A Terraform modules composition (feature) which includes services needed for Claranet RUN/MSP.
It includes:
- Log Management with the following resources:
  - Log Analytics Workspace
  - Storage Account with SAS Token to upload logs to
- A Key Vault
- FAME monitoring function for additional metrics. The following built-in metrics are sent:
  - fame.azure.application_gateway.instances: number of Application Gateway instances
  - fame.azure.backup.file_share: number of successful file shares backups
  - fame.azure.backup.vm: number of successful virtual machines backups
  - fame.azure.virtual_network_gateway.ike_event_success: number of successful ike events for a VPN Gateway
It includes some IaaS specifics:
- Azure Backup (example)
- A Recovery Services Vault to store VM backups (documentation).
- A VM backup policy to assign on VM instances (via the vm-backup module).
- A file share backup policy to assign on Storage Account file shares (via the backup_protected_file_share terraform resource)
- A diagnostics settings to manage logging (documentation)
- An Automation account to execute runbooks (documentation) (example)
- Legacy Azure Update Management using Automation Account (documentation) (example)
- A Data Collection Rule to gather metrics and logs from Virtual Machines (documentation)
- Azure Update Center using Update Management Center (documentation) (example)
Diagram of the full example usage having all features enabled:
- You need at least the Contributor role on the subscriptions to use `update_center_periodic_assessment_enabled` with Update Management Center module.
The integrated services can be used separately with the same inputs and outputs when it's a sub-module.
See logs module README.
See monitoring_function module README.
See Key Vault module: terraform-azurerm-keyvault.
See Azure Backup module README.
See Automation Account module README.
See Update Center module README and Update Management module (legacy) README.
This `run` module is a merge of the previous `run-common` and `run-iaas` modules.
Some previously pre-activated backup and update management features must now be explicitly enabled through `*_enabled` variables.
You must be on the latest version of the `run_iaas` and `run_common` modules before updating to the `run` module.
You can migrate your Terraform state with the following commands:
```shell
terraform state mv module.run_common.module.keyvault module.run.module.keyvault
terraform state mv module.run_common.module.logs module.run.module.logs
terraform state mv 'module.run_common.module.monitoring_function[0]' 'module.run.module.monitoring_function[0]'
terraform state mv module.run_iaas.module.automation_account 'module.run.module.automation_account[0]'
terraform state mv module.run_iaas.module.backup 'module.run.module.backup[0]'
terraform state mv module.run_iaas.module.update_management 'module.run.module.update_management[0]'
terraform state mv 'module.run_iaas.module.update_management_center["enabled"]' 'module.run.module.update_management_center["enabled"]'
terraform state mv module.run_iaas.module.vm_monitoring 'module.run.module.vm_monitoring[0]'
terraform state mv 'module.run_common.azurerm_role_assignment.function_workspace[0]' 'module.run.azurerm_role_assignment.function_workspace[0]'
terraform apply -target='module.run.null_resource.fake_function_condition[0]'
```
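A guarded way to run the migration above, as an added example that is not part of the module's own documentation: it takes a private backup of the state, keeps only the moves whose source address is present, and previews them with `terraform state mv -dry-run` before applying. The function names (`has_address`, `plan_moves`, `migrate`) and the backup file name are assumptions; the address pairs are copied from the commands above.

```shell
#!/bin/sh
# Added example: guarded version of the state migration listed above.
# Address pairs (SRC|DST) are copied from the page's `terraform state mv` commands.
MOVES='module.run_common.module.keyvault|module.run.module.keyvault
module.run_common.module.logs|module.run.module.logs
module.run_common.module.monitoring_function[0]|module.run.module.monitoring_function[0]
module.run_iaas.module.automation_account|module.run.module.automation_account[0]
module.run_iaas.module.backup|module.run.module.backup[0]
module.run_iaas.module.update_management|module.run.module.update_management[0]
module.run_iaas.module.update_management_center["enabled"]|module.run.module.update_management_center["enabled"]
module.run_iaas.module.vm_monitoring|module.run.module.vm_monitoring[0]
module.run_common.azurerm_role_assignment.function_workspace[0]|module.run.azurerm_role_assignment.function_workspace[0]'

# has_address SRC: reads `terraform state list` output on stdin and succeeds when
# SRC is a full address or a module prefix ending at a "." or "[" boundary, so
# update_management does not match update_management_center.
has_address() {
  awk -v src="$1" '
    index($0, src) == 1 {
      c = substr($0, length(src) + 1, 1)
      if (c == "" || c == "." || c == "[") found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# plan_moves FILE: FILE holds `terraform state list` output. Prints the SRC|DST
# pairs that apply to this state; sources that are absent are reported on stderr.
plan_moves() {
  printf '%s\n' "$MOVES" | while IFS='|' read -r src dst; do
    if has_address "$src" < "$1"; then
      printf '%s|%s\n' "$src" "$dst"
    else
      printf 'skip, not in state: %s\n' "$src" >&2
    fi
  done
}

# migrate [dry-run|apply]: backs up the state, then previews or performs the moves.
migrate() {
  mode=${1:-dry-run}
  work=$(mktemp -d) || return 1
  backup="run-migration-$(date +%Y%m%dT%H%M%S).tfstate"   # assumed file name
  # The state stores the storage access keys, connection strings and workspace
  # shared keys this module outputs, so the backup must not be world-readable.
  ( umask 077; terraform state pull > "$backup" ) || return 1
  terraform state list > "$work/list" || return 1
  plan_moves "$work/list" > "$work/moves"
  status=0
  while IFS='|' read -r src dst; do
    if [ "$mode" = apply ]; then
      terraform state mv "$src" "$dst" < /dev/null || { status=1; break; }
    else
      terraform state mv -dry-run "$src" "$dst" < /dev/null || { status=1; break; }
    fi
  done < "$work/moves"
  rm -rf "$work"
  echo "state backup kept in $backup" >&2
  return "$status"
}
# Usage: `migrate` to preview, `migrate apply` to move. The final
# `terraform apply -target=...` step from the page is still run afterwards.
```

Delete or vault the backup file once the migration is confirmed, since it carries the same secrets as the live state.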
Module version | Terraform version | AzureRM version |
---|---|---|
>= 7.x.x | 1.3.x | >= 3.0 |
>= 6.x.x | 1.x | >= 3.0 |
>= 5.x.x | 0.15.x | >= 2.0 |
>= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
>= 3.x.x | 0.12.x | >= 2.0 |
>= 2.x.x | 0.12.x | < 2.0 |
< 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment needed by this module.
More details about the variables set by the terraform-wrapper are available in the documentation.
```hcl
module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "run" {
  source  = "claranet/run/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  # Placeholder: pass the real Splunk Observability token in from a sensitive
  # variable or secret store instead of committing a literal.
  monitoring_function_splunk_token = "xxxxxx"

  monitoring_function_metrics_extra_dimensions = {
    env           = var.environment
    sfx_monitored = "true"
  }

  extra_tags = {
    foo = "bar"
  }
}
```
Name | Version |
---|---|
azurerm | ~> 3.114 |
null | ~> 3.0 |
Name | Source | Version |
---|---|---|
automation_account | ./modules/automation-account | n/a |
backup | ./modules/backup | n/a |
keyvault | claranet/keyvault/azurerm | ~> 7.6.0 |
logs | ./modules/logs | n/a |
monitoring_function | ./modules/monitoring-function | n/a |
update_management | ./modules/update-management | n/a |
update_management_center | ./modules/update-center | n/a |
vm_monitoring | ./modules/vm-monitoring | n/a |
Name | Type |
---|---|
azurerm_role_assignment.function_subscription | resource |
azurerm_role_assignment.function_workspace | resource |
null_resource.fake_function_condition | resource |
azurerm_client_config.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
automation_account_enabled | Whether the Automation Account is enabled. Enabled if legacy Update Management is enabled. | bool | false | no |
automation_account_extra_tags | Extra tags to add to Automation Account. | map(string) | {} | no |
automation_account_identity_type | Automation Account identity type. Possible values include: `null`, `SystemAssigned` and `UserAssigned`. | object({ | { | no |
automation_account_sku | Automation account Sku. | string | "Basic" | no |
automation_custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string | "default" | no |
automation_logs_categories | Log categories to send to destinations. | list(string) | null | no |
automation_logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be `Storage Account`, `Log Analytics Workspace` and `Event Hub`. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formatted string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `\|` character. | list(string) | [] |
automation_logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
backup_custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string | "default" | no |
backup_file_share_enabled | Whether the File Share backup is enabled. | bool | false | no |
backup_logs_categories | Log categories to send to destinations. | list(string) | null | no |
backup_logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be `Storage Account`, `Log Analytics Workspace` and `Event Hub`. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formatted string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `\|` character. | list(string) | [] |
backup_logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
backup_managed_disk_enabled | Whether the Managed Disk backup is enabled. | bool | false | no |
backup_postgresql_enabled | Whether the PostgreSQL backup is enabled. | bool | false | no |
backup_storage_blob_enabled | Whether the Storage blob backup is enabled. | bool | false | no |
backup_vault_custom_name | Azure Backup Vault custom name. Empty by default, using naming convention. | string | "" | no |
backup_vault_datastore_type | Type of data store used for the Backup Vault. | string | "VaultStore" | no |
backup_vault_extra_tags | Extra tags to add to Backup Vault. | map(string) | {} | no |
backup_vault_geo_redundancy_enabled | Whether the geo redundancy is enabled on the Backup Vault. | bool | true | no |
backup_vault_identity_type | Azure Backup Vault identity type. Possible values include: `null`, `SystemAssigned`. Default to `SystemAssigned`. | string | "SystemAssigned" | no |
backup_vm_enabled | Whether the Virtual Machines backup is enabled. | bool | false | no |
client_name | Client name. | string | n/a | yes |
custom_automation_account_name | Automation account custom name. | string | "" | no |
data_collection_syslog_facilities_names | List of syslog to retrieve in Data Collection Rule. | list(string) | [ | no |
data_collection_syslog_levels | List of syslog levels to retrieve in Data Collection Rule. | list(string) | [ | no |
dcr_custom_name | VM Monitoring - Data Collection rule custom name. | string | "" | no |
default_tags_enabled | Whether the default tags are enabled. | bool | true | no |
deploy_update_management_solution | Whether the Log Analytics Update solution is deployed. | bool | true | no |
environment | Environment name. | string | n/a | yes |
extra_tags | Extra tags to add. | map(string) | {} | no |
file_share_backup_daily_policy_retention | The number of daily file share backups to keep. Must be between 7 and 9999. | number | 30 | no |
file_share_backup_monthly_retention | Map to configure the monthly File Share backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_monthly | object({ | null | no |
file_share_backup_policy_custom_name | Azure Backup - File share backup policy custom name. Empty by default, using naming convention. | string | "" | no |
file_share_backup_policy_frequency | Specifies the frequency for file_share backup schedules. Must be either `Daily` or `Weekly`. | string | "Daily" | no |
file_share_backup_policy_time | The time of day to perform the file share backup in 24hour format. | string | "04:00" | no |
file_share_backup_policy_timezone | Specifies the timezone for file share backup schedules. Defaults to `UTC`. | string | "UTC" | no |
file_share_backup_weekly_retention | Map to configure the weekly File Share backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_weekly | object({ | null | no |
file_share_backup_yearly_retention | Map to configure the yearly File Share backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_yearly | object({ | null | no |
keyvault_admin_objects_ids | Ids of the objects that can do all operations on all keys, secrets and certificates | list(string) | [] | no |
keyvault_custom_name | Name of the Key Vault, generated if not set. | string | "" | no |
keyvault_enabled_for_deployment | Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool | false | no |
keyvault_enabled_for_disk_encryption | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool | false | no |
keyvault_enabled_for_template_deployment | Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool | false | no |
keyvault_extra_tags | Extra tags to add to the Key Vault | map(string) | {} | no |
keyvault_logs_categories | Log categories to send to destinations. All by default. | list(string) | null | no |
keyvault_logs_metrics_categories | Metrics categories to send to destinations. All by default. | list(string) | null | no |
keyvault_managed_hardware_security_module_enabled | Create a KeyVault Managed HSM resource if enabled. Changing this forces a new resource to be created. | bool | false | no |
keyvault_network_acls | Object with attributes: `bypass`, `default_action`, `ip_rules`, `virtual_network_subnet_ids`. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information. | object({ | {} | no |
keyvault_public_network_access_enabled | Whether access to the Key Vault, from a public network is allowed. | bool | false | no |
keyvault_rbac_authorization_enabled | Whether the Key Vault uses Role Based Access Control (RBAC) for authorization of data actions instead of access policies. | bool | false | no |
keyvault_reader_objects_ids | Ids of the objects that can read all keys, secrets and certificates | list(string) | [] | no |
keyvault_resource_group_name | Resource Group the Key Vault will belong to. Will use `resource_group_name` if not set. | string | "" | no |
keyvault_sku | The Name of the SKU used for this Key Vault. Possible values are "standard" and "premium". | string | "standard" | no |
keyvault_soft_delete_retention_days | The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` days. | number | 7 | no |
linux_update_management_config_name | Custom configuration name for Linux Update management. | string | "Standard Linux Update Schedule" | no |
linux_update_management_configuration | Linux specific update management configuration. Possible values for reboot_setting are `IfRequired`, `RebootOnly`, `Never`, `Always`. More information on the documentation. | any | { | no |
linux_update_management_duration | To set the maintenance window for Linux machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | null | no |
linux_update_management_schedule | Map of specific schedule parameters for update management of Linux machines. All parameters are available on the documentation. | list(any) | null | no |
linux_update_management_scope | Scope of the update management for Linux machines, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
linux_update_management_tags_filtering | Filter scope for Linux machines using tags on VMs. Example: `{ os_family = ["linux"] }`. | map(any) | null | no |
linux_update_management_tags_filtering_operator | Filter Linux VMs by Any or All specified tags. Possible values are `All` or `Any`. | string | null | no |
location | Azure location. | string | n/a | yes |
location_short | Short string for Azure location. | string | n/a | yes |
log_analytics_resource_group_name | Log Analytics Workspace resource group name (if different from `resource_group_name` variable). | string | null | no |
log_analytics_workspace_custom_name | Azure Log Analytics Workspace custom name. Empty by default, using naming convention. | string | "" | no |
log_analytics_workspace_daily_quota_gb | The workspace daily quota for ingestion in GB. Defaults to -1 (unlimited). | number | -1 | no |
log_analytics_workspace_extra_tags | Extra tags to add to the Log Analytics Workspace | map(string) | {} | no |
log_analytics_workspace_id | Log Analytics Workspace ID where the logs are sent and linked to Automation account. | string | null | no |
log_analytics_workspace_link_enabled | Enable Log Analytics Workspace that will be connected with the automation account. | bool | true | no |
log_analytics_workspace_name_prefix | Log Analytics name prefix | string | "" | no |
log_analytics_workspace_retention_in_days | The workspace data retention in days. Possible values range between 30 and 730. | number | 30 | no |
log_analytics_workspace_sku | Specifies the SKU of the Log Analytics Workspace. Possible values are Free, PerNode, Premium, Standard, Standalone, Unlimited, and PerGB2018 (new Sku as of 2018-04-03). | string | "PerGB2018" | no |
logs_delete_after_days_since_modification_greater_than | Delete blob after x days without modification | number | 365 | no |
logs_resource_group_name | Resource Group the resources for log management will belong to. Will use `resource_group_name` if not set. | string | "" | no |
logs_storage_account_access_tier | Defines the access tier for `BlobStorage`, `FileStorage` and `StorageV2` accounts. Valid options are `Hot` and `Cool`, defaults to `Hot`. | string | "Hot" | no |
logs_storage_account_archived_logs_fileshare_name | Name of the file share in which externalized logs are stored | string | "archived-logs" | no |
logs_storage_account_archived_logs_fileshare_quota | The maximum size in GB of the archived-logs file share, default is 5120 | number | null | no |
logs_storage_account_custom_name | Storage Account for logs custom name. Empty by default, using naming convention. | string | "" | no |
logs_storage_account_customer_managed_key | Customer Managed Key. Please refer to the documentation for more information. | object({ | null | no |
logs_storage_account_enable_advanced_threat_protection | Enable/disable Advanced Threat Protection, see here for more information. | bool | false | no |
logs_storage_account_enable_archived_logs_fileshare | Enable/disable archived-logs file share creation | bool | false | no |
logs_storage_account_enable_archiving | Enable/disable blob archiving lifecycle | bool | true | no |
logs_storage_account_enable_https_traffic_only | Enable/disable HTTPS traffic only | bool | true | no |
logs_storage_account_enabled | Whether the dedicated Storage Account for logs is deployed. | bool | true | no |
logs_storage_account_extra_tags | Extra tags to add to the logs Storage Account | map(string) | {} | no |
logs_storage_account_identity_ids | List of User Assigned Identity IDs to assign to the Storage Account. | list(string) | null | no |
logs_storage_account_identity_type | The identity type of the storage account. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`. | string | "SystemAssigned" | no |
logs_storage_account_kind | Storage Account Kind | string | "StorageV2" | no |
logs_storage_account_name_prefix | Storage Account name prefix | string | "" | no |
logs_storage_account_replication_type | Storage Account Replication type | string | "LRS" | no |
logs_storage_account_tier | Storage Account tier | string | "Standard" | no |
logs_storage_min_tls_version | Storage Account minimal TLS version | string | "TLS1_2" | no |
logs_tier_to_archive_after_days_since_modification_greater_than | Change blob tier to Archive after x days without modification | number | 90 | no |
logs_tier_to_cool_after_days_since_modification_greater_than | Change blob tier to cool after x days without modification | number | 30 | no |
managed_disk_backup_daily_policy_retention_in_days | The number of days to keep the first daily Managed Disk backup. | number | null | no |
managed_disk_backup_policy_custom_name | Azure Backup - Managed disk backup policy custom name. Empty by default, using naming convention. | string | "" | no |
managed_disk_backup_policy_interval_in_hours | The Managed Disk backup interval in hours. | string | 24 | no |
managed_disk_backup_policy_retention_in_days | The number of days to keep the Managed Disk backup. | number | 30 | no |
managed_disk_backup_policy_time | The time of day to perform the Managed Disk backup in 24 hours format (eg 04:00). | string | "04:00" | no |
managed_disk_backup_weekly_policy_retention_in_weeks | The number of weeks to keep the first weekly Managed Disk backup. | number | null | no |
monitoring_function_advanced_threat_protection_enabled | FAME function app's storage account: Enable Advanced Threat Protection | bool | false | no |
monitoring_function_app_service_plan_name | FAME App Service Plan custom name. Empty by default, using naming convention. | string | null | no |
monitoring_function_application_insights_custom_name | FAME Application Insights custom name. Empty by default, using naming convention | string | null | no |
monitoring_function_application_insights_enabled | Whether FAME Application Insights is deployed. | bool | true | no |
monitoring_function_assign_roles | True to assign roles for the monitoring Function on the Log Analytics Workspace (Log Analytics Reader) and the Subscription (Reader). | bool | true | no |
monitoring_function_enabled | Whether additional Monitoring Function is enabled. | bool | true | no |
monitoring_function_extra_application_settings | Extra application settings to set on monitoring Function | map(string) | {} | no |
monitoring_function_extra_tags | Monitoring function extra tags to add | map(string) | {} | no |
monitoring_function_function_app_custom_name | FAME Function App custom name. Empty by default, using naming convention. | string | null | no |
monitoring_function_logs_categories | Monitoring function log categories to send to destinations. All by default. | list(string) | null | no |
monitoring_function_logs_metrics_categories | Monitoring function metrics categories to send to destinations. All by default. | list(string) | null | no |
monitoring_function_metrics_extra_dimensions | Extra dimensions sent with metrics | map(string) | {} | no |
monitoring_function_splunk_token | Access Token to send metrics to Splunk Observability | string | null | no |
monitoring_function_storage_account_custom_name | FAME Storage Account custom name. Empty by default, using naming convention. | string | null | no |
monitoring_function_zip_package_path | Zip package path for monitoring function | string | "https://github.com/claranet/fame/releases/download/v1.2.1/fame.zip" | no |
name_prefix | Optional prefix for the generated name. | string | "" | no |
name_suffix | Optional suffix for the generated name. | string | "" | no |
postgresql_backup_daily_policy_retention_in_days | The number of days to keep the first daily Postgresql backup. | number | null | no |
postgresql_backup_monthly_policy_retention_in_months | The number of months to keep the first monthly Postgresql backup. | number | null | no |
postgresql_backup_policy_custom_name | Azure Backup - PostgreSQL backup policy custom name. Empty by default, using naming convention. | string | "" | no |
postgresql_backup_policy_interval_in_hours | The Postgresql backup interval in hours. | string | 24 | no |
postgresql_backup_policy_retention_in_days | The number of days to keep the Postgresql backup. | number | 30 | no |
postgresql_backup_policy_time | The time of day to perform the Postgresql backup in 24 hours format (eg 04:00). | string | "04:00" | no |
postgresql_backup_weekly_policy_retention_in_weeks | The number of weeks to keep the first weekly Postgresql backup. | number | null | no |
recovery_vault_cross_region_restore_enabled | Is cross region restore enabled for this Vault? Can only be `true`, when `storage_mode_type` is `GeoRedundant`. | bool | true | no |
recovery_vault_custom_name | Azure Recovery Vault custom name. Empty by default, using naming convention. | string | "" | no |
recovery_vault_extra_tags | Extra tags to add to Recovery Vault. | map(string) | {} | no |
recovery_vault_identity_type | Azure Recovery Vault identity type. Possible values include: `null`, `SystemAssigned`. Default to `SystemAssigned`. | string | "SystemAssigned" | no |
recovery_vault_sku | Azure Recovery Vault SKU. Possible values include: `Standard`, `RS0`. Default to `Standard`. | string | "Standard" | no |
recovery_vault_soft_delete_enabled | Is soft delete enabled for this Vault? Defaults to `true`. | bool | true | no |
recovery_vault_storage_mode_type | The storage type of the Recovery Services Vault. Possible values are `GeoRedundant`, `LocallyRedundant` and `ZoneRedundant`. Defaults to `GeoRedundant`. | string | "GeoRedundant" | no |
resource_group_name | Resource Group the resources will belong to. | string | n/a | yes |
stack | Stack name. | string | n/a | yes |
storage_blob_backup_policy_custom_name | Azure Backup - Storage blob backup policy custom name. Empty by default, using naming convention. | string | "" | no |
storage_blob_backup_policy_retention_in_days | The number of days to keep the Storage blob backup. | number | 30 | no |
tenant_id | Tenant ID. | string | null | no |
update_center_enabled | Whether the Update Management Center is enabled. | bool | false | no |
update_center_maintenance_configurations | Update Management Center maintenance configurations. https://learn.microsoft.com/en-us/azure/virtual-machines/maintenance-configurations. | list(object({ | [] | no |
update_center_periodic_assessment_enabled | Enable auto-assessment (every 24 hours) for OS updates on native Azure virtual machines by assigning Azure Policy. | bool | true | no |
update_center_periodic_assessment_exclusions | Exclude some resources from auto-assessment. | list(string) | [] | no |
update_center_periodic_assessment_scopes | Scope to assign the Azure Policy for auto-assessment. Can be Management Groups, Subscriptions, Resource Groups or Virtual Machines. | list(string) | [] | no |
update_management_duration | To set the maintenance window, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | "PT2H" | no |
update_management_legacy_enabled | Whether the legacy Update Management is enabled. This enables the Automation Account feature. | bool | false | no |
update_management_name_prefix | Name prefix to apply on Update Management resources. | string | null | no |
update_management_os_list | List of OS to cover. Possible values can be `Windows` or `Linux`. Define empty list to disable update management. | list(string) | [] | no |
update_management_schedule | List of Map with schedule parameters for update management. All parameters are available on the documentation. | list(any) | [] | no |
update_management_scope | Scope of the update management, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
update_management_tags_filtering | Filter scope using tags on VMs. Example: `{ os_family = ["linux"] }`. | map(any) | {} | no |
update_management_tags_filtering_operator | Filter VMs by Any or All specified tags. Possible values are `All` or `Any`. | string | "Any" | no |
use_caf_naming | Use the Azure CAF naming provider to generate default resource name. `*custom_name` override this if set. Legacy default name is used if this is set to `false`. | bool | true | no |
vm_backup_daily_policy_retention | The number of daily VM backups to keep. Must be between 7 and 9999. | number | 30 | no |
vm_backup_monthly_retention | Map to configure the monthly VM backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_monthly | object({ | null | no |
vm_backup_policy_custom_name | Azure Backup - VM backup policy custom name. Empty by default, using naming convention. | string | "" | no |
vm_backup_policy_frequency | Specifies the frequency for VM backup schedules. Must be either `Daily` or `Weekly`. | string | "Daily" | no |
vm_backup_policy_time | The time of day to perform the VM backup in 24hour format. | string | "04:00" | no |
vm_backup_policy_timezone | Specifies the timezone for VM backup schedules. Defaults to `UTC`. | string | "UTC" | no |
vm_backup_policy_type | Type of the Backup Policy. Possible values are `V1` and `V2` where `V2` stands for the Enhanced Policy. Defaults to `V1`. Changing this forces a new resource to be created. | string | "V1" | no |
vm_backup_weekly_retention | Map to configure the weekly VM backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_weekly | object({ | null | no |
vm_backup_yearly_retention | Map to configure the yearly VM backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_yearly | object({ | null | no |
vm_monitoring_enabled | Whether Data Collection Rules for VM monitoring are enabled. | bool | false | no |
windows_update_management_configuration | Windows specific update management configuration. Possible values for reboot_setting are `IfRequired`, `RebootOnly`, `Never`, `Always`. More information on the documentation. | any | { | no |
windows_update_management_configuration_name | Custom configuration name for Windows Update management. | string | "Standard Windows Update Schedule" | no |
windows_update_management_duration | To set the maintenance window for Windows machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | null | no |
windows_update_management_schedule | Map of specific schedule parameters for update management of Windows machines. All parameters are available on the documentation. | list(any) | null | no |
windows_update_management_scope | Scope of the update management for Windows machines, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
windows_update_management_tags_filtering | Filter scope for Windows machines using tags on VMs. Example: `{ os_family = ["windows"] }`. | map(any) | null | no |
windows_update_management_tags_filtering_operator | Filter Windows VMs by Any or All specified tags. Possible values are `All` or `Any`. | string | null | no |
Name | Description |
---|---|
automation_account_dsc_primary_access_key | Azure Automation Account DSC primary access key. |
automation_account_dsc_secondary_access_key | Azure Automation Account DSC secondary access key. |
automation_account_dsc_server_endpoint | Azure Automation Account DSC server endpoint. |
automation_account_id | Azure Automation Account ID. |
automation_account_identity | Identity block with principal ID and tenant ID |
automation_account_name | Azure Automation Account name. |
backup_vault_id | Azure Backup Vault ID. |
backup_vault_identity | Azure Backup Services Vault identity. |
backup_vault_name | Azure Backup Vault name. |
data_collection_rule | Azure Monitor Data Collection Rule object. |
data_collection_rule_id | ID of the Azure Monitor Data Collection Rule. |
data_collection_rule_name | Name of the Azure Monitor Data Collection Rule. |
file_share_backup_policy_id | File share Backup policy ID. |
file_share_backup_policy_name | File share Backup policy name. |
key_vault_hsm_uri | The URI of the Key Vault Managed Hardware Security Module, used for performing operations on keys. |
keyvault_id | ID of the Key Vault. |
keyvault_name | Name of the Key Vault. |
keyvault_resource_group_name | Resource Group of the Key Vault. |
keyvault_uri | URI of the Key Vault. |
log_analytics_workspace_guid | The Log Analytics Workspace GUID. |
log_analytics_workspace_id | The Log Analytics Workspace ID. |
log_analytics_workspace_location | The Log Analytics Workspace location. |
log_analytics_workspace_name | The Log Analytics Workspace name. |
log_analytics_workspace_primary_key | The primary shared key for the Log Analytics Workspace. |
log_analytics_workspace_secondary_key | The secondary shared key for the Log Analytics Workspace. |
logs_resource_group_name | Resource Group of the logs resources. |
logs_storage_account_archived_logs_fileshare_name | Name of the file share in which externalized logs are stored. |
logs_storage_account_id | ID of the logs Storage Account. |
logs_storage_account_name | Name of the logs Storage Account. |
logs_storage_account_primary_access_key | Primary access key of the logs Storage Account. |
logs_storage_account_primary_connection_string | Primary connection string of the logs Storage Account. |
logs_storage_account_secondary_access_key | Secondary access key of the logs Storage Account. |
logs_storage_account_secondary_connection_string | Secondary connection string of the logs Storage Account. |
maintenance_configurations | Update Center Maintenance Configurations information. |
managed_disk_backup_policy_id | Managed disk Backup policy ID. |
monitoring_function_application_insights_app_id | App ID of the associated Application Insights |
monitoring_function_application_insights_application_type | Application Type of the associated Application Insights |
monitoring_function_application_insights_id | ID of the associated Application Insights |
monitoring_function_application_insights_instrumentation_key | Instrumentation key of the associated Application Insights |
monitoring_function_application_insights_name | Name of the associated Application Insights |
monitoring_function_function_app_connection_string | Connection string of the created Function App |
monitoring_function_function_app_id | ID of the created Function App |
monitoring_function_function_app_identity | Identity block output of the Function App |
monitoring_function_function_app_name | Name of the created Function App |
monitoring_function_function_app_outbound_ip_addresses | Outbound IP addresses of the created Function App |
monitoring_function_service_plan_id | ID of the created Service Plan |
monitoring_function_service_plan_name | Name of the created Service Plan |
monitoring_function_storage_account_id | ID of the associated Storage Account, empty if connection string provided |
monitoring_function_storage_account_name | Name of the associated Storage Account, empty if connection string provided |
monitoring_function_storage_account_primary_access_key | Primary access key of the associated Storage Account, empty if connection string provided |
monitoring_function_storage_account_primary_connection_string | Primary connection string of the associated Storage Account, empty if connection string provided |
monitoring_function_storage_account_secondary_access_key | Secondary access key of the associated Storage Account, empty if connection string provided |
monitoring_function_storage_account_secondary_connection_string | Secondary connection string of the associated Storage Account, empty if connection string provided |
monitoring_function_storage_queries_table_name | Name of the queries table in the Storage Account, empty if connection string provided |
postgresql_backup_policy_id | PostgreSQL Backup policy ID. |
recovery_vault_id | Azure Recovery Services Vault ID. |
recovery_vault_identity | Azure Recovery Services Vault identity. |
recovery_vault_name | Azure Recovery Services Vault name. |
storage_blob_backup_policy_id | Storage blob Backup policy ID. |
terraform_module | Information about this Terraform module |
vm_backup_policy_id | VM Backup policy ID. |
vm_backup_policy_name | VM Backup policy name. |
- Microsoft Azure Monitor logs documentation: docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview
- Microsoft Azure Key Vault documentation: docs.microsoft.com/en-us/azure/key-vault/
- Microsoft Update management documentation: docs.microsoft.com/en-us/azure/automation/update-management/overview
- Microsoft ARM template for Update management documentation: docs.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts/softwareupdateconfigurations