Azure Organization Hierarchy
Source code & Installation
The source code of this kit module can be found here
Run the following command to install the kit module:
collie kit import azure/organization-hierarchy
This repository provides a Terraform configuration for setting up Azure Management Groups in alignment with the Azure Enterprise Scale Cloud Adoption Framework (CAF). The management groups enable efficient management, access control, and policy enforcement across multiple Azure subscriptions.
This kit module forms the core of your Azure Landing Zone architecture. You can build on this with other kit modules, see related kit modules below.
Overview
The Terraform configuration in this repository establishes a hierarchical structure of management groups to organize and govern Azure resources effectively.
This kit module provides a good starting point with many commonly deployed policies. You should however tailor this approach to your organization's individual needs and think through the rationale of each policy. The security & compliance pillar of the cloud foundation maturity model can provide useful guidance about which policies are essential and which ones are more optional.
It's fine to throw some policies out instead of going all in with the defaults. Remember, you can always iterate on your kit modules. This is useful when you're just starting out and want to keep things simple, or when you already have a lot of existing Azure resources and need to be careful about not disrupting existing workloads.
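As an added illustration (not the module's own code), the hierarchy that the resources listed below build, with management, connectivity and identity placed under platform and landingzones beside it as in CAF Enterprise Scale, plus one "Allowed locations" assignment at the root; the parent name, the sample locations and the placement of that assignment are assumptions.

```hcl
variable "parent_management_group_name" {
  type    = string
  default = "foundation"
}

variable "locations" {
  type    = list(string)
  default = ["germanywestcentral", "westeurope"] # constructed sample values
}

# The root that the hierarchy hangs off; it must already exist.
data "azurerm_management_group" "parent" {
  name = var.parent_management_group_name
}

# Platform scope for shared services; its children follow below.
resource "azurerm_management_group" "platform" {
  name                       = "platform"
  display_name               = "platform"
  parent_management_group_id = data.azurerm_management_group.parent.id
}

# management, connectivity and identity are siblings under platform.
resource "azurerm_management_group" "platform_children" {
  for_each                   = toset(["management", "connectivity", "identity"])
  name                       = each.key
  display_name               = each.key
  parent_management_group_id = azurerm_management_group.platform.id
}

# Workload subscriptions live under landingzones, directly below the root.
resource "azurerm_management_group" "landingzones" {
  name                       = "landingzones"
  display_name               = "landingzones"
  parent_management_group_id = data.azurerm_management_group.parent.id
}

# Built-in "Allowed locations" definition, assigned at the root so every child inherits it.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = data.azurerm_management_group.parent.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  # Azure requires a location on assignments that carry a managed identity;
  # following the module's convention, the first entry of var.locations is used.
  location   = var.locations[0]
  parameters = jsonencode({ listOfAllowedLocations = { value = var.locations } })
}
```

Run `terraform plan` against a tenant where the parent management group exists to review the resulting tree before applying.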
Related Kit Modules
After deploying this module, you should probably deploy the following kit modules next to
Requirements
Name | Version |
---|---|
terraform | >= 1.0 |
azurerm | ~> 3.97.0 |
Modules
Name | Source | Version |
---|---|---|
policy_root | github.com/meshcloud/collie-hub//kit/azure/util/azure-policies | da8dd49 |
Resources
Name | Type |
---|---|
azurerm_management_group.connectivity | resource |
azurerm_management_group.identity | resource |
azurerm_management_group.landingzones | resource |
azurerm_management_group.management | resource |
azurerm_management_group.platform | resource |
azurerm_management_group_subscription_association.management | resource |
terraform_data.management_subscription_name | resource |
azurerm_management_group.parent | data source |
azurerm_subscription.current | data source |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
connectivity | n/a | string | "connectivity" | no |
identity | n/a | string | "identity" | no |
landingzones | n/a | string | "landingzones" | no |
locations | The list of Azure regions allowed by the "Allowed locations" policy. Additionally, the first entry in this list is used as the location of the policy assignments, which Azure requires whenever an identity is assigned to an assignment. | list(string) | [ | no |
management | n/a | string | "management" | no |
management_subscription_name | Name of your management subscription | string | "management" | no |
parent_management_group_name | n/a | string | "foundation" | no |
platform | n/a | string | "platform" | no |
Outputs
Name | Description |
---|---|
connectivity_id | n/a |
documentation_md | n/a |
identity_id | n/a |
landingzones_id | n/a |
management_id | n/a |
parent_id | n/a |
platform_id | n/a |