Home
The Terraform Module for Cloud Adoption Framework Enterprise-scale provides an opinionated approach for delivering the core platform capabilities needed to start building Azure landing zones using Terraform.
This module deploys the foundations of the Cloud Adoption Framework enterprise-scale landing zone architecture, with a focus on the central resource hierarchy and governance.
The module provides a consistent approach for deploying and managing resources relating to the following Enterprise-scale critical design areas:
- Management Group and Subscription organisation
  - Create the Management Group resource hierarchy
  - Assign Subscriptions to Management Groups
  - Create custom Policy Assignments, Policy Definitions and Policy Set Definitions (Initiatives)
- Identity and access management
  - Create custom Role Assignments and Role Definitions
- Management and monitoring
  - Create a central Log Analytics workspace and Automation Account
  - Link Log Analytics workspace to the Automation Account
  - Deploy recommended Log Analytics Solutions
  - Enable Azure Defender
The Terraform Module for Cloud Adoption Framework Enterprise-scale provides an opinionated approach for delivering Azure landing zones using Terraform. Depending on the selected options, this module is able to deploy different groups of resources as needed.
This is currently split logically into the following capabilities:
- Core resources
- Management resources
The following sections outline the different resource types deployed and managed by this module, depending on the configuration options specified.
The core capability of this module deploys the foundations of the Cloud Adoption Framework enterprise-scale landing zone architecture, with a focus on the central resource hierarchy and governance.
The following resource types are deployed and managed by this module when using the core capabilities:
Azure Resource | Resource Type | Terraform Resource
---|---|---
Management Groups | Microsoft.Management/managementGroups | azurerm_management_group
Management Group Subscriptions | Microsoft.Management/managementGroups/subscriptions | azurerm_management_group
Policy Assignments | Microsoft.Authorization/policyAssignments | azurerm_policy_assignment
Policy Definitions | Microsoft.Authorization/policyDefinitions | azurerm_policy_definition
Policy Set Definitions | Microsoft.Authorization/policySetDefinitions | azurerm_policy_set_definition
Role Assignments | Microsoft.Authorization/roleAssignments | azurerm_role_assignment
Role Definitions | Microsoft.Authorization/roleDefinitions | azurerm_role_definition
The exact number of resources created depends on the module configuration, but you can expect upwards of 100 resources to be created by this module for a default installation based on the example below.

NOTE: None of these resources are deployed at the Subscription scope; however, Terraform still requires a Subscription to establish an authenticated session with Azure.
From release v0.2.0 onwards, the module includes new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
This brings the benefit of being able to manage the full lifecycle of these resources using Terraform, with native integration into the corresponding Policy Assignments to ensure full policy compliance.
The following resource types are deployed and managed by this module when the Management resources capabilities are enabled:
Azure Resource | Resource Type | Terraform Resource
---|---|---
Resource Groups | Microsoft.Resources/resourceGroups | azurerm_resource_group
Log Analytics Workspace | Microsoft.OperationalInsights/workspaces | azurerm_log_analytics_workspace
Log Analytics Solutions | Microsoft.OperationsManagement/solutions | azurerm_log_analytics_solution
Automation Account | Microsoft.Automation/automationAccounts | azurerm_automation_account
Log Analytics Linked Service | Microsoft.OperationalInsights/workspaces/linkedServices | azurerm_log_analytics_linked_service
Please refer to the Deploy Management Resources page on our Wiki for more information about how to use this capability.
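The configuration below is an added example, not the module's own README or wiki code; it shows the core capability (resource hierarchy under a tenant root) together with the Management resources capability enabled in the authenticated Subscription. It assumes the v0.2.x input names `root_parent_id`, `root_id`, `root_name`, `deploy_management_resources`, `subscription_id_management` and `configure_management_resources` as I recall them, and shows only the `configure_management_resources` keys relevant to log retention and Defender enablement; because that variable is a typed object, take the complete key list from the Deploy Management Resources wiki page and override only these values.

```hcl
provider "azurerm" {
  features {}
}

# The Subscription of the authenticated session (see the NOTE above) also
# hosts the Management resources in this example.
data "azurerm_client_config" "core" {}

locals {
  # ASSUMED key names; copy the full object from the wiki and override these.
  configure_management_resources = {
    settings = {
      log_analytics = {
        enabled = true
        config = {
          retention_in_days                   = 90   # keep activity data 3 months
          enable_monitoring_for_vm            = true
          enable_solution_for_azure_activity  = true
          enable_solution_for_change_tracking = true
          enable_solution_for_updates         = true
          enable_sentinel                     = true
        }
      }
      security_center = {
        enabled = true
        config = {
          email_security_contact = "soc@example.com" # placeholder contact
        }
      }
    }
    location = "northeurope"
    tags     = { owner = "platform" }
    advanced = null
  }
}

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "0.2.0" # pin exactly; bump deliberately after reviewing the plan

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = "myorg" # prefix for every Management Group ID created
  root_name      = "My Organisation"

  deploy_management_resources    = true
  subscription_id_management     = data.azurerm_client_config.core.subscription_id
  configure_management_resources = local.configure_management_resources
}
```

Run `terraform plan` against a non-production tenant first and review the 100+ planned resources before applying. The identity Terraform authenticates with must hold rights at the Tenant Root Group scope, since the Management Groups and their Policy and Role Assignments are created there rather than in the Subscription.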
Check out the User Guide, or go straight to our Examples.
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the docs/wiki/ folder.