A Terraform feature which includes the services needed for Claranet RUN/MSP on Azure IaaS resources (VMs).
It includes:
- Azure Backup (example)
- A Recovery Services Vault to store VM backups (documentation).
- A VM backup policy to assign on VM instances (via the vm-backup module).
- A file share backup policy to assign on Storage Account file shares (via the backup_protected_file_share Terraform resource)
- Diagnostic settings to manage logging (documentation)
- An Automation account to execute runbooks (documentation) - Available only in module version >= 2.2.0 (example)
- Azure Update Management using Automation Account (documentation) (example)
- A Data Collection Rule to gather metrics and logs from Virtual Machines (documentation)
Module version | Terraform version | AzureRM version |
---|---|---|
>= 6.x.x | 1.x | >= 3.0 |
>= 5.x.x | 0.15.x | >= 2.0 |
>= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
>= 3.x.x | 0.12.x | >= 2.0 |
>= 2.x.x | 0.12.x | < 2.0 |
< 2.x.x | 0.11.x | < 2.0 |
This module is optimized to work with the Claranet terraform-wrapper tool,
which sets some Terraform variables in the environment needed by this module.
More details about the variables set by the terraform-wrapper
are available in the documentation.
```hcl
module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run-common/azurerm//modules/logs"
  version = "x.x.x"

  client_name         = var.client_name
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name
}

resource "time_offset" "update_template" {
  offset_hours = 4
}

locals {
  update_template_time = format("%02d:%02d", time_offset.update_template.hour, time_offset.update_template.minute)
  update_template_date = substr(time_offset.update_template.rfc3339, 0, 10)
}

module "run_iaas" {
  source  = "claranet/run-iaas/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name

  log_analytics_workspace_id = module.logs.log_analytics_workspace_id

  update_management_os_list        = ["Linux"]
  update_management_scope          = [module.rg.resource_group_id]
  update_management_tags_filtering = { update_color = ["blue"] }
  update_management_schedule = [{
    startTime  = "${local.update_template_date}T${local.update_template_time}:00+00:00"
    expiryTime = "9999-12-31T23:59:00+00:00"
    isEnabled  = true
    interval   = 1
    frequency  = "Month"
    timeZone   = "UTC"
    advancedSchedule = {
      monthlyOccurrences = [
        {
          occurrence = 3
          day        = "Monday"
        }
      ]
    }
  }]

  logs_destinations_ids = [module.logs.log_analytics_workspace_id]

  extra_tags = {
    foo = "bar"
  }
}
```
No providers.
Name | Source | Version |
---|---|---|
automation_account | ./modules/automation-account | n/a |
backup | ./modules/backup | n/a |
update_management | ./modules/update-management | n/a |
vm_monitoring | ./modules/vm-monitoring | n/a |
No resources.
Name | Description | Type | Default | Required |
---|---|---|---|---|
automation_account_extra_tags | Extra tags to add to automation account | map(string) | {} | no |
automation_account_identity_type | Automation Account identity type. Possible values include: `null`, `SystemAssigned` and `UserAssigned`. | object({ | { | no |
automation_account_sku | Automation account Sku | string | "Basic" | no |
client_name | Client name | string | n/a | yes |
custom_automation_account_name | Automation account custom name | string | "" | no |
data_collection_syslog_facilities_names | List of syslog facilities to retrieve in Data Collection Rule | list(string) | [ | no |
data_collection_syslog_levels | List of syslog levels to retrieve in Data Collection Rule | list(string) | [ | no |
dcr_custom_name | VM Monitoring - Data Collection rule custom name. | string | "" | no |
default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
deploy_update_management_solution | Should we deploy the Log Analytics Update solution or not | bool | true | no |
environment | Environment name | string | n/a | yes |
extra_tags | Extra tags to add | map(string) | {} | no |
file_share_backup_daily_policy_retention | The number of daily file share backups to keep. Must be between 7 and 9999. | number | 30 | no |
file_share_backup_monthly | Map to configure the monthly File Share backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_monthly | any | {} | no |
file_share_backup_policy_custom_name | Azure Backup - File share backup policy custom name. Empty by default, using naming convention. | string | "" | no |
file_share_backup_policy_frequency | Specifies the frequency for file_share backup schedules. Must be either `Daily` or `Weekly`. | string | "Daily" | no |
file_share_backup_policy_time | The time of day to perform the file share backup in 24-hour format. | string | "04:00" | no |
file_share_backup_policy_timezone | Specifies the timezone for file share backup schedules. Defaults to `UTC`. | string | "UTC" | no |
file_share_backup_weekly | Map to configure the weekly File Share backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_weekly | any | {} | no |
file_share_backup_yearly | Map to configure the yearly File Share backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share#retention_yearly | any | {} | no |
linux_update_management_config_name | Custom configuration name for Linux Update management | string | "Standard Linux Update Schedule" | no |
linux_update_management_configuration | Linux specific update management configuration. Possible values for reboot_setting are `IfRequired`, `RebootOnly`, `Never`, `Always`. More information in the documentation. | any | { | no |
linux_update_management_duration | To set the maintenance window for Linux machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | null | no |
linux_update_management_schedule | Map of specific schedule parameters for update management of Linux machines. All parameters are available in the documentation | list(any) | null | no |
linux_update_management_scope | Scope of the update management for Linux machines, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
linux_update_management_tags_filtering | Filter scope for Linux machines using tags on VMs. Example: `{ os_family = ["linux"] }` | map(any) | null | no |
linux_update_management_tags_filtering_operator | Filter Linux VMs by `Any` or `All` specified tags. Possible values are `All` or `Any`. | string | null | no |
location | Azure location. | string | n/a | yes |
location_short | Short string for Azure location. | string | n/a | yes |
log_analytics_resource_group_name | Log Analytics Workspace resource group name (if different from the `resource_group_name` variable). | string | null | no |
log_analytics_workspace_id | Log Analytics Workspace ID where the logs are sent and linked to Automation account | string | n/a | yes |
log_analytics_workspace_link_enabled | Enable Log Analytics Workspace that will be connected with the automation account | bool | true | no |
logs_categories | Log categories to send to destinations. | list(string) | null | no |
logs_destinations_ids | List of destination resource IDs for logs diagnostics destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. Empty list to disable logging. | list(string) | n/a | yes |
logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
logs_retention_days | Number of days to keep logs on storage account | number | 30 | no |
name_prefix | Optional prefix for the generated name | string | "" | no |
name_suffix | Optional suffix for the generated name | string | "" | no |
recovery_vault_custom_name | Azure Recovery Vault custom name. Empty by default, using naming convention. | string | "" | no |
recovery_vault_extra_tags | Extra tags to add to recovery vault | map(string) | {} | no |
recovery_vault_identity_type | Azure Recovery Vault identity type. Possible values include: `null`, `SystemAssigned`. Defaults to `SystemAssigned`. | string | "SystemAssigned" | no |
recovery_vault_sku | Azure Recovery Vault SKU. Possible values include: `Standard`, `RS0`. Defaults to `Standard`. | string | "Standard" | no |
resource_group_name | Resource Group the resources will belong to | string | n/a | yes |
stack | Stack name | string | n/a | yes |
update_management_duration | To set the maintenance window, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | "PT2H" | no |
update_management_name_prefix | Name prefix to apply on Update Management resources | string | null | no |
update_management_os_list | List of OS to cover. Possible values can be `Windows` or `Linux`. Define empty list to disable update management. | list(string) | n/a | yes |
update_management_schedule | List of maps with schedule parameters for update management. All parameters are available in the documentation | list(any) | n/a | yes |
update_management_scope | Scope of the update management, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
update_management_tags_filtering | Filter scope using tags on VMs. Example: `{ os_family = ["linux"] }` | map(any) | {} | no |
update_management_tags_filtering_operator | Filter VMs by `Any` or `All` specified tags. Possible values are `All` or `Any`. | string | "Any" | no |
use_caf_naming | Use the Azure CAF naming provider to generate default resource name. `custom_automation_account_name` overrides this if set. Legacy default name is used if this is set to `false`. | bool | true | no |
vm_backup_daily_policy_retention | The number of daily VM backups to keep. Must be between 7 and 9999. | number | 30 | no |
vm_backup_monthly | Map to configure the monthly backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_monthly | any | {} | no |
vm_backup_policy_custom_name | Azure Backup - VM backup policy custom name. Empty by default, using naming convention. | string | "" | no |
vm_backup_policy_frequency | Specifies the frequency for VM backup schedules. Must be either `Daily` or `Weekly`. | string | "Daily" | no |
vm_backup_policy_time | The time of day to perform the backup in 24-hour format. | string | "04:00" | no |
vm_backup_policy_timezone | Specifies the timezone for schedules. Defaults to `UTC`. | string | "UTC" | no |
vm_backup_weekly | Map to configure the weekly backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_weekly | any | {} | no |
vm_backup_yearly | Map to configure the yearly backup policy according to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_vm#retention_yearly | any | {} | no |
windows_update_management_configuration | Windows specific update management configuration. Possible values for reboot_setting are `IfRequired`, `RebootOnly`, `Never`, `Always`. More information in the documentation. | any | { | no |
windows_update_management_configuration_name | Custom configuration name for Windows Update management | string | "Standard Windows Update Schedule" | no |
windows_update_management_duration | To set the maintenance window for Windows machines, the duration must be a minimum of 30 minutes and less than 6 hours. The last 20 minutes of the maintenance window is dedicated for machine restart and any remaining updates will not be started once this interval is reached. In-progress updates will finish being applied. This parameter needs to be specified using the format PT[n]H[n]M[n]S as per ISO8601. Defaults to 2 hours (PT2H). | string | null | no |
windows_update_management_schedule | Map of specific schedule parameters for update management of Windows machines. All parameters are available in the documentation | list(any) | null | no |
windows_update_management_scope | Scope of the update management for Windows machines, it can be a subscription ID, a resource group ID etc. | list(string) | null | no |
windows_update_management_tags_filtering | Filter scope for Windows machines using tags on VMs. Example: `{ os_family = ["windows"] }` | map(any) | null | no |
windows_update_management_tags_filtering_operator | Filter Windows VMs by `Any` or `All` specified tags. Possible values are `All` or `Any`. | string | null | no |
Name | Description |
---|---|
automation_account_dsc_primary_access_key | Azure Automation Account DSC Primary Access Key |
automation_account_dsc_secondary_access_key | Azure Automation Account DSC Secondary Access Key |
automation_account_dsc_server_endpoint | Azure Automation Account DSC Server Endpoint |
automation_account_id | Azure Automation Account ID |
automation_account_name | Azure Automation Account name |
data_collection_rule | Azure Monitor Data Collection Rule object |
data_collection_rule_id | Id of the Azure Monitor Data Collection Rule |
data_collection_rule_name | Name of the Azure Monitor Data Collection Rule |
file_share_backup_policy_id | File share Backup policy ID |
file_share_backup_policy_name | File share Backup policy name |
recovery_vault_id | Azure Recovery Services Vault ID |
recovery_vault_name | Azure Recovery Services Vault name |
vm_backup_policy_id | VM Backup policy ID |
vm_backup_policy_name | VM Backup policy name |
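
The backup outputs listed above only create the vault and the policies; items still have to be attached to them. The following is an added example, not part of the module's own documentation, that protects one VM and one file share using the `module.rg` and `module.run_iaas` blocks from the usage section. `var.vm_id`, `var.storage_account_id` and `var.file_share_name` are hypothetical inputs of the calling stack.

```hcl
# Hypothetical inputs of the calling stack (not defined by the module).
variable "vm_id" {
  description = "Resource ID of the VM to protect"
  type        = string
}

variable "storage_account_id" {
  description = "Resource ID of the Storage Account holding the file share"
  type        = string
}

variable "file_share_name" {
  description = "Name of the file share to protect"
  type        = string
}

# Attach the VM to the VM backup policy created by the module.
# The vault lives in the resource group passed to the module.
resource "azurerm_backup_protected_vm" "vm" {
  resource_group_name = module.rg.resource_group_name
  recovery_vault_name = module.run_iaas.recovery_vault_name
  source_vm_id        = var.vm_id
  backup_policy_id    = module.run_iaas.vm_backup_policy_id
}

# A Storage Account must be registered with the vault before
# any of its file shares can be protected.
resource "azurerm_backup_container_storage_account" "files" {
  resource_group_name = module.rg.resource_group_name
  recovery_vault_name = module.run_iaas.recovery_vault_name
  storage_account_id  = var.storage_account_id
}

# Attach the file share to the file share backup policy created by the module.
# Referencing the container resource orders registration before protection.
resource "azurerm_backup_protected_file_share" "share" {
  resource_group_name       = module.rg.resource_group_name
  recovery_vault_name       = module.run_iaas.recovery_vault_name
  source_storage_account_id = azurerm_backup_container_storage_account.files.storage_account_id
  source_file_share_name    = var.file_share_name
  backup_policy_id          = module.run_iaas.file_share_backup_policy_id
}
```
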
- Microsoft Update management documentation: docs.microsoft.com/en-us/azure/automation/update-management/overview
- Microsoft ARM template for Update management documentation: docs.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts/softwareupdateconfigurations