This pattern module creates the full AI/ML landing zone which supports multiple ai project scenarios.
The following requirements are needed by this module:
-
terraform (>= 1.9, < 2.0)
-
azapi (~> 2.4)
-
azurerm (~> 4.0)
-
modtm (~> 0.3)
-
random (~> 3.5)
-
time (~> 0.12)
The following resources are used by this module:
- azapi_resource.bing_grounding (resource)
- azapi_resource_action.purge_ai_foundry (resource)
- azurerm_resource_group.this (resource)
- azurerm_role_assignment.deployment_user_kv_admin (resource)
- azurerm_virtual_hub_connection.this (resource)
- modtm_telemetry.telemetry (resource)
- random_integer.zone_index (resource)
- random_string.name_suffix (resource)
- random_uuid.telemetry (resource)
- time_sleep.purge_ai_foundry_cooldown (resource)
- azapi_client_config.telemetry (data source)
- azurerm_client_config.current (data source)
- modtm_module_source.telemetry (data source)
The following input variables are required:
Description: Azure region where all resources should be deployed.
This specifies the primary Azure region for deploying the AI/ML landing zone infrastructure. All resources will be created in this region unless specifically configured otherwise in individual resource definitions.
Type: string
Description: The name of the resource group where all resources will be deployed.
This resource group will contain all the AI/ML landing zone infrastructure components. The resource group should already exist or will be created as part of the deployment process.
Type: string
Description: Configuration object for the Virtual Network (VNet) to be deployed.
name- (Optional) The name of the Virtual Network. If not provided, a name will be generated.address_space- (Required) The address space for the Virtual Network in CIDR notation.ddos_protection_plan_resource_id- (Optional) Resource ID of the DDoS Protection Plan to associate with the VNet.dns_servers- (Optional) Set of custom DNS server IP addresses for the VNet.subnets- (Optional) Map of subnet configurations. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.enabled- (Optional) Whether the subnet is enabled. Default is true.name- (Optional) The name of the subnet. If not provided, a name will be generated.address_prefix- (Optional) The address prefix for the subnet in CIDR notation.
vnet_peering_configuration- (Optional) Configuration for VNet peering.peer_vnet_resource_id- (Optional) Resource ID of the peer VNet.firewall_ip_address- (Optional) IP address of the firewall for routing.name- (Optional) Name of the peering connection.allow_forwarded_traffic- (Optional) Whether forwarded traffic is allowed. Default is true.allow_gateway_transit- (Optional) Whether gateway transit is allowed. Default is true.allow_virtual_network_access- (Optional) Whether virtual network access is allowed. Default is true.create_reverse_peering- (Optional) Whether to create reverse peering. Default is true.reverse_allow_forwarded_traffic- (Optional) Whether reverse forwarded traffic is allowed. Default is false.reverse_allow_gateway_transit- (Optional) Whether reverse gateway transit is allowed. Default is false.reverse_allow_virtual_network_access- (Optional) Whether reverse virtual network access is allowed. Default is true.reverse_name- (Optional) Name of the reverse peering connection.reverse_use_remote_gateways- (Optional) Whether to use remote gateways in reverse direction. Default is false.use_remote_gateways- (Optional) Whether to use remote gateways. Default is false.
vwan_hub_peering_configuration- (Optional) Configuration for Virtual WAN hub peering.peer_vwan_hub_resource_id- (Optional) Resource ID of the Virtual WAN hub to peer with.
Type:
object({
name = optional(string)
address_space = string
ddos_protection_plan_resource_id = optional(string)
dns_servers = optional(set(string), [])
subnets = optional(map(object({
enabled = optional(bool, true)
name = optional(string)
address_prefix = optional(string)
}
)), {})
vnet_peering_configuration = optional(object({
peer_vnet_resource_id = optional(string)
firewall_ip_address = optional(string)
name = optional(string)
allow_forwarded_traffic = optional(bool, true)
allow_gateway_transit = optional(bool, true)
allow_virtual_network_access = optional(bool, true)
create_reverse_peering = optional(bool, true)
reverse_allow_forwarded_traffic = optional(bool, false)
reverse_allow_gateway_transit = optional(bool, false)
reverse_allow_virtual_network_access = optional(bool, true)
reverse_name = optional(string)
reverse_use_remote_gateways = optional(bool, false)
use_remote_gateways = optional(bool, false)
}), {})
vwan_hub_peering_configuration = optional(object({
peer_vwan_hub_resource_id = optional(string)
#TODO: Add other connection properties here?
}), {})
})The following input variables are optional (have default values):
Description: Configuration object for the Azure AI Foundry deployment (hub, projects, and Bring Your Own Resources).
-
create_byor- (Optional) Whether to create BYOR resources managed by this module. Default is true. -
purge_on_destroy- (Optional) Whether to purge soft-delete–capable resources on destroy. Default is false. -
ai_foundry- (Optional) Azure AI Foundry hub settings.name- (Optional) Name of the hub. If not provided, a name will be generated.disable_local_auth- (Optional) Whether to disable local authentication. Default is false.allow_project_management- (Optional) Whether project management is allowed from the hub. Default is true.create_ai_agent_service- (Optional) Whether to create the AI Agent service in the hub. Default is false.private_dns_zone_resource_ids- (Optional) List of private DNS zone resource IDs for hub endpoints. Default is [].sku- (Optional) The SKU for the hub. Default is "S0".role_assignments- (Optional) Map of role assignments on the hub. The map key is deliberately arbitrary to avoid plan-time unknown key issues.role_definition_id_or_name- Role definition ID or name to assign.principal_id- Principal ID for the assignment.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principals. Default is false.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
-
ai_model_deployments- (Optional) Map of model deployment configurations to create. The map key is arbitrary.name- The name of the deployment.rai_policy_name- (Optional) Responsible AI policy name applied to the deployment.version_upgrade_option- (Optional) Version upgrade option for the model. Default is "OnceNewDefaultVersionAvailable".model- Model specification.format- Model format (e.g., OpenAI, OSS foundation model format).name- Model name.version- Model version.
scale- Scale configuration for the deployment.capacity- (Optional) Capacity value for the selected SKU family/size.family- (Optional) SKU family.size- (Optional) SKU size.tier- (Optional) SKU tier.type- Scale type (e.g., Standard/ProvisionedManaged/Serverless, depending on service).
-
ai_projects- (Optional) Map of AI Project configurations to create. The map key is arbitrary.name- Resource name of the project.sku- (Optional) SKU for the project. Default is "S0".display_name- Display name for the project.description- Description of the project.create_project_connections- (Optional) Whether to create project-level connections to dependent services. Default is false.cosmos_db_connection- (Optional) Connection to Cosmos DB.existing_resource_id- (Optional) Resource ID of an existing Cosmos DB to connect.new_resource_map_key- (Optional) Key referencing a new resource fromcosmosdb_definition.
ai_search_connection- (Optional) Connection to Azure AI Search.existing_resource_id- (Optional) Resource ID of an existing AI Search to connect.new_resource_map_key- (Optional) Key referencing a new resource fromai_search_definition.
key_vault_connection- (Optional) Connection to Key Vault.existing_resource_id- (Optional) Resource ID of an existing Key Vault to connect.new_resource_map_key- (Optional) Key referencing a new resource fromkey_vault_definition.
storage_account_connection- (Optional) Connection to Storage Account.existing_resource_id- (Optional) Resource ID of an existing Storage Account to connect.new_resource_map_key- (Optional) Key referencing a new resource fromstorage_account_definition.
-
Bring Your Own Resources (BYOR) definitions
-
ai_search_definition- (Optional) Map defining one or more Azure AI Search services.existing_resource_id- (Optional) Resource ID of an existing service to reuse.name- (Optional) Name of the service if creating new.private_dns_zone_resource_id- (Optional) Private DNS zone resource ID for the service.enable_diagnostic_settings- (Optional) Whether diagnostic settings are enabled. Default is true.sku- (Optional) Service SKU. Default is "standard".local_authentication_enabled- (Optional) Whether local auth is enabled. Default is true.partition_count- (Optional) Number of partitions. Default is 1.replica_count- (Optional) Number of replicas. Default is 2.semantic_search_sku- (Optional) Semantic search SKU. Default is "standard".semantic_search_enabled- (Optional) Whether semantic search is enabled. Default is false.hosting_mode- (Optional) Hosting mode. Default is "default".tags- (Optional) Map of tags for the service.role_assignments- (Optional) Map of role assignments on the service.role_definition_id_or_name- Role definition ID or name to assign.principal_id- Principal ID for the assignment.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principals. Default is false.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
enable_telemetry- (Optional) Whether telemetry is enabled for this resource. Default is true.
-
cosmosdb_definition- (Optional) Map defining one or more Azure Cosmos DB accounts.existing_resource_id- (Optional) Resource ID of an existing account to reuse.private_dns_zone_resource_id- (Optional) Private DNS zone resource ID.enable_diagnostic_settings- (Optional) Whether diagnostic settings are enabled. Default is true.name- (Optional) Name of the account if creating new.secondary_regions- (Optional) List of secondary regions for geo-replication. Default is [].location- Azure region name for the secondary location.zone_redundant- (Optional) Whether zone redundancy is enabled. Default is true.failover_priority- (Optional) Failover priority. Default is 0.
public_network_access_enabled- (Optional) Whether public network access is enabled. Default is false.analytical_storage_enabled- (Optional) Whether analytical storage is enabled. Default is true.automatic_failover_enabled- (Optional) Whether automatic failover is enabled. Default is true.local_authentication_disabled- (Optional) Whether local authentication is disabled. Default is true.partition_merge_enabled- (Optional) Whether partition merge is enabled. Default is false.multiple_write_locations_enabled- (Optional) Whether multiple write locations are enabled. Default is false.analytical_storage_config- (Optional) Analytical storage configuration. Default is null.schema_type- Schema type for analytical storage.
consistency_policy- (Optional) Consistency policy configuration.max_interval_in_seconds- (Optional) Max staleness interval in seconds. Default is 300.max_staleness_prefix- (Optional) Max staleness prefix. Default is 100001.consistency_level- (Optional) Consistency level. Default is "Session".
backup- (Optional) Backup configuration.retention_in_hours- (Optional) Backup retention in hours.interval_in_minutes- (Optional) Backup interval in minutes.storage_redundancy- (Optional) Storage redundancy for backups.type- (Optional) Backup type.tier- (Optional) Backup tier.
capabilities- (Optional) Set of capabilities to enable.name- Capability name.
capacity- (Optional) Capacity configuration.total_throughput_limit- (Optional) Total throughput limit. Default is -1 (unlimited).
cors_rule- (Optional) CORS rule configuration. Default is null.allowed_headers- Set of allowed headers.allowed_methods- Set of allowed methods.allowed_origins- Set of allowed origins.exposed_headers- Set of exposed headers.max_age_in_seconds- (Optional) Maximum age in seconds for CORS.
role_assignments- (Optional) Map of role assignments on the account.role_definition_id_or_name- Role definition ID or name to assign.principal_id- Principal ID for the assignment.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principals. Default is false.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
tags- (Optional) Map of tags for the account.
-
key_vault_definition- (Optional) Map defining one or more Azure Key Vaults.existing_resource_id- (Optional) Resource ID of an existing vault to reuse.name- (Optional) Name of the vault if creating new.private_dns_zone_resource_id- (Optional) Private DNS zone resource ID.enable_diagnostic_settings- (Optional) Whether diagnostic settings are enabled. Default is true.sku- (Optional) Vault SKU. Default is "standard".tenant_id- (Optional) Tenant ID for the Key Vault.role_assignments- (Optional) Map of role assignments on the vault.role_definition_id_or_name- Role definition ID or name to assign.principal_id- Principal ID for the assignment.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principals. Default is false.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
tags- (Optional) Map of tags for the vault.
-
law_definition- (Optional) Map defining one or more Log Analytics Workspaces.existing_resource_id- (Optional) Resource ID of an existing workspace to reuse.name- (Optional) Name of the workspace if creating new.retention- (Optional) Data retention in days. Default is 30.sku- (Optional) Workspace SKU. Default is "PerGB2018".tags- (Optional) Map of tags for the workspace.
-
storage_account_definition- (Optional) Map defining one or more Storage Accounts.existing_resource_id- (Optional) Resource ID of an existing account to reuse.enable_diagnostic_settings- (Optional) Whether diagnostic settings are enabled. Default is true.name- (Optional) Name of the account if creating new.account_kind- (Optional) Storage account kind. Default is "StorageV2".account_tier- (Optional) Storage account tier. Default is "Standard".account_replication_type- (Optional) Replication type. Default is "ZRS".endpoints- (Optional) Map of subservice endpoints to enable. Defaults to enabling theblobendpoint.- map key - Endpoint name (e.g.,
blob). type- Endpoint type (e.g., "blob").private_dns_zone_resource_id- (Optional) Private DNS zone resource ID for the endpoint.
- map key - Endpoint name (e.g.,
access_tier- (Optional) Access tier for the account. Default is "Hot".shared_access_key_enabled- (Optional) Whether shared access keys are enabled. Default is false.role_assignments- (Optional) Map of role assignments on the storage account.role_definition_id_or_name- Role definition ID or name to assign.principal_id- Principal ID for the assignment.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principals. Default is false.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
tags- (Optional) Map of tags for the storage account.
-
This object supports both creating new resources and connecting to existing ones, enabling flexible deployment scenarios across the hub, projects, and dependent services.
Type:
object({
# AI Foundry Hub Configuration
create_byor = optional(bool, true)
purge_on_destroy = optional(bool, false)
ai_foundry = optional(object({
name = optional(string, null)
disable_local_auth = optional(bool, false)
allow_project_management = optional(bool, true)
create_ai_agent_service = optional(bool, false)
#network_injections is statically set to vnet/subnet created in the module.
private_dns_zone_resource_ids = optional(list(string), [])
sku = optional(string, "S0")
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
}), {})
#AI model configurations
ai_model_deployments = optional(map(object({
name = string
rai_policy_name = optional(string)
version_upgrade_option = optional(string, "OnceNewDefaultVersionAvailable")
model = object({
format = string
name = string
version = string
})
scale = object({
capacity = optional(number)
family = optional(string)
size = optional(string)
tier = optional(string)
type = string
})
})), {})
# AI Projects Configuration
ai_projects = optional(map(object({
name = string
sku = optional(string, "S0")
display_name = string
description = string
create_project_connections = optional(bool, false)
cosmos_db_connection = optional(object({
existing_resource_id = optional(string, null)
new_resource_map_key = optional(string, null)
}), {})
ai_search_connection = optional(object({
existing_resource_id = optional(string, null)
new_resource_map_key = optional(string, null)
}), {})
key_vault_connection = optional(object({
existing_resource_id = optional(string, null)
new_resource_map_key = optional(string, null)
}), {})
storage_account_connection = optional(object({
existing_resource_id = optional(string, null)
new_resource_map_key = optional(string, null)
}), {})
})), {})
# Bring Your Own Resources (BYOR) Configuration
# One or more AI search installations.
ai_search_definition = optional(map(object({
existing_resource_id = optional(string, null)
name = optional(string)
private_dns_zone_resource_id = optional(string, null)
enable_diagnostic_settings = optional(bool, true)
sku = optional(string, "standard")
local_authentication_enabled = optional(bool, true)
partition_count = optional(number, 1)
replica_count = optional(number, 2)
semantic_search_sku = optional(string, "standard")
semantic_search_enabled = optional(bool, false)
hosting_mode = optional(string, "default")
tags = optional(map(string), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
enable_telemetry = optional(bool, true)
})), {})
cosmosdb_definition = optional(map(object({
existing_resource_id = optional(string, null)
private_dns_zone_resource_id = optional(string, null)
enable_diagnostic_settings = optional(bool, true)
name = optional(string)
secondary_regions = optional(list(object({
location = string
zone_redundant = optional(bool, true)
failover_priority = optional(number, 0)
})), [])
public_network_access_enabled = optional(bool, false)
analytical_storage_enabled = optional(bool, true)
automatic_failover_enabled = optional(bool, true)
local_authentication_disabled = optional(bool, true)
partition_merge_enabled = optional(bool, false)
multiple_write_locations_enabled = optional(bool, false)
analytical_storage_config = optional(object({
schema_type = string
}), null)
consistency_policy = optional(object({
max_interval_in_seconds = optional(number, 300)
max_staleness_prefix = optional(number, 100001)
consistency_level = optional(string, "Session")
}), {})
backup = optional(object({
retention_in_hours = optional(number)
interval_in_minutes = optional(number)
storage_redundancy = optional(string)
type = optional(string)
tier = optional(string)
}), {})
capabilities = optional(set(object({
name = string
})), [])
capacity = optional(object({
total_throughput_limit = optional(number, -1)
}), {})
cors_rule = optional(object({
allowed_headers = set(string)
allowed_methods = set(string)
allowed_origins = set(string)
exposed_headers = set(string)
max_age_in_seconds = optional(number, null)
}), null)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
tags = optional(map(string), {})
})), {})
key_vault_definition = optional(map(object({
existing_resource_id = optional(string, null)
name = optional(string)
private_dns_zone_resource_id = optional(string, null)
enable_diagnostic_settings = optional(bool, true)
sku = optional(string, "standard")
tenant_id = optional(string)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
tags = optional(map(string), {})
})), {})
law_definition = optional(map(object({
existing_resource_id = optional(string)
name = optional(string)
retention = optional(number, 30)
sku = optional(string, "PerGB2018")
tags = optional(map(string), {})
})), {})
storage_account_definition = optional(map(object({
existing_resource_id = optional(string, null)
enable_diagnostic_settings = optional(bool, true)
name = optional(string, null)
account_kind = optional(string, "StorageV2")
account_tier = optional(string, "Standard")
account_replication_type = optional(string, "ZRS")
endpoints = optional(map(object({
type = string
private_dns_zone_resource_id = optional(string, null)
})), {
blob = {
type = "blob"
}
})
access_tier = optional(string, "Hot")
shared_access_key_enabled = optional(bool, false)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
tags = optional(map(string), {})
})), {})
})Default: {}
Description: Configuration object for the Azure API Management service to be deployed.
deploy- (Optional) Whether to deploy the API Management service. Default is true.name- (Optional) The name of the API Management service. If not provided, a name will be generated.publisher_email- (Required) The email address of the publisher of the API Management service.publisher_name- (Required) The name of the publisher of the API Management service.additional_locations- (Optional) List of additional locations where the API Management service will be deployed.location- The Azure region for the additional location.capacity- (Optional) The number of units for the additional location.zones- (Optional) List of availability zones for the additional location.public_ip_address_id- (Optional) Resource ID of the public IP address for the additional location.gateway_disabled- (Optional) Whether the gateway is disabled in the additional location.virtual_network_configuration- (Optional) Virtual network configuration for the additional location.subnet_id- The resource ID of the subnet for virtual network integration.
certificate- (Optional) List of certificates to be uploaded to the API Management service.encoded_certificate- The base64 encoded certificate data.store_name- The certificate store name (e.g., "CertificateAuthority", "Root").certificate_password- (Optional) The password for the certificate.
client_certificate_enabled- (Optional) Whether client certificate authentication is enabled. Default is false.hostname_configuration- (Optional) Hostname configuration for different endpoints.management- (Optional) List of custom hostnames for the management endpoint.portal- (Optional) List of custom hostnames for the developer portal endpoint.developer_portal- (Optional) List of custom hostnames for the new developer portal endpoint.proxy- (Optional) List of custom hostnames for the proxy endpoint.scm- (Optional) List of custom hostnames for the SCM endpoint.
Each hostname configuration includes:host_name- The custom hostname.key_vault_id- (Optional) Resource ID of the Key Vault containing the certificate.certificate- (Optional) Base64 encoded certificate data.certificate_password- (Optional) Password for the certificate.negotiate_client_certificate- (Optional) Whether to negotiate client certificates.ssl_keyvault_identity_client_id- (Optional) Client ID of the user-assigned managed identity for Key Vault access.default_ssl_binding- (Optional, proxy only) Whether this is the default SSL binding.
min_api_version- (Optional) The minimum API version that the API Management service will accept.notification_sender_email- (Optional) Email address from which notifications will be sent.protocols- (Optional) Protocol configuration.enable_http2- (Optional) Whether HTTP/2 protocol is enabled. Default is false.
role_assignments- (Optional) Map of role assignments to create on the API Management service. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
sign_in- (Optional) Sign-in configuration for the developer portal.enabled- Whether sign-in is enabled.
sign_up- (Optional) Sign-up configuration for the developer portal.enabled- Whether sign-up is enabled.terms_of_service- Terms of service configuration.consent_required- Whether consent to terms of service is required.enabled- Whether terms of service are enabled.text- (Optional) The terms of service text.
sku_root- (Optional) The SKU of the API Management service. Default is "Premium".sku_capacity- (Optional) The capacity/scale units of the API Management service. Default is 3.tags- (Optional) Map of tags to assign to the API Management service.tenant_access- (Optional) Tenant access configuration.enabled- Whether tenant access is enabled.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
publisher_email = string
publisher_name = string
additional_locations = optional(list(object({
location = string
capacity = optional(number, null)
zones = optional(list(string), null)
public_ip_address_id = optional(string, null)
gateway_disabled = optional(bool, null)
virtual_network_configuration = optional(object({
subnet_id = string
}), null)
})), [])
certificate = optional(list(object({
encoded_certificate = string
store_name = string
certificate_password = optional(string, null)
})), [])
client_certificate_enabled = optional(bool, false)
hostname_configuration = optional(object({
management = optional(list(object({
host_name = string
key_vault_id = optional(string, null)
certificate = optional(string, null)
certificate_password = optional(string, null)
negotiate_client_certificate = optional(bool, false)
ssl_keyvault_identity_client_id = optional(string, null)
})), [])
portal = optional(list(object({
host_name = string
key_vault_id = optional(string, null)
certificate = optional(string, null)
certificate_password = optional(string, null)
negotiate_client_certificate = optional(bool, false)
ssl_keyvault_identity_client_id = optional(string, null)
})), [])
developer_portal = optional(list(object({
host_name = string
key_vault_id = optional(string, null)
certificate = optional(string, null)
certificate_password = optional(string, null)
negotiate_client_certificate = optional(bool, false)
ssl_keyvault_identity_client_id = optional(string, null)
})), [])
proxy = optional(list(object({
host_name = string
default_ssl_binding = optional(bool, false)
key_vault_id = optional(string, null)
certificate = optional(string, null)
certificate_password = optional(string, null)
negotiate_client_certificate = optional(bool, false)
ssl_keyvault_identity_client_id = optional(string, null)
})), [])
scm = optional(list(object({
host_name = string
key_vault_id = optional(string, null)
certificate = optional(string, null)
certificate_password = optional(string, null)
negotiate_client_certificate = optional(bool, false)
ssl_keyvault_identity_client_id = optional(string, null)
})), [])
}), null)
min_api_version = optional(string)
notification_sender_email = optional(string, null)
protocols = optional(object({
enable_http2 = optional(bool, false)
}))
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
sign_in = optional(object({
enabled = bool
}), null)
sign_up = optional(object({
enabled = bool
terms_of_service = object({
consent_required = bool
enabled = bool
text = optional(string, null)
})
}), null)
sku_root = optional(string, "Premium")
sku_capacity = optional(number, 3)
tags = optional(map(string), {})
tenant_access = optional(object({
enabled = bool
}), null)
})Default:
{
"publisher_email": "[email protected]",
"publisher_name": "Azure API Management"
}Description: Configuration object for the Azure Application Gateway to be deployed.
deploy- (Optional) Deploy the application gateway. Default is true.name- (Optional) The name of the Application Gateway. If not provided, a name will be generated.http2_enable- (Optional) Whether HTTP/2 is enabled. Default is true.authentication_certificate- (Optional) Map of authentication certificates for backend authentication.name- The name of the authentication certificate.data- The base64 encoded certificate data.
sku- (Optional) SKU configuration for the Application Gateway.name- (Optional) The SKU name. Default is "WAF_v2".tier- (Optional) The SKU tier. Default is "WAF_v2".capacity- (Optional) The instance capacity (fixed scale units).
autoscale_configuration- (Optional) Autoscale configuration.max_capacity- (Optional) Maximum number of scale units. Default is 10.min_capacity- (Optional) Minimum number of scale units. Default is 2.
backend_address_pools- (Required) Map of backend address pools. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the backend address pool.fqdns- (Optional) Set of FQDNs for the backend pool.ip_addresses- (Optional) Set of IP addresses for the backend pool.
backend_http_settings- (Required) Map of backend HTTP settings. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.cookie_based_affinity- (Optional) Cookie-based affinity setting. Default is "Disabled".name- The name of the HTTP settings.port- The port number for backend communication.protocol- The protocol for backend communication (HTTP/HTTPS).affinity_cookie_name- (Optional) Name of the affinity cookie.host_name- (Optional) Host name for backend requests.path- (Optional) Path for backend requests.pick_host_name_from_backend_address- (Optional) Whether to pick host name from backend address.probe_name- (Optional) Name of the health probe to use.request_timeout- (Optional) Request timeout in seconds.trusted_root_certificate_names- (Optional) List of trusted root certificate names.authentication_certificate- (Optional) List of authentication certificates.connection_draining- (Optional) Connection draining configuration.
frontend_ports- (Required) Map of frontend port configurations. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the frontend port.port- The port number.
http_listeners- (Required) Map of HTTP listener configurations. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the HTTP listener.frontend_port_name- The name of the frontend port to use.frontend_ip_configuration_name- (Optional) Name of the frontend IP configuration.firewall_policy_id- (Optional) Resource ID of the WAF policy.require_sni- (Optional) Whether SNI is required.host_name- (Optional) Host name for the listener.host_names- (Optional) List of host names for the listener.ssl_certificate_name- (Optional) Name of the SSL certificate.ssl_profile_name- (Optional) Name of the SSL profile.custom_error_configuration- (Optional) Custom error page configurations.
probe_configurations- (Optional) Map of health probe configurations. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the probe.host- (Optional) Host name for the probe.interval- Probe interval in seconds.timeout- Probe timeout in seconds.unhealthy_threshold- Number of failed probes before marking unhealthy.protocol- Protocol for the probe (HTTP/HTTPS).port- (Optional) Port for the probe.path- Path for the probe.pick_host_name_from_backend_http_settings- (Optional) Whether to use backend HTTP settings host name.minimum_servers- (Optional) Minimum number of servers always marked healthy.match- (Optional) Response matching criteria.
redirect_configuration- (Optional) Map of redirect configurations. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.include_path- (Optional) Whether to include path in redirect.include_query_string- (Optional) Whether to include query string in redirect.name- The name of the redirect configuration.redirect_type- The type of redirect.target_listener_name- (Optional) Target listener for redirect.target_url- (Optional) Target URL for redirect.
request_routing_rules- (Required) Map of request routing rules. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the routing rule.rule_type- The type of rule (Basic/PathBasedRouting).http_listener_name- The name of the HTTP listener to use.backend_address_pool_name- The name of the backend address pool.priority- The priority of the rule.url_path_map_name- (Optional) Name of the URL path map for path-based routing.backend_http_settings_name- The name of the backend HTTP settings.redirect_configuration_name- (Optional) Name of the redirect configuration.rewrite_rule_set_name- (Optional) Name of the rewrite rule set.
rewrite_rule_set- (Optional) Map of rewrite rule sets. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the rewrite rule set.rewrite_rules- (Optional) Map of rewrite rules within the set.
ssl_certificates- (Optional) Map of SSL certificates. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the SSL certificate.data- (Optional) Base64 encoded certificate data.password- (Optional) Password for the certificate.key_vault_secret_id- (Optional) Key Vault secret ID containing the certificate.
ssl_policy- (Optional) SSL policy configuration.cipher_suites- (Optional) List of cipher suites to enable.disabled_protocols- (Optional) List of protocols to disable.min_protocol_version- (Optional) Minimum TLS protocol version. Default is "TLSv1_2".policy_name- (Optional) Name of the predefined SSL policy.policy_type- (Optional) Type of the SSL policy.
ssl_profile- (Optional) Map of SSL profiles. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the SSL profile.trusted_client_certificate_names- (Optional) List of trusted client certificate names.verify_client_cert_issuer_dn- (Optional) Whether to verify client certificate issuer DN.verify_client_certificate_revocation- (Optional) Client certificate revocation verification method.ssl_policy- (Optional) SSL policy for the profile.
trusted_client_certificate- (Optional) Map of trusted client certificates. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.data- The base64 encoded certificate data.name- The name of the certificate.
trusted_root_certificate- (Optional) Map of trusted root certificates. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.data- (Optional) Base64 encoded certificate data.key_vault_secret_id- (Optional) Key Vault secret ID containing the certificate.name- The name of the certificate.
url_path_map_configurations- (Optional) Map of URL path map configurations. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.name- The name of the URL path map.default_redirect_configuration_name- (Optional) Default redirect configuration name.default_rewrite_rule_set_name- (Optional) Default rewrite rule set name.default_backend_http_settings_name- (Optional) Default backend HTTP settings name.default_backend_address_pool_name- (Optional) Default backend address pool name.path_rules- Map of path-based routing rules.
tags- (Optional) Map of tags to assign to the Application Gateway.role_assignments- (Optional) Map of role assignments to create on the Application Gateway. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
Type:
object({
deploy = optional(bool, true)
name = optional(string)
http2_enable = optional(bool, true)
authentication_certificate = optional(map(object({
name = string
data = string
})), null)
sku = optional(object({
name = optional(string, "WAF_v2")
tier = optional(string, "WAF_v2")
capacity = optional(number)
}), {})
autoscale_configuration = optional(object({
max_capacity = optional(number, 10)
min_capacity = optional(number, 2)
}), {})
backend_address_pools = map(object({
name = string
fqdns = optional(set(string))
ip_addresses = optional(set(string))
}))
backend_http_settings = map(object({
cookie_based_affinity = optional(string, "Disabled")
name = string
port = number
protocol = string
affinity_cookie_name = optional(string)
host_name = optional(string)
path = optional(string)
pick_host_name_from_backend_address = optional(bool)
probe_name = optional(string)
request_timeout = optional(number)
trusted_root_certificate_names = optional(list(string))
authentication_certificate = optional(list(object({ name = string })))
connection_draining = optional(object({
drain_timeout_sec = number
enable_connection_draining = bool
}))
}))
frontend_ports = map(object({
name = string
port = number
}))
http_listeners = map(object({
name = string
frontend_port_name = string
frontend_ip_configuration_name = optional(string)
firewall_policy_id = optional(string)
require_sni = optional(bool)
host_name = optional(string)
host_names = optional(list(string))
ssl_certificate_name = optional(string)
ssl_profile_name = optional(string)
custom_error_configuration = optional(list(object({
status_code = string
custom_error_page_url = string
})))
}))
probe_configurations = optional(map(object({
name = string
host = optional(string)
interval = number
timeout = number
unhealthy_threshold = number
protocol = string
port = optional(number)
path = string
pick_host_name_from_backend_http_settings = optional(bool)
minimum_servers = optional(number)
match = optional(object({
body = optional(string)
status_code = optional(list(string))
}))
})), null)
redirect_configuration = optional(map(object({
include_path = optional(bool)
include_query_string = optional(bool)
name = string
redirect_type = string
target_listener_name = optional(string)
target_url = optional(string)
})), null)
request_routing_rules = map(object({
name = string
rule_type = string
http_listener_name = string
backend_address_pool_name = string
priority = number
url_path_map_name = optional(string)
backend_http_settings_name = string
redirect_configuration_name = optional(string)
rewrite_rule_set_name = optional(string)
}))
rewrite_rule_set = optional(map(object({
name = string
rewrite_rules = optional(map(object({
name = string
rule_sequence = number
conditions = optional(map(object({
ignore_case = optional(bool)
negate = optional(bool)
pattern = string
variable = string
})))
request_header_configurations = optional(map(object({
header_name = string
header_value = string
})))
response_header_configurations = optional(map(object({
header_name = string
header_value = string
})))
url = optional(object({
components = optional(string)
path = optional(string)
query_string = optional(string)
reroute = optional(bool)
}))
})))
})), null)
ssl_certificates = optional(map(object({
name = string
data = optional(string)
password = optional(string)
key_vault_secret_id = optional(string)
})), null)
ssl_policy = optional(object({
cipher_suites = optional(list(string))
disabled_protocols = optional(list(string))
min_protocol_version = optional(string, "TLSv1_2")
policy_name = optional(string)
policy_type = optional(string)
}), null)
ssl_profile = optional(map(object({
name = string
trusted_client_certificate_names = optional(list(string))
verify_client_cert_issuer_dn = optional(bool, false)
verify_client_certificate_revocation = optional(string, "OCSP")
ssl_policy = optional(object({
cipher_suites = optional(list(string))
disabled_protocols = optional(list(string))
min_protocol_version = optional(string, "TLSv1_2")
policy_name = optional(string)
policy_type = optional(string)
}))
})), null)
trusted_client_certificate = optional(map(object({
data = string
name = string
})), null)
trusted_root_certificate = optional(map(object({
data = optional(string)
key_vault_secret_id = optional(string)
name = string
})), null)
url_path_map_configurations = optional(map(object({
name = string
default_redirect_configuration_name = optional(string)
default_rewrite_rule_set_name = optional(string)
default_backend_http_settings_name = optional(string)
default_backend_address_pool_name = optional(string)
path_rules = map(object({
name = string
paths = list(string)
backend_address_pool_name = optional(string)
backend_http_settings_name = optional(string)
redirect_configuration_name = optional(string)
rewrite_rule_set_name = optional(string)
firewall_policy_id = optional(string)
}))
})), null)
tags = optional(map(string), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
})Default: null
Description: Configuration object for the Azure Bastion service to be deployed.
deploy- (Optional) Deploy the bastion service? Default is true.name- (Optional) The name of the Bastion service. If not provided, a name will be generated.sku- (Optional) The SKU of the Bastion service. Default is "Standard".tags- (Optional) Map of tags to assign to the Bastion service.zones- (Optional) List of availability zones for the Bastion service. Default is ["1", "2", "3"].
Type:
object({
deploy = optional(bool, true)
name = optional(string)
sku = optional(string, "Standard")
tags = optional(map(string), {})
zones = optional(list(string), ["1", "2", "3"])
})Default: {}
Description: Configuration object for the Build VM to be created for managing the implementation services.
deploy- (Optional) Deploy the build vm. Default is true.name- (Optional) The name of the Build VM. If not provided, a name will be generated.sku- (Optional) The VM size/SKU for the Build VM. Default is "Standard_B2s".tags- (Optional) Map of tags to assign to the Build VM.enable_telemetry- (Optional) Whether telemetry is enabled for the Build VM module. Default is true.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
sku = optional(string, "Standard_B2s")
tags = optional(map(string), {})
enable_telemetry = optional(bool, true)
})Default: {}
Description: Configuration object for the Container App Environment to be created for GenAI services.
deploy- (Optional) Whether to deploy the Container App Environment. Default is true.name- (Optional) The name of the Container App Environment. If not provided, a name will be generated.enable_diagnostic_settings- (Optional) Whether diagnostic settings are enabled. Default is true.tags- (Optional) Map of tags to assign to the Container App Environment.internal_load_balancer_enabled- (Optional) Whether the load balancer is internal. Default is true.log_analytics_workspace_resource_id- (Optional) Resource ID of the Log Analytics workspace for logging.zone_redundancy_enabled- (Optional) Whether zone redundancy is enabled. Default is true.user_assigned_managed_identity_ids- (Optional) List of user-assigned managed identity resource IDs.workload_profile- (Optional) List of workload profiles for the Container App Environment.name- The name of the workload profile.workload_profile_type- The type of workload profile (e.g., "Consumption", "Dedicated").
app_logs_configuration- (Optional) Application logs configuration.destination- The destination for application logs.log_analytics- (Optional) Log Analytics configuration when destination is "log-analytics".customer_id- The Log Analytics workspace customer ID.shared_key- The Log Analytics workspace shared key.
role_assignments- (Optional) Map of role assignments to create on the Container App Environment. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
Type:
object({
deploy = optional(bool, true)
name = optional(string)
enable_diagnostic_settings = optional(bool, true)
tags = optional(map(string), {})
internal_load_balancer_enabled = optional(bool, true)
log_analytics_workspace_resource_id = optional(string)
zone_redundancy_enabled = optional(bool, true)
user_assigned_managed_identity_ids = optional(list(string), [])
workload_profile = optional(list(object({
name = string
workload_profile_type = string
})), [{
name = "Consumption"
workload_profile_type = "Consumption"
}])
app_logs_configuration = optional(object({
destination = string
log_analytics = optional(object({
customer_id = string
shared_key = string
}), null)
}), null)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
})Default: {}
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
Description: Configuration object for the Azure Firewall to be deployed.
deploy- (Optional) Deploy the Azure Firewall? Default is true.name- (Optional) The name of the Azure Firewall. If not provided, a name will be generated.sku- (Optional) The SKU of the Azure Firewall. Default is "AZFW_VNet".tier- (Optional) The tier of the Azure Firewall. Default is "Standard".zones- (Optional) List of availability zones for the Azure Firewall. Default is ["1", "2", "3"].tags- (Optional) Map of tags to assign to the Azure Firewall.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
sku = optional(string, "AZFW_VNet")
tier = optional(string, "Standard")
zones = optional(list(string), ["1", "2", "3"])
tags = optional(map(string), {})
})Default: {}
Description: Configuration object for the Azure Firewall Policy to be deployed.
network_policy_rule_collection_group_name- (Optional) The name of the network policy rule collection group.network_policy_rule_collection_group_priority- (Optional) The priority of the network policy rule collection group.network_rules- (Optional) List of network rules for the firewall policy.name- The name of the network rule.description- Description of the network rule.destination_addresses- List of destination addresses for the rule.destination_ports- List of destination ports for the rule.source_addresses- List of source addresses for the rule.protocols- List of protocols for the rule (TCP/UDP/ICMP/Any).
Type:
object({
network_policy_rule_collection_group_name = optional(string)
network_policy_rule_collection_group_priority = optional(number, null)
network_rules = optional(list(object({
name = string
description = string
destination_addresses = list(string)
destination_ports = list(string)
source_addresses = list(string)
protocols = list(string)
})), null)
})Default: {}
Description: Flag to indicate if the platform landing zone is enabled.
If set to true, the module will deploy resources and connect to a platform landing zone hub. This enables integration with existing hub-and-spoke network architectures and centralized management services.
Type: bool
Default: true
Description: Configuration object for the Azure App Configuration service to be created for GenAI services.
data_plane_proxy- (Optional) Data plane proxy configuration for private endpoints.authentication_mode- The authentication mode for the data plane proxy.private_link_delegation- The private link delegation setting.
deploy- (Optional) Whether to deploy the App Configuration store. Default is true.name- (Optional) The name of the App Configuration store. If not provided, a name will be generated.local_auth_enabled- (Optional) Whether local authentication is enabled. Default is false.purge_protection_enabled- (Optional) Whether purge protection is enabled. Default is true.sku- (Optional) The SKU of the App Configuration store. Default is "standard".soft_delete_retention_in_days- (Optional) The retention period in days for soft delete. Default is 7.tags- (Optional) Map of tags to assign to the App Configuration store.role_assignments- (Optional) Map of role assignments to create on the App Configuration store. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
Type:
object({
data_plane_proxy = optional(object({
authentication_mode = string
private_link_delegation = string
}), null)
deploy = optional(bool, true)
name = optional(string)
local_auth_enabled = optional(bool, false)
purge_protection_enabled = optional(bool, true)
sku = optional(string, "standard")
soft_delete_retention_in_days = optional(number, 7)
tags = optional(map(string), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
})Default: {}
Description: Configuration object for the Azure Container Registry to be created for GenAI services.
deploy- (Optional) Whether to deploy the Container Registry. Default is true.name- (Optional) The name of the Container Registry. If not provided, a name will be generated.sku- (Optional) The SKU of the Container Registry. Default is "Premium".zone_redundancy_enabled- (Optional) Whether zone redundancy is enabled. Default is true.public_network_access_enabled- (Optional) Whether public network access is enabled. Default is false.tags- (Optional) Map of tags to assign to the Container Registry.role_assignments- (Optional) Map of role assignments to create on the Container Registry. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
Type:
object({
deploy = optional(bool, true)
name = optional(string)
sku = optional(string, "Premium")
zone_redundancy_enabled = optional(bool, true)
public_network_access_enabled = optional(bool, false)
enable_diagnostic_settings = optional(bool, true)
tags = optional(map(string), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
})Default: {}
Description: Configuration object for the Azure Cosmos DB account to be created for GenAI services.
deploy- (Optional) Whether to deploy the Cosmos DB account. Default is true.name- (Optional) The name of the Cosmos DB account. If not provided, a name will be generated.secondary_regions- (Optional) List of secondary regions for geo-replication.location- The Azure region for the secondary location.zone_redundant- (Optional) Whether zone redundancy is enabled for the secondary region. Default is true.failover_priority- (Optional) The failover priority for the secondary region. Default is 0.
public_network_access_enabled- (Optional) Whether public network access is enabled. Default is false.analytical_storage_enabled- (Optional) Whether analytical storage is enabled. Default is true.automatic_failover_enabled- (Optional) Whether automatic failover is enabled. Default is false.local_authentication_disabled- (Optional) Whether local authentication is disabled. Default is true.partition_merge_enabled- (Optional) Whether partition merge is enabled. Default is false.multiple_write_locations_enabled- (Optional) Whether multiple write locations are enabled. Default is false.analytical_storage_config- (Optional) Analytical storage configuration.schema_type- The schema type for analytical storage.
consistency_policy- (Optional) Consistency policy configuration.max_interval_in_seconds- (Optional) Maximum staleness interval in seconds. Default is 300.max_staleness_prefix- (Optional) Maximum staleness prefix. Default is 100001.consistency_level- (Optional) The consistency level. Default is "Session".
backup- (Optional) Backup configuration.retention_in_hours- (Optional) Backup retention in hours.interval_in_minutes- (Optional) Backup interval in minutes.storage_redundancy- (Optional) Storage redundancy for backups.type- (Optional) The backup type.tier- (Optional) The backup tier.
capabilities- (Optional) Set of capabilities to enable on the Cosmos DB account.name- The name of the capability.
capacity- (Optional) Capacity configuration.total_throughput_limit- (Optional) Total throughput limit. Default is -1 (unlimited).
cors_rule- (Optional) CORS rule configuration.allowed_headers- Set of allowed headers.allowed_methods- Set of allowed HTTP methods.allowed_origins- Set of allowed origins.exposed_headers- Set of exposed headers.max_age_in_seconds- (Optional) Maximum age in seconds for CORS.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
enable_diagnostic_settings = optional(bool, true)
secondary_regions = optional(list(object({
location = string
zone_redundant = optional(bool, true)
failover_priority = optional(number, 0)
})), [])
public_network_access_enabled = optional(bool, false)
analytical_storage_enabled = optional(bool, true)
automatic_failover_enabled = optional(bool, true)
local_authentication_disabled = optional(bool, true)
partition_merge_enabled = optional(bool, false)
multiple_write_locations_enabled = optional(bool, false)
analytical_storage_config = optional(object({
schema_type = string
}), null)
consistency_policy = optional(object({
max_interval_in_seconds = optional(number, 300)
max_staleness_prefix = optional(number, 100001)
consistency_level = optional(string, "Session")
}), {})
backup = optional(object({
retention_in_hours = optional(number)
interval_in_minutes = optional(number)
storage_redundancy = optional(string)
type = optional(string)
tier = optional(string)
}), {})
capabilities = optional(set(object({
name = string
})), [])
capacity = optional(object({
total_throughput_limit = optional(number, -1)
}), {})
cors_rule = optional(object({
allowed_headers = set(string)
allowed_methods = set(string)
allowed_origins = set(string)
exposed_headers = set(string)
max_age_in_seconds = optional(number, null)
}), null)
})Default: {}
Description: Configuration object for the Azure Key Vault to be created for GenAI services.
name- (Optional) The name of the Key Vault. If not provided, a name will be generated.network_acls- (Optional) Network access control list configuration for the Key Vault.bypass- (Optional) Services that can bypass the network ACLs. Default is "AzureServices".default_action- (Optional) Default action when no rule matches. Default is "Deny".ip_rules- (Optional) List of IP addresses or CIDR blocks to allow access.virtual_network_subnet_ids- (Optional) List of subnet resource IDs to allow access.
public_network_access_enabled- (Optional) Whether public network access is enabled. Default is false.sku- (Optional) The SKU of the Key Vault. Default is "standard".tenant_id- (Optional) The tenant ID for the Key Vault. If not provided, the current tenant will be used.role_assignments- (Optional) Map of role assignments to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
tags- (Optional) Map of tags to assign to the Key Vault.
Type:
object({
name = optional(string)
network_acls = optional(object({
bypass = optional(string, "AzureServices")
default_action = optional(string, "Deny")
ip_rules = optional(list(string), [])
virtual_network_subnet_ids = optional(list(string), [])
}), null)
public_network_access_enabled = optional(bool, false)
sku = optional(string, "standard")
tenant_id = optional(string)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
tags = optional(map(string), {})
})Default: {}
Description: Configuration object for the Azure Storage Account to be created for GenAI services.
deploy- (Optional) Whether to deploy the Storage Account. Default is true.name- (Optional) The name of the Storage Account. If not provided, a name will be generated.account_kind- (Optional) The kind of storage account. Default is "StorageV2".account_tier- (Optional) The performance tier of the storage account. Default is "Standard".account_replication_type- (Optional) The replication type for the storage account. Default is "GRS".endpoint_types- (Optional) Set of endpoint types to enable. Default is ["blob"].access_tier- (Optional) The access tier for the storage account. Default is "Hot".public_network_access_enabled- (Optional) Whether public network access is enabled. Default is false.shared_access_key_enabled- (Optional) Whether shared access keys are enabled. Default is true.role_assignments- (Optional) Map of role assignments to create on the Storage Account. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
tags- (Optional) Map of tags to assign to the Storage Account.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
enable_diagnostic_settings = optional(bool, true)
account_kind = optional(string, "StorageV2")
account_tier = optional(string, "Standard")
account_replication_type = optional(string, "GRS")
endpoint_types = optional(set(string), ["blob"])
access_tier = optional(string, "Hot")
public_network_access_enabled = optional(bool, false)
shared_access_key_enabled = optional(bool, true)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
tags = optional(map(string), {})
#TODO:
# Implement subservice passthrough here
})Default: {}
Description: Configuration object for the Jump VM to be created for managing the implementation services.
name- (Optional) The name of the Jump VM. If not provided, a name will be generated.sku- (Optional) The VM size/SKU for the Jump VM. Default is "Standard_B2s".tags- (Optional) Map of tags to assign to the Jump VM.enable_telemetry- (Optional) Whether telemetry is enabled for the Jump VM module. Default is true.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
sku = optional(string, "Standard_B2s")
tags = optional(map(string), {})
enable_telemetry = optional(bool, true)
})Default: {}
Description: Configuration object for the Azure AI Search service to be created as part of the enterprise and public knowledge services.
deploy- (Optional) Deploy the AI Search service. Default is true.name- (Optional) The name of the AI Search service. If not provided, a name will be generated.sku- (Optional) The SKU of the AI Search service. Default is "standard".local_authentication_enabled- (Optional) Whether local authentication is enabled. Default is true.partition_count- (Optional) The number of partitions for the search service. Default is 1.public_network_access_enabled- (Optional) Whether public network access is enabled. Default is false.replica_count- (Optional) The number of replicas for the search service. Default is 2.semantic_search_sku- (Optional) The SKU for semantic search capabilities. Default is "standard".tags- (Optional) Map of tags to assign to the AI Search service.role_assignments- (Optional) Map of role assignments to create on the AI Search service. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.role_definition_id_or_name- The role definition ID or name to assign.principal_id- The principal ID to assign the role to.description- (Optional) Description of the role assignment.skip_service_principal_aad_check- (Optional) Whether to skip AAD check for service principal.condition- (Optional) Condition for the role assignment.condition_version- (Optional) Version of the condition.delegated_managed_identity_resource_id- (Optional) Resource ID of the delegated managed identity.principal_type- (Optional) Type of the principal (User, Group, ServicePrincipal).
enable_telemetry- (Optional) Whether telemetry is enabled for the AI Search module. Default is true.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
enable_diagnostic_settings = optional(bool, true)
sku = optional(string, "standard")
local_authentication_enabled = optional(bool, true)
partition_count = optional(number, 1)
public_network_access_enabled = optional(bool, false)
replica_count = optional(number, 2)
semantic_search_sku = optional(string, "standard")
tags = optional(map(string), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
enable_telemetry = optional(bool, true)
})Default: {}
Description: Configuration object for the Bing Grounding service to be created as part of the enterprise and public knowledge services.
deploy- (Optional) Deploy the Bing Ground service. Default is true.name- (Optional) The name of the Bing Grounding service. If not provided, a name will be generated.sku- (Optional) The SKU of the Bing Grounding service. Default is "G1".tags- (Optional) Map of tags to assign to the Bing Grounding service.
Type:
object({
deploy = optional(bool, true)
name = optional(string)
sku = optional(string, "G1")
tags = optional(map(string), {})
})Default: {}
Description: Configuration object for the Log Analytics Workspace to be created for monitoring and logging.
resource_id- (Optional) The resource ID of an existing Log Analytics Workspace to use. If provided, the workspace will not be created and the other inputs will be ignored.name- (Optional) The name of the Log Analytics Workspace. If not provided, a name will be generated.retention- (Optional) The data retention period in days for the workspace. Default is 30.sku- (Optional) The SKU of the Log Analytics Workspace. Default is "PerGB2018".tags- (Optional) Map of tags to assign to the Log Analytics Workspace.
Type:
object({
resource_id = optional(string)
name = optional(string)
retention = optional(number, 30)
sku = optional(string, "PerGB2018")
tags = optional(map(string), {})
})Default: {}
Description: Optional prefix to be used for naming resources.
This prefix will be applied to all resource names generated by the module. It is useful for ensuring consistent naming conventions across deployments without requiring explicit names for each resource. The prefix should be kept under 10 characters and use only alphanumeric lowercase characters to avoid Azure naming limitations.
Type: string
Default: null
Description: Configuration object for Network Security Groups (NSGs) to be deployed.
name- (Optional) The name of the Network Security Group. If not provided, a name will be generated.security_rules- (Optional) Map of security rules for the NSG. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.access- Whether to allow or deny traffic (Allow/Deny).description- (Optional) Description of the security rule.destination_address_prefix- (Optional) Destination address prefix (CIDR or service tag).destination_address_prefixes- (Optional) Set of destination address prefixes.destination_application_security_group_ids- (Optional) Set of destination Application Security Group resource IDs.destination_port_range- (Optional) Destination port or port range.destination_port_ranges- (Optional) Set of destination ports or port ranges.direction- Direction of traffic (Inbound/Outbound).name- The name of the security rule.priority- Priority of the rule (100-4096).protocol- Protocol for the rule (TCP/UDP/ICMP/ESP/AH/*).source_address_prefix- (Optional) Source address prefix (CIDR or service tag).source_address_prefixes- (Optional) Set of source address prefixes.source_application_security_group_ids- (Optional) Set of source Application Security Group resource IDs.source_port_range- (Optional) Source port or port range.source_port_ranges- (Optional) Set of source ports or port ranges.timeouts- (Optional) Timeout configuration for resource operations.create- (Optional) Create timeout.delete- (Optional) Delete timeout.read- (Optional) Read timeout.update- (Optional) Update timeout.
Type:
object({
name = optional(string)
security_rules = optional(map(object({
access = string
description = optional(string)
destination_address_prefix = optional(string)
destination_address_prefixes = optional(set(string))
destination_application_security_group_ids = optional(set(string))
destination_port_range = optional(string)
destination_port_ranges = optional(set(string))
direction = string
name = string
priority = number
protocol = string
source_address_prefix = optional(string)
source_address_prefixes = optional(set(string))
source_application_security_group_ids = optional(set(string))
source_port_range = optional(string)
source_port_ranges = optional(set(string))
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}))
})))
})Default: {}
Description: Configuration object for Private DNS Zones and their network links.
existing_zones_resource_group_resource_id- (Optional) Resource group resource id where existing Private DNS Zones are located.allow_internet_resolution_fallback- (Optional) Whether to allow fallback to internet resolution for Private DNS Zone network links. Default is false.network_links- (Optional) Map of network links to create for Private DNS Zones. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.vnetlinkname- The name of the virtual network link.vnetid- The resource ID of the virtual network to link.resolutionPolicy- (Optional) The resolution policy for the virtual network link. Default is "Default".
Type:
object({
existing_zones_resource_group_resource_id = optional(string)
allow_internet_resolution_fallback = optional(bool, false)
network_links = optional(map(object({
vnetlinkname = string
vnetid = string
resolutionPolicy = optional(string, "Default")
})), {})
})Default: {}
Description: Map of tags to be assigned to all resources created by this module.
Tags are key-value pairs that help organize and manage Azure resources. These tags will be applied to all resources created by the module, enabling consistent resource governance, cost tracking, and operational management across the AI/ML landing zone infrastructure.
Type: map(string)
Default: null
Description: Configuration object for the Web Application Firewall (WAF) Policy to be deployed.
name- (Optional) The name of the WAF Policy. If not provided, a name will be generated.policy_settings- (Optional) Policy settings configuration.enabled- (Optional) Whether the WAF policy is enabled. Default is true.mode- (Optional) The mode of the WAF policy (Detection/Prevention). Default is "Prevention".request_body_check- (Optional) Whether request body inspection is enabled. Default is true.max_request_body_size_kb- (Optional) Maximum request body size in KB. Default is 128.file_upload_limit_mb- (Optional) File upload limit in MB. Default is 100.
managed_rules- (Optional) Managed rules configuration.exclusion- (Optional) Map of rule exclusions. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.match_variable- The variable to match for exclusion.selector- The selector for the match variable.selector_match_operator- The operator for matching the selector.excluded_rule_set- (Optional) Specific rule set exclusions.type- (Optional) The type of rule set.version- (Optional) The version of rule set.rule_group- (Optional) List of rule groups to exclude.
managed_rule_set- Map of managed rule sets to apply. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.type- (Optional) The type of managed rule set.version- The version of the managed rule set.rule_group_override- (Optional) Map of rule group overrides.rule_group_name- The name of the rule group to override.rule- (Optional) List of specific rules to override.action- (Optional) The action to take for the rule.enabled- (Optional) Whether the rule is enabled.id- The ID of the rule.
tags- (Optional) Map of tags to assign to the WAF Policy.
Type:
object({
name = optional(string)
policy_settings = optional(object({
enabled = optional(bool, true)
mode = optional(string, "Prevention")
request_body_check = optional(bool, true)
max_request_body_size_kb = optional(number, 128)
file_upload_limit_mb = optional(number, 100)
}), {})
managed_rules = optional(object({
exclusion = optional(map(object({
match_variable = string
selector = string
selector_match_operator = string
excluded_rule_set = optional(object({
type = optional(string)
version = optional(string)
rule_group = optional(list(object({
excluded_rules = optional(list(string))
rule_group_name = string
})))
}))
})), null)
managed_rule_set = map(object({
type = optional(string)
version = string
rule_group_override = optional(map(object({
rule_group_name = string
rule = optional(list(object({
action = optional(string)
enabled = optional(bool)
id = string
})))
})), null)
}))
}), {
managed_rule_set = {
owasp = {
version = "3.2"
type = "OWASP"
}
}
})
tags = optional(map(string), {})
})Default: {}
The following outputs are exported:
Description: Future resource ID output for the LZA.
Description: A map of the deployed subnets in the AI PTN LZA.
The following Modules are called:
Source: Azure/avm-res-network-virtualnetwork/azurerm
Version: =0.7.1
Source: Azure/avm-res-apimanagement-service/azurerm
Version: 0.0.5
Source: Azure/avm-res-appconfiguration-configurationstore/azure
Version: 0.4.1
Source: Azure/avm-res-network-applicationgatewaywebapplicationfirewallpolicy/azurerm
Version: 0.2.0
Source: Azure/avm-res-network-applicationgateway/azurerm
Version: 0.4.2
Source: Azure/avm-res-keyvault-vault/azurerm
Version: =0.10.0
Source: Azure/avm-utl-regions/azurerm
Version: 0.5.2
Source: Azure/avm-res-network-bastionhost/azurerm
Version: 0.7.2
Source: Azure/avm-res-compute-virtualmachine/azurerm
Version: 0.19.3
Source: Azure/avm-res-app-managedenvironment/azurerm
Version: 0.3.0
Source: Azure/avm-res-containerregistry-registry/azurerm
Version: 0.4.0
Source: Azure/avm-res-documentdb-databaseaccount/azurerm
Version: 0.8.0
Source: Azure/avm-res-network-azurefirewall/azurerm
Version: 0.3.0
Source: Azure/avm-res-network-firewallpolicy/azurerm//modules/rule_collection_groups
Version: 0.3.3
Source: Azure/avm-res-network-firewallpolicy/azurerm
Version: 0.3.3
Source: Azure/avm-res-network-routetable/azurerm
Version: 0.4.1
Source: Azure/avm-ptn-aiml-ai-foundry/azurerm
Version: 0.6.0
Source: Azure/avm-res-network-publicipaddress/azurerm
Version: 0.2.0
Source: Azure/avm-res-network-virtualnetwork/azurerm//modules/peering
Version: 0.9.0
Source: Azure/avm-res-compute-virtualmachine/azurerm
Version: 0.19.3
Source: Azure/avm-res-operationalinsights-workspace/azurerm
Version: 0.4.2
Source: Azure/avm-res-network-networksecuritygroup/azurerm
Version: 0.4.0
Source: Azure/avm-res-network-privatednszone/azurerm
Version: 0.3.4
Source: Azure/avm-res-search-searchservice/azurerm
Version: 0.1.5
Source: Azure/avm-res-storage-storageaccount/azurerm
Version: 0.6.3
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.