Add management landing zone resources (#69)

- Adds support for Terraform `v0.15.0`
- Adds "Management resources" capability to enable deploying the "Management landing zone", including:
  - Log Analytics workspace
  - Automation Account (integrated with Log Analytics workspace)
  - Recommended Log Analytics solutions
  - Automated integration of Log Analytics workspace config into Policy Assignments
  - "Feature switches" to control additional Policy Assignment settings relating to the Management capabilities
- Documentation to reflect additions, including update to release v0.2.0
- Remove `Deploy-Diagnostics-PublicIP` Policy Definition (now built-in)
- Add multiple Policy Definitions for ASC Defender configuration
- Replace `Deploy-ASC-Standard` Policy Definition with `Deploy-ASC-Config` Policy Set Definition
- Update Log Analytics workspace configuration settings in `Deploy-Log-Analytics` Policy Definition
- Fix incorrect logic for handling `enforcement_mode` setting for Policy Assignments
- Remove deprecated `skip_service_principal_aad_check` setting from Role Assignments
- Update minimum supported AzureRM provider version to `v2.41.0`

README.md

@@ -1,15 +1,11 @@
 # Terraform Module for Cloud Adoption Framework Enterprise-scale
 
-<br>
-
-> **WARNING**: Please note that the `v0.1.0` release contained a number of changes which may impact your deployment.
-> Please review the [Upgrade from v0.0.8 to v0.1.0][wiki_upgrade_from_v0_0_8_to_v0_1_0] guidance before upgrading to v0.1.0 or later.
-
-<br>
-
 [![Build Status](https://dev.azure.com/mscet/CAE-ESTF/_apis/build/status/Tests/E2E?branchName=main)](https://dev.azure.com/mscet/CAE-ESTF/_build/latest?definitionId=26&branchName=main)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat&logo=github)
 
+> **NOTE:** The latest `v0.2.0` release adds new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
+> Please refer to the [Deploy Management Resources][wiki_deploy_management_resources] page on our Wiki for more information about how to use this.
+
 ## Documentation
 
 For detailed information about how to use, configure and extend this module, please refer to the documentation on our Wiki:
@@ -19,7 +15,9 @@ For detailed information about how to use, configure and extend this module, ple
   - [Getting Started][wiki_getting_started]
   - [Module Variables][wiki_module_variables]
   - [Archetype Definitions][wiki_archetype_definitions]
+  - [Deploy Management Resources][wiki_deploy_management_resources]
   - [Upgrade from v0.0.8 to v0.1.0][wiki_upgrade_from_v0_0_8_to_v0_1_0]
+  - [Upgrade from v0.1.2 to v0.2.0][wiki_upgrade_from_v0_1_2_to_v0_2_0]
 - [Examples][wiki_examples]
   - [Deploy Default Configuration][wiki_deploy_default_configuration]
   - [Deploy Demo Landing Zone Archetypes][wiki_deploy_demo_landing_zone_archetypes]
@@ -35,14 +33,23 @@ For detailed information about how to use, configure and extend this module, ple
 
 ## Overview
 
-The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for delivering the core platform capabilities needed to start building Azure landing zones using Terraform.
-This module deploys the foundations of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
+The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for delivering Azure landing zones using Terraform.
+Depending on the selected options, this module is able to deploy different groups of resources as needed.
+
+This is currently split logically into the following capabilities:
 
-![Enterprise-scale Landing Zone Architecture][TFAES-Overview]
+- Core resources
+- Management resources
 
-## Resources
+The following sections outline the different resource types deployed and managed by this module, depending on the configuration options specified.
 
-The following resource types are deployed and managed by this module:
+### Core resources
+
+The core capability of this module deploys the foundations of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
+
+![Enterprise-scale Core Landing Zones Architecture][TFAES-Overview]
+
+The following resource types are deployed and managed by this module when using the core capabilities:
 
 |     | Azure Resource | Terraform Resource |
 | --- | -------------- | ------------------ |
@@ -56,19 +63,39 @@ The following resource types are deployed and managed by this module:
 
 The exact number of resources created depends on the module configuration, but you can expect upwards of `100` resources to be created by this module for a default installation based on the example below.
 
+> **NOTE:** None of these resources are deployed at the Subscription scope, however Terraform still requires a Subscription to establish an authenticated session with Azure.
+
+### Management resources
+
+From release `v0.2.0` onwards, the module includes new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
+This brings the benefit of being able to manage the full lifecycle of these resources using Terraform, with native integration into the corresponding Policy Assignments to ensure full policy compliance.
+
+![Enterprise-scale Management Landing Zone Architecture][TFAES-Management]
+
+The following resource types are deployed and managed by this module when the Management resources capabilities are enabled:
+
+|     | Azure Resource | Terraform Resource |
+| --- | -------------- | ------------------ |
+| Resource Groups | [`Microsoft.Resources/resourceGroups`][arm_resource_group] | [`azurerm_resource_group`][azurerm_resource_group] |
+| Log Analytics Workspace | [`Microsoft.OperationalInsights/workspaces`][arm_log_analytics_workspace] | [`azurerm_log_analytics_workspace`][azurerm_log_analytics_workspace] |
+| Log Analytics Solutions | [`Microsoft.OperationsManagement/solutions`][arm_log_analytics_solution] | [`azurerm_log_analytics_solution`][azurerm_log_analytics_solution] |
+| Automation Account | [`Microsoft.Automation/automationAccounts`][arm_automation_account] | [`azurerm_automation_account`][azurerm_automation_account] |
+| Log Analytics Linked Service | [`Microsoft.OperationalInsights/workspaces /linkedServices`][arm_log_analytics_linked_service] | [`azurerm_log_analytics_linked_service`][azurerm_log_analytics_linked_service] |
+
+Please refer to the [Deploy Management Resources][wiki_deploy_management_resources] page on our Wiki for more information about how to use this capability.
+
 ## Terraform versions
 
-This module has been tested using Terraform `0.13.2` onwards.
-It is also tested against the AzureRM Provider `2.34.0` onwards. In some cases, individual versions of the AzureRM provider may cause errors.
+This module has been tested using Terraform `0.13.2` and AzureRM Provider `2.41.0` as a baseline, and various versions to up the most recent at the time of release.
+In some cases, individual versions of the AzureRM provider may cause errors.
 If this happens, we advise upgrading to the latest version and checking our [troubleshooting][wiki_troubleshooting] guide before [raising an issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues).
 
-This module has some known issues with the pre-release Terraform `0.15.x` versions which we plan to resolve in a future release.
 
 ## Usage
 
 As a basic starting point, we recommend starting with the following configuration in your root module.
 
-> **NOTE**: For production use we highly recommend using the Terraform Registry and pinning to the latest stable version, as per the example below.
+> **NOTE:** For production use we highly recommend using the Terraform Registry and pinning to the latest stable version, as per the example below.
 > Pinning to the `main` branch in GitHub will give you the latest updates quicker, but increases the likelihood of unplanned changes to your environment and unforeseen issues.
 
 **File: `main.tf`**
@@ -81,7 +108,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 2.46.1"
+      version = ">= 2.41.0"
     }
   }
 }
@@ -114,7 +141,7 @@ variable "root_name" {
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "0.1.2"
+  version = "0.2.0"
 
   root_parent_id = data.azurerm_client_config.current.tenant_id
   root_id        = var.root_id
@@ -138,14 +165,16 @@ module "enterprise_scale" {
  [//]: # (INSERT IMAGE REFERENCES BELOW)
  [//]: # (*****************************)
 
-[TFAES-Overview]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/media/terraform-caf-enterprise-scale-overview.png "Diagram showing the Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Overview]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Management]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
 
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
  [//]: # (************************)
 
 [terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
 [ESLZ-Architecture]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
+[ESLZ-Management]: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
 
 [arm_management_group]:               https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups
 [arm_management_group_subscriptions]: https://docs.microsoft.com/en-us/azure/templates/microsoft.management/managementgroups/subscriptions
@@ -154,24 +183,36 @@ module "enterprise_scale" {
 [arm_policy_set_definition]:          https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policysetdefinitions
 [arm_role_assignment]:                https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments
 [arm_role_definition]:                https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roledefinitions
-
-[azurerm_management_group]:      https://www.terraform.io/docs/providers/azurerm/r/management_group.html
-[azurerm_policy_assignment]:     https://www.terraform.io/docs/providers/azurerm/r/policy_assignment.html
-[azurerm_policy_definition]:     https://www.terraform.io/docs/providers/azurerm/r/policy_definition.html
-[azurerm_policy_set_definition]: https://www.terraform.io/docs/providers/azurerm/r/policy_set_definition.html
-[azurerm_role_assignment]:       https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html
-[azurerm_role_definition]:       https://www.terraform.io/docs/providers/azurerm/r/role_definition.html
-
-[TFAES-LICENSE]: https://github.com/Azure/terraform-azurerm-enterprise-scale/blob/main/LICENSE
+[arm_resource_group]:                 https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/resourcegroups
+[arm_log_analytics_workspace]:        https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces
+[arm_log_analytics_solution]:         https://docs.microsoft.com/en-us/azure/templates/microsoft.operationsmanagement/solutions
+[arm_automation_account]:             https://docs.microsoft.com/en-us/azure/templates/microsoft.automation/automationaccounts
+[arm_log_analytics_linked_service]:   https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces/linkedservices
+
+[azurerm_management_group]:             https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group
+[azurerm_policy_assignment]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment
+[azurerm_policy_definition]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition
+[azurerm_policy_set_definition]:        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition
+[azurerm_role_assignment]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+[azurerm_role_definition]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
+[azurerm_resource_group]:               https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group
+[azurerm_log_analytics_workspace]:      https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace
+[azurerm_log_analytics_solution]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution
+[azurerm_automation_account]:           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_account
+[azurerm_log_analytics_linked_service]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_linked_service
+
+[TFAES-LICENSE]:      https://github.com/Azure/terraform-azurerm-enterprise-scale/blob/main/LICENSE
 [TFAES-CONTRIBUTING]: https://github.com/Azure/terraform-azurerm-enterprise-scale/blob/main/CONTRIBUTING
-[TFAES-Library]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/terraform-azurerm-caf-enterprise-scale-archetypes/lib
+[TFAES-Library]:       https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/terraform-azurerm-caf-enterprise-scale-archetypes/lib
 
 [wiki_home]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Home "Wiki - Home"
 [wiki_user_guide]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/User-Guide "Wiki - User Guide"
 [wiki_getting_started]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Getting-Started "Wiki - Getting Started"
 [wiki_module_variables]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Module-Variables "Wiki - Module Variables"
 [wiki_archetype_definitions]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions "Wiki - Archetype Definitions"
 [wiki_upgrade_from_v0_0_8_to_v0_1_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.0.8-to-v0.1.0 "Wiki - Upgrade from v0.0.8 to v0.1.0"
+[wiki_upgrade_from_v0_1_2_to_v0_2_0]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
+[wiki_deploy_management_resources]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
 [wiki_examples]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Examples "Wiki - Examples"
 [wiki_deploy_default_configuration]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Default-Configuration "Wiki - Deploy Default Configuration"
 [wiki_deploy_demo_landing_zone_archetypes]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Demo-Landing-Zone-Archetypes "Wiki - Deploy Demo Landing Zone Archetypes"

locals.management.tf

@@ -0,0 +1,63 @@
+# The following locals are used to extract the Log Analytics
+# configuration from the solution module outputs.
+locals {
+  es_log_analytics_workspaces = module.management_resources.configuration.azurerm_log_analytics_workspace
+}
+
+# The following locals are used to build the map of Log
+# Analytics workspaces to deploy.
+locals {
+  azurerm_log_analytics_workspace_enterprise_scale = {
+    for resource in local.es_log_analytics_workspaces :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Log Analytics
+# Solutions configuration from the solution module outputs.
+locals {
+  es_log_analytics_solution = module.management_resources.configuration.azurerm_log_analytics_solution
+}
+
+# The following locals are used to build the map of Log
+# Analytics workspaces to deploy.
+locals {
+  azurerm_log_analytics_solution_enterprise_scale = {
+    for resource in local.es_log_analytics_solution :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Automation
+# Account configuration from the solution module outputs.
+locals {
+  es_automation_account = module.management_resources.configuration.azurerm_automation_account
+}
+
+# The following locals are used to build the map of Log
+# Analytics workspaces to deploy.
+locals {
+  azurerm_automation_account_enterprise_scale = {
+    for resource in local.es_automation_account :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}
+
+# The following locals are used to extract the Log Analytics
+# Linked Service configuration from the solution module outputs.
+locals {
+  es_log_analytics_linked_service = module.management_resources.configuration.azurerm_log_analytics_linked_service
+}
+
+# The following locals are used to build the map of Log
+# Analytics workspaces to deploy.
+locals {
+  azurerm_log_analytics_linked_service_enterprise_scale = {
+    for resource in local.es_log_analytics_linked_service :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}

locals.management_groups.tf

@@ -206,7 +206,14 @@ locals {
       display_name               = value.display_name
       parent_management_group_id = try(length(value.parent_management_group_id) > 0, false) ? replace(lower(value.parent_management_group_id), "/[^a-z0-9]/", "-") : local.root_parent_id
       subscription_ids           = value.subscription_ids
-      archetype_config           = value.archetype_config
+      archetype_config = {
+        archetype_id   = value.archetype_config.archetype_id
+        access_control = value.archetype_config.access_control
+        parameters = merge(
+          value.archetype_config.parameters,
+          try(module.management_resources.configuration.archetype_config_overrides[key].parameters, null),
+        )
+      }
     }
   }
 }

locals.policy_assignments.tf

@@ -3,7 +3,7 @@
 locals {
   es_policy_assignments_by_management_group = flatten([
     for archetype in values(module.management_group_archetypes) :
-    archetype.configuration.policy_assignments
+    archetype.configuration.azurerm_policy_assignment
   ])
   es_policy_assignments_by_subscription = []
   es_policy_assignments = concat(
@@ -221,12 +221,11 @@ locals {
     for policy_assignment_id, policy_id in local.policy_assignments_with_managed_identity : [
       for role_definition_id in try(local.policy_roles[policy_id], local.empty_list) : [
         {
-          resource_id                      = "${local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id}${local.provider_path.role_assignment}${uuidv5(uuidv5("url", role_definition_id), policy_assignment_id)}"
-          scope_id                         = local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id
-          principal_id                     = try(azurerm_policy_assignment.enterprise_scale[policy_assignment_id].identity[0].principal_id, null)
-          role_definition_name             = null
-          role_definition_id               = role_definition_id
-          skip_service_principal_aad_check = true
+          resource_id          = "${local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id}${local.provider_path.role_assignment}${uuidv5(uuidv5("url", role_definition_id), policy_assignment_id)}"
+          scope_id             = local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id
+          principal_id         = try(azurerm_policy_assignment.enterprise_scale[policy_assignment_id].identity[0].principal_id, null)
+          role_definition_name = null
+          role_definition_id   = role_definition_id
         }
       ]
     ]

locals.policy_definitions.tf

@@ -3,7 +3,7 @@
 locals {
   es_policy_definitions_by_management_group = flatten([
     for archetype in values(module.management_group_archetypes) :
-    archetype.configuration.policy_definitions
+    archetype.configuration.azurerm_policy_definition
   ])
   es_policy_definitions_by_subscription = []
   es_policy_definitions = concat(