two virtual networks.
One virtual network is in the default location of the subscription, the other is in a different location.
The virtual networks are peered with the supplied hub network resource ids, they are also peered with each other using the mesh peering option.
```terraform
module "lz_vending" {
source = "Azure/lz-vending/azurerm"
version = "" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
# Set the default location for resources
location = "westeurope"
# subscription variables
subscription_alias_enabled = true
subscription_billing_scope = "/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456"
subscription_display_name = "my-subscription-display-name"
subscription_alias_name = "my-subscription-alias"
subscription_workload = "Production"
# management group association variables
subscription_management_group_association_enabled = true
subscription_management_group_id = "Corp"
# virtual network variables
virtual_network_enabled = true
virtual_networks = {
one = {
name = "my-vnet"
address_space = ["192.168.1.0/24"]
hub_peering_enabled = true
hub_network_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-hub-network-rg/providers/Microsoft.Network/virtualNetworks/my-hub-network"
mesh_peering_enabled = true
}
two = {
name = "my-vnet2"
location = "northeurope"
address_space = ["192.168.2.0/24"]
hub_peering_enabled = true
hub_network_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-hub-network-rg/providers/Microsoft.Network/virtualNetworks/my-hub-network2"
mesh_peering_enabled = true
}
}
umi_enabled = true
umi_name = "umi"
umi_resource_group_name = "rg-identity"
umi_role_assignments = {
myrg-contrib = {
definition = "Contributor"
relative_scope = "/resourceGroups/MyRg"
}
}
resource_group_creation_enabled = true
resource_groups = {
nwrg = {
name = "NetworkWatcherRG"
location = "westeurope"
}
myrg = {
name = "MyRg"
location = "westeurope"
}
}
# role assignments
role_assignment_enabled = true
role_assignments = {
# using role definition name, created at subscription scope
contrib_user_sub = {
principal_id = "00000000-0000-0000-0000-000000000000"
definition = "Contributor"
relative_scope = ""
},
# using a custom role definition
custdef_sub_scope = {
principal_id = "11111111-1111-1111-1111-111111111111"
definition = "/providers/Microsoft.Management/MyMg/providers/Microsoft.Authorization/roleDefinitions/ffffffff-ffff-ffff-ffff-ffffffffffff"
relative_scope = ""
},
# using relative scope (to the created or supplied subscription)
rg_owner = {
principal_id = "00000000-0000-0000-0000-000000000000"
definition = "Owner"
relative_scope = "/resourceGroups/MyRg"
},
}
}
```
## Documentation
## Requirements
The following requirements are needed by this module:
- [terraform](#requirement\_terraform) (~> 1.10)
- [azapi](#requirement\_azapi) (~> 2.2)
- [time](#requirement\_time) (~> 0.9)
## Modules
The following Modules are called:
Source: ./modules/budget
Version:
### [networksecuritygroup](#module\_networksecuritygroup)
Source: ./modules/networksecuritygroup
Version:
### [resourcegroup](#module\_resourcegroup)
Source: ./modules/resourcegroup
Version:
### [resourceproviders](#module\_resourceproviders)
Source: ./modules/resourceprovider
Version:
### [roleassignment](#module\_roleassignment)
Source: ./modules/roleassignment
Version:
### [roleassignment\_umi](#module\_roleassignment\_umi)
Source: ./modules/roleassignment
Version:
### [routetable](#module\_routetable)
Source: ./modules/routetable
Version:
### [subscription](#module\_subscription)
Source: ./modules/subscription
Version:
### [usermanagedidentity](#module\_usermanagedidentity)
Source: ./modules/usermanagedidentity
Version:
### [virtualnetwork](#module\_virtualnetwork)
Source: ./modules/virtualnetwork
Version:
## Required Inputs
The following input variables are required:
### [location](#input\_location)
Description: The default location of resources created by this module.
Virtual networks will be created in this location unless overridden by the `location` attribute.
Type: `string`
## Optional Inputs
The following input variables are optional (have default values):
### [budget\_enabled](#input\_budget\_enabled)
Description: Whether to create budgets.
If enabled, supply the list of budgets in `var.budgets`.
Type: `bool`
Default: `false`
### [budgets](#input\_budgets)
Description: Map of budgets to create for the subscription.
- `amount` - The total amount of cost to track with the budget.
- `time_grain` - The time grain for the budget. Must be one of Annually, BillingAnnual, BillingMonth, BillingQuarter, Monthly, or Quarterly.
- `time_period_start` - The start date for the budget.
- `time_period_end` - The end date for the budget.
- `relative_scope` - (optional) Scope relative to the created subscription. Omit, or leave blank for subscription scope.
- `notifications` - (optional) The notifications to create for the budget.
- `enabled` - Whether the notification is enabled.
- `operator` - The operator for the notification. Must be one of GreaterThan or GreaterThanOrEqualTo.
- `threshold` - The threshold for the notification. Must be between 0 and 1000.
- `threshold_type` - The threshold type for the notification. Must be one of Actual or Forecasted.
- `contact_emails` - The contact emails for the notification.
- `contact_roles` - The contact roles for the notification.
- `contact_groups` - The contact groups for the notification.
- `locale` - The locale for the notification. Must be in the format xx-xx.
time\_period\_start and time\_period\_end must be UTC in RFC3339 format, e.g. 2018-05-13T07:44:12Z.
Example value:
```terraform
subscription_budgets = {
budget1 = {
amount = 150
time_grain = "Monthly"
time_period_start = "2024-01-01T00:00:00Z"
time_period_end = "2027-12-31T23:59:59Z"
notifications = {
eightypercent = {
enabled = true
operator = "GreaterThan"
threshold = 80
threshold_type = "Actual"
contact_emails = ["[email protected]"]
}
budgetexceeded = {
enabled = true
operator = "GreaterThan"
threshold = 120
threshold_type = "Forecasted"
contact_roles = ["Owner"]
}
}
}
}
```
Type:
```hcl
map(object({
amount = number
time_grain = string
time_period_start = string
time_period_end = string
relative_scope = optional(string, "")
notifications = optional(map(object({
enabled = bool
operator = string
threshold = number
threshold_type = optional(string, "Actual")
contact_emails = optional(list(string), [])
contact_roles = optional(list(string), [])
contact_groups = optional(list(string), [])
locale = optional(string, "en-us")
})), {})
}))
```
Default: `{}`
### [disable\_telemetry](#input\_disable\_telemetry)
Description: To disable tracking, we have included this variable with a simple boolean flag.
The default value is `false` which does not disable the telemetry.
If you would like to disable this tracking, then simply set this value to true and this module will not create the telemetry tracking resources and therefore telemetry tracking will be disabled.
For more information, see the [wiki](https://aka.ms/lz-vending/tf/telemetry)
E.g.
```terraform
module "lz_vending" {
source = "Azure/lz-vending/azurerm"
version = "" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
# ... other module variables
disable_telemetry = true
}
```
Type: `bool`
Default: `false`
### [network\_security\_group\_enabled](#input\_network\_security\_group\_enabled)
Description: Whether to create network security groups and security rules in the target subscription. Requires `var.network_security_groups`.
Type: `bool`
Default: `false`
### [network\_security\_groups](#input\_network\_security\_groups)
Description: A map of the network security groups to create. The map key must be known at the plan stage, e.g. must not be calculated and known only after apply.
### Required fields
- `name`: The name of the network security group. Changing this forces a new resource to be created. [required]
- `resource_group_name`: The resource group name to create the network security group in. This assumes the resource group is within the subscription being used or created during the lz-vending module call. Changing this forces a new resource to be created. [required]
### Location
- `location`: The supported Azure location where the resource exists. Changing this forces a new resource to be created.
### Tags
- `tags`: A map of tags to apply to the virtual network. [optional - default empty]
### Security Rules
- `security_rules` - (Optional) A map of security rules to create within the network network security group. The value is an object with the following fields:
- `access` - (Required) Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.
- `description` - (Optional) A description for this rule. Restricted to 140 characters.
- `destination_address_prefix` - (Optional) CIDR or destination IP range or * to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used. Besides, it also supports all available Service Tags like ‘Sql.WestEurope‘, ‘Storage.EastUS‘, etc. You can list the available service tags with the CLI: ```shell az network list-service-tags --location westcentralus
```. For further information please see [Azure CLI
- `destination_address_prefixes` - (Optional) List of destination address prefixes. Tags may not be used. This is required if `destination_address_prefix` is not specified.
- `destination_application_security_group_ids` - (Optional) A List of destination Application Security Group IDs
- `destination_port_range` - (Optional) Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any. This is required if `destination_port_ranges` is not specified.
- `destination_port_ranges` - (Optional) List of destination ports or port ranges. This is required if `destination_port_range` is not specified.
- `direction` - (Required) The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.
- `name` - (Required) The name of the security rule. This needs to be unique across all Rules in the Network Security Group. Changing this forces a new resource to be created.
- `priority` - (Required) Specifies the priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.
- `protocol` - (Required) Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, `Esp`, `Ah` or `*` (which matches all).
- `source_address_prefix` - (Optional) CIDR or source IP range or * to match any IP. Tags such as `VirtualNetwork`, `AzureLoadBalancer` and `Internet` can also be used. This is required if `source_address_prefixes` is not specified.
- `source_address_prefixes` - (Optional) List of source address prefixes. Tags may not be used. This is required if `source_address_prefix` is not specified.
- `source_application_security_group_ids` - (Optional) A List of source Application Security Group IDs
- `source_port_range` - (Optional) Source Port or Range. Integer or range between `0` and `65535` or `*` to match any. This is required if `source_port_ranges` is not specified.
- `source_port_ranges` - (Optional) List of source ports or port ranges. This is required if `source_port_range` is not specified.
Type:
```hcl
map(object({
name = string
location = optional(string)
resource_group_name = string
tags = optional(map(string))
security_rules = optional(map(object({
access = string
description = optional(string)
destination_address_prefix = optional(string)
destination_address_prefixes = optional(set(string))
destination_application_security_group_ids = optional(set(string))
destination_port_range = optional(string)
destination_port_ranges = optional(set(string))
direction = string
name = string
priority = number
protocol = string
source_address_prefix = optional(string)
source_address_prefixes = optional(set(string))
source_application_security_group_ids = optional(set(string))
source_port_range = optional(string)
source_port_ranges = optional(set(string))
})))
}))
```
Default: `{}`
### [resource\_group\_creation\_enabled](#input\_resource\_group\_creation\_enabled)
Description: Whether to create additional resource groups in the target subscription. Requires `var.resource_groups`.
Type: `bool`
Default: `false`
### [resource\_groups](#input\_resource\_groups)
Description: A map of the resource groups to create. The value is an object with the following attributes:
- `name` - the name of the resource group
- `location` - the location of the resource group
- `tags` - (optional) a map of type string
We recommend that you include an entry to create the NetworkWatcherRG resource group so that this is managed by Terraform.
Type:
```hcl
map(object({
name = string
location = string
tags = optional(map(string), {})
}))
```
Default: `{}`
### [role\_assignment\_enabled](#input\_role\_assignment\_enabled)
Description: Whether to create role assignments.
If enabled, supply the list of role assignments in `var.role_assignments`.
Type: `bool`
Default: `false`
### [role\_assignments](#input\_role\_assignments)
Description: Supply a map of objects containing the details of the role assignments to create.
Object fields:
- `principal_id`: The directory/object id of the principal to assign the role to.
- `definition`: The role definition to assign. Either use the name or the role definition resource id.
- `relative_scope`: (optional) Scope relative to the created subscription. Omit, or leave blank for subscription scope.
- `condition`: (optional) A condition to apply to the role assignment. See [Conditions Custom Security Attributes](https://learn.microsoft.com/azure/role-based-access-control/conditions-custom-security-attributes) for more details.
- `condition_version`: (optional) The version of the condition syntax. See [Conditions Custom Security Attributes](https://learn.microsoft.com/azure/role-based-access-control/conditions-custom-security-attributes) for more details.
- `principal_type`: (optional) The type of the principal. Can be `"User"`, `"Group"`, `"Device"`, `"ForeignGroup"`, or `"ServicePrincipal"`.
- `definition_lookup_enabled`: (optional) Whether to look up the role definition resource id from the role definition name. If disabled, the `definition` must be a role definition resource id. Default is `true`.
E.g.
```terraform
role_assignments = {
# Example using role definition name:
contributor_user = {
principal_id = "00000000-0000-0000-0000-000000000000",
definition = "Contributor",
relative_scope = "",
condition = "(!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})",
condition_version = "2.0",
},
# Example using role definition id and RG scope:
myrg_custom_role = {
principal_id = "11111111-1111-1111-1111-111111111111",
definition = "/providers/Microsoft.Management/managementGroups/mymg/providers/Microsoft.Authorization/roleDefinitions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
relative_scope = "/resourceGroups/MyRg",
}
}
```
Type:
```hcl
map(object({
principal_id = string,
definition = string,
relative_scope = optional(string, "")
condition = optional(string)
condition_version = optional(string)
principal_type = optional(string)
definition_lookup_enabled = optional(bool, true)
}))
```
Default: `{}`
### [route\_table\_enabled](#input\_route\_table\_enabled)
Description: Whether to create route tables and routes in the target subscription. Requires `var.route_tables`.
Type: `bool`
Default: `false`
### [route\_tables](#input\_route\_tables)
Description: A map defining route tables and their associated routes to be created:
- `name` (required): The name of the route table.
- `location` (required): The location of the resource group.
- `resource_group_name` (required): The name of the resource group.
- `bgp_route_propagation_enabled` (optional): Boolean that controls whether routes learned by BGP are propagated to the route table. Default is `true`.
- `tags` (optional): A map of key-value pairs for tags associated with the route table.
- `routes` (optional): A map defining routes for the route table. Each route object has the following properties:
- `name` (required): The name of the route.
- `address_prefix` (required): The address prefix for the route.
- `next_hop_type` (required): The type of next hop for the route.
- `next_hop_in_ip_address` (required): The next hop IP address for the route.
Type:
```hcl
map(object({
name = string
location = string
resource_group_name = string
bgp_route_propagation_enabled = optional(bool, true)
tags = optional(map(string))
routes = optional(map(object({
name = string
address_prefix = string
next_hop_type = string
next_hop_in_ip_address = string
})))
}))
```
Default: `{}`
### [subscription\_alias\_enabled](#input\_subscription\_alias\_enabled)
Description: Whether to create a new subscription using the subscription alias resource.
If enabled, the following must also be supplied:
- `subscription_alias_name`
- `subscription_display_name`
- `subscription_billing_scope`
- `subscription_workload`
Optionally, supply the following to enable the placement of the subscription into a management group:
- `subscription_management_group_id`
- `subscription_management_group_association_enabled`
If disabled, supply the `subscription_id` variable to use an existing subscription instead.
> **Note**: When the subscription is destroyed, this module will try to remove the NetworkWatcherRG resource group using `az cli`.
> This requires the `az cli` tool be installed and authenticated.
> If the command fails for any reason, the provider will attempt to cancel the subscription anyway.
Type: `bool`
Default: `false`
### [subscription\_alias\_name](#input\_subscription\_alias\_name)
Description: The name of the subscription alias.
The string must be comprised of a-z, A-Z, 0-9, - and \_.
The maximum length is 63 characters.
You may also supply an empty string if you do not want to create a new subscription alias.
In this scenario, `subscription_enabled` should be set to `false` and `subscription_id` must be supplied.
Type: `string`
Default: `null`
### [subscription\_billing\_scope](#input\_subscription\_billing\_scope)
Description: The billing scope for the new subscription alias.
A valid billing scope starts with `/providers/Microsoft.Billing/billingAccounts/` and is case sensitive.
E.g.
- For CustomerLed and FieldLed, e.g. MCA - `/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/billingProfiles/{billingProfileName}/invoiceSections/{invoiceSectionName}`
- For PartnerLed, e.g. MPA - `/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/customers/{customerName}`
- For Legacy EA - `/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/enrollmentAccounts/{enrollmentAccountName}`
You may also supply an empty string if you do not want to create a new subscription alias.
In this scenario, `subscription_enabled` should be set to `false` and `subscription_id` must be supplied.
Type: `string`
Default: `null`
### [subscription\_display\_name](#input\_subscription\_display\_name)
Description: The display name of the subscription alias.
The string must be comprised of a-z, A-Z, 0-9, -, \_ and space.
The maximum length is 63 characters.
You may also supply an empty string if you do not want to create a new subscription alias.
In this scenario, `subscription_enabled` should be set to `false` and `subscription_id` must be supplied.
Type: `string`
Default: `null`
### [subscription\_id](#input\_subscription\_id)
Description: An existing subscription id.
Use this when you do not want the module to create a new subscription.
But do want to manage the management group membership.
A GUID should be supplied in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
All letters must be lowercase.
When using this, `subscription_management_group_association_enabled` should be enabled,
and `subscription_management_group_id` should be supplied.
You may also supply an empty string if you want to create a new subscription alias.
In this scenario, `subscription_alias_enabled` should be set to `true` and the following other variables must be supplied:
- `subscription_alias_name`
- `subscription_alias_display_name`
- `subscription_alias_billing_scope`
- `subscription_alias_workload`
Type: `string`
Default: `null`
### [subscription\_management\_group\_association\_enabled](#input\_subscription\_management\_group\_association\_enabled)
Description: Whether to create the management group association resource.
If enabled, the `subscription_management_group_id` must also be supplied.
Type: `bool`
Default: `false`
### [subscription\_management\_group\_id](#input\_subscription\_management\_group\_id)
Description: The destination management group ID for the new subscription.
**Note:** Do not supply the display name.
The management group ID forms part of the Azure resource ID. E.g.,
`/providers/Microsoft.Management/managementGroups/{managementGroupId}`.
Type: `string`
Default: `null`
### [subscription\_register\_resource\_providers\_and\_features](#input\_subscription\_register\_resource\_providers\_and\_features)
Description: The map of resource providers to register.
The map keys are the resource provider namespace, e.g. `Microsoft.Compute`.
The map values are a list of provider features to enable.
Leave the value empty to not register any resource provider features.
The default values are taken from [Hashicorp's AzureRM provider](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/resourceproviders/required.go).
Type: `map(set(string))`
Default:
```json
{
"Microsoft.AVS": [],
"Microsoft.ApiManagement": [],
"Microsoft.AppPlatform": [],
"Microsoft.Authorization": [],
"Microsoft.Automation": [],
"Microsoft.Blueprint": [],
"Microsoft.BotService": [],
"Microsoft.Cache": [],
"Microsoft.Cdn": [],
"Microsoft.CognitiveServices": [],
"Microsoft.Compute": [],
"Microsoft.ContainerInstance": [],
"Microsoft.ContainerRegistry": [],
"Microsoft.ContainerService": [],
"Microsoft.CostManagement": [],
"Microsoft.CustomProviders": [],
"Microsoft.DBforMariaDB": [],
"Microsoft.DBforMySQL": [],
"Microsoft.DBforPostgreSQL": [],
"Microsoft.DataLakeAnalytics": [],
"Microsoft.DataLakeStore": [],
"Microsoft.DataMigration": [],
"Microsoft.DataProtection": [],
"Microsoft.Databricks": [],
"Microsoft.DesktopVirtualization": [],
"Microsoft.DevTestLab": [],
"Microsoft.Devices": [],
"Microsoft.DocumentDB": [],
"Microsoft.EventGrid": [],
"Microsoft.EventHub": [],
"Microsoft.GuestConfiguration": [],
"Microsoft.HDInsight": [],
"Microsoft.HealthcareApis": [],
"Microsoft.KeyVault": [],
"Microsoft.Kusto": [],
"Microsoft.Logic": [],
"Microsoft.MachineLearningServices": [],
"Microsoft.Maintenance": [],
"Microsoft.ManagedIdentity": [],
"Microsoft.ManagedServices": [],
"Microsoft.Management": [],
"Microsoft.Maps": [],
"Microsoft.MarketplaceOrdering": [],
"Microsoft.MixedReality": [],
"Microsoft.Network": [],
"Microsoft.NotificationHubs": [],
"Microsoft.OperationalInsights": [],
"Microsoft.OperationsManagement": [],
"Microsoft.PolicyInsights": [],
"Microsoft.PowerBIDedicated": [],
"Microsoft.RecoveryServices": [],
"Microsoft.Relay": [],
"Microsoft.Resources": [],
"Microsoft.Search": [],
"Microsoft.Security": [],
"Microsoft.SecurityInsights": [],
"Microsoft.ServiceBus": [],
"Microsoft.ServiceFabric": [],
"Microsoft.Sql": [],
"Microsoft.Storage": [],
"Microsoft.StreamAnalytics": [],
"Microsoft.Web": [],
"microsoft.insights": []
}
```
### [subscription\_register\_resource\_providers\_enabled](#input\_subscription\_register\_resource\_providers\_enabled)
Description: Whether to register resource providers for the subscription.
Use `var.subscription_register_resource_providers_and_features` to customize registration.
Type: `bool`
Default: `false`
### [subscription\_tags](#input\_subscription\_tags)
Description: A map of tags to assign to the newly created subscription.
Only valid when `subsciption_alias_enabled` is set to `true`.
Example value:
```terraform
subscription_tags = {
mytag = "myvalue"
mytag2 = "myvalue2"
}
```
Type: `map(string)`
Default: `{}`
### [subscription\_update\_existing](#input\_subscription\_update\_existing)
Description: Whether to update an existing subscription with the supplied tags and display name.
If enabled, the following must also be supplied:
- `subscription_id`
Type: `bool`
Default: `false`
### [subscription\_workload](#input\_subscription\_workload)
Description: The billing scope for the new subscription alias.
The workload type can be either `Production` or `DevTest` and is case sensitive.
You may also supply an empty string if you do not want to create a new subscription alias.
In this scenario, `subscription_enabled` should be set to `false` and `subscription_id` must be supplied.
Type: `string`
Default: `null`
### [umi\_enabled](#input\_umi\_enabled)
Description: Whether to enable the creation of a user-assigned managed identity.
Requires `umi.name` and `umi.resosurce_group_name` to be non-empty.
Type: `bool`
Default: `false`
### [user\_managed\_identities](#input\_user\_managed\_identities)
Description: A map of user-managed identities to create. The map key must be known at the plan stage, e.g. must not be calculated and known only after apply. The value is a map of attributes.
### Required fields
- `name`: The name of the user-assigned managed identity. [required]
- `resource_group_name`: The name of the resource group to create the user-assigned managed identity in. [required]
### Optional fields
- `location`: The location of the user-assigned managed identity. [optional]
- `tags`: The tags to apply to the user-assigned managed identity. [optional]
### Resource group values [DEPRECATED]
**Note:** The creation of resource groups should be done using the resource module, in v6.0.0 these variables will be retired.
- `resource_group_creation_enabled`: Whether to create a resource group for the user managed identity. [optional - default `true`]
- `resource_group_tags`: The tags to apply to the user-assigned managed identity resource group, if we create it. [optional]
- `resource_group_lock_enabled`: Whether to enable resource group lock for the user-assigned managed identity resource group. [optional]
- `resource_group_lock_name`: The name of the resource group lock for the user-assigned managed identity resource group, if blank will be set to `lock-`. [optional]
### Role Based Access Control (RBAC)
The following fields are used to configure role assignments for the user-assigned managed identity.
- `role_assignments`: A map of role assignments to create for the user-assigned managed identity. [optional] - See `role_assignments` variable for details.
### Federated Credentials
The following fields are used to configure federated identity credentials, using OpenID Connect, for use in GitHub actions, Azure DevOps pipelines, and Terraform Cloud.
#### GitHub Actions
- `federated_credentials_github`: A map of federated credentials to create for the user-assigned managed identity. [optional]
- `name` - the name of the federated credential resource, the last segment of the Azure resource id.
- `organization` - the name of the GitHub organization, e.g. `Azure` in `https://github.com/Azure/terraform-azurerm-lz-vending`.
- `repository` - the name of the GitHub respository, e.g. `terraform-azurerm-lz-vending` in `https://github.com/Azure/terraform-azurerm-lz-vending`.
- `entity` - one of 'environment', 'pull\_request', 'tag', or 'branch'
- `value` - identifies the `entity` type, e.g. `main` when using entity is `branch`. Should be blank when `entity` is `pull_request`.
#### Terraform Cloud
- `federated_credentials_terraform_cloud`: A map of federated credentials to create for the user-assigned managed identity. [optional]
- `name` - the name of the federated credential resource, the last segment of the Azure resource id.
- `organization` - the name of the Terraform Cloud organization.
- `project` - the name of the Terraform Cloud project.
- `workspace` - the name of the Terraform Cloud workspace.
- `run_phase` - one of `plan`, or `apply`.
#### Advanced Federated Credentials
- `federated_credentials_advanced`: A map of federated credentials to create for the user-assigned managed identity. [optional]
- `name`: The name of the federated credential resource, the last segment of the Azure resource id.
- `subject_identifier`: The subject of the token.
- `issuer_url`: The URL of the token issuer, should begin with `https://`
- `audience`: (optional) The token audience, defaults to `api://AzureADTokenExchange`.
Type:
```hcl
map(object({
name = string
resource_group_name = string
location = optional(string)
tags = optional(map(string), {})
resource_group_creation_enabled = optional(bool, true)
resource_group_tags = optional(map(string), {})
resource_group_lock_enabled = optional(bool, true)
resource_group_lock_name = optional(string)
role_assignments = optional(map(object({
definition = string
relative_scope = optional(string, "")
condition = optional(string)
condition_version = optional(string)
principal_type = optional(string)
definition_lookup_enabled = optional(bool, true)
})), {})
federated_credentials_github = optional(map(object({
name = optional(string)
organization = string
repository = string
entity = string
value = optional(string)
})), {})
federated_credentials_terraform_cloud = optional(map(object({
name = optional(string)
organization = string
project = string
workspace = string
run_phase = string
})), {})
federated_credentials_advanced = optional(map(object({
name = string
subject_identifier = string
issuer_url = string
audiences = optional(set(string), ["api://AzureADTokenExchange"])
})), {})
}))
```
Default: `{}`
### [virtual\_network\_enabled](#input\_virtual\_network\_enabled)
Description: Enables and disables the virtual network submodule.
Type: `bool`
Default: `false`
### [virtual\_networks](#input\_virtual\_networks)
Description: A map of the virtual networks to create. The map key must be known at the plan stage, e.g. must not be calculated and known only after apply.
### Required fields
- `name`: The name of the virtual network. [required]
- `address_space`: The address space of the virtual network as a list of strings in CIDR format, e.g. `["192.168.0.0/24", "10.0.0.0/24"]`. [required]
- `resource_group_name`: The name of the resource group to create the virtual network in. [required]
### DNS servers
- `dns_servers`: A list of DNS servers to use for the virtual network, e.g. `["192.168.0.1", "10.0.0.1"]`. If empty will use the Azure default DNS. [optional - default empty list]
### DDOS protection plan
- `ddos_protection_enabled`: Whether to enable ddos protection. [optional]
- `ddos_protection_plan_id`: The resource ID of the protection plan to attach the vnet. [optional - but required if ddos\_protection\_enabled is `true`]
### Location
- `location`: The location of the virtual network (and resource group if creation is enabled). [optional, will use `var.location` if not specified or empty string]
> Note at least one of `location` or `var.location` must be specified.
> If both are empty then the module will fail.
#### Subnets
- `subnets` - (Optional) A map of subnets to create in the virtual network. The value is an object with the following fields:
- `name` - The name of the subnet.
- `address_prefixes` - The IPv4 address prefixes to use for the subnet in CIDR format.
- `nat_gateway` - (Optional) An object with the following fields:
- `id` - The ID of the NAT Gateway which should be associated with the Subnet. Changing this forces a new resource to be created.
- `network_security_group` - (Optional) An object with the following fields:
- `id` - The ID of the Network Security Group which should be associated with the Subnet. Changing this forces a new association to be created.
- `key_reference` - The name of the var.network\_security\_group map key that should be associated with the subnet once it has been provisioned. If you are passing in an `id` value, this will not be used.
- `private_endpoint_network_policies_enabled` - (Optional) Enable or Disable network policies for the private endpoint on the subnet. Setting this to true will Enable the policy and setting this to false will Disable the policy. Defaults to true.
- `private_link_service_network_policies_enabled` - (Optional) Enable or Disable network policies for the private link service on the subnet. Setting this to true will Enable the policy and setting this to false will Disable the policy. Defaults to true.
- `route_table` - (Optional) An object with the following fields which are mutually exclusive, choose either an external route table or the generated route table:
- `id` - The ID of the Route Table which should be associated with the Subnet. Changing this forces a new association to be created.
- `key_reference` - The name of the var.route\_tables map key that should be associated with the subnet once it has been provisioned. If you are passing in an `id` value, this will not be used.
- `default_outbound_access_enabled` - (Optional) Whether to allow internet access from the subnet. Defaults to `false`.
- `service_endpoints` - (Optional) The list of Service endpoints to associate with the subnet.
- `service_endpoint_policies` - (Optional) The list of Service Endpoint Policy objects with the resource id to associate with the subnet.
- `id` - The ID of the endpoint policy that should be associated with the subnet.
- `service_endpoint_policy_assignment_enabled` - (Optional) Should the Service Endpoint Policy be assigned to the subnet? Default `true`.
- `delegation` - (Optional) An object with the following fields:
- `name` - The name of the delegation.
- `service_delegation` - An object with the following fields:
- `name` - The name of the service delegation.
- `actions` - A list of actions that should be delegated, the list is specific to the service being delegated.
### Hub network peering values
The following values configure bi-directional hub & spoke peering for the given virtual network:
- `hub_peering_enabled`: Whether to enable hub peering. [optional]
- `hub_peering_direction`: The direction of the peering. [optional - allowed values are: `tohub`, `fromhub` or `both` - default `both`]
- `hub_network_resource_id`: The resource ID of the hub network to peer with. [optional - but required if hub\_peering\_enabled is `true`]
- `hub_peering_name_tohub`: The name of the peering to the hub network. [optional - leave empty to use calculated name]
- `hub_peering_name_fromhub`: The name of the peering from the hub network. [optional - leave empty to use calculated name]
#### Hub network peering options
The following values configure the options for the hub network peering. These are configurable in each direction:
- `allow_forwarded_traffic`: Whether to allow forwarded traffic for the peering. [optional - default `true`]
- `allow_gateway_transit`: Whether to allow gateway transit for the peering. [optional - default `false` (outbound) or `true` (inbound)]
- `allow_virtual_network_access`: Whether to allow virtual network access for the peering. [optional - default `true`]
- `do_not_verify_remote_gateways`: Whether to not verify remote gateways for the peering. [optional - default `false`]
- `enable_only_ipv6_peering`: Whether to enable only IPv6 peering. [optional - default `false`]
- `local_peered_address_spaces`: A list of local address spaces to peer with. [optional - default empty and only used if `peer_complete_vnets` is `false`]
- `local_peered_subnets`: A list of local subnets to peer with. [optional - default empty and only used if `peer_complete_vnets` is `false`]
- `peer_complete_vnets`: Whether to peer complete virtual networks. [optional - default `true`]
- `remote_peered_address_spaces`: A list of remote address spaces to peer with. [optional - default empty and only used if `peer_complete_vnets` is `false`]
- `remote_peered_subnets`: A list of remote subnets to peer with. [optional - default empty and only used if `peer_complete_vnets` is `false`]
- `use_remote_gateways`: Whether to use remote gateways for the peering. [optional - default `true` (outbound) or `false` (inbound)]
### Mesh peering values
Mesh peering is the capability to create a bi-directional peerings between all supplied virtual networks in `var.virtual_networks`.
Peerings will only be created between virtual networks with the `mesh_peering_enabled` value set to `true`.
- `mesh_peering_enabled`: Whether to enable mesh peering for this virtual network. Must be enabled on more than one virtual network for any peerings to be created. [optional]
- `mesh_peering_allow_forwarded_traffic`: Whether to allow forwarded traffic for the mesh peering. [optional - default false]
### Resource group values [DEPRECATED]
**Note:** The creation of resource groups should be done using the resource module, in v6.0.0 these variables will be retired from the virtual network objects.
The default is that a resource group will be created for each resource\_group\_name specified in the `var.virtual_networks` map.
It is possible to use a pre-existing resource group by setting `resource_group_creation_enabled` to `false`.
We recommend using resource groups aligned to the region of the virtual network,
however if you want multiple virtual networks in more than one location to share a resource group,
only one of the virtual networks should have `resource_group_creation_enabled` set to `true`.
- `resource_group_creation_enabled`: Whether to create a resource group for the virtual network. [optional - default `true`]
- `resource_group_lock_enabled`: Whether to create a `CanNotDelete` resource lock on the resource group. [optional - default `true`]
- `resource_group_lock_name`: The name of the resource lock. [optional - leave empty to use calculated name]
- `resource_group_tags`: A map of tags to apply to the resource group, e.g. `{ mytag = "myvalue", mytag2 = "myvalue2" }`. [optional - default empty]
### Virtual WAN values
- `vwan_associated_routetable_resource_id`: The resource ID of the route table to associate with the virtual network. [optional - leave empty to use `defaultRouteTable` on hub]
- `vwan_connection_enabled`: Whether to create a connection to a Virtual WAN. [optional - default false]
- `vwan_connection_name`: The name of the connection to the Virtual WAN. [optional - leave empty to use calculated name]
- `vwan_hub_resource_id`: The resource ID of the hub to connect to. [optional - but required if vwan\_connection\_enabled is `true`]
- `vwan_propagated_routetables_labels`: A list of labels of route tables to propagate to the virtual network. [optional - leave empty to use `["default"]`]
- `vwan_propagated_routetables_resource_ids`: A list of resource IDs of route tables to propagate to the virtual network. [optional - leave empty to use `defaultRouteTable` on hub]
- `vwan_security_configuration`: A map of security configuration values for VWAN hub connection - see below. [optional - default empty]
- `secure_internet_traffic`: Whether to forward internet-bound traffic to the destination specified in the routing policy. [optional - default `false`]
- `secure_private_traffic`: Whether to all internal traffic to the destination specified in the routing policy. Not compatible with `routing_intent_enabled`. [optional - default `false`]
- `routing_intent_enabled`: Enable to use with a Virtual WAN hub with routing intent enabled. Routing intent on hub is configured outside this module. [optional - default `false`]
### Tags
- `tags`: A map of tags to apply to the virtual network. [optional - default empty]
Type:
```hcl
map(object({
name = string
address_space = list(string)
resource_group_name = string
location = optional(string)
dns_servers = optional(list(string), [])
flow_timeout_in_minutes = optional(number)
ddos_protection_enabled = optional(bool, false)
ddos_protection_plan_id = optional(string)
subnets = optional(map(object(
{
name = string
address_prefixes = list(string)
nat_gateway = optional(object({
id = string
}))
network_security_group = optional(object({
id = optional(string)
key_reference = optional(string)
}))
private_endpoint_network_policies = optional(string, "Enabled")
private_link_service_network_policies_enabled = optional(bool, true)
route_table = optional(object({
id = optional(string)
key_reference = optional(string)
}))
default_outbound_access_enabled = optional(bool, false)
service_endpoints = optional(set(string))
service_endpoint_policies = optional(map(object({
id = string
})))
delegations = optional(list(
object(
{
name = string
service_delegation = object({
name = string
})
}
)
))
}
)), {})
hub_network_resource_id = optional(string)
hub_peering_enabled = optional(bool, false)
hub_peering_direction = optional(string, "both")
hub_peering_name_tohub = optional(string)
hub_peering_options_tohub = optional(object({
allow_forwarded_traffic = optional(bool, true)
allow_gateway_transit = optional(bool, false)
allow_virtual_network_access = optional(bool, true)
do_not_verify_remote_gateways = optional(bool, false)
enable_only_ipv6_peering = optional(bool, false)
local_peered_address_spaces = optional(list(string), [])
local_peered_subnets = optional(list(string), [])
peer_complete_vnets = optional(bool, true)
remote_peered_address_spaces = optional(list(string), [])
remote_peered_subnets = optional(list(string), [])
use_remote_gateways = optional(bool, true)
}), {})
hub_peering_name_fromhub = optional(string)
hub_peering_options_fromhub = optional(object({
allow_forwarded_traffic = optional(bool, true)
allow_gateway_transit = optional(bool, true)
allow_virtual_network_access = optional(bool, true)
do_not_verify_remote_gateways = optional(bool, false)
enable_only_ipv6_peering = optional(bool, false)
local_peered_address_spaces = optional(list(string), [])
local_peered_subnets = optional(list(string), [])
peer_complete_vnets = optional(bool, true)
remote_peered_address_spaces = optional(list(string), [])
remote_peered_subnets = optional(list(string), [])
use_remote_gateways = optional(bool, false)
}), {})
mesh_peering_enabled = optional(bool, false)
mesh_peering_allow_forwarded_traffic = optional(bool, false)
resource_group_creation_enabled = optional(bool, true)
resource_group_lock_enabled = optional(bool, true)
resource_group_lock_name = optional(string)
resource_group_tags = optional(map(string), {})
vwan_associated_routetable_resource_id = optional(string)
vwan_connection_enabled = optional(bool, false)
vwan_connection_name = optional(string)
vwan_hub_resource_id = optional(string)
vwan_propagated_routetables_labels = optional(list(string), [])
vwan_propagated_routetables_resource_ids = optional(list(string), [])
vwan_security_configuration = optional(object({
secure_internet_traffic = optional(bool, false)
secure_private_traffic = optional(bool, false)
routing_intent_enabled = optional(bool, false)
}), {})
tags = optional(map(string), {})
}))
```
Default: `{}`
### [wait\_for\_subscription\_before\_subscription\_operations](#input\_wait\_for\_subscription\_before\_subscription\_operations)
Description: The duration to wait after vending a subscription before performing subscription operations.
Type:
```hcl
object({
create = optional(string, "30s")
destroy = optional(string, "0s")
})
```
Default: `{}`
### [wait\_for\_umi\_before\_umi\_role\_assignment\_operations](#input\_wait\_for\_umi\_before\_umi\_role\_assignment\_operations)
Description: The duration to wait after creating a user managed identity before performing role assignment operations.
Type:
```hcl
object({
create = optional(string, "30s")
destroy = optional(string, "0s")
})
```
Default: `{}`
## Resources
The following resources are used by this module:
- [azapi_resource.telemetry_root](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) (resource)
- [time_sleep.wait_for_umi_before_umi_role_assignment_operations](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) (resource)
## Outputs
The following outputs are exported:
### [budget\_resource\_id](#output\_budget\_resource\_id)
Description: The created budget resource IDs, expressed as a map.
### [management\_group\_subscription\_association\_id](#output\_management\_group\_subscription\_association\_id)
Description: The management\_group\_subscription\_association\_id output is the ID of the management group subscription association.
Value will be null if `var.subscription_management_group_association_enabled` is false.
### [resource\_group\_resource\_ids](#output\_resource\_group\_resource\_ids)
Description: The created resource group IDs, expressed as a map.
### [route\_table\_resource\_ids](#output\_route\_table\_resource\_ids)
Description: The created route table resource IDs, expressed as a map.
### [subscription\_id](#output\_subscription\_id)
Description: The subscription\_id is the Azure subscription id that resources have been deployed into.
### [subscription\_resource\_id](#output\_subscription\_resource\_id)
Description: The subscription\_resource\_id is the Azure subscription resource id that resources have been deployed into
### [umi\_client\_ids](#output\_umi\_client\_ids)
Description: The client id of the user managed identity.
Value will be null if `var.umi_enabled` is false.
### [umi\_principal\_ids](#output\_umi\_principal\_ids)
Description: The principal id of the user managed identity, sometimes known as the object id.
Value will be null if `var.umi_enabled` is false.
### [umi\_resource\_ids](#output\_umi\_resource\_ids)
Description: The Azure resource id of the user managed identity.
Value will be null if `var.umi_enabled` is false.
### [umi\_tenant\_ids](#output\_umi\_tenant\_ids)
Description: The tenant id of the user managed identity.
Value will be null if `var.umi_enabled` is false.
### [virtual\_network\_resource\_group\_ids](#output\_virtual\_network\_resource\_group\_ids)
Description: A map of resource group ids, keyed by the var.virtual\_networks input map. Only populated if the virtualnetwork submodule is enabled.
### [virtual\_network\_resource\_ids](#output\_virtual\_network\_resource\_ids)
Description: A map of virtual network resource ids, keyed by the var.virtual\_networks input map. Only populated if the virtualnetwork submodule is enabled.
## Telemetry
When you deploy one or more modules using the landing zone vending module, Microsoft can identify the installation of said module with the deployed Azure resources.
Microsoft can correlate these resources used to support the software.
Microsoft collects this information to provide the best experiences with their products and to operate their business.
The telemetry is collected through customer usage attribution.
The data is collected and governed by Microsoft's privacy policies.
If you don't wish to send usage data to Microsoft, details on how to turn it off can be found [here](https://github.com/Azure/terraform-azurerm-lz-vending/wiki/Telemetry).
## Contributing
This project welcomes contributions and suggestions.
Most contributions require you to agree to a Contributor License Agreement (CLA)
declaring that you have the right to, and actually do, grant us the rights to use your contribution.
For details, visit [https://cla.opensource.microsoft.com](https://cla.opensource.microsoft.com).
When you submit a pull request, a CLA bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., status check, comment).
Simply follow the instructions provided by the bot.
You will only need to do this once across all repos using our CLA.
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
## Developing the Module
See [DEVELOPER.md](https://github.com/Azure/terraform-azurerm-lz-vending/blob/main/DEVELOPER.md).
## Trademarks
This project may contain trademarks or logos for projects, products, or services.
Authorized use of Microsoft trademarks or logos is subject to and must follow
[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks/usage/general).
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
Any use of third-party trademarks or logos are subject to those third-party's policies.