-
Notifications
You must be signed in to change notification settings - Fork 36
[User Guide] Starter Module Terraform Sovereign Landing Zone
The sovereign_landing_zone
starter module provides full customization of the Sovereign Landing Zone (SLZ) using the inputs.yaml
file. The inputs.yaml
file provides the ability to enable and disable modules, configure module inputs and outputs, and configure module resources.
A custom inputs.yaml
file can be passed to the inputs
argument of the ALZ PowerShell Module. This allows you to firstly design your Azure Landing Zone, and then deploy it.
The default inputs.yaml
file will need to be modified based on the documentation below.
Example input files can be found here:
- inputs-azure-devops-terraform-sovereign-landing-zone.yaml
- inputs-github-terraform-sovereign-landing-zone.yaml
- inputs-local-terraform-sovereign-landing-zone.yaml
The following table describes the inputs for the sovereign_landing_zone
starter module.
Input | Required | Type | Default Value | Description |
---|---|---|---|---|
allowed_locations |
Required | List | This is a list of Azure regions all workloads running outside of the Confidential Management Group scopes are allowed to be deployed into. | |
allowed_locations_for_confidential_computing |
Required | List | This is a list of Azure regions all workloads running inside of the Confidential Management Group scopes are allowed to be deployed into. | |
az_firewall_policies_enabled |
Boolean | true |
Set to true to deploy a default Azure Firewall Policy resource if enable_firewall is also true . |
|
apply_alz_archetypes_via_architecture_definition_template |
Boolean | true |
This controls whether to apply the ALZ archetypes (polcy assignments) to the SLZ deployment. | |
bastion_outbound_ssh_rdp_ports |
List | ["22", "3389"] |
List of outbound remote access ports to enable on the Azure Bastion NSG if deploy_bastion is also true . |
|
custom_subnets |
Map | See inputs.yaml for default object. |
Map of subnets and their configurations to create within the hub network. | |
customer |
String | "Country/Region" |
Customer name to use when branding the compliance dashboard. | |
customer_policy_sets |
Map | See the Custom Compliance section below for details. | Map of customer specified policy initiatives to apply alongside the SLZ. | |
default_postfix |
String | Postfix value to append to all resources. | ||
default_prefix |
Required | String | slz |
Prefix value to append to all resources. |
deploy_bastion |
Boolean | true |
Set to true to deploy Azure Bastion within the hub network. |
|
deploy_ddos_protection |
Boolean | true |
Set to true to deploy Azure DDoS Protection within the hub network. |
|
deploy_hub_network |
Boolean | true |
Set to true to deploy the hub network. |
|
deploy_log_analytics_workspace |
Boolean | true |
Set to true to deploy Azure Log Analytics Workspace. |
|
enable_firewall |
Boolean | true |
Set to true to deploy Azure Firewall within the hub network. |
|
enable_telemetry |
Boolean | true |
Set to false to opt out of telemetry tracking. We use telemetry data to understand usage rates to help prioritize future development efforts. |
|
express_route_gateway_config |
Map | {name: "noconfigEr"} |
Leave as default to not deploy an ExpressRoute Gateway. See the Network Connectivity section below for details. | |
hub_network_address_prefix |
CIDR | "10.20.0.0/16" | This is the CIDR to use for the hub network. | |
landing_zone_management_group_children |
Map | See the Customize Application Landing Zones section below for details. | ||
log_analytics_workspace_retention_in_days |
Numeric | 365 | Number of days to retain logs in the Log Analytics Workspace. | |
ms_defender_for_cloud_email_security_contact |
[email protected] |
Email address to use for Microsoft Defender for Cloud. | ||
policy_assignment_enforcement_mode |
String | Default |
The enforcement mode to use for the Sovereign Baseline Policy initiatives. | |
policy_effect |
String | Deny |
The effect to use for the Sovereign Baseline Policy initiatives, when policies support multiple effects. | |
policy_exemptions |
Map | See the Custom Compliance section below for details. | Map of customer specified policy exemptions to use alongside the SLZ. | |
subscription_billing_scope |
String | Only required if you have not provided existing subscription IDs for management, connectivity, and identity. | ||
tags |
Map | See the Custom Tagging section below for details. | Set of tags to apply to all resources deployed. | |
use_premium_firewall |
Boolean | true |
Set to true to deploy Premium SKU of the Azure Firewall if enable_firewall is also true . |
|
vpn_gateway_config |
Map | {name: "noconfigEr"} |
Leave as default to not deploy an VPN Gateway. See the Network Connectivity section below for details. |
An example of the format for the customer_policy_sets
map is as follows:
customer_policy_sets: {
assignment1: {
policySetDefinitionId: "/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f",
policySetAssignmentName: "FedRAMPHigh",
policySetAssignmentDisplayName: "FedRAMP High",
policySetAssignmentDescription: "FedRAMP High",
policySetManagementGroupAssignmentScope: "/providers/Microsoft.management/managementGroups/<MG-ID-SCOPE>",
policyParameterFilePath: "./policy_parameters/policySetParameterSampleFile.json"
}
}
An example of the format for the policy_exemptions
map is as follows:
policy_exemptions: {
policy_exemption1: {
name: "globalexemption",
display_name: "global",
description: "test",
management_group_id: "/providers/Microsoft.management/managementGroups/<MG-ID-SCOPE>",
policy_assignment_id: "/providers/microsoft.management/managementGroups/<MG-ID-SCOPE>/providers/microsoft.Authorization/policyassignments/enforce-sovereign-global",
policy_definition_reference_ids: ["AllowedLocations"]
}
}
An example of the format for the landing_zone_management_group_children
map is as follows:
landing_zone_management_group_children: {
child1: {
id: "child1",
display_name: "Landing zone child one"
}
}
An example of the format for the tags
map is as follows:
tags: {
Environment: "Production",
ServiceName: "SLZ"
}
An example of the format for the express_route_gateway_config
map is as follows:
express_route_gateway_config: {
name: "express_route",
gatewayType: "ExpressRoute",
sku: "ErGw1AZ",
vpnType: "RouteBased",
vpnGatewayGeneration: null,
enableBgp: false,
activeActive: false,
enableBgpRouteTranslationForNat: false,
enableDnsForwarding: false,
asn: 65515,
bgpPeeringAddress: "",
peerWeight: 5
}
An example of the format for the vpn_gateway_config
map is as follows:
vpn_gateway_config: {
name: "vpn_gateway",
gatewayType: "Vpn",
sku: "VpnGw1",
vpnType: "RouteBased",
vpnGatewayGeneration: "Generation1",
enableBgp: false,
activeActive: false,
enableBgpRouteTranslationForNat: false,
enableDnsForwarding: false,
bgpPeeringAddress: "",
asn: 65515,
peerWeight: 5,
vpnClientConfiguration: {
vpnAddressSpace: ["10.2.0.0/24"]
}
}
The following are known issues with the Public Preview release for the SLZ.
Occasionally, terraform will attempt to recreate many resources under a subscription despite no resource configurations being changed. A temporary work around can be done by updating locals.tf
with the following:
locals {
subscription_id_management = "management_subscription_id"
subscription_id_connectivity = "connectivity_subscription_id"
subscription_id_identity = "identity_subscription_id"
}
The inputs for bootstrap_location
and starter_locations
must be identical, using the first region in starter_locations as the default location. Therefore, starter_locations is required and must include at least one region. In a future release, we will have defaults and overrides for these values.
Any updates should be made to the inputs.yaml
file and the tfvars will be updated upon executing the Deploy-Accelerator
PowerShell command.
There is no validation done to ensure subnets fall within the hub network CIDR or that subnets do not overlap. These issues will be uncovered during apply.
It is necessary to rerun az login
after creating subscriptions for terraform to pick up that they exist.
Updating the address prefix on either the hub network or subnets is not supported at this time.
Modifying the Top Level or Sub Level Management Group name is not supported at this time.
Certain resources are not receiving the default tags. This will be addressed in a future release.
Certain resources will show as being out of compliance by default. This will be addressed in a future release.
The Terraform-based deployment for the Sovereign Landing Zone (SLZ) provides an Enterprise Scale Landing Zone with equivalent compliance posture equal to that of our Bicep implementation. There is not currently a migration path between the two implementations, however multiple landing zones can be created with either deployment technology in the same Azure tenant.
The alz-archetypes
and slz-archetypes
are different from Terraform modules, but are used to deploy the management group hierarchy, policy assignments and management resources including the sovereign baseline policies. For more information on the archetypes, view the ALZ archetypes and the SLZ archetypes.
The subscription-vending
module is used to deploy the subscriptions and move them within the right management group scopes. For more information on the module itself see here.
The hubnetworking
module is used to deploy the hub VNET, Azure Firewall , Route Tables, and other networking primitives into the connectivity subscription. For more information on the module itself see here.
The private-link
module is used to deploy default private link private DNS Zones. For more information on the module itself see here.
The alz-management
module is used to deploy a set of management resources such as those for centralized logging. For more information on the module itself see here.
The resource-group
module is used to deploy a variety of resource groups within the default subscriptions. For more information on the module itself see here.
The portal-dashboard
module is used to deploy the default compliance dashboard. For more information on the module itself see here.
The azure-bastion
module is used to deploy Azure Bastion for remote access. For more information on the module itself see here.
The firewall-policy
module is used to deploy a default Azure Firewall Policy for further configuration. For more information on the module itself see here.
The ddos-protection
module is used to deploy a Standard SKU DDoS Protection Plan resource for network security. For more information on the module itself see here.
The public-ip
module is used to deploy a Azure Public IP resoures for offerings that need inbound public internet access such as the VPN and ExpressRoute Gateways. For more information on the module itself see here.
The networksecuritygroup
module is used to deploy a default NSG for the Azure Bastion subnet to restrict ingress and egress network access. For more information on the module itself see here.
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the docs/wiki/
folder.
- Home
-
User guide
- Getting started
- Quick Start
- Starter Modules
- Input Files
- Azure DevOps Bicep Complete
- Azure DevOps Terraform Complete Multi Region
- Azure DevOps Terraform Sovereign Landing Zone
- Azure DevOps Terraform Basic
- Azure DevOps Terraform Hub Networking
- Azure DevOps Terraform Complete
- GitHub Bicep Complete
- GitHub Terraform Complete Multi Region
- GitHub Terraform Sovereign Landing Zone
- GitHub Terraform Basic
- GitHub Terraform Hub Networking
- GitHub Terraform Complete
- Local Bicep Complete
- Local Terraform Complete Multi Region
- Local Terraform Sovereign Landing Zone
- Local Terraform Basic
- Local Terraform Hub Networking
- Local Terraform Complete
- Frequently Asked Questions
- Upgrade Guide
- Advanced Scenarios
- Troubleshooting
- Contributing