Terraform module to provision Azure Stack HCI.
The following requirements are needed by this module:
- terraform (~> 1.5)
- azapi (~> 1.14)
- azuread (~> 2.50.0)
- azurerm (~> 3.71)
- modtm (~> 0.3)
- random (~> 3.5)
The following resources are used by this module:
- azapi_resource.cluster (resource)
- azapi_resource.validatedeploymentsetting (resource)
- azapi_update_resource.deploymentsetting (resource)
- azurerm_key_vault.deployment_keyvault (resource)
- azurerm_key_vault_secret.azure_stack_lcm_user_credential (resource)
- azurerm_key_vault_secret.default_arb_application (resource)
- azurerm_key_vault_secret.local_admin_credential (resource)
- azurerm_key_vault_secret.witness_storage_key (resource)
- azurerm_management_lock.this (resource)
- azurerm_role_assignment.machine_role_assign (resource)
- azurerm_role_assignment.service_principal_role_assign (resource)
- azurerm_role_assignment.this (resource)
- azurerm_storage_account.witness (resource)
- modtm_telemetry.telemetry (resource)
- random_integer.random_suffix (resource)
- random_uuid.telemetry (resource)
- azapi_resource.arc_settings (data source)
- azapi_resource.arcbridge (data source)
- azapi_resource.customlocation (data source)
- azapi_resource_list.user_storages (data source)
- azuread_service_principal.hci_rp (data source)
- azurerm_arc_machine.arcservers (data source)
- azurerm_client_config.current (data source)
- azurerm_client_config.telemetry (data source)
- azurerm_key_vault.key_vault (data source)
- azurerm_storage_account.witness (data source)
- modtm_module_source.telemetry (data source)
The following input variables are required:
Description: The Active Directory OU path.
Type: string
Description: The name of the custom location.
Type: string
Description: The default gateway for the network.
Type: string
Description: The username for the domain administrator account.
Type: string
Description: The password for the domain administrator account.
Type: string
Description: A list of DNS server IP addresses.
Type: list(string)
Description: The domain FQDN.
Type: string
Description: The ending IP address of the IP address range.
Type: string
Description: The name of the key vault.
Type: string
Description: The password for the local administrator account.
Type: string
Description: The username for the local administrator account.
Type: string
Description: Azure region where the resource should be deployed.
Type: string
Description: A list of management adapters.
Type: list(string)
Description: The name of the HCI cluster. Must be the same as the name when preparing AD.
Type: string
Description: The resource id of resource group.
Type: string
Description: A list of servers with their names and IPv4 addresses.
Type:
list(object({
name = string
ipv4Address = string
}))
Description: The service principal ID for the Azure account.
Type: string
Description: The service principal secret for the Azure account.
Type: string
Description: A unique identifier for the site.
Type: string
Description: The starting IP address of the IP address range.
Type: string
Description: Indicates whether storage connectivity is switchless.
Type: bool
Description: A list of storage networks.
Type:
list(object({
name = string
networkAdapterName = string
vlanId = string
}))
The following input variables are optional (have default values):
Description: The replication type for the storage account.
Type: string
Default: "ZRS"
Description: Indicates whether nested items can be public.
Type: bool
Default: false
Description: The Azure service endpoint.
Type: string
Default: "core.windows.net"
Description: (Optional) Content type of the azure stack lcm user credential.
Type: string
Default: null
Description: (Optional) Expiration date of the azure stack lcm user credential.
Type: string
Default: null
Description: (Optional) Tags of the azure stack lcm user credential.
Type: map(string)
Default: null
Description: When set to true, BitLocker XTS-AES 256-bit encryption is enabled for all data-at-rest on the OS volume of your Azure Stack HCI cluster. This setting is TPM-hardware dependent.
Type: bool
Default: true
Description: When set to true, BitLocker XTS-AES 256-bit encryption is enabled for all data-at-rest on your Azure Stack HCI cluster shared volumes.
Type: bool
Default: true
Description: The name of the HCI cluster.
Type: string
Default: ""
Description: (Optional) Tags of the cluster.
Type: map(string)
Default: null
Description: The name of compute intent.
Type: string
Default: "ManagementCompute"
Description: Indicates whether to override adapter property for compute.
Type: bool
Default: true
Description: Indicates whether to override qos policy for compute network.
Type: bool
Default: false
Description: QoS policy overrides for network settings with required properties for compute.
Type:
object({
priorityValue8021Action_SMB = string
priorityValue8021Action_Cluster = string
bandwidthPercentage_SMB = string
})
Default:
{
"bandwidthPercentage_SMB": "",
"priorityValue8021Action_Cluster": "",
"priorityValue8021Action_SMB": ""
}
Description: Indicates whether RDMA is enabled for compute.
Type: bool
Default: false
Description: The jumbo packet size for RDMA of compute network.
Type: string
Default: "9014"
Description: The RDMA protocol of compute network.
Type: string
Default: "RoCEv2"
Description: Traffic type of compute.
Type: list(string)
Default:
[
"Management",
"Compute"
]
Description: The configuration mode for the storage.
Type: string
Default: "Express"
Description: Indicates whether to create role assignments for the HCI resource provider service principal.
Type: bool
Default: false
Description: Set to true to create the key vault, or false to skip it.
Type: bool
Default: true
Description: Set to true to create the witness storage account, or false to skip it.
Type: bool
Default: true
Description: When set to true, Credential Guard is enabled on your Azure Stack HCI cluster.
Type: bool
Default: false
Description: Indicates whether cross-tenant replication is enabled.
Type: bool
Default: false
Description: (Optional) Content type of the default arb application.
Type: string
Default: null
Description: (Optional) Expiration date of the default arb application.
Type: string
Default: null
Description: (Optional) Tags of the default arb application.
Type: map(string)
Default: null
Description: When set to true, the security baseline is re-applied regularly.
Type: bool
Default: true
Description: By default, Secure Boot is enabled on your Azure Stack HCI cluster. This setting is hardware dependent.
Type: bool
Default: true
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
Description: Indicates whether the location is in EU.
Type: bool
Default: false
Description: By default, Hypervisor-protected Code Integrity is enabled on your Azure Stack HCI cluster.
Type: bool
Default: true
Description: The name of intent.
Type: string
Default: "ManagementComputeStorage"
Description: Indicates whether the resource is exported.
Type: bool
Default: false
Description: The location of the key vault.
Type: string
Default: ""
Description: The resource group of the key vault.
Type: string
Default: ""
Description: Indicates whether purge protection is enabled.
Type: bool
Default: true
Description: A list of key vault secrets.
Type:
list(object({
eceSecretName = string
secretSuffix = string
}))
Default: []
Description: The number of days that items should be retained for soft delete.
Type: number
Default: 30
Description: (Optional) Tags of the keyvault.
Type: map(string)
Default: null
Description: (Optional) Content type of the local admin credential.
Type: string
Default: null
Description: (Optional) Expiration date of the local admin credential.
Type: string
Default: null
Description: (Optional) Tags of the local admin credential.
Type: map(string)
Default: null
Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:
- kind - (Required) The type of lock. Possible values are "CanNotDelete" and "ReadOnly".
- name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.
Type:
object({
kind = string
name = optional(string, null)
})
Default: null
Description: The minimum TLS version.
Type: string
Default: "TLS1_2"
Description: The naming prefix in HCI deployment settings. Site id will be used if not provided.
Type: string
Default: ""
Description: The intended operation for a cluster.
Type: string
Default: "ClusterProvisioning"
Description: Indicates whether to override adapter property.
Type: bool
Default: true
Description: Indicates whether to override qos policy for converged network.
Type: bool
Default: false
Description: QoS policy overrides for network settings with required properties.
Type:
object({
priorityValue8021Action_SMB = string
priorityValue8021Action_Cluster = string
bandwidthPercentage_SMB = string
})
Default:
{
"bandwidthPercentage_SMB": "",
"priorityValue8021Action_Cluster": "",
"priorityValue8021Action_SMB": ""
}
Description: Indicates whether to add a random suffix.
Type: bool
Default: true
Description: Enables RDMA when set to true. In a converged network configuration, this will make the network use RDMA. In a dedicated storage network configuration, enabling this will enable RDMA on the storage network.
Type: bool
Default: false
Description: The jumbo packet size for RDMA of converged network.
Type: string
Default: "9014"
Description: The RDMA protocol of converged network.
Type: string
Default: "RoCEv2"
Description: The location of resource group.
Type: string
Default: ""
Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
- principal_id - The ID of the principal to assign the role to.
- description - The description of the role assignment.
- skip_service_principal_aad_check - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
- condition - The condition which will be used to scope the role assignment.
- condition_version - The version of the condition syntax. Valid values are '2.0'.
Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.
Type:
map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
}))
Default: {}
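The rules in that description (condition_version must be '2.0' whenever a condition is set, skip_service_principal_aad_check only for service principals, principal_id is an object ID) are easy to get wrong in a tfvars file and only surface at apply time. Below is an added pre-flight check, not code from the module: it assumes the map is supplied as a `*.tfvars.json` file under the AVM variable name `role_assignments` (the variable name is not shown on this page), takes the principal_type values User/Group/ServicePrincipal from the azurerm provider, and the warning on Owner/Contributor is the editor's own least-privilege advice, not a module rule.

```python
"""Pre-flight validation of a role_assignments map before `terraform apply`.

Added example, not module code. Assumes the map is passed as JSON in the shape
of a Terraform *.tfvars.json file under the (assumed) variable name
`role_assignments`.
"""
import json
import uuid

# From the variable description: condition_version is only valid as '2.0'.
VALID_CONDITION_VERSIONS = {"2.0"}
# Assumed from the azurerm provider, not stated on the page.
VALID_PRINCIPAL_TYPES = {"User", "Group", "ServicePrincipal"}
# Editor's least-privilege opinion: flag broad built-in roles for review.
BROAD_ROLES = {"owner", "contributor"}


def _is_guid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_role_assignment(key, ra):
    """Return a list of findings for one map entry (empty list means OK)."""
    findings = []
    if not ra.get("role_definition_id_or_name"):
        findings.append(f"{key}: role_definition_id_or_name is required")
    if not _is_guid(ra.get("principal_id", "")):
        findings.append(f"{key}: principal_id must be an object ID (GUID)")
    cond = ra.get("condition")
    ver = ra.get("condition_version")
    if cond and ver not in VALID_CONDITION_VERSIONS:
        findings.append(f"{key}: condition set but condition_version is {ver!r}; must be '2.0'")
    if ver and not cond:
        findings.append(f"{key}: condition_version set without a condition")
    ptype = ra.get("principal_type")
    if ptype is not None and ptype not in VALID_PRINCIPAL_TYPES:
        findings.append(f"{key}: unknown principal_type {ptype!r}")
    # The page's note: only skip the AAD check when the principal is a service principal.
    if ra.get("skip_service_principal_aad_check") and ptype != "ServicePrincipal":
        findings.append(f"{key}: skip_service_principal_aad_check=true is only for service "
                        f"principals (principal_type is {ptype!r})")
    if str(ra.get("role_definition_id_or_name", "")).lower() in BROAD_ROLES:
        findings.append(f"{key}: broad role {ra['role_definition_id_or_name']!r}; "
                        f"prefer a narrower built-in role")
    return findings


def check_role_assignments(tfvars_json):
    """Validate every entry of the role_assignments map; returns all findings."""
    data = json.loads(tfvars_json)
    findings = []
    for key, ra in data.get("role_assignments", {}).items():
        findings.extend(check_role_assignment(key, ra))
    return findings


# Constructed sample input (not from the page): one clean entry, one with
# four problems (bad GUID, missing condition_version, misuse of the AAD
# skip flag, and a broad role).
SAMPLE_TFVARS = json.dumps({
    "role_assignments": {
        "ops_reader": {
            "role_definition_id_or_name": "Reader",
            "principal_id": "11111111-2222-3333-4444-555555555555",
            "principal_type": "Group",
            "description": "Read-only access for the operations group",
        },
        "automation": {
            "role_definition_id_or_name": "Contributor",
            "principal_id": "not-a-guid",
            "skip_service_principal_aad_check": True,
            "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'witness'",
        },
    }
})

if __name__ == "__main__":
    for line in check_role_assignments(SAMPLE_TFVARS):
        print(line)
```

Run it against the tfvars file before `terraform plan`; an empty result means every entry satisfies the documented constraints.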
Description: The object ID of the HCI resource provider service principal.
Type: string
Default: ""
Description: Secrets location for the deployment.
Type: string
Default: ""
Description: When set to true, all the side channel mitigations are enabled.
Type: bool
Default: true
Description: When set to true, cluster east-west traffic is encrypted.
Type: bool
Default: false
Description: When set to true, SMB signing is required on the SMB default instance for both the client and server services.
Type: bool
Default: true
Description: The IP information for the storage networks. Key is the storage network name.
Type:
map(list(object({
physicalNode = string
ipv4Address = string
subnetMask = string
})))
Default: null
Description: The name of storage intent.
Type: string
Default: "Storage"
Description: Indicates whether to override adapter property for storage network.
Type: bool
Default: true
Description: Indicates whether to override qos policy for storage network.
Type: bool
Default: false
Description: QoS policy overrides for network settings with required properties for storage.
Type:
object({
priorityValue8021Action_SMB = string
priorityValue8021Action_Cluster = string
bandwidthPercentage_SMB = string
})
Default:
{
"bandwidthPercentage_SMB": "",
"priorityValue8021Action_Cluster": "",
"priorityValue8021Action_SMB": ""
}
Description: Indicates whether RDMA is enabled for storage. Storage RDMA will be enabled if either rdma_enabled or storage_rdma_enabled is set to true.
Type: bool
Default: false
Description: The jumbo packet size for RDMA of storage network.
Type: string
Default: "9014"
Description: The RDMA protocol of storage network.
Type: string
Default: "RoCEv2"
Description: (Optional) Tags of the storage.
Type: map(string)
Default: null
Description: Traffic type of storage.
Type: list(string)
Default:
[
"Storage"
]
Description: The subnet mask for the network.
Type: string
Default: "255.255.255.0"
Description: (Optional) The tenant ID.
Type: string
Default: ""
Description: Traffic type of intent.
Type: list(string)
Default:
[
"Management",
"Compute",
"Storage"
]
Description: Indicates whether to use the legacy key vault model.
Type: bool
Default: false
Description: WDAC is enabled by default and limits the applications and the code that you can run on your Azure Stack HCI cluster.
Type: bool
Default: true
Description: The path to the witness.
Type: string
Default: "Cloud"
Description: The name of the witness storage account.
Type: string
Default: ""
Description: The resource group of the witness storage account. If not provided, 'resource_group_name' will be used as the storage account's resource group.
Type: string
Default: ""
Description: (Optional) Content type of the witness storage key.
Type: string
Default: null
Description: (Optional) Expiration date of the witness storage key.
Type: string
Default: null
Description: (Optional) Tags of the witness storage key.
Type: map(string)
Default: null
Description: The type of the witness.
Type: string
Default: "Cloud"
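The security variables above (BitLocker on the OS and data volumes, Credential Guard, drift control, Secure Boot, HVCI, side-channel mitigations, SMB cluster encryption, SMB signing, WDAC) end up in the cluster's deployment settings resource, and two of them (Credential Guard and SMB cluster encryption) are off by default. The following added check, not part of the module, audits the settings actually recorded in Azure against the module defaults listed on this page and against a stricter profile that turns those two on. It assumes the JSON shape of a Microsoft.AzureStackHCI/clusters/deploymentSettings resource as returned by ARM (settings under properties.deploymentConfiguration.scaleUnits[].deploymentData.securitySettings) and the securitySettings field names from that API schema; both are assumptions, as is mapping the "Secure Boot" variable to the drtmProtection field.

```python
"""Audit the securitySettings of an Azure Stack HCI deployment setting
against the defaults documented for this module.

Added example, not module code. Field names and the JSON path are taken
from the Microsoft.AzureStackHCI deploymentSettings ARM schema (assumed).
"""
import json

# Module defaults per the variable list on this page; True means the
# protection is enabled.
MODULE_DEFAULTS = {
    "bitlockerBootVolume": True,          # BitLocker on the OS volume (TPM dependent)
    "bitlockerDataVolumes": True,         # BitLocker on cluster shared volumes
    "credentialGuardEnforced": False,     # off by default
    "driftControlEnforced": True,         # security baseline re-applied regularly
    "drtmProtection": True,               # Secure Boot (hardware dependent; assumed mapping)
    "hvciProtection": True,               # Hypervisor-protected Code Integrity
    "sideChannelMitigationEnforced": True,
    "smbClusterEncryption": False,        # east-west encryption off by default
    "smbSigningEnforced": True,
    "wdacEnforced": True,
}

# The page marks these as hardware dependent: a False may be a platform
# limitation rather than a policy choice, so they are reported separately.
HARDWARE_DEPENDENT = {"bitlockerBootVolume", "drtmProtection"}

# Stricter profile: also require the two protections the module leaves off.
STRICT_PROFILE = {**MODULE_DEFAULTS,
                  "credentialGuardEnforced": True,
                  "smbClusterEncryption": True}


def extract_security_settings(deployment_setting):
    """Yield (scale_unit_index, securitySettings dict) for each scale unit."""
    cfg = deployment_setting["properties"]["deploymentConfiguration"]
    for i, unit in enumerate(cfg.get("scaleUnits", [])):
        yield i, unit.get("deploymentData", {}).get("securitySettings", {})


def audit_security_settings(settings, baseline=MODULE_DEFAULTS):
    """Compare one securitySettings dict with a baseline.

    Returns lists of fields that are 'weaker' than the baseline (expected
    on, found off), 'hardware' (same, but hardware dependent) and
    'missing' (absent, so whatever the platform default is applies silently).
    """
    report = {"weaker": [], "hardware": [], "missing": []}
    for field, expected in baseline.items():
        if field not in settings:
            report["missing"].append(field)
        elif expected and not settings[field]:
            bucket = "hardware" if field in HARDWARE_DEPENDENT else "weaker"
            report[bucket].append(field)
    return report


def audit_deployment_setting(json_text, baseline=MODULE_DEFAULTS):
    """Audit every scale unit of a deploymentSettings resource given as JSON text."""
    doc = json.loads(json_text)
    return {i: audit_security_settings(s, baseline)
            for i, s in extract_security_settings(doc)}


# Constructed sample (not real ARM output): one scale unit with SMB signing
# and Secure Boot switched off and the WDAC field absent.
SAMPLE_DEPLOYMENT_SETTING = json.dumps({
    "name": "default",
    "type": "Microsoft.AzureStackHCI/clusters/deploymentSettings",
    "properties": {"deploymentConfiguration": {"version": "10.0.0.0", "scaleUnits": [{
        "deploymentData": {"securitySettings": {
            "bitlockerBootVolume": True,
            "bitlockerDataVolumes": True,
            "credentialGuardEnforced": False,
            "driftControlEnforced": True,
            "drtmProtection": False,
            "hvciProtection": True,
            "sideChannelMitigationEnforced": True,
            "smbClusterEncryption": False,
            "smbSigningEnforced": False,
        }}
    }]}},
})

if __name__ == "__main__":
    for unit, rep in audit_deployment_setting(SAMPLE_DEPLOYMENT_SETTING).items():
        print(f"scale unit {unit}: {rep}")
    strict = audit_deployment_setting(SAMPLE_DEPLOYMENT_SETTING, STRICT_PROFILE)
    print("below strict profile:", strict[0]["weaker"])
```

Feed it the JSON of the deployment settings resource (for example from `az resource show` on the cluster's deploymentSettings child resource, an assumed workflow) and treat any entry under "weaker" as drift from what the module was told to deploy; entries under "hardware" need a conversation with the hardware vendor before they can be fixed in Terraform.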
The following outputs are exported:
Description: Arc settings instance after HCI connected.
Description: Arc resource bridge instance after HCI connected.
Description: HCI Cluster instance
Description: Custom location instance after HCI connected.
Description: Keyvault instance that stores deployment secrets.
Description: This is the full output for the resource.
Description: User storage instances after HCI connected.
Description: The name of the virtual switch that is used by the network.
No modules.
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.