This section details the available configuration settings / variables in this starter module.
Custom Replacements (custom_replacements)
The custom_replacements variable builds on the built-in replacements to provide user defined replacements that can be used throughout your configuration. This reduces the complexity of the configuration file by allowing re-use of names and other definitions that may be repeated throughout the configuration.
There are 4 layers of replacements that can be built upon to provide the level of flexibility you need. The order of precedence determines which other replacements can be used to build your replacement. For example a ‘Name’ replacement can be used to build a ‘Resource Group Identifier’ replacement, but a ‘Resource Group Identifier’ replacement cannot be used to build a ‘Name’ replacement.
The layers and precedence order is:
Built-in Replacements: These can be found at the top of our example config files and you can also see them in the code base here
Names: This is for resource names and other basic strings
Resource Group Identifiers: This is for resource group IDs
Resource Identifiers: This is for resource IDs
Names (custom_replacements.names)
Used to define custom names and strings that can be used throughout the configuration file. This can leverage the built-in replacements.
Used to define resource IDs that can be used throughout the configuration file. This can leverage the built-in replacements, custom names, and resource group IDs.
The enable_telemetry variable determines whether telemetry about module usage is sent to Microsoft, enabling us to invest in improvements to the Accelerator and Azure Verified Modules.
Example usage:
1
enable_telemetry = true
Tags (tags)
The tags variable is a default set of tags to apply to resources that support them. In many cases, these tags can be overridden on a per resource basis.
Example usage:
1
2
3
4
tags = {deployed_by = "terraform"source = "Azure Landing Zones Accelerator"}
The management_resource_settings variable is used to configure the management resources. This includes the log analytics workspace, automation account, and data collection rules for Azure Monitoring Agent (AMA).
This variable is of type any as it maps directly to the Azure Verified Module variables. To determine what can be supplied to this variable you can refer to the documentation for this module directly:
Management Group Settings (management_group_settings)
The management_group_settings variable is used to configure the management groups, policies, and policy role assignments.
This variable is of type any as it maps directly to the Azure Verified Module variables. To determine what can be supplied to this variable you can refer to the documentation for this module directly:
management_group_settings = {location = "$${starter_location_01}"architecture_name = "alz"parent_resource_id = "$${root_parent_management_group_id}" # Example of how to set default values for policy parameters
policy_default_values = {ama_change_tracking_data_collection_rule_id = "$${ama_change_tracking_data_collection_rule_id}"ama_mdfc_sql_data_collection_rule_id = "$${ama_mdfc_sql_data_collection_rule_id}"ama_vm_insights_data_collection_rule_id = "$${ama_vm_insights_data_collection_rule_id}"ama_user_assigned_managed_identity_id = "$${ama_user_assigned_managed_identity_id}"ama_user_assigned_managed_identity_name = "$${ama_user_assigned_managed_identity_name}"log_analytics_workspace_id = "$${log_analytics_workspace_id}"ddos_protection_plan_id = "$${ddos_protection_plan_id}"private_dns_zone_subscription_id = "$${subscription_id_connectivity}"private_dns_zone_region = "$${starter_location_01}"private_dns_zone_resource_group_name = "$${dns_resource_group_name}"} # Example of how to place the 3 platform subscriptions under their management groups
subscription_placement = {identity = {subscription_id = "$${subscription_id_identity}"management_group_name = "identity"}connectivity = {subscription_id = "$${subscription_id_connectivity}"management_group_name = "connectivity"}management = {subscription_id = "$${subscription_id_management}"management_group_name = "management"}}policy_assignments_to_modify = { # Example of how to update a policy assignment parameters for Defender for Cloud
alzroot = {policy_assignments = {Deploy-MDFC-Config-H224 = {parameters = {ascExportResourceGroupName = "$${asc_export_resource_group_name}"ascExportResourceGroupLocation = "$${starter_location_01}"emailSecurityContact = "security_contact@replace_me"enableAscForServers = "DeployIfNotExists"enableAscForServersVulnerabilityAssessments = "DeployIfNotExists"enableAscForSql = "DeployIfNotExists"enableAscForAppServices = "DeployIfNotExists"enableAscForStorage = "DeployIfNotExists"enableAscForContainers = "DeployIfNotExists"enableAscForKeyVault = "DeployIfNotExists"enableAscForSqlOnVm = "DeployIfNotExists"enableAscForArm = "DeployIfNotExists"enableAscForOssDb = "DeployIfNotExists"enableAscForCosmosDbs = "DeployIfNotExists"enableAscForCspm = "DeployIfNotExists"}}}} # Example of how to update a policy assignment enforcement mode for DDOS Protection Plan
connectivity = {policy_assignments = {Enable-DDoS-VNET = {enforcement_mode = "DoNotEnforce"}}}}}
Connectivity Type (connectivity_type)
The connectivity_type variable is used to choose the type of connectivity to deploy. Supported values are:
hub_and_spoke_vnet: Deploy hub and spoke networking using Azure Virtual Networks
virtual_wan: Deploy Azure Virtual WAN networking
none: Don’t deploy any networking
Example usage:
1
2
3
4
5
6
7
8
# Example of how to use a hub and spoke Virtual Network for connectivity
connectivity_type = "hub_and_spoke_vnet"# Example of how to use a Virtual WAN for connectivity
connectivity_type = "virtual_wan"# Example of how to disable connectivity
connectivity_type = "none"
Connectivity Resource Groups (connectivity_resource_groups)
The connectivity_resource_groups variable is used to specify the name and location of the resource groups used for connectivity.
This variable is a map(object) and has two properties:
Hub and Spoke Virtual Network Settings (hub_and_spoke_vnet_settings)
The hub_and_spoke_vnet_settings variable is used to set the non-regional settings for the hub and spoke Virtual Network connectivity option. It is only used to set the DDOS Protection Plan at this time.
This variable is of type any as it will be used for other purposes moving forward.
Hub and Spoke Virtual Networks (hub_and_spoke_vnet_virtual_networks)
The hub_and_spoke_vnet_virtual_networks variable is used to set the regional settings for the hub and spoke Virtual Network connectivity options. This includes Hub Networks, Peering, Routing, Subnets, Firewalls, Virtual Network Gateways, Bastion Hosts, Private DNS Zones, and Private DNS Resolver
This variable is of type map(object). Some of the object properties map directly to the Azure Verified Module variables. To determine what can be supplied to these variable you can refer to the documentation for this module directly.
virtual_network_gateways: This an object to specify the Virtual Network Gateways settings (omit this object if you don’t want to deploy any Virtual Network Gateways)
subnet_address_prefix: The Virtual Network Gateway subnet address space
private_dns_zones: This an object to specify the Private DNS Zone settings (omit this object if you don’t want to deploy any Private DNS Zones)
subnet_address_prefix: The Private DNS Resolver subnet address space
resource_group_name: The name of the resource group to deploy the Private DNS Zones into
is_primary: Whether this is the primary region. Any non-regional Private Link Private DNS Zones will be deployed into this region. Although the Private DNS Zones are a global resource, their meta-data needs to reside in a specific region.
private_link_private_dns_zones: This is a map(object) used to override the Private Link Private DNS Zones that are deployed, leave this empty to deploy the default set of zones specified by ALZ
zone_name: The name of the Private DNS Zone to deploy
auto_registration_zone_enabled: Whether to deploy the Virtual Machine auto-registration Private DNS Zone
auto_registration_zone_name: The name of the Virtual Machine auto-registration Private DNS Zone
private_dns_resolver: This is an object to specify the Private DNS Resolver
name: The name of the Private DNS Resolver
resource_group_name: The name of the resource group to deploy the Private DNS Resolver into
ip_address: The static IP Address of the Private DNS Resolver. This will be auto calculated if not supplied
hub_and_spoke_vnet_virtual_networks = {primary = { # Example hub network settings for this region
hub_virtual_network = {name = "vnet-hub-$${starter_location_01}"resource_group_name = "$${connectivity_hub_primary_resource_group_name}"resource_group_creation_enabled = falselocation = "$${starter_location_01}"address_space = ["$${primary_hub_virtual_network_address_space}"]routing_address_space = ["$${primary_hub_address_space}"]route_table_name_firewall = "rt-hub-fw-$${starter_location_01}"route_table_name_user_subnets = "rt-hub-std-$${starter_location_01}"mesh_peering = trueddos_protection_plan_id = "$${management_resource_group_id}/providers/Microsoft.Network/ddosProtectionPlans/$${ddos_protection_plan_name}"subnets = {} # Example Azure Firewall settings for this region (omit this section if not using Azure Firewall)
firewall = {subnet_address_prefix = "$${primary_firewall_subnet_address_prefix}"name = "fw-hub-$${starter_location_01}"sku_name = "AZFW_VNet"sku_tier = "Standard"zones = "$${starter_location_01_availability_zones}"default_ip_configuration = {public_ip_config = {name = "pip-fw-hub-$${starter_location_01}"zones = "$${starter_location_01_availability_zones}"}} # Example firewall policy settings for this region
firewall_policy = {name = "fwp-hub-$${starter_location_01}"}}} # Example Virtual Network Gateway settings for this region (omit this section if not using Virtual Network Gateway)
virtual_network_gateways = {subnet_address_prefix = "$${primary_gateway_subnet_address_prefix}" # Example ExpressRoute settings for this region (omit this section if not using ExpressRoute)
express_route = {location = "$${starter_location_01}"name = "vgw-hub-expressroute-$${starter_location_01}"sku = "$${starter_location_01_virtual_network_gateway_sku_express_route}"ip_configurations = {default = {name = "ipconfig-vgw-hub-expressroute-$${starter_location_01}"public_ip = {name = "pip-vgw-hub-expressroute-$${starter_location_01}"zones = "$${starter_location_01_availability_zones}"}}}} # Example VPN Gateway settings for this region (omit this section if not using VPN Gateway)
vpn = {location = "$${starter_location_01}"name = "vgw-hub-vpn-$${starter_location_01}"sku = "$${starter_location_01_virtual_network_gateway_sku_vpn}"ip_configurations = {default = {name = "ipconfig-vgw-hub-vpn-$${starter_location_01}"public_ip = {name = "pip-vgw-hub-vpn-$${starter_location_01}"zones = "$${starter_location_01_availability_zones}"}}}}} # Example Private DNS Zone settings for this region (omit this section if not using Private DNS Zones)
private_dns_zones = {resource_group_name = "$${dns_resource_group_name}"is_primary = trueauto_registration_zone_enabled = trueauto_registration_zone_name = "$${starter_location_01}.azure.local"subnet_address_prefix = "$${primary_private_dns_resolver_subnet_address_prefix}"private_dns_resolver = {name = "pdr-hub-dns-$${starter_location_01}"}} # Example Bastion Host settings for this region (omit this section if not using Bastion Host)
bastion = {subnet_address_prefix = "$${primary_bastion_subnet_address_prefix}"bastion_host = {name = "bastion-hub-$${starter_location_01}"}bastion_public_ip = {name = "pip-bastion-hub-$${starter_location_01}"zones = "$${starter_location_01_availability_zones}"}}}}
Virtual WAN Settings (virtual_wan_settings)
The virtual_wan_settings variable is used to set the non-regional settings for the Virtual WAN connectivity option. It is used to set the Virtual WAN non-regional properties and the DDOS Protection Plan.
This variable is of type any as it maps directly to the Azure Verified Module variables. To determine what can be supplied to this variable you can refer to the documentation for this module directly:
Virtual WAN Virtual Hubs (virtual_wan_virtual_hubs)
The hub_and_spoke_vnet_virtual_networks variable is used to set the regional settings for the Virtual WAN connectivity options. This includes Virtual WAN Hubs, Firewalls, Virtual Network Gateways, Bastion Hosts, Private DNS Zones, and Private DNS Resolver
This variable is of type map(object). Some of the object properties map directly to the Azure Verified Module variables. To determine what can be supplied to these variable you can refer to the documentation for this module directly.
virtual_network_gateways: This an object to specify the Virtual Network Gateways settings (omit this object if you don’t want to deploy any Virtual Network Gateways)
private_dns_zones: This an object to specify the Private DNS Zone settings (omit this object if you don’t want to deploy any Private DNS Zones)
subnet_address_prefix: The Private DNS Resolver subnet address space
resource_group_name: The name of the resource group to deploy the Private DNS Zones into
is_primary: Whether this is the primary region. Any non-regional Private Link Private DNS Zones will be deployed into this region. Although the Private DNS Zones are a global resource, their meta-data needs to reside in a specific region.
private_link_private_dns_zones: This is a map(object) used to override the Private Link Private DNS Zones that are deployed, leave this empty to deploy the default set of zones specified by ALZ
zone_name: The name of the Private DNS Zone to deploy
auto_registration_zone_enabled: Whether to deploy the Virtual Machine auto-registration Private DNS Zone
auto_registration_zone_name: The name of the Virtual Machine auto-registration Private DNS Zone
private_dns_resolver: This is an object to specify the Private DNS Resolver
name: The name of the Private DNS Resolver
resource_group_name: The name of the resource group to deploy the Private DNS Resolver into
ip_address: The static IP Address of the Private DNS Resolver. This will be auto calculated if not supplied
virtual_wan_virtual_hubs = {primary = { # Example hub network settings for this region
hub = {name = "vwan-hub-$${starter_location_01}"resource_group = "$${connectivity_hub_primary_resource_group_name}"location = "$${starter_location_01}"address_prefix = "$${primary_hub_address_space}"} # Example Azure Firewall settings for this region (omit this section if not using Azure Firewall)
firewall = {name = "fw-hub-$${starter_location_01}"sku_name = "AZFW_Hub"sku_tier = "Standard"zones = "$${starter_location_01_availability_zones}"} # Example firewall policy settings for this region (omit this section if not using Azure Firewall)
firewall_policy = {name = "fwp-hub-$${starter_location_01}"} # Example Virtual Network Gateway settings for this region (omit this section if not using Virtual Network Gateway)
virtual_network_gateways = { # Example ExpressRoute settings for this region (omit this section if not using ExpressRoute)
express_route = {name = "vgw-hub-expressroute-$${starter_location_01}"} # Example VPN Gateway settings for this region (omit this section if not using VPN Gateway)
vpn = {name = "vgw-hub-vpn-$${starter_location_01}"}} # Example Private DNS Zone settings for this region (omit this section if not using Private DNS Zones)
private_dns_zones = {resource_group_name = "$${dns_resource_group_name}"is_primary = trueauto_registration_zone_enabled = trueauto_registration_zone_name = "$${starter_location_01}.azure.local"subnet_address_prefix = "$${primary_private_dns_resolver_subnet_address_prefix}"private_dns_resolver = {name = "pdr-hub-dns-$${starter_location_01}"}} # Example Bastion Host settings for this region (omit this section if not using Bastion Host)
bastion = {subnet_address_prefix = "$${primary_bastion_subnet_address_prefix}"bastion_host = {name = "bastion-hub-$${starter_location_01}"}bastion_public_ip = {name = "pip-bastion-hub-$${starter_location_01}"zones = "$${starter_location_01_availability_zones}"}} # Example Side Car Virtual Network settings for this region
side_car_virtual_network = {name = "vnet-side-car-$${starter_location_01}"address_space = ["$${primary_side_car_virtual_network_address_space}"]}}}
We would like to use third party code to improve the functionality of this website.
