Terraform module composition (feature) to setup Claranet MSP Azure tools

claranet/terraform-azurerm-run

Azure RUN feature

Changelog Notice Apache V2 License OpenTofu Registry

A Terraform module composition (feature) that includes the services needed for Claranet RUN/MSP.

It includes:

  • Log Management with the following resources:
    • Log Analytics Workspace
    • Storage Account with SAS Token to upload logs to
  • A Key Vault
  • FAME monitoring function for additional metrics. The following built-in metrics are sent:
    • fame.azure.application_gateway.instances: number of Application Gateway instances
    • fame.azure.backup.file_share: number of successful file shares backups
    • fame.azure.backup.vm: number of successful virtual machines backups
    • fame.azure.virtual_network_gateway.ike_event_success: number of successful ike events for a VPN Gateway

It includes some IaaS specifics:

Diagram of the full example usage having all features enabled:

All deployed resources

Requirements

  • You need at least the Contributor role on the subscriptions to use update_center_periodic_assessment_enabled with Update Management Center module.

Using sub-modules

Each integrated service that is provided as a sub-module can also be used separately, with the same inputs and outputs.

Log management

See logs module README.

Monitoring function

See monitoring_function module README.

Key Vault

See Key Vault module: terraform-azurerm-keyvault.

Azure Backup

See Azure Backup module README.

Automation Account

See Automation Account module README.

Azure Update

See Update Center module README and Update Management module (legacy) README.

Migrating from older modules

This run module is a merge of the previous run-common and run-iaas modules.

Some backup and update management features that were previously pre-activated must now be explicitly enabled through *_enabled variables. You must be on the latest version of the run_iaas and run_common modules before updating to the run module.

You can migrate your Terraform state with the following commands:

terraform state mv module.run_common.module.keyvault module.run.module.keyvault
terraform state mv module.run_common.module.logs module.run.module.logs
terraform state mv 'module.run_common.module.monitoring_function[0]' 'module.run.module.monitoring_function[0]'
terraform state mv module.run_iaas.module.automation_account 'module.run.module.automation_account[0]'
terraform state mv module.run_iaas.module.backup 'module.run.module.backup[0]'
terraform state mv module.run_iaas.module.update_management 'module.run.module.update_management[0]'
terraform state mv 'module.run_iaas.module.update_management_center["enabled"]' 'module.run.module.update_management_center["enabled"]'
terraform state mv module.run_iaas.module.vm_monitoring 'module.run.module.vm_monitoring[0]'
terraform state mv 'module.run_common.azurerm_role_assignment.function_workspace[0]' 'module.run.azurerm_role_assignment.function_workspace[0]'
terraform apply -target='module.run.null_resource.fake_function_condition[0]'

Global versioning rule for Claranet Azure modules

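| Module version | Terraform version | AzureRM version |
| -------------- | ----------------- | --------------- |
| >= 7.x.x       | 1.3.x             | >= 3.0          |
| >= 6.x.x       | 1.x               | >= 3.0          |
| >= 5.x.x       | 0.15.x            | >= 2.0          |
| >= 4.x.x       | 0.13.x / 0.14.x   | >= 2.0          |
| >= 3.x.x       | 0.12.x            | >= 2.0          |
| >= 2.x.x       | 0.12.x            | < 2.0           |
| < 2.x.x        | 0.11.x            | < 2.0           |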

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module. More details about the variables set by the terraform-wrapper are available in the documentation.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "run" {
  source  = "claranet/run/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  monitoring_function_splunk_token = "xxxxxx"
  monitoring_function_metrics_extra_dimensions = {
    env           = var.environment
    sfx_monitored = "true"
  }

  extra_tags = {
    foo = "bar"
  }
}
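
A variant of the module "run" block above, with the Splunk token taken from a sensitive variable instead of a literal and the security-relevant inputs from the Inputs table set explicitly. This is an added example, not taken from the Claranet README; the variable declaration and the re-exported output are assumptions, and it relies on the azure_region and rg modules from the usage above.

```hcl
# Added example (not from the module's README).
# Supply the token out of band, for instance through the environment:
#   export TF_VAR_monitoring_function_splunk_token=...
variable "monitoring_function_splunk_token" {
  description = "Access token used by the FAME function to send metrics to Splunk Observability."
  type        = string
  sensitive   = true # redacted in plan/apply output; still written to the state file
}

module "run" {
  source  = "claranet/run/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  # Weak form shown in the usage above: a literal token in the configuration.
  #   monitoring_function_splunk_token = "xxxxxx"
  monitoring_function_splunk_token = var.monitoring_function_splunk_token

  # Key Vault: keep the data plane off the public network (module defaults,
  # stated explicitly so a later change shows up in review).
  keyvault_public_network_access_enabled = false
  keyvault_network_acls = {
    bypass         = "None"
    default_action = "Deny"
  }

  # Key Vault: settings whose module defaults are the weaker choice.
  keyvault_rbac_authorization_enabled = true # default: false (access policies)
  keyvault_soft_delete_retention_days = 90   # default: 7, allowed range 7-90

  # Logs Storage Account: transport settings (module defaults, pinned here).
  logs_storage_min_tls_version                   = "TLS1_2"
  logs_storage_account_enable_https_traffic_only = true

  # Advanced Threat Protection is off by default on both storage accounts.
  logs_storage_account_enable_advanced_threat_protection = true
  monitoring_function_advanced_threat_protection_enabled = true
}

# Several module outputs carry credentials (storage access keys, connection
# strings, Log Analytics shared keys, DSC access keys). When re-exporting one
# from the root module, mark it sensitive so it is not printed by the CLI.
# The value is still stored in the state, so the state backend needs
# access control and encryption of its own.
output "logs_storage_account_primary_access_key" {
  value     = module.run.logs_storage_account_primary_access_key
  sensitive = true
}
```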

Providers

Name Version
azurerm ~> 3.114
null ~> 3.0

Modules

Name Source Version
automation_account ./modules/automation-account n/a
backup ./modules/backup n/a
keyvault claranet/keyvault/azurerm ~> 7.6.0
logs ./modules/logs n/a
monitoring_function ./modules/monitoring-function n/a
update_management ./modules/update-management n/a
update_management_center ./modules/update-center n/a
vm_monitoring ./modules/vm-monitoring n/a

Resources

Name Type
azurerm_role_assignment.function_subscription resource
azurerm_role_assignment.function_workspace resource
null_resource.fake_function_condition resource
azurerm_client_config.current data source

Inputs

Name Description Type Default Required
automation_account_enabled Whether the Automation Account is enabled. Enabled if legacy Update Management is enabled. bool false no
automation_account_extra_tags Extra tags to add to Automation Account. map(string) {} no
automation_account_identity_type Automation Account identity type. Possible values include: null, SystemAssigned and UserAssigned.
object({
type = string
identity_ids = list(string)
})
{
"identity_ids": [],
"type": "SystemAssigned"
}
no
automation_account_sku Automation account Sku. string "Basic" no
automation_custom_diagnostic_settings_name Custom name of the diagnostics settings, name will be 'default' if not set. string "default" no
automation_logs_categories Log categories to send to destinations. list(string) null no
automation_logs_destinations_ids List of destination resources IDs for logs diagnostic destination.
Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.
If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formatted string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `|` character. list(string) []
automation_logs_metrics_categories Metrics categories to send to destinations. list(string) null no
backup_custom_diagnostic_settings_name Custom name of the diagnostics settings, name will be 'default' if not set. string "default" no
backup_file_share_enabled Whether the File Share backup is enabled. bool false no
backup_logs_categories Log categories to send to destinations. list(string) null no
backup_logs_destinations_ids List of destination resources IDs for logs diagnostic destination.
Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.
If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formatted string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `|` character. list(string) []
backup_logs_metrics_categories Metrics categories to send to destinations. list(string) null no
backup_managed_disk_enabled Whether the Managed Disk backup is enabled. bool false no
backup_postgresql_enabled Whether the PostgreSQL backup is enabled. bool false no
backup_storage_blob_enabled Whether the Storage blob backup is enabled. bool false no
backup_vault_custom_name Azure Backup Vault custom name. Empty by default, using naming convention. string "" no
backup_vault_datastore_type Type of data store used for the Backup Vault. string "VaultStore" no
backup_vault_extra_tags Extra tags to add to Backup Vault. map(string) {} no
backup_vault_geo_redundancy_enabled Whether the geo redundancy is enabled on the Backup Vault. bool true no
backup_vault_identity_type Azure Backup Vault identity type. Possible values include: null, SystemAssigned. Default to SystemAssigned. string "SystemAssigned" no
backup_vm_enabled Whether the Virtual Machines backup is enabled. bool false no
client_name Client name. string n/a yes
custom_automation_account_name Automation account custom name. string "" no
data_collection_syslog_facilities_names List of syslog facilities to retrieve in Data Collection Rule. list(string)
[
"auth",
"authpriv",
"cron",
"daemon",
"mark",
"kern",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7",
"lpr",
"mail",
"news",
"syslog",
"user",
"uucp"
]
no
data_collection_syslog_levels List of syslog levels to retrieve in Data Collection Rule. list(string)
[
"Error",
"Critical",
"Alert",
"Emergency"
]
no
dcr_custom_name VM Monitoring - Data Collection rule custom name. string "" no
default_tags_enabled Whether the default tags are enabled. bool true no
deploy_update_management_solution Whether the Log Analytics Update solution is deployed. bool true no
environment Environment name. string n/a yes
extra_tags Extra tags to add. map(string) {} no
file_share_backup_daily_policy_retention The number of daily file share backups to keep. Must be between 7 and 9999. number 30 no
file_share_backup_monthly_retention Map to configure the monthly File Share backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_monthly
object({
count = number,
weekdays = list(string),
weeks = list(string),
})
null no
file_share_backup_policy_custom_name Azure Backup - File share backup policy custom name. Empty by default, using naming convention. string "" no
file_share_backup_policy_frequency Specifies the frequency for file_share backup schedules. Must be either Daily or Weekly. string "Daily" no
file_share_backup_policy_time The time of day to perform the file share backup in 24hour format. string "04:00" no
file_share_backup_policy_timezone Specifies the timezone for file share backup schedules. Defaults to UTC. string "UTC" no
file_share_backup_weekly_retention Map to configure the weekly File Share backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_weekly
object({
count = number,
weekdays = list(string),
})
null no
file_share_backup_yearly_retention Map to configure the yearly File Share backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_yearly
object({
count = number,
weekdays = list(string),
weeks = list(string),
months = list(string),
})
null no
keyvault_admin_objects_ids Ids of the objects that can do all operations on all keys, secrets and certificates list(string) [] no
keyvault_custom_name Name of the Key Vault, generated if not set. string "" no
keyvault_enabled_for_deployment Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. bool false no
keyvault_enabled_for_disk_encryption Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool false no
keyvault_enabled_for_template_deployment Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. bool false no
keyvault_extra_tags Extra tags to add to the Key Vault map(string) {} no
keyvault_logs_categories Log categories to send to destinations. All by default. list(string) null no
keyvault_logs_metrics_categories Metrics categories to send to destinations. All by default. list(string) null no
keyvault_managed_hardware_security_module_enabled Create a KeyVault Managed HSM resource if enabled. Changing this forces a new resource to be created. bool false no
keyvault_network_acls Object with attributes: bypass, default_action, ip_rules, virtual_network_subnet_ids. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information.
object({
bypass = optional(string, "None"),
default_action = optional(string, "Deny"),
ip_rules = optional(list(string)),
virtual_network_subnet_ids = optional(list(string)),
})
{} no
keyvault_public_network_access_enabled Whether access to the Key Vault, from a public network is allowed. bool false no
keyvault_rbac_authorization_enabled Whether the Key Vault uses Role Based Access Control (RBAC) for authorization of data actions instead of access policies. bool false no
keyvault_reader_objects_ids Ids of the objects that can read all keys, secrets and certificates list(string) [] no
keyvault_resource_group_name Resource Group the Key Vault will belong to. Will use resource_group_name if not set. string "" no
keyvault_sku The Name of the SKU used for this Key Vault. Possible values are "standard" and "premium". string "standard" no
keyvault_soft_delete_retention_days The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days. number 7 no
linux_update_management_config_name Custom configuration name for Linux Update management. string "Standard Linux Update Schedule" no
linux_update_management_configuration Linux specific update management configuration. Possible values for reboot_setting are IfRequired, RebootOnly, Never, Always. More information in the documentation. any
{
"excluded_packages": [],
"included_packages": [],
"reboot_setting": "IfRequired",
"update_classifications": "Critical, Security"
}
no
linux_update_management_duration To set the maintenance window for Linux machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). string null no
linux_update_management_schedule Map of specific schedule parameters for update management of Linux machines. All parameters are available on the documentation. list(any) null no
linux_update_management_scope Scope of the update management for Linux machines, it can be a subscription ID, a resource group ID etc.. list(string) null no
linux_update_management_tags_filtering Filter scope for Linux machines using tags on VMs. Example: { os_family = ["linux"] }. map(any) null no
linux_update_management_tags_filtering_operator Filter Linux VMs by Any or All specified tags. Possible values are All or Any. string null no
location Azure location. string n/a yes
location_short Short string for Azure location. string n/a yes
log_analytics_resource_group_name Log Analytics Workspace resource group name (if different from resource_group_name variable.). string null no
log_analytics_workspace_custom_name Azure Log Analytics Workspace custom name. Empty by default, using naming convention. string "" no
log_analytics_workspace_daily_quota_gb The workspace daily quota for ingestion in GB. Defaults to -1 (unlimited). number -1 no
log_analytics_workspace_extra_tags Extra tags to add to the Log Analytics Workspace map(string) {} no
log_analytics_workspace_id Log Analytics Workspace ID where the logs are sent and linked to Automation account. string null no
log_analytics_workspace_link_enabled Enable Log Analytics Workspace that will be connected with the automation account. bool true no
log_analytics_workspace_name_prefix Log Analytics name prefix string "" no
log_analytics_workspace_retention_in_days The workspace data retention in days. Possible values range between 30 and 730. number 30 no
log_analytics_workspace_sku Specifies the SKU of the Log Analytics Workspace. Possible values are Free, PerNode, Premium, Standard, Standalone, Unlimited, and PerGB2018 (new Sku as of 2018-04-03). string "PerGB2018" no
logs_delete_after_days_since_modification_greater_than Delete blob after x days without modification number 365 no
logs_resource_group_name Resource Group the resources for log management will belong to. Will use resource_group_name if not set. string "" no
logs_storage_account_access_tier Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot. string "Hot" no
logs_storage_account_archived_logs_fileshare_name Name of the file share in which externalized logs are stored string "archived-logs" no
logs_storage_account_archived_logs_fileshare_quota The maximum size in GB of the archived-logs file share, default is 5120 number null no
logs_storage_account_custom_name Storage Account for logs custom name. Empty by default, using naming convention. string "" no
logs_storage_account_customer_managed_key Customer Managed Key. Please refer to the documentation for more information.
object({
key_vault_key_id = optional(string)
managed_hsm_key_id = optional(string)
user_assigned_identity_id = optional(string)
})
null no
logs_storage_account_enable_advanced_threat_protection Enable/disable Advanced Threat Protection, see here for more information. bool false no
logs_storage_account_enable_archived_logs_fileshare Enable/disable archived-logs file share creation bool false no
logs_storage_account_enable_archiving Enable/disable blob archiving lifecycle bool true no
logs_storage_account_enable_https_traffic_only Enable/disable HTTPS traffic only bool true no
logs_storage_account_enabled Whether the dedicated Storage Account for logs is deployed. bool true no
logs_storage_account_extra_tags Extra tags to add to the logs Storage Account map(string) {} no
logs_storage_account_identity_ids List of User Assigned Identity IDs to assign to the Storage Account. list(string) null no
logs_storage_account_identity_type The identity type of the storage account. Possible values are "SystemAssigned", "UserAssigned", and "SystemAssigned, UserAssigned". string "SystemAssigned" no
logs_storage_account_kind Storage Account Kind string "StorageV2" no
logs_storage_account_name_prefix Storage Account name prefix string "" no
logs_storage_account_replication_type Storage Account Replication type string "LRS" no
logs_storage_account_tier Storage Account tier string "Standard" no
logs_storage_min_tls_version Storage Account minimal TLS version string "TLS1_2" no
logs_tier_to_archive_after_days_since_modification_greater_than Change blob tier to Archive after x days without modification number 90 no
logs_tier_to_cool_after_days_since_modification_greater_than Change blob tier to cool after x days without modification number 30 no
managed_disk_backup_daily_policy_retention_in_days The number of days to keep the first daily Managed Disk backup. number null no
managed_disk_backup_policy_custom_name Azure Backup - Managed disk backup policy custom name. Empty by default, using naming convention. string "" no
managed_disk_backup_policy_interval_in_hours The Managed Disk backup interval in hours. string 24 no
managed_disk_backup_policy_retention_in_days The number of days to keep the Managed Disk backup. number 30 no
managed_disk_backup_policy_time The time of day to perform the Managed Disk backup in 24 hours format (eg 04:00). string "04:00" no
managed_disk_backup_weekly_policy_retention_in_weeks The number of weeks to keep the first weekly Managed Disk backup. number null no
monitoring_function_advanced_threat_protection_enabled FAME function app's storage account: Enable Advanced Threat Protection bool false no
monitoring_function_app_service_plan_name FAME App Service Plan custom name. Empty by default, using naming convention. string null no
monitoring_function_application_insights_custom_name FAME Application Insights custom name. Empty by default, using naming convention string null no
monitoring_function_application_insights_enabled Whether FAME Application Insights is deployed. bool true no
monitoring_function_assign_roles True to assign roles for the monitoring Function on the Log Analytics Workspace (Log Analytics Reader) and the Subscription (Reader). bool true no
monitoring_function_enabled Whether additional Monitoring Function is enabled. bool true no
monitoring_function_extra_application_settings Extra application settings to set on monitoring Function map(string) {} no
monitoring_function_extra_tags Monitoring function extra tags to add map(string) {} no
monitoring_function_function_app_custom_name FAME Function App custom name. Empty by default, using naming convention. string null no
monitoring_function_logs_categories Monitoring function log categories to send to destinations. All by default. list(string) null no
monitoring_function_logs_metrics_categories Monitoring function metrics categories to send to destinations. All by default. list(string) null no
monitoring_function_metrics_extra_dimensions Extra dimensions sent with metrics map(string) {} no
monitoring_function_splunk_token Access Token to send metrics to Splunk Observability string null no
monitoring_function_storage_account_custom_name FAME Storage Account custom name. Empty by default, using naming convention. string null no
monitoring_function_zip_package_path Zip package path for monitoring function string "https://github.com/claranet/fame/releases/download/v1.2.1/fame.zip" no
name_prefix Optional prefix for the generated name. string "" no
name_suffix Optional suffix for the generated name. string "" no
postgresql_backup_daily_policy_retention_in_days The number of days to keep the first daily Postgresql backup. number null no
postgresql_backup_monthly_policy_retention_in_months The number of months to keep the first monthly Postgresql backup. number null no
postgresql_backup_policy_custom_name Azure Backup - PostgreSQL backup policy custom name. Empty by default, using naming convention. string "" no
postgresql_backup_policy_interval_in_hours The Postgresql backup interval in hours. string 24 no
postgresql_backup_policy_retention_in_days The number of days to keep the Postgresql backup. number 30 no
postgresql_backup_policy_time The time of day to perform the Postgresql backup in 24 hours format (eg 04:00). string "04:00" no
postgresql_backup_weekly_policy_retention_in_weeks The number of weeks to keep the first weekly Postgresql backup. number null no
recovery_vault_cross_region_restore_enabled Is cross region restore enabled for this Vault? Can only be true, when storage_mode_type is GeoRedundant. bool true no
recovery_vault_custom_name Azure Recovery Vault custom name. Empty by default, using naming convention. string "" no
recovery_vault_extra_tags Extra tags to add to Recovery Vault. map(string) {} no
recovery_vault_identity_type Azure Recovery Vault identity type. Possible values include: null, SystemAssigned. Default to SystemAssigned. string "SystemAssigned" no
recovery_vault_sku Azure Recovery Vault SKU. Possible values include: Standard, RS0. Default to Standard. string "Standard" no
recovery_vault_soft_delete_enabled Is soft delete enabled for this Vault? Defaults to true. bool true no
recovery_vault_storage_mode_type The storage type of the Recovery Services Vault. Possible values are GeoRedundant, LocallyRedundant and ZoneRedundant. Defaults to GeoRedundant. string "GeoRedundant" no
resource_group_name Resource Group the resources will belong to. string n/a yes
stack Stack name. string n/a yes
storage_blob_backup_policy_custom_name Azure Backup - Storage blob backup policy custom name. Empty by default, using naming convention. string "" no
storage_blob_backup_policy_retention_in_days The number of days to keep the Storage blob backup. number 30 no
tenant_id Tenant ID. string null no
update_center_enabled Whether the Update Management Center is enabled. bool false no
update_center_maintenance_configurations Update Management Center maintenance configurations. https://learn.microsoft.com/en-us/azure/virtual-machines/maintenance-configurations.
list(object({
configuration_name = string
start_date_time = string
duration = optional(string, "02:00")
time_zone = optional(string, "UTC")
recur_every = string
reboot_setting = optional(string, "IfRequired")
windows_classifications_to_include = optional(list(string), [
"Critical",
"Definition",
"FeaturePack",
"Security",
"ServicePack",
"Tools",
"UpdateRollup",
"Updates",
])
linux_classifications_to_include = optional(list(string), [
"Critical",
"Security",
"Other",
])
windows_kb_numbers_to_exclude = optional(list(string), [])
windows_kb_numbers_to_include = optional(list(string), [])
linux_package_names_to_exclude = optional(list(string), [])
linux_package_names_to_include = optional(list(string), [])
}))
[] no
update_center_periodic_assessment_enabled Enable auto-assessment (every 24 hours) for OS updates on native Azure virtual machines by assigning Azure Policy. bool true no
update_center_periodic_assessment_exclusions Exclude some resources from auto-assessment. list(string) [] no
update_center_periodic_assessment_scopes Scope to assign the Azure Policy for auto-assessment. Can be Management Groups, Subscriptions, Resource Groups or Virtual Machines. list(string) [] no
update_management_duration To set the maintenance window, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). string "PT2H" no
update_management_legacy_enabled Whether the legacy Update Management is enabled. This enables the Automation Account feature. bool false no
update_management_name_prefix Name prefix to apply on Update Management resources. string null no
update_management_os_list List of OS to cover. Possible values can be Windows or Linux. Define empty list to disable update management. list(string) [] no
update_management_schedule List of Map with schedule parameters for update management. All parameters are available on the documentation. list(any) [] no
update_management_scope Scope of the update management, it can be a subscription ID, a resource group ID etc.. list(string) null no
update_management_tags_filtering Filter scope using tags on VMs. Example: { os_family = ["linux"] }. map(any) {} no
update_management_tags_filtering_operator Filter VMs by Any or All specified tags. Possible values are All or Any. string "Any" no
use_caf_naming Use the Azure CAF naming provider to generate default resource name. *custom_name overrides this if set. Legacy default name is used if this is set to false. bool true no
vm_backup_daily_policy_retention The number of daily VM backups to keep. Must be between 7 and 9999. number 30 no
vm_backup_monthly_retention Map to configure the monthly VM backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_monthly
object({
count = number,
weekdays = list(string),
weeks = list(string),
})
null no
vm_backup_policy_custom_name Azure Backup - VM backup policy custom name. Empty by default, using naming convention. string "" no
vm_backup_policy_frequency Specifies the frequency for VM backup schedules. Must be either Daily or Weekly. string "Daily" no
vm_backup_policy_time The time of day to perform the VM backup in 24hour format. string "04:00" no
vm_backup_policy_timezone Specifies the timezone for VM backup schedules. Defaults to UTC. string "UTC" no
vm_backup_policy_type Type of the Backup Policy. Possible values are V1 and V2 where V2 stands for the Enhanced Policy. Defaults to V1. Changing this forces a new resource to be created. string "V1" no
vm_backup_weekly_retention Map to configure the weekly VM backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_weekly
object({
count = number,
weekdays = list(string),
})
null no
vm_backup_yearly_retention Map to configure the yearly VM backup policy retention according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_yearly
object({
count = number,
weekdays = list(string),
weeks = list(string),
months = list(string),
})
null no
vm_monitoring_enabled Whether Data Collection Rules for VM monitoring are enabled. bool false no
windows_update_management_configuration Windows specific update management configuration. Possible values for reboot_setting are IfRequired, RebootOnly, Never, Always. More information in the documentation. any
{
"excluded_kb_numbers": [],
"included_kb_numbers": [],
"reboot_setting": "IfRequired",
"update_classifications": "Critical, Security"
}
no
windows_update_management_configuration_name Custom configuration name for Windows Update management. string "Standard Windows Update Schedule" no
windows_update_management_duration To set the maintenance window for Windows machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). string null no
windows_update_management_schedule Map of specific schedule parameters for update management of Windows machines. All parameters are available on the documentation. list(any) null no
windows_update_management_scope Scope of the update management for Windows machines, it can be a subscription ID, a resource group ID etc.. list(string) null no
windows_update_management_tags_filtering Filter scope for Windows machines using tags on VMs. Example: { os_family = ["windows"] }. map(any) null no
windows_update_management_tags_filtering_operator Filter Windows VMs by Any or All specified tags. Possible values are All or Any. string null no

Outputs

Name Description
automation_account_dsc_primary_access_key Azure Automation Account DSC primary access key.
automation_account_dsc_secondary_access_key Azure Automation Account DSC secondary access key.
automation_account_dsc_server_endpoint Azure Automation Account DSC server endpoint.
automation_account_id Azure Automation Account ID.
automation_account_identity Identity block with principal ID and tenant ID
automation_account_name Azure Automation Account name.
backup_vault_id Azure Backup Vault ID.
backup_vault_identity Azure Backup Services Vault identity.
backup_vault_name Azure Backup Vault name.
data_collection_rule Azure Monitor Data Collection Rule object.
data_collection_rule_id ID of the Azure Monitor Data Collection Rule.
data_collection_rule_name Name of the Azure Monitor Data Collection Rule.
file_share_backup_policy_id File share Backup policy ID.
file_share_backup_policy_name File share Backup policy name.
key_vault_hsm_uri The URI of the Key Vault Managed Hardware Security Module, used for performing operations on keys.
keyvault_id ID of the Key Vault.
keyvault_name Name of the Key Vault.
keyvault_resource_group_name Resource Group of the Key Vault.
keyvault_uri URI of the Key Vault.
log_analytics_workspace_guid The Log Analytics Workspace GUID.
log_analytics_workspace_id The Log Analytics Workspace ID.
log_analytics_workspace_location The Log Analytics Workspace location.
log_analytics_workspace_name The Log Analytics Workspace name.
log_analytics_workspace_primary_key The primary shared key for the Log Analytics Workspace.
log_analytics_workspace_secondary_key The secondary shared key for the Log Analytics Workspace.
logs_resource_group_name Resource Group of the logs resources.
logs_storage_account_archived_logs_fileshare_name Name of the file share in which externalized logs are stored.
logs_storage_account_id ID of the logs Storage Account.
logs_storage_account_name Name of the logs Storage Account.
logs_storage_account_primary_access_key Primary connection string of the logs Storage Account.
logs_storage_account_primary_connection_string Primary connection string of the logs Storage Account.
logs_storage_account_secondary_access_key Secondary connection string of the logs Storage Account.
logs_storage_account_secondary_connection_string Secondary connection string of the logs Storage Account.
maintenance_configurations Update Center Maintenance Configurations information.
managed_disk_backup_policy_id Managed disk Backup policy ID.
monitoring_function_application_insights_app_id App ID of the associated Application Insights
monitoring_function_application_insights_application_type Application Type of the associated Application Insights
monitoring_function_application_insights_id ID of the associated Application Insights
monitoring_function_application_insights_instrumentation_key Instrumentation key of the associated Application Insights
monitoring_function_application_insights_name Name of the associated Application Insights
monitoring_function_function_app_connection_string Connection string of the created Function App
monitoring_function_function_app_id ID of the created Function App
monitoring_function_function_app_identity Identity block output of the Function App
monitoring_function_function_app_name Name of the created Function App
monitoring_function_function_app_outbound_ip_addresses Outbound IP addresses of the created Function App
monitoring_function_service_plan_id Id of the created Service Plan
monitoring_function_service_plan_name Name of the created Service Plan
monitoring_function_storage_account_id ID of the associated Storage Account, empty if connection string provided
monitoring_function_storage_account_name Name of the associated Storage Account, empty if connection string provided
monitoring_function_storage_account_primary_access_key Primary connection string of the associated Storage Account, empty if connection string provided
monitoring_function_storage_account_primary_connection_string Primary connection string of the associated Storage Account, empty if connection string provided
monitoring_function_storage_account_secondary_access_key Secondary connection string of the associated Storage Account, empty if connection string provided
monitoring_function_storage_account_secondary_connection_string Secondary connection string of the associated Storage Account, empty if connection string provided
monitoring_function_storage_queries_table_name Name of the queries table in the Storage Account, empty if connection string provided
postgresql_backup_policy_id PostgreSQL Backup policy ID.
recovery_vault_id Azure Recovery Services Vault ID.
recovery_vault_identity Azure Recovery Services Vault identity.
recovery_vault_name Azure Recovery Services Vault name.
storage_blob_backup_policy_id Storage blob Backup policy ID.
terraform_module Information about this Terraform module
vm_backup_policy_id VM Backup policy ID.
vm_backup_policy_name VM Backup policy name.

Related documentation