Version: 2203.1

Core files settings reference

This section reviews the fundamental parameters used to deploy a customized stack, section by section.

ignite.yaml

The ignite.yaml file contains all core parameters that are reused across all levels. Entries in this file are used to generate the configuration files and the readme files that carry the commands to execute in the various levels. The root of this file is called caf_terraform: and contains the following sections:

top level variables

| parameter | required | possible values | description |
|---|---|---|---|
| customer_name | yes | only lowercase with no spaces | Used to create the folder name that stores the definition and configuration files. |
| caf_environment | yes | any string | Name of the environment to use or to create. A caf_environment is used to discriminate multiple environments that could live on the same subscriptions. |
| default_email_address | yes | email format | Individual or distribution list to send subscription health alerts to. |
| alz_mg_prefix | yes | between 2 and 10 characters | Azure landing zones management group prefix. |
| alz_mg_name | yes | any string | Azure management group name. |
| azure_regions | yes | map (key=region key, value=region) | List of the Azure regions where services are authorized to be deployed. The region must be in the short, lower-case, no-space format (e.g. southeastasia). |
| prefix | yes | string | Prefix to put in front of all generated names. |
| deployment_mode | yes | 'platform' or 'asvm' | Tells rover ignite whether the deployments are for the platform or for an application landing zone. |
| caf_landingzone_branch | yes | tag or branch name | Release number from the repo https://github.com/Azure/caf-terraform-landingzones/releases |
| caf_regions | yes | yaml list of objects | List of the Azure regions generated by rover ignite from the azure_regions variable. |
| resources_allowed_regions | yes | yaml list of string | List of the region keys used by Azure policies to define the Azure regions where services can be deployed. |
| resource_groups_allowed_regions | yes | yaml list of string | List of the region keys used by Azure policies to define the Azure regions where resource groups can be deployed. |
| default_region_key | yes | caf_regions key | Region key used when a resource does not explicitly mention the region to use. |
| azuread_user_ea_account_owner | yes | user principal name | User Principal Name of the Azure AD principal deploying the platform landing zones. |
| ea_owner_object_id | yes | guid | GUID of the Azure AD principal deploying the platform landing zones. |
| azuread_identity_mode | yes | 'service_principal' | Type of principal used to secure the levels in the Azure Terraform SRE landing zones. |
| enable_azuread_groups | yes | boolean | Enable the creation of the Azure AD groups required to set up the operation model. |
| enable_azuread_applications | yes | boolean | Grant the identity principal the Azure AD API privilege to manage Azure AD applications. |
| enable_azure_subscription_vending_machine | yes | boolean | Enable the Azure Subscription Vending Machine to deploy Azure landing zone solution accelerators. |
| subscription_deployment_mode | yes | 'single_reuse' | 'single_reuse' deploys all platform and application landing zones into the same existing Azure subscription. |

The caf_regions block contains a structure of keys, each carrying the region name in its short form (slug), as in the following example:

```yaml
caf_regions:
  region1:
    # set the short form of the Azure region
    name: southeastasia # Use the lower-case region's name, short version with no space
  region2:
    name: eastasia # Use the lower-case region's name, short version with no space
```

| parameter | required | possible values | description |
|---|---|---|---|
| key | yes | any string | region1 and region2 are the keys; they can be any string. |
| name | yes | any Azure region name | Name of the region as in the list of available Azure regions. |
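As an added example (not part of the rover documentation), the following Python checks a parsed caf_terraform root against the constraints stated in the two tables above: the formats of customer_name, default_email_address, alz_mg_prefix and azure_regions, the allowed deployment_mode and azuread_identity_mode values, and that resources_allowed_regions, resource_groups_allowed_regions and default_region_key only refer to caf_regions keys. The sample root and all of its values are constructed placeholders.

```python
import re
# Constructed sample of a parsed "caf_terraform:" root from ignite.yaml (the dict
# yaml.safe_load would return); every value below is an illustrative placeholder.
SAMPLE = {
    "customer_name": "contoso",
    "caf_environment": "sandpit",
    "default_email_address": "platform-alerts@example.com",
    "alz_mg_prefix": "es",
    "deployment_mode": "platform",
    "azure_regions": {"region1": "southeastasia", "region2": "eastasia"},
    "caf_regions": {"region1": {"name": "southeastasia"}, "region2": {"name": "eastasia"}},
    "resources_allowed_regions": ["region1", "region2"],
    "resource_groups_allowed_regions": ["region1"],
    "default_region_key": "region1",
    "azuread_identity_mode": "service_principal",
}
SLUG = re.compile(r"[a-z0-9]+")  # lower-case, no spaces (e.g. southeastasia)

def validate_ignite(cfg):
    """Return the list of constraint violations found; an empty list means the root is valid."""
    errors = []
    def need(key, check, msg):
        # Each key checked here is required: report it when missing or when the check fails.
        if key not in cfg:
            errors.append(f"{key}: missing")
        elif not check(cfg[key]):
            errors.append(f"{key}: {msg}")
    need("customer_name", lambda v: isinstance(v, str) and SLUG.fullmatch(v),
         "must be lowercase with no spaces")
    need("default_email_address", lambda v: isinstance(v, str)
         and re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v), "must be an email address")
    need("alz_mg_prefix", lambda v: isinstance(v, str) and 2 <= len(v) <= 10,
         "must be between 2 and 10 characters")
    need("deployment_mode", lambda v: v in ("platform", "asvm"),
         "must be 'platform' or 'asvm'")
    need("azure_regions", lambda v: isinstance(v, dict) and all(
         isinstance(r, str) and SLUG.fullmatch(r) for r in v.values()),
         "values must be lower-case region names with no spaces")
    need("azuread_identity_mode", lambda v: v == "service_principal",
         "must be 'service_principal'")
    # Cross-references: the allowed-region lists and the default key must name caf_regions keys.
    keys = set(cfg.get("caf_regions") or {})
    for lst in ("resources_allowed_regions", "resource_groups_allowed_regions"):
        unknown = [k for k in cfg.get(lst, []) if k not in keys]
        if unknown:
            errors.append(f"{lst}: unknown region keys {unknown}")
    if cfg.get("default_region_key") not in keys:
        errors.append("default_region_key: must be one of the caf_regions keys")
    return errors
```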

naming_convention

This section describes how names are created in the platform. In development phases, part of the name is often generated automatically so you can integrate and test faster; once you reach production, set the name to passthrough in order to apply your own naming convention.

| parameter | required | possible values | description |
|---|---|---|---|
| passthrough | yes | true, false | When set to true, use the name as specified in the files after filtering. When set to false, generate names aligned to CAF guidance, with prefixes if defined. |
| prefix | yes | string | Prefix to put in front of all generated names. |
| random_length | yes | integer | The number of randomly generated characters appended to the resource name when passthrough is set to false. |
| inherit_tags | yes | true, false | Define whether resources inherit the tags defined at the resource group level. |

caf_launchpad

| parameter | required | possible values | description |
|---|---|---|---|
| subscription_id | yes | string | GUID of the subscription to use to deploy launchpad. |
| subscription_name | yes | string | Name of the subscription to use to deploy launchpad. |
| tenant_id | yes | string | Home tenant of the subscription to use to deploy launchpad. |
| global_tags_propagated | yes | true, false | If set to true, the tags defined in launchpad are propagated to all resources in this environment. |
| tags | yes | block of tags | A block of tags that will be added to the launchpad. |

billing_subscription_role_delegations

This section defines settings for the subscription billing role delegation from an EA or MCA account.

If you are not planning to generate subscriptions automatically, set enable to false; you still need to provide the azuread_user settings.

| parameter | required | possible values | description |
|---|---|---|---|
| enable | yes | true, false | Enable the subscription billing account delegation functions. |
| azuread_user_ea_account_owner | yes | string | UPN of the user doing the manual deployment of the platform. Must be populated even if you are not using automatic subscription generation. |
| azuread_user_ea_account_owner_object_id | yes | string | GUID of the user doing the manual deployment of the platform. Must be populated even if you are not using automatic subscription generation. If that user is already logged in to an Azure CLI session, you can get the object id by running: `az ad signed-in-user show --query objectId -o tsv` |
| billing_account_name | no | number | Billing account name (typically 8 digits). |
| enrollment_account_name | no | number | Enrollment account name (typically 6 digits). |

configuration_folders

This section defines how and where the output files (Terraform configuration files) are going to be stored.

| parameter | required | possible values | description |
|---|---|---|---|
| platform | yes | block | Content of the block described below. |

The platform block takes the following settings:

| parameter | required | possible values | description |
|---|---|---|---|
| cleanup_destination | yes | true, false | true: forces the destination folder to be deleted and re-created before the files are created. false: creates the target folder structure if it does not exist; on subsequent executions, the folder structure is reused as is. |

management_groups

The settings in this section define the core behavior of the environment, including the reference to the enterprise-scale architecture. They follow this structure:

```yaml
management_groups:
  region1: # key of the default region used by enterprise-scale.
    es: # alz_mg_prefix.
      {{enterprise_scale}} # block as defined below.
```

| parameter | required | possible values | description |
|---|---|---|---|
| enterprise_scale | yes | block | Content of the block described below. |

The enterprise_scale block takes the following parameters:

| parameter | required | possible values | description |
|---|---|---|---|
| management_group_name | yes | strings | The base path to generate the files. |
| management_group_prefix | yes | strings | The second part of the path where to generate the configuration files. |
| deploy_core_landing_zones | yes | True, False | true: forces the destination folder to be deleted and re-created before the files are created. false: creates the target folder structure if it does not exist; on subsequent executions, the folder structure is reused as is. |
| clean_up_destination_folder | yes | True, False | The second part of the path where to generate the configuration files. |
| root_parent_id | no | strings | The name of the root parent id under which you want to deploy the enterprise-scale management group hierarchy. |
| update_lib_folder | yes | True, False | Update your definition lib folder. |
| version_to_deploy | yes | 'v1.1.3', 'v1.1.1' | Set the enterprise-scale module version to deploy. |

subscriptions

These settings define the Azure subscriptions that will be created or reused to deploy the platform landing zones.

They follow this structure:

```yaml
subscriptions:
  launchpad: # key of the launchpad subscription. Do not rename the key
    {{subscription}}
  identity: # key of the identity subscription. Do not rename the key
    {{subscription}}
  connectivity: # key of the connectivity subscription. Do not rename the key
    {{subscription}}
  management: # key of the management subscription. Do not rename the key
    {{subscription}}
```

| parameter | required | possible values | description |
|---|---|---|---|
| subscription | yes | block | Content of the block described below. |

The subscription block takes the following parameters:

| parameter | required | possible values | description |
|---|---|---|---|
| name | yes | true, false | Name of the subscription. |
| create_alias | no | true, false | When reusing an existing subscription by setting a value for subscription_id, create an alias if the principal has API subscription creation permissions. |
| subscription_id | no | guid | When set, reuse that subscription instead of creating a new one. |

networking_topology

| parameter | required | possible values | description |
|---|---|---|---|
| deployment_option | yes | virtual_wan | The only currently supported mode is virtual_wan; this might change in the future depending on customer requests. |

platform_identity

| parameter | required | possible values | description |
|---|---|---|---|
| tenant_name | yes | string | Primary domain name of the Azure Active Directory tenant (*.onmicrosoft.com or custom domain name). |
| azuread_identity_mode | yes | logged_in_user, service_principal | The currently supported mode for production is service_principal; for lab and learning purposes, logged_in_user is supported to run commands from rover in an interactive environment. |
| caf_platform_maintainers | yes | list of principal names | Ignored in logged_in_user mode; contains the list of UPNs or groups to be added to the security group caf_platform_maintainers. |
| caf_platform_contributors | yes | list of principal names | Only used in service_principal mode; contains the list of UPNs or groups to be added to the security group caf_platform_contributors. |