# Andrew's module for creating an Azure Application Landing Zone
otherwise known as an environment (dev, test, sit, uat, etc.)

[GitHub Repository](https://github.com/webstean/azure-application-landing-zone)

[Terraform Registry for this module](https://github.com/webstean/azure-application-landing-zone)

[Terraform Registry Home - my other modules](https://registry.terraform.io/namespaces/webstean)

[![Terraform][terraform-shield]][tf-version]
[![Latest][version-shield]][release-url]
[![Tests][test-shield]][test-url]
[![License][license-shield]][license-url]

This module creates what Microsoft calls an [Application Landing Zone](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/ready), which you can think of as an environment in which your applications and services can run, like DEV, TEST, SIT, UAT, PROD, etc.

This is part of what Microsoft calls their [Well-Architected Framework](https://learn.microsoft.com/en-us/azure/well-architected/what-is-well-architected-framework).

This module will deploy many different types of resources including, but not limited to:
- One Public DNS Zone (unless the variable always\_create\_private\_link is set to "yes")
- One Virtual Network with preconfigured subnets and a Bastion host, used for hosting resources in the Landing Zone
- Many Private DNS Zones for use with Private Link (only when the variable always\_create\_private\_link is set to "yes")
- Two User Assigned Identities, one intended for humans and the other for services/applications
- One Static Web App, for hosting static content, such as information on the created landing zone
- One Log Analytics Workspace (including a "web" Application Insights) for logging, monitoring, alerting and debugging
- One KeyVault (which you should use); you should still create your own KeyVault for secrets, such as passwords, certificates, etc.
- One SQL Server associated with one SQL Server Elastic Pool (these are free until you put a database in them), configured for SQL Hyperscale
- One Cosmos DB Account
- One Azure Communication Service (ACS) for sending emails, SMSes and WhatsApp messages
- Three Storage Accounts (one for SQL Server logs, one for files and one for blobs)
- An Automation Account for running scripts, such as Azure CLI or PowerShell scripts, either manually or via a schedule

and finally:
- One App Configuration preconfigured with all the landing zone deployments (SQL Server endpoints etc.)

You need to tell the module which Azure Resource Group to put everything in; the resource group is not created by this module, in order to support [Azure Deployment Environments](https://learn.microsoft.com/en-us/azure/deployment-environments/overview-what-is-azure-deployment-environments).

Optionally, you can peer the Virtual Network into an existing vWAN Hub, which will allow you to connect to other Landing Zones and the Internet in general securely via centralised infrastructure.
This infrastructure can be deployed via the

> [!IMPORTANT]
> ❗ This is important
>

> [!NOTE]
> ⚠️ Eventually this module will create an [Azure Network Perimeter](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts) around everything in the Landing Zone, further isolating it from other Landing Zones and the Internet in general.
>

> [!CAUTION]
> ℹ️ This module creates lots of resources that SHOULD cost zero to very little money, but things change! BE CAREFUL, so you don't get **Bill Shocks**.
>

![Azure Landing Zone](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/media/azure-landing-zone-architecture-diagram-hub-spoke.svg#lightbox)

Example:
```hcl
module "application-landing-zone" {
  source  = "webstean/azure-application-landing-zone/azurerm"
  version = "~>0.0, < 1.0"

  ## identity
  user_assigned_identity_graph_name        = null
  ## (high-privilege) for services/applications; taken from the output of another
  ## module instance (note the different module name, otherwise this would be a cycle)
  user_assigned_identity_landing_zone_name = module.application_landing_zone.user_assigned_identity_name
  entra_group_unified_id                   = null
  entra_group_pag_id                       = data.azuread_group.cloud_operators.id ## (low-privilege) for humans/admin users

  ## naming
  resource_group_name = data.azurerm_resource_group.lz.name
  landing_zone_name   = "play"
  project_name        = "main"
  application_name    = "webstean"

  ## sizing
  sku_name                          = "free"          ## other options are: basic, standard, premium or isolated
  size_name                         = "small"         ## other options are: medium, large or x-large
  location_key                      = "australiaeast" ## other supported options are: australiasoutheast, australiacentral
  private_endpoints_always_deployed = false           ## other option is: true

  ## these are only used for the tags applied to each resource
  owner_service = "unknown@myorg.com" ## business owner - email address, used for visibility & alerts
  owner_tech    = "unknown@myorg.com" ## technical owner - email address, used for visibility & alerts
  cost_centre   = "unknown"           ## from the accountants, it's the owner's cost centre. Freeform text
  monitoring    = "not-monitored"     ## other options are: 24-7 or 8-5

  ## subscription and secrets store
  subscription_id = data.azurerm_client_config.current.subscription_id
  keyvault_name   = module.azure-application-landing-zone-keyvault.key_vault_name
}
```
---
## License

Distributed under the Mozilla Public License Version 2.0. See [LICENSE](./LICENSE) for more information.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~>1.0, < 2.0 |
| [acme](#requirement\_acme) | ~>2.0, < 3.0 |
| [alz](#requirement\_alz) | ~>0.0, < 1.0 |
| [azapi](#requirement\_azapi) | ~> 2.0, < 3.0 |
| [azuread](#requirement\_azuread) | ~> 3.0, < 4.0 |
| [azurerm](#requirement\_azurerm) | ~>4.0, < 5.0 |
| [random](#requirement\_random) | ~>3.0, < 4.0 |

## Resources

| Name | Type |
|------|------|
| [azapi_update_resource.comms-identity](https://registry.terraform.io/providers/azure/azapi/latest/docs/resources/update_resource) | resource |
| [azuread_service_principal.existing-apim](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
| [azuread_service_principal.existing-dynamicserp](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
| [azurerm_application_insights.web](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource |
| [azurerm_application_insights_snapshot_debugger.web](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights_snapshot_debugger) | resource |
| [azurerm_communication_service.comms](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/communication_service) | resource |
| [azurerm_communication_service_email_domain_association.comms](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/communication_service_email_domain_association) | resource |
| [azurerm_email_communication_service.comms](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/email_communication_service) | resource |
| [azurerm_email_communication_service_domain.comms](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/email_communication_service_domain) | resource |
| [azurerm_key_vault_key.comms_app_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key) | resource |
| [azurerm_key_vault_secret.primary-connection](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_key_vault_secret.primary-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_key_vault_secret.secondary-connection](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_key_vault_secret.secondary-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_monitor_diagnostic_setting.bastion1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
| [azurerm_monitor_diagnostic_setting.bastion2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
| [azurerm_monitor_diagnostic_setting.bastion_public_ip1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
| [azurerm_monitor_diagnostic_setting.comms1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
| [azurerm_monitor_diagnostic_setting.comms2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
| [azurerm_monitor_workspace.grafana](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_workspace) | resource |
| [azurerm_nat_gateway.vnet-nat-gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway) | resource |
| [azurerm_nat_gateway_public_ip_association.vnet-nat-gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway_public_ip_association) | resource |
| [azurerm_network_security_group.any](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_group.anytcp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_group.bastion](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_group.dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_group.linux](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_group.tls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_group.unifi](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_network_security_group.windows](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_public_ip.vnet-nat-gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
| [azurerm_role_assignment.application_insights_contributor1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.application_insights_contributor2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.application_insights_snapshot_debugger](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.grafana_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.grafana_viewer](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_subnet_nat_gateway_association.vnet-nat-gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource |
| [azurerm_subnet_service_endpoint_storage_policy.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_service_endpoint_storage_policy) | resource |
| [random_id.ula_global_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [random_string.naming_seed](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source |
| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
| [azuread_domains.admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/domains) | data source |
| [azuread_domains.default](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/domains) | data source |
| [azuread_domains.initial](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/domains) | data source |
| [azuread_domains.root](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/domains) | data source |
| [azuread_domains.unmanaged](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/domains) | data source |
| [azuread_service_principal.existing-apim](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azuread_service_principal.existing-dynamicserp](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
| [azurerm_management_group.root](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_role_definition.blob_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.blob_owner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.blob_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.file_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.owner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.queue_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.queue_processor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.queue_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.queue_sender](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.reader_and_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.smb_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.smb_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.storage_defender](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.table_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_role_definition.table_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
| [azurerm_subscriptions.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscriptions) | data source |
| [http_http.public_ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [dns\_zone\_name](#input\_dns\_zone\_name) | This variable provides the name of an existing public DNS zone. | `string` | n/a | yes |
| [org\_fullname](#input\_org\_fullname) | The full name (long form) of your organisation, for use in descriptive and display names.<br>This is intended to be a human readable name, so that it can be used in the Azure | `string` | n/a | yes |
| [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group to deploy the resources into. This resource group needs to already exist! | `string` | n/a | yes |
| [subscription\_id](#input\_subscription\_id) | The Azure Subscription ID for the AzureRM, AzureAD and AzApi providers to use for their deployment.<br>This is the subscription where the resources will be deployed, and whoever is running the module (Terraform code) must have high-level permissions on this subscription.<br>Typically this means the following Azure RBAC roles: User Access Administrator and Contributor.<br>If you are using GitHub or Azure DevOps (ADO), you should use OIDC to provide federation, instead of having to maintain secrets, which can be compromised. | `string` | n/a | yes |
| [bypass\_ip\_cidr](#input\_bypass\_ip\_cidr) | (Required) bypass\_ip\_cidr (CIDR notation) is a list of IP addresses or CIDR ranges that should be allowed to bypass the firewall for Azure PaaS services like storage accounts, SQL servers, etc.<br>This is typically used for management purposes, such as allowing access from a specific IP address or range of IP addresses, such as a management workstation or a specific network. | `list(string)` | `[]` | no |
| [cost\_centre](#input\_cost\_centre) | Cost Centre for assigning resource costs; can be any number, string or combination (perhaps consider using an email address). | `string` | `"unknown"` | no |
| [data\_phi](#input\_data\_phi) | (Required) data\_phi (true or false) These resources will contain and/or process Personal Health Information (PHI).<br>Note, this WILL NOT enable private endpoints, since that is controlled via the var.always\_enable\_private\_endpoints variable.<br>However, it does enable a lot of security services, typically called "Defender" by Microsoft.<br>These services add a lot of value, such as vulnerability scanning, threat detection, security alerts, and more.<br>But they come at a cost, so you need to be aware of that. | `string` | `"unknown"` | no |
| [data\_pii](#input\_data\_pii) | (Required) data\_pii (true or false) These resources will contain and/or process Personally Identifiable Information (PII).<br>Note, this WILL NOT enable private endpoints, since that is controlled via the var.always\_enable\_private\_endpoints variable.<br>However, it does enable a lot of security services, typically called "Defender" by Microsoft.<br>These services add a lot of value, such as vulnerability scanning, threat detection, security alerts, and more.<br>But they come at a cost, so you need to be aware of that. | `string` | `"unknown"` | no |
| [enable\_telemetry](#input\_enable\_telemetry) | This variable controls whether or not Microsoft telemetry is enabled for the AVM modules that this module will call.<br>For more information see https://aka.ms/avm/telemetryinfo.<br>If it is set to false, then no telemetry will be collected.<br>The default is true. | `bool` | `false` | no |
| [landing\_zone\_name](#input\_landing\_zone\_name) | (Required) landing\_zone\_name must be one of ("core", "platform", "play", "dev", "test", "mvp", "uat", "sit", "preprod", "prod", "production", "live") so we can tell what each resource is being used for.<br>This also corresponds to the Application Landing Zone that the resources will be deployed into.<br>An application landing zone consists of a set of secure, compliant, container-type resources, intended to support many applications, web sites and databases.<br>Some people, in our opinion, overuse landing zones and create too many of them, which makes them harder to manage.<br>We would suggest you consider a landing\_zone as what you might call an environment: DEV, TEST, UAT, PreProd, etc.<br>The default is "test". | `string` | `"test"` | no |
| [location\_key](#input\_location\_key) | The Azure location where the resources are to be deployed. This is a key into the local.regions map (see locals.tf), which contains the applicable Azure region information.<br>locals.tf is used to map the location\_key to the actual Azure region name, so that it can be used in the azurerm/azapi providers.<br>Unless you are using Australian regions, you will need to customise the local.regions map to include your region and alter the validation statements, since they initially only support the Australian regions (australiaeast, australiasoutheast, australiacentral). | `string` | `"australiaeast"` | no |
| [monitoring](#input\_monitoring) | Sets a resource tag on all the resources, so you know what sort of monitoring the resources will be eligible for.<br>You can even use these tags to only enrol resources in certain monitoring solutions, like Azure Monitor, Azure Log Analytics, Azure Application Insights, etc., and to decide when alerts should be generated (anytime, office hours only).<br>You will typically need to comply with ITIL and other operational frameworks, and potentially enterprise requirements.<br>The supported values are "24-7", "8-5" or "not-monitored".<br>The default is "not-monitored", which means that the resources will not be enrolled in any monitoring solution. | `string` | `"not-monitored"` | no |
| [org\_shortname](#input\_org\_shortname) | The short name (abbreviation) of the entire organisation, used for naming Azure resources.<br>Avoid using exotic characters, so that it can be used in all sorts of places, like DNS names, Azure resource names, Azure AD display names, etc. | `string` | `"org"` | no |
| [owner\_service](#input\_owner\_service) | The name (preferably email address) of the service owner, for contacting in a disaster or when seeking guidance.<br>This is intended to assist in complying with frameworks like ITIL, COBIT, ISO27001, NIST, etc.<br>It basically tells who is responsible for the resource, so that when there is a problem, we know who to contact.<br>This will appear in the owner tag of the resource, so that it can be easily found. | `string` | `"unknown@unknown.org"` | no |
| [owner\_tech](#input\_owner\_tech) | The name (preferably email address) of the technical owner, for contacting in a disaster or when seeking guidance.<br>This is intended to assist in complying with frameworks like ITIL, COBIT, ISO27001, NIST, etc.<br>It basically tells who is responsible for the resource, so that when there is a problem, we know who to contact.<br>This will appear in the owner tag of the resource, so that it can be easily found. | `string` | `"unknown@unknown.org"` | no |
| [private\_endpoints\_always\_deployed](#input\_private\_endpoints\_always\_deployed) | (Required) private\_endpoints\_always\_deployed (true or false) Whether private endpoints should be deployed, where available. This requires the sku\_name to be either "premium" or "isolated".<br>The use of Private Endpoints is typically a hard requirement for hosting real data. Any PEN test will almost always want Private Endpoints everywhere.<br>Looking at the Azure pricing, you might think that Private Endpoints aren't that expensive. But you would be WRONG!<br>You are paying for the private endpoint basically for every second that it exists. It does not take long for these costs to add up.<br>Unless you are hosting real data (PII and PHI) you should not use Private Endpoints, unless you want to waste money; for really large organisations this might not be a concern.<br>We have a separate configuration option for private endpoints, because sometimes people want to test private endpoints in DEV scenarios.<br>Technically private endpoints should never be needed, as any Azure endpoint is protected via Entra ID authentication/authorisation, but this is a single point of failure. If Entra were misconfigured, for example, your data would potentially be exposed.<br>Hence, Private Endpoints are a good idea, providing a second layer of security (look up the Swiss cheese model of security). But ultimately they are NOT CHEAP.<br>The default is false, and it can only be set to true if the sku\_name is set to either "premium" or "isolated".<br>This is because Private Endpoints are typically only available for the higher-end SKUs. | `bool` | `false` | no |
| [size\_name](#input\_size\_name) | (Required) The size\_name (only specific values) for the size of resources to be deployed.<br>This is an option for some resources, in addition to the SKU, and the module makes the sizing decisions, which are obviously just our opinion.<br>Feel free to adjust the module as you see fit, but we are pretty confident our choices are reasonable for most circumstances.<br>The supported values are "small", "medium", "large" or "x-large".<br>Note: The larger the size, the higher the cost! These cost differences can be very significant, so please be careful.<br>Currently the validation only supports the use of the "small" size; please edit it to use the others. | `string` | `"small"` | no |
| [sku\_name](#input\_sku\_name) | (Required) The sku\_name (only specific values) of the resources to be created (free, basic, standard, premium or isolated).<br>The higher the SKU, the more capabilities, such as high availability and auto scaling, are available.<br>This module determines which sku\_name corresponds to which actual Azure SKU to deploy.<br>Obviously, this is subject to opinion, so whilst we are confident our choices work well in most environments, you are free to adjust this module so that you can use the same sku\_name across all modules.<br>The higher-end SKUs (premium, isolated) are typically very expensive and totally overkill for most applications.<br>Note: The free SKU is only applicable to some resources, and in some cases the resources created with the "free" SKU may not actually be free, but should be very minimal cost.<br>The validation rules only permit the use of the "free" and "basic" SKUs, to prevent unintended consequences (i.e. a huge bill at the end of the month).<br>The module will happily create the higher SKU resources; simply edit the validation rule to use them. | `string` | `"free"` | no |

## Outputs

| Name | Description |
|------|-------------|
| [cost\_centre](#output\_cost\_centre) | Cost Centre for assigning resource costs; can be any number, string or combination (perhaps consider using an email address). |
| [data\_phi](#output\_data\_phi) | (Required) These resources will contain and/or process Personal Health Information (PHI) |
| [data\_pii](#output\_data\_pii) | (Required) These resources will contain and/or process Personally Identifiable Information (PII) |
| [landing\_zone\_name](#output\_landing\_zone\_name) | (Required) landing\_zone\_name must be one of ("core", "platform", "play", "dev", "test", "uat", "sit", "preprod", "prod", "live") so we can tell what each resource is being used for.<br>This also corresponds to the Application Landing Zone that the resources will be deployed into. |
| [location\_key](#output\_location\_key) | The Azure location where the resources are to be deployed. This is a key into the local.regions map, which contains the applicable Azure region information. |
| [monitoring](#output\_monitoring) | Sets the tag that defines what sort of monitoring the resources will be eligible for |
| [owner\_service](#output\_owner\_service) | The name (preferably email address) of the resource owner, for contacting in a disaster or when seeking guidance |
| [owner\_tech](#output\_owner\_tech) | The name (preferably email address) of the resource owner, for contacting in a disaster or when seeking guidance |
| [private\_endpoints\_always\_deployed](#output\_private\_endpoints\_always\_deployed) | (Required) Whether private endpoints should be deployed, where available. Requires the cost to be set to High |
| [region\_lake\_containers](#output\_region\_lake\_containers) | n/a |
| [size\_name](#output\_size\_name) | (Required) The size of the resultant resources (small, medium, large or x-large).<br>Note: The larger the size, the higher the cost! |
| [sku\_name](#output\_sku\_name) | (Required) The sku\_name of the resources to be created (for example, free, basic, standard, premium or isolated).<br>The higher the SKU, the more capabilities, such as high availability and auto scaling, are available. |
| [subscription\_display\_name](#output\_subscription\_display\_name) | Azure Subscription Display Name |
| [subscription\_id](#output\_subscription\_id) | Azure Subscription ID |
| [tenant\_id](#output\_tenant\_id) | Azure Tenant ID |
| [virtual\_network\_id](#output\_virtual\_network\_id) | Map of virtual network IDs with their names |
| [virtual\_network\_subnet\_ids](#output\_virtual\_network\_subnet\_ids) | Map of subnet IDs with their types |
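
The subscription\_id input above says the identity running this module needs Contributor and User Access Administrator on the target subscription, and that a GitHub or Azure DevOps pipeline should obtain that access through OIDC federation rather than a stored client secret. The following is an added example of that setup for GitHub Actions, written against the azuread 3.x and azurerm 4.x providers listed in the Requirements; it is not part of the module. The GitHub organisation, repository and environment names are placeholders, and the resource names are the example's own.

```hcl
# Added example (not part of the module): a deployment identity for GitHub
# Actions that authenticates with a short-lived OIDC token instead of a secret.

locals {
  github_org  = "EXAMPLE-ORG"  # placeholder: your GitHub organisation
  github_repo = "EXAMPLE-REPO" # placeholder: the repo holding the landing zone code
  github_env  = "test"         # the GitHub "environment" that gates the deploy job
}

# The subscription the module will deploy into (the provider's current subscription).
data "azurerm_subscription" "target" {}

resource "azuread_application" "deployer" {
  display_name = "lz-deployer-${local.github_env}"
}

resource "azuread_service_principal" "deployer" {
  client_id = azuread_application.deployer.client_id
}

# Trust only tokens issued by GitHub for jobs bound to this repo AND this
# environment. Branch or tag subjects (repo:ORG/REPO:ref:refs/heads/main) are
# the alternative; never use a wildcard subject here.
resource "azuread_application_federated_identity_credential" "github" {
  application_id = azuread_application.deployer.id
  display_name   = "github-${local.github_env}"
  description    = "GitHub Actions deploys from the ${local.github_env} environment"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:${local.github_org}/${local.github_repo}:environment:${local.github_env}"
}

# The two roles the module's description says the runner needs, scoped to the
# target subscription only.
resource "azurerm_role_assignment" "deployer_contributor" {
  scope                = data.azurerm_subscription.target.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.deployer.object_id
}

resource "azurerm_role_assignment" "deployer_user_access_admin" {
  scope                = data.azurerm_subscription.target.id
  role_definition_name = "User Access Administrator"
  principal_id         = azuread_service_principal.deployer.object_id
}

output "deployer_client_id" {
  description = "Client ID to give azure/login; no client secret exists for this identity."
  value       = azuread_application.deployer.client_id
}
```

On the workflow side the job needs `permissions: id-token: write`, the `azure/login` step is given only `client-id`, `tenant-id` and `subscription-id`, and the azurerm provider is configured with `use_oidc = true` (or `ARM_USE_OIDC=true`). Because the federated credential is bound to a GitHub environment, the environment's required reviewers become the approval gate for anything that uses User Access Administrator; a compromise of the repository's branches alone does not yield a usable token.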

## Modules

| Name | Source | Version |
|------|--------|---------|
| [azure\_bastion](#module\_azure\_bastion) | Azure/avm-res-network-bastionhost/azurerm | ~>0.0, < 1.0 |
| [bastion\_public\_ip](#module\_bastion\_public\_ip) | Azure/avm-res-network-publicipaddress/azurerm | ~>0.0, < 1.0 |
| [log\_analytics\_workspace](#module\_log\_analytics\_workspace) | Azure/avm-res-operationalinsights-workspace/azurerm | ~>0.0, < 1.0 |
| [lz-init](#module\_lz-init) | ./init/ | n/a |
| [lz-setup](#module\_lz-setup) | ./setup/ | n/a |
| [naming-global](#module\_naming-global) | Azure/naming/azurerm | ~>0.0, < 1.0 |
| [naming-landing-zone](#module\_naming-landing-zone) | Azure/naming/azurerm | ~>0.0, < 1.0 |
| [virutal\_network](#module\_virutal\_network) | Azure/avm-res-network-virtualnetwork/azurerm | ~>0.0, < 1.0 |

---

## Additional References


- [Terraform Download](https://www.terraform.io/downloads.html)
- [Visual Code Download](https://code.visualstudio.com/Download)
- [Powershell VS Code Extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell)
- [HashiCorp Terraform VS Code Extension](https://marketplace.visualstudio.com/items?itemName=HashiCorp.terraform)
- [Azure Terraform VS Code Extension Name](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureterraform)
- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli)
- [Configure the Azure Terraform Visual Studio Code extension](https://docs.microsoft.com/en-us/azure/developer/terraform/configure-vs-code-extension-for-terraform)
- [Setup video](https://youtu.be/YmbmpGdhI6w)

Generated with [terraform-docs](https://terraform-docs.io/)