caf-enterprise-scale
Azure/caf-enterprise-scale/azurerm
Azure landing zones Terraform module
> [!IMPORTANT]
> For new deployments we now recommend using Azure Verified Modules for Platform Landing Zones.
> Please see the documentation at .

⚠️ DEPRECATION NOTICE

This module is now in extended support mode and will be archived on August 1, 2026.

Current Status

- Extended Support Period: This module is now in extended support for one year (until August 1, 2026)
- Support Scope: During this period, we will provide quality updates (e.g. bug fixes) and policy library updates only
- No New Features: No new features or functionality will be added to this module

Migration Path

We strongly recommend that all users migrate to the new Azure Verified Modules approach for Azure Landing Zones. This new approach provides:

- Enhanced reliability and testing
- I

| Name | Type | Description | Default |
|---|---|---|---|
| root_parent_id | string | The root_parent_id is used to specify where to set the root for all Landing Zone | required |
| default_location | string | Must be specified, e.g `eastus`. Will set the Azure region in which region bound | required |
| resource_custom_timeouts | object({ azurerm_private_d | Optional - Used to tune terraform deploy when faced with errors caused by API li | {} |
| deploy_sap_landing_zones | bool | If set to true, module will deploy the "SAP" Management Group, including "out of | false |
| configure_management_resources | object({ settings = option | If specified, will customize the "Management" landing zone settings and resource | {} |
| deploy_connectivity_resources | bool | If set to true, will enable the "Connectivity" landing zone settings and add "Co | false |
| policy_non_compliance_message_enforcement_placeholder | string | If set overrides the non-compliance message placeholder used in message template | "{enforcementMode}" |
| root_name | string | If specified, will set a custom Display Name value for the Enterprise-scale "roo | "Enterprise-Scale" |
| deploy_corp_landing_zones | bool | If set to true, module will deploy the "Corp" Management Group, including "out o | false |
| deploy_demo_landing_zones | bool | If set to true, module will deploy the demo "Landing Zone" Management Groups ("C | false |
| deploy_management_resources | bool | If set to true, will enable the "Management" landing zone settings and add "Mana | false |
| policy_non_compliance_message_enabled | bool | If set to false, will disable non-compliance messages altogether. | true |
| policy_non_compliance_message_not_supported_definitions | list(string) | If set, overrides the list of built-in policy definition that do not support non | [ "/providers/Microsoft.Authorization/ |
| library_path | string | If specified, sets the path to a custom library folder for archetype artefacts. | "" |
| custom_policy_roles | map(list(string)) | If specified, the custom_policy_roles variable overrides which Role Definition I | {} |
| policy_non_compliance_message_default | string | If set overrides the default non-compliance message used for policy assignments. | "This resource {enforcementMode} be comp |
| root_id | string | If specified, will set a custom Name (ID) value for the Enterprise-scale "root" | "es" |
| configure_identity_resources | object({ settings = option | If specified, will customize the "Identity" landing zone settings. | {} |
| create_duration_delay | object({ azurerm_managemen | Used to tune terraform apply when faced with errors caused by API caching or eve | {} |
| strict_subscription_association | bool | If set to true, subscriptions associated to management groups will be exclusivel | false |
| policy_non_compliance_message_enforced_replacement | string | If set overrides the non-compliance replacement used for enforced policy assignm | "must" |
| deploy_diagnostics_for_mg | bool | If set to true, will deploy Diagnostic Settings for management groups | false |

- azurerm_vpn_gateway — Returns the configuration data for all (Virtual WAN) VPN Gateways created by this module.
- azurerm_virtual_hub_connection — Returns the configuration data for all Virtual Hub Connections created by this module.
- azurerm_resource_group — Returns the configuration data for all Resource Groups created by this module.
- azurerm_automation_account — Returns the configuration data for all Automation Accounts created by this module.
- azurerm_public_ip — Returns the configuration data for all Public IPs created by this module.
- azurerm_firewall — Returns the configuration data for all Azure Firewalls created by this module.
- data_collection_rules — A map of the data collection rules created by this module.
- ama_user_assigned_identity — The user assigned identity for Azure Monitor Agent that is created by this module.
- azurerm_role_definition — Returns the configuration data for all Role Definitions created by this module.
- azurerm_subnet — Returns the configuration data for all Subnets created by this module.
- azurerm_management_group_policy_assignment — Returns the configuration data for all Management Group Policy Assignments created by this module.
- azurerm_log_analytics_solution — Returns the configuration data for all Log Analytics solutions created by this module.
- azurerm_express_route_gateway — Returns the configuration data for all (Virtual WAN) ExpressRoute Gateways created by this module.
- azurerm_virtual_network_gateway — Returns the configuration data for all Virtual Network Gateways created by this module.
- azurerm_virtual_network_peering — Returns the configuration data for all Virtual Network Peerings created by this module.
- azurerm_virtual_wan — Returns the configuration data for all Virtual WANs created by this module.
- azurerm_virtual_hub_routing_intent — Returns the configuration data for all Virtual Hub Routing Intents created by this module.
- azurerm_policy_definition — Returns the configuration data for all Policy Definitions created by this module.
- azurerm_role_assignment — Returns the configuration data for all Role Assignments created by this module.
- azurerm_log_analytics_workspace — Returns the configuration data for all Log Analytics workspaces created by this module.
- azurerm_log_analytics_linked_service — Returns the configuration data for all Log Analytics linked services created by this module.
- azurerm_dns_zone — Returns the configuration data for all DNS Zones created by this module.
- azurerm_policy_set_definition — Returns the configuration data for all Policy Set Definitions created by this module.
- azurerm_private_dns_zone — Returns the configuration data for all Private DNS Zones created by this module.
- azurerm_virtual_hub — Returns the configuration data for all Virtual Hubs created by this module.
- azurerm_management_group — Returns the configuration data for all Management Groups created by this module.
- azurerm_management_group_subscription_association — Returns the configuration data for all Management Group Subscription Associations created by this mo
- azurerm_virtual_network — Returns the configuration data for all Virtual Networks created by this module.
- azurerm_network_ddos_protection_plan — Returns the configuration data for all DDoS Protection Plans created by this module.
- azurerm_private_dns_zone_virtual_network_link — Returns the configuration data for all Private DNS Zone network links created by this module.

Terraform supermodule for the Terraform platform engineering for Azure
Terraform module to deploy landing zone subscriptions (and much more) in Azure
Terraform Module to define a consistent naming convention by (namespace, stage,
Terraform Azure Verified Resource Module for Key Vault