-
Notifications
You must be signed in to change notification settings - Fork 579
[Examples] Deploy Identity Resources With Custom Settings
This page describes how to deploy your Azure landing zone with the Identity resources created in the current Subscription context, using custom configuration settings.
Unlike the connectivity
and management
solutions, no resources are currently deployed when enabling deploy_identity_resources
.
Instead, the Policy Assignments associated with the identity
Management Group are enabled and configured based on the optional configure_identity_resources
input variable.
The module will also move the Subscription specified in subscription_id_identity
to the identity
Management Group, unless it is the same value specified in subscription_id_connectivity
or subscription_id_management
.
For the Identity resources, it is still possible to configure a number of policy settings through the configure_identity_resources
input variable.
In this example, we take the base Deploy Identity resources configuration and make the following changes:
- Add input variable on the root module for enabling/disabling Identity resources
- Add a local variable for
configure_identity_resources
and set custom values for the following:- Disable the
DeployIfNotExists
policy used to deploy and configure Azure Backup for Virtual Machines
- Disable the
Due to the way the Azure RM Provider manages dependencies, you may see a number of
azurerm_role_assignment
resources being replaced when updating Policy Assignments. Unfortunately this is a product limitation, but should have minimal impact due to the way Azure Policy works.
If you've already deployed the Identity resources using default settings, you will be able to see the changes made when moving to this configuration.
IMPORTANT: Ensure the module version is set to the latest, and don't forget to run
terraform init -upgrade
if upgrading to a later version of the module.
To make the code easier to maintain when extending your configuration, we recommend splitting the root module into multiple files. For the purpose of this example, we use the following:
TIP: The exact number of resources created depends on the module configuration, but you can expect upwards of 180 resources to be created by the module for this example.
The terraform.tf
file is used to set the provider configuration, including pinning to a specific version (or range of versions) for the AzureRM Provider. For production use, we recommend pinning to a specific version, and not using ranges.
# Configure Terraform to set the required AzureRM provider
# version and features{} block.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.107"
}
}
}
provider "azurerm" {
features {}
}
If you wish to assign a different Subscription to the identity
Management Group than the one used for deploying Core resources, please refer to our guide for Multi-Subscription deployment.
The variables.tf
file is used to declare a couple of example variables which are used to customize deployment of this root module. Defaults are provided for simplicity, but these should be replaced or over-ridden with values suitable for your environment.
# Use variables to customize the deployment
variable "root_id" {
type = string
default = "myorg"
}
variable "root_name" {
type = string
default = "My Organization"
}
variable "deploy_identity_resources" {
type = bool
default = true
}
The main.tf
file contains the azurerm_client_config
resource, which is used to determine the Tenant ID and Subscription ID values from your user connection to Azure. These are used to ensure the deployment will target your Tenant Root Group
by default, and to populate the subscription_id_identity
input variable.
It also contains the module declaration for this module, containing a number of customizations as needed to meet the specification defined in the overview above.
# Get the current client configuration from the AzureRM provider.
# This is used to populate the root_parent_id variable with the
# current Tenant ID used as the ID for the "Tenant Root Group"
# Management Group.
data "azurerm_client_config" "core" {}
# Declare the Azure landing zones Terraform module
# and provide a base configuration.
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
default_location = "<YOUR_LOCATION>"
providers = {
azurerm = azurerm
azurerm.connectivity = azurerm
azurerm.management = azurerm
}
root_parent_id = data.azurerm_client_config.core.tenant_id
root_id = var.root_id
root_name = var.root_name
deploy_identity_resources = var.deploy_identity_resources
subscription_id_identity = data.azurerm_client_config.core.subscription_id
configure_identity_resources = local.configure_identity_resources
}
The settings.identity.tf
file contains a local variable containing the custom configuration for the configure_identity_resources
input variable.
This helps to keep the module block clean, whilst providing clear separation between settings for different groups of resources.
# Configure the identity resources settings.
locals {
configure_identity_resources = {
settings = {
identity = {
enabled = true
config = {
enable_deny_public_ip = true
enable_deny_rdp_from_internet = true
enable_deny_subnet_without_nsg = true
enable_deploy_azure_backup_on_vms = false
}
}
}
}
}
You have successfully created the default Management Group resource hierarchy, along with the recommended Azure Policy and Access control (IAM) settings for your Azure landing zone.
You have also assigned the current Subscription from your provider configuration to the identity
Management Group.
Check the following Policy Assignments to see how these have been configured with settings matching your Identity resources configuration set by configure_identity_resources
:
- Scope =
identity
Deny-Public-IP
Deny-RDP-From-Internet
Deny-Subnet-Without-Nsg
Deploy-VM-Backup
These Policy Assignments should all be assigned with custom parameter values based on your configuration, with enforcement_mode
correctly set.
Once evaluated, the compliance state should also be updated and you can run remediation tasks to remediate any non-compliant resources.
In this example, only Deploy-VM-Backup
will be re-configured. In this case, we are simply setting enforcement_mode
to DoNotEnforce
.
No resources will be deployed in your identity
Subscription by this module.
If you are using Archetype Exclusions or custom Archetypes in your code, make sure to not disable the policies listed above if you require policy integration using this module. The relationship between the resources deployed and the Policy parameters is dependent on specific Policy Assignments being used.
Try toggling some of the other values in local.configure_identity_resources
, or setting var.deploy_identity_resources
to false
.
To learn more about module configuration using input variables, please refer to the Module Variables documentation.
Looking for further inspiration? Why not try some of our other examples?
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the docs/wiki/
folder.
- Home
- User guide
- Video guides
-
Examples
- Level 100
- Level 200
-
Level 300
- Deploy multi region networking with custom settings (Hub and Spoke)
- Deploy multi region networking with custom settings (Virtual WAN)
- Deploy with Zero Trust network principles (Hub and Spoke)
- Deploy identity resources with custom settings
- Deploy management resources with custom settings
- Expand built-in archetype definitions
- Create custom policies, initiatives and assignments
- Override module role assignments
- Control policy enforcement mode
- Policy assignments with user assigned managed identities
- Level 400
- Frequently Asked Questions
- Troubleshooting
- Contributing