-
Notifications
You must be signed in to change notification settings - Fork 578
[Examples] Expand built in archetype definitions
This page describes how to deploy your Azure landing zone with a basic configuration based mainly on module defaults.
We then show how to dynamically modify the built-in archetype definitions using the archetype extensions
and archetype exclusions
.
NOTE: This feature is available from version
0.2.0
and also works on your own custom archetype definitions.
We will use the es_landing_zones
configuration as an example.
The built-in definition contains the following settings:
{
"es_landing_zones": {
"policy_assignments": [
"Audit-AppGW-WAF",
"Deny-IP-forwarding",
"Deny-MgmtPorts-Internet",
"Deny-Priv-Esc-AKS",
"Deny-Privileged-AKS",
"Deny-Storage-http",
"Deny-Subnet-Without-Nsg",
"Deploy-AKS-Policy",
"Deploy-AzSqlDb-Auditing",
"Deploy-SQL-Threat",
"Deploy-VM-Backup",
"Enable-DDoS-VNET",
"Enforce-AKS-HTTPS",
"Enforce-GR-KeyVault",
"Enforce-TLS-SSL"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
We will update the built-in configuration by adding 2 new settings:
-
Create an extension
extend_es_landing_zones
which will add a Policy AssignmentDeny-Resource-Locations
and set the parameters of this Policy Assignment. -
Create an exclusion
exclude_es_landing_zones
which will remove a set of Policy AssignmentsDeny-Priv-Escalation-AKS
,Deny-Priv-Containers-AKS
andDeny-http-Ingress-AKS
.
IMPORTANT: Ensure the module version is set to the latest, and don't forget to run
terraform init
if upgrading to a later version of the module..
To make the code easier to maintain when extending your configuration, we recommend splitting the root module into multiple files. For the purpose of this example, we use the following:
- main.tf
- lib/archetype_extension_es_landing_zones.tmpl.json
- lib/archetype_exclusion_es_landing_zones.tmpl.json
The main.tf
file contains the azurerm_client_config
resource, which is used to determine the Tenant ID from your user connection to Azure.
This is used to ensure the deployment will target your Tenant Root Group
by default.
This example code will deploy the minimum recommended management group and subscription organization from the Azure landing zone conceptual architecture.
To allow the declaration of custom or expanded templates, you must create a custom library folder within the root module and include the path to this folder using the library_path
variable within the module configuration.
In our example, the directory is /lib
.
NOTE: To learn more about module configuration using input variables, please refer to the Module Variables documentation.
# We strongly recommend using the required_providers block to set the
# Azure Provider source and version being used.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 3.74.0"
}
}
}
provider "azurerm" {
features {}
}
# You can use the azurerm_client_config data resource to dynamically
# extract connection settings from the provider configuration.
data "azurerm_client_config" "core" {}
# Call the caf-enterprise-scale module directly from the Terraform Registry
# pinning to the latest version
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
providers = {
azurerm = azurerm
azurerm.connectivity = azurerm
azurerm.management = azurerm
}
root_parent_id = data.azurerm_client_config.core.tenant_id
root_id = "myorg"
root_name = "My Organization"
library_path = "${path.root}/lib"
}
-
In the
/lib
directory create an**/archetype_extension_*.json
file. -
In the file
**/archetype_extension_*.json
add theextend_
prefix to the name of the desired built-in archetype definition and your custom settings.
IMPORTANT: Please ensure you create this file in the
/lib
directory within your root module.
In this example, we want to add the policy assignment "Deny-Resource-Locations"
and its related parameters in the built-in archetype es_landing_zones
-
In the
/lib
directory create anarchetype_extension_es_landing_zones.tmpl.json
file.- In the file
archetype_extension_es_landing_zones.tmpl.json
add this code:
- In the file
{
"extend_es_landing_zones": {
"policy_assignments": ["Deny-Resource-Locations"],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {
"Deny-Resource-Locations": {
"listOfAllowedLocations": ["eastus", "westus"]
}
},
"access_control": {}
}
}
}
-
In the
/lib
directory create an**/archetype_exclusion_*.json
file. -
In the file
**/archetype_exclusion_*.json
add theexclude_
prefix to the name of the desired built-in archetype definition and your custom settings.
IMPORTANT: Please ensure you create this file in the
/lib
directory within your root module.
In this example, we want to remove the policy assignments "Deny-Priv-Esc-AKS"
, Deny-Privileged-AKS
and Deny-Storage-http
from the built-in archetype es_landing_zones
-
In the
/lib
directory create anarchetype_exclusion_es_landing_zones.tmpl.json
file.- In the file
archetype_exclusion_es_landing_zones.tmpl.json
add this code:
- In the file
{
"exclude_es_landing_zones": {
"policy_assignments": [
"Deny-Priv-Esc-AKS",
"Deny-Privileged-AKS",
"Deny-Storage-http"
],
"policy_definitions": [],
"policy_set_definitions": [],
"role_definitions": [],
"archetype_config": {
"parameters": {},
"access_control": {}
}
}
}
You have successfully expanded the archetype(s) by adding or removing configuration settings from the built-in archetype definitions for your Azure landing zone.
TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 200 resources to be created by this module for a default installation.
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the docs/wiki/
folder.
- Home
- User guide
- Video guides
-
Examples
- Level 100
- Level 200
-
Level 300
- Deploy multi region networking with custom settings (Hub and Spoke)
- Deploy multi region networking with custom settings (Virtual WAN)
- Deploy with Zero Trust network principles (Hub and Spoke)
- Deploy identity resources with custom settings
- Deploy management resources with custom settings
- Expand built-in archetype definitions
- Create custom policies, initiatives and assignments
- Override module role assignments
- Control policy enforcement mode
- Policy assignments with user assigned managed identities
- Level 400
- Frequently Asked Questions
- Troubleshooting
- Contributing