/terraform-azurerm-run-iaas

Terraform module composition (feature) to set up Claranet MSP Azure IaaS/VM tools


Azure RUN IaaS/VM


A Terraform feature which includes the services needed for Claranet RUN/MSP on Azure IaaS resources (VMs).

It includes:

Global versioning rule for Claranet Azure modules

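| Module version | Terraform version | AzureRM version |
| -------------- | ----------------- | --------------- |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |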

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment needed by this module. More details about the variables set by the terraform-wrapper are available in the documentation.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run-common/azurerm//modules/logs"
  version = "x.x.x"

  client_name    = var.client_name
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name
}

resource "time_offset" "update_template" {
  offset_hours = 4
}

locals {
  update_template_time = format("%02d:%02d", time_offset.update_template.hour, time_offset.update_template.minute)
  update_template_date = substr(time_offset.update_template.rfc3339, 0, 10)
}

module "run_iaas" {
  source  = "claranet/run-iaas/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  environment    = var.environment
  stack          = var.stack

  resource_group_name        = module.rg.resource_group_name
  log_analytics_workspace_id = module.logs.log_analytics_workspace_id

  update_management_os_list        = ["Linux"]
  update_management_scope          = [module.rg.resource_group_id]
  update_management_tags_filtering = { update_color = ["blue"] }
  update_management_schedule = [{
    startTime  = "${local.update_template_date}T${local.update_template_time}:00+00:00"
    expiryTime = "9999-12-31T23:59:00+00:00"
    isEnabled  = true
    interval   = 1
    frequency  = "Month"
    timeZone   = "UTC"
    advancedSchedule = {
      monthlyOccurrences = [
        {
          occurrence = 3
          day        = "Monday"
        }
      ]
    }
  }]

  logs_destinations_ids = [module.logs.log_analytics_workspace_id]

  extra_tags = {
    foo = "bar"
  }
}

Providers

No providers.

Modules

| Name | Source | Version |
| ---- | ------ | ------- |
| automation_account | ./modules/automation-account | n/a |
| backup | ./modules/backup | n/a |
| update_management | ./modules/update-management | n/a |
| vm_monitoring | ./modules/vm-monitoring | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | -------- |
| automation_account_extra_tags | Extra tags to add to automation account | map(string) | {} | no |
| automation_account_identity_type | Automation Account identity type. Possible values include: null, SystemAssigned and UserAssigned. | object({ type = string, identity_ids = list(string) }) | { "identity_ids": [], "type": "SystemAssigned" } | no |
| automation_account_sku | Automation account Sku | string | "Basic" | no |
| client_name | Client name | string | n/a | yes |
| custom_automation_account_name | Automation account custom name | string | "" | no |
| data_collection_syslog_facilities_names | List of syslog to retrieve in Data Collection Rule | list(string) | [ "auth", "authpriv", "cron", "daemon", "mark", "kern", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7", "lpr", "mail", "news", "syslog", "user", "uucp" ] | no |
| data_collection_syslog_levels | List of syslog levels to retrieve in Data Collection Rule | list(string) | [ "Error", "Critical", "Alert", "Emergency" ] | no |
| dcr_custom_name | VM Monitoring - Data Collection rule custom name. | string | "" | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| deploy_update_management_solution | Should we deploy the Log Analytics Update solution or not | bool | true | no |
| environment | Environment name | string | n/a | yes |
| extra_tags | Extra tags to add | map(string) | {} | no |
| file_share_backup_daily_policy_retention | The number of daily file share backups to keep. Must be between 7 and 9999. | number | 30 | no |
| file_share_backup_monthly | Map to configure the monthly File Share backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_monthly | any | {} | no |
| file_share_backup_policy_custom_name | Azure Backup - File share backup policy custom name. Empty by default, using naming convention. | string | "" | no |
| file_share_backup_policy_frequency | Specifies the frequency for file_share backup schedules. Must be either Daily or Weekly. | string | "Daily" | no |
| file_share_backup_policy_time | The time of day to perform the file share backup in 24-hour format. | string | "04:00" | no |
| file_share_backup_policy_timezone | Specifies the timezone for file share backup schedules. Defaults to UTC. | string | "UTC" | no |
| file_share_backup_weekly | Map to configure the weekly File Share backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_weekly | any | {} | no |
| file_share_backup_yearly | Map to configure the yearly File Share backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_yearly | any | {} | no |
| linux_update_management_config_name | Custom configuration name for Linux Update management | string | "Standard Linux Update Schedule" | no |
| linux_update_management_configuration | Linux specific update management configuration. Possible values for reboot_setting are IfRequired, RebootOnly, Never, Always. More information in the documentation. | any | { "excluded_packages": [], "included_packages": [], "reboot_setting": "IfRequired", "update_classifications": "Critical, Security" } | no |
| linux_update_management_duration | To set the maintenance window for Linux machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | null | no |
| linux_update_management_schedule | Map of specific schedule parameters for update management of Linux machines. All parameters are available in the documentation | list(any) | null | no |
| linux_update_management_scope | Scope of the update management for Linux machines, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
| linux_update_management_tags_filtering | Filter scope for Linux machines using tags on VMs. Example: { os_family = ["linux"] } | map(any) | null | no |
| linux_update_management_tags_filtering_operator | Filter Linux VMs by Any or All specified tags. Possible values are All or Any. | string | null | no |
| location | Azure location. | string | n/a | yes |
| location_short | Short string for Azure location. | string | n/a | yes |
| log_analytics_resource_group_name | Log Analytics Workspace resource group name (if different from resource_group_name variable.) | string | null | no |
| log_analytics_workspace_id | Log Analytics Workspace ID where the logs are sent and linked to Automation account | string | n/a | yes |
| log_analytics_workspace_link_enabled | Enable Log Analytics Workspace that will be connected with the automation account | bool | true | no |
| logs_categories | Log categories to send to destinations. | list(string) | null | no |
| logs_destinations_ids | List of destination resources Ids for logs diagnostics destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. Empty list to disable logging. | list(string) | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
| logs_retention_days | Number of days to keep logs on storage account | number | 30 | no |
| name_prefix | Optional prefix for the generated name | string | "" | no |
| name_suffix | Optional suffix for the generated name | string | "" | no |
| recovery_vault_custom_name | Azure Recovery Vault custom name. Empty by default, using naming convention. | string | "" | no |
| recovery_vault_extra_tags | Extra tags to add to recovery vault | map(string) | {} | no |
| recovery_vault_identity_type | Azure Recovery Vault identity type. Possible values include: null, SystemAssigned. Defaults to SystemAssigned. | string | "SystemAssigned" | no |
| recovery_vault_sku | Azure Recovery Vault SKU. Possible values include: Standard, RS0. Defaults to Standard. | string | "Standard" | no |
| resource_group_name | Resource Group the resources will belong to | string | n/a | yes |
| stack | Stack name | string | n/a | yes |
| update_management_duration | To set the maintenance window, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | "PT2H" | no |
| update_management_name_prefix | Name prefix to apply on Update Management resources | string | null | no |
| update_management_os_list | List of OS to cover. Possible values can be Windows or Linux. Define empty list to disable update management. | list(string) | n/a | yes |
| update_management_schedule | List of Map with schedule parameters for update management. All parameters are available in the documentation | list(any) | n/a | yes |
| update_management_scope | Scope of the update management, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
| update_management_tags_filtering | Filter scope using tags on VMs. Example: { os_family = ["linux"] } | map(any) | {} | no |
| update_management_tags_filtering_operator | Filter VMs by Any or All specified tags. Possible values are All or Any. | string | "Any" | no |
| use_caf_naming | Use the Azure CAF naming provider to generate default resource name. custom_automation_account_name overrides this if set. Legacy default name is used if this is set to false. | bool | true | no |
| vm_backup_daily_policy_retention | The number of daily VM backups to keep. Must be between 7 and 9999. | number | 30 | no |
| vm_backup_monthly | Map to configure the monthly backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_monthly | any | {} | no |
| vm_backup_policy_custom_name | Azure Backup - VM backup policy custom name. Empty by default, using naming convention. | string | "" | no |
| vm_backup_policy_frequency | Specifies the frequency for VM backup schedules. Must be either Daily or Weekly. | string | "Daily" | no |
| vm_backup_policy_time | The time of day to perform the backup in 24-hour format. | string | "04:00" | no |
| vm_backup_policy_timezone | Specifies the timezone for schedules. Defaults to UTC. | string | "UTC" | no |
| vm_backup_weekly | Map to configure the weekly backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_weekly | any | {} | no |
| vm_backup_yearly | Map to configure the yearly backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_yearly | any | {} | no |
| windows_update_management_configuration | Windows specific update management configuration. Possible values for reboot_setting are IfRequired, RebootOnly, Never, Always. More information in the documentation. | any | { "excluded_kb_numbers": [], "included_kb_numbers": [], "reboot_setting": "IfRequired", "update_classifications": "Critical, Security" } | no |
| windows_update_management_configuration_name | Custom configuration name for Windows Update management | string | "Standard Windows Update Schedule" | no |
| windows_update_management_duration | To set the maintenance window for Windows machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | null | no |
| windows_update_management_schedule | Map of specific schedule parameters for update management of Windows machines. All parameters are available in the documentation | list(any) | null | no |
| windows_update_management_scope | Scope of the update management for Windows machines, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
| windows_update_management_tags_filtering | Filter scope for Windows machines using tags on VMs. Example: { os_family = ["windows"] } | map(any) | null | no |
| windows_update_management_tags_filtering_operator | Filter Windows VMs by Any or All specified tags. Possible values are All or Any. | string | null | no |
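
The duration inputs above carry a format and a range constraint (PT[n]H[n]M[n]S, at least 30 minutes, less than 6 hours). One way to enforce both in the calling configuration before the value reaches the module, as an added example that is not part of the module: the variable, local and output names are assumptions, and the `precondition` block needs Terraform 1.2 or later.

```hcl
# Caller-side variable (hypothetical name), intended to be passed to the
# module as: update_management_duration = var.patch_window_duration
variable "patch_window_duration" {
  description = "Maintenance window in ISO 8601 PT[n]H[n]M[n]S form."
  type        = string
  default     = "PT2H"

  validation {
    # Shape check only: rejects values such as "2h", "P1D" or "PT2H " early.
    condition     = can(regex("^PT(\\d+H)?(\\d+M)?(\\d+S)?$", var.patch_window_duration))
    error_message = "Use the PT[n]H[n]M[n]S format, for example PT2H or PT1H30M."
  }
}

locals {
  # Each regex() has one capture group, so it returns a one-element list.
  # try() yields 0 when that unit is absent from the string.
  patch_window_seconds = (
    try(tonumber(regex("(\\d+)H", var.patch_window_duration)[0]), 0) * 3600 +
    try(tonumber(regex("(\\d+)M", var.patch_window_duration)[0]), 0) * 60 +
    try(tonumber(regex("(\\d+)S", var.patch_window_duration)[0]), 0)
  )

  # The last 20 minutes of the window are reserved for restarts, so this is
  # the time in which new updates can still be started.
  patch_install_seconds = local.patch_window_seconds - 1200
}

output "patch_install_seconds" {
  description = "Seconds of the window in which new updates can still start."
  value       = local.patch_install_seconds

  precondition {
    # Range from the input description: minimum 30 minutes, less than 6 hours.
    condition     = local.patch_window_seconds >= 1800 && local.patch_window_seconds < 21600
    error_message = "The maintenance window must be at least 30 minutes and less than 6 hours."
  }
}
```

With the default `PT2H` the precondition passes and `patch_install_seconds` is 6000; a value such as `PT20M` or `PT6H` fails at plan time.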

Outputs

| Name | Description |
| ---- | ----------- |
| automation_account_dsc_primary_access_key | Azure Automation Account DSC Primary Access Key |
| automation_account_dsc_secondary_access_key | Azure Automation Account DSC Secondary Access Key |
| automation_account_dsc_server_endpoint | Azure Automation Account DSC Server Endpoint |
| automation_account_id | Azure Automation Account ID |
| automation_account_name | Azure Automation Account name |
| data_collection_rule | Azure Monitor Data Collection Rule object |
| data_collection_rule_id | Id of the Azure Monitor Data Collection Rule |
| data_collection_rule_name | Name of the Azure Monitor Data Collection Rule |
| file_share_backup_policy_id | File share Backup policy ID |
| file_share_backup_policy_name | File share Backup policy name |
| recovery_vault_id | Azure Recovery Services Vault ID |
| recovery_vault_name | Azure Recovery Services Vault name |
| vm_backup_policy_id | VM Backup policy ID |
| vm_backup_policy_name | VM Backup policy name |
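
The two DSC access keys listed above are credentials for the Automation Account's DSC endpoint. One way to hand them to a consumer without printing them, as an added example that is not part of the module: the `key_vault_id` variable, the secret name and the output names are assumptions, and the module is referenced as `module.run_iaas` as in the Usage section.

```hcl
variable "key_vault_id" {
  description = "ID of an existing Key Vault (assumed to be managed elsewhere)."
  type        = string
}

# Store the key where reads are governed by Key Vault access control and
# show up in the vault's audit logs.
resource "azurerm_key_vault_secret" "dsc_primary_key" {
  name         = "automation-dsc-primary-key" # constructed name
  value        = module.run_iaas.automation_account_dsc_primary_access_key
  key_vault_id = var.key_vault_id
  content_type = "Azure Automation DSC access key"
}

# Downstream stacks receive a pointer to the secret, not the key itself.
output "dsc_primary_key_secret_id" {
  description = "Key Vault secret ID holding the DSC primary access key."
  value       = azurerm_key_vault_secret.dsc_primary_key.id
}

# If the raw key has to be re-exported, sensitive = true redacts it in
# plan/apply output. The value is still written to the state file in clear
# text, so the state backend needs access control and encryption at rest.
output "dsc_primary_access_key" {
  description = "DSC primary access key (redacted in CLI output)."
  value       = module.run_iaas.automation_account_dsc_primary_access_key
  sensitive   = true
}
```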

Related documentation