您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

使用 Terraform 生成登陆区域Use Terraform to build your landing zones

Azure 为部署登陆区域提供本机服务。Azure provides native services for deploying your landing zones. 其他第三方工具也有助于完成这项工作。Other third-party tools can also help with this effort. 客户和合作伙伴经常用来部署登陆区域的一种工具是 Terraform 的 HashiCorp。One such tool that customers and partners often use to deploy landing zones is Terraform by HashiCorp. 本部分演示如何使用示例登陆区域来部署 Azure 订阅的基础监管、会计和安全功能。This section shows how to use a sample landing zone to deploy foundational governance, accounting, and security capabilities for an Azure subscription.

登陆区域的用途Purpose of the landing zone

适用于 Terraform 的云采用框架基础登录区域提供了强制执行日志记录、记帐和安全性的功能。The Cloud Adoption Framework foundations landing zone for Terraform provides features to enforce logging, accounting, and security. 此登陆区域使用称为 Terraform 模块的标准组件来强制实施环境中部署的资源之间的一致性。This landing zone uses standard components known as Terraform modules to enforce consistency across resources deployed in the environment.

使用标准模块Use standard modules

组件重用是基础结构即代码的基本原则。Reuse of components is a fundamental principle of infrastructure as code. 模块有助于在环境内和跨环境之间跨资源部署定义标准和一致性。Modules are instrumental in defining standards and consistency across resource deployment within and across environments. 用于部署此第一个登陆区域的模块在官方 Terraform 注册表中提供。The modules used to deploy this first landing zone are available in the official Terraform registry.

体系结构关系图Architecture diagram

第一个登陆区域在你的订阅中部署以下组件:The first landing zone deploys the following components in your subscription:

使用 Terraform 的基础登陆区域 图1:使用 Terraform 的基础登陆区域。Foundational landing zone using Terraform Figure 1: A foundation landing zone using Terraform.


部署的组件及其用途包括:The components deployed and their purpose include the following:

组件Component 责任方Responsibility
资源组Resource groups 基础所需的核心资源组Core resource groups needed for the foundation
活动日志记录Activity logging 审核所有订阅活动和存档:Auditing all subscription activities and archiving:
  • 存储帐户Storage account
  • Azure 事件中心Azure Event Hubs
  • 诊断日志记录Diagnostics logging 所有操作日志保留指定的天数:All operation logs kept for a specific number of days:
  • 存储帐户Storage account
  • 事件中心Event Hubs
  • Log AnalyticsLog Analytics 存储操作日志。Stores the operation logs. 部署适用于深层应用程序最佳实践检查的常见解决方案:Deploy common solutions for deep application best practices review:
  • NetworkMonitoringNetworkMonitoring
  • AdAssessmentAdAssessment
  • Get-adreplicationAdReplication
  • AgentHealthAssessmentAgentHealthAssessment
  • DnsAnalyticsDnsAnalytics
  • KeyVaultAnalyticsKeyVaultAnalytics
  • Azure 安全中心Azure Security Center 安全卫生指标和发送给电子邮件和电话号码的警报Security hygiene metrics and alerts sent to email and phone number

    使用此蓝图Use this blueprint

    使用 Cloud 接纳 Framework foundation 登陆区域之前,请查看以下假设、决策和实现指南。Before you use the Cloud Adoption Framework foundation landing zone, review the following assumptions, decisions, and implementation guidance.


    定义此初始登陆区域时,应考虑以下假设或约束。The following assumptions or constraints were considered when this initial landing zone was defined. 如果这些假设与你的约束条件一致,可以使用蓝图创建第一个登陆区域。If these assumptions align with your constraints, you can use the blueprint to create your first landing zone. 还可以将蓝图扩展为创建可满足你的唯一性约束的登陆区域蓝图。The blueprint also can be extended to create a landing zone blueprint that meets your unique constraints.

    • 订阅限制: 此采用工作不太可能超过 订阅限制Subscription limits: This adoption effort is unlikely to exceed subscription limits. 两个常见指标是超过 25,000 个 VM 或 10,000 个 vCPU。Two common indicators are an excess of 25,000 VMs or 10,000 vCPUs.
    • 符合性: 此登陆区域不需要第三方符合性要求。Compliance: No third-party compliance requirements are needed for this landing zone.
    • 体系结构复杂性: 体系结构复杂性不需要额外的生产订阅。Architectural complexity: Architectural complexity doesn't require additional production subscriptions.
    • 共享服务: Azure 中的现有共享服务不需要将此订阅视为中心和辐射型体系结构中的分支。Shared services: No existing shared services in Azure require this subscription to be treated like a spoke in a hub and spoke architecture.

    如果这些假设与当前环境相匹配,则可能是开始构建登陆区域的好方法。If these assumptions match your current environment, this blueprint might be a good way to start building your landing zone.

    设计决策Design decisions

    CAF Terraform 模块中表示以下决策:The following decisions are represented in the CAF Terraform modules:

    组件Component 决策Decisions 替代方法Alternative approaches
    日志记录和监视Logging and monitoring Azure Monitor 使用 Log Analytics 工作区。Azure Monitor Log Analytics workspace is used. 还预配了诊断存储帐户和事件中心。A diagnostics storage account as well as event hub is provisioned.
    网络Network N/A-网络在另一个登陆区域中实现。N/A - network is implemented in another landing zone. 网络决策Networking decisions
    标识Identity 假设订阅已与 Azure Active Directory 实例关联。It's assumed that the subscription is already associated with an Azure Active Directory instance. 标识管理最佳做法Identity management best practices
    策略Policy 此登陆区域当前假定不会应用 Azure 策略。This landing zone currently assumes that no Azure policies are to be applied.
    订阅设计Subscription design 不适用于单个生产订阅。N/A - designed for a single production subscription. 创建初始订阅Create initial subscriptions
    资源组Resource groups 不适用于单个生产订阅。N/A - designed for a single production subscription. 缩放订阅Scale subscriptions
    管理组Management groups 不适用于单个生产订阅。N/A - designed for a single production subscription. 组织订阅Organize subscriptions
    数据Data 不适用N/A 在 Azure 和azure 数据存储指南中选择正确的 SQL Server 选项Choose the correct SQL Server option in Azure and Azure data store guidance
    存储Storage 不适用N/A Azure 存储指南Azure Storage guidance
    命名标准Naming standards 创建环境后,还会创建一个唯一的前缀。When the environment is created, a unique prefix is also created. 需要全局唯一名称 ((例如存储帐户) )的资源使用此前缀。Resources that require a globally unique name (such as storage accounts) use this prefix. 自定义名称后追加一个随机后缀。The custom name is appended with a random suffix. 标记用法是强制性的,如下表所述。Tag usage is mandated as described in the following table. 命名和标记最佳做法Naming and tagging best practices
    成本管理Cost management 不适用N/A 跟踪成本Tracking costs
    计算Compute 不适用N/A 计算选项Compute options

    标记标准Tagging standards

    下面显示的最小标记集必须存在于所有资源和资源组上:The minimum set of tags shown below must be present on all resources and resource groups:

    标记名称Tag name 说明Description 密钥Key 示例值Example values
    业务部门Business unit 拥有资源所属的订阅或工作负荷的公司顶级部门。Top-level division of your company that owns the subscription or workload the resource belongs to. BusinessUnit finance, marketing, <product-name>, corp, sharedfinance, marketing, <product-name>, corp, shared
    成本中心Cost center 与此资源关联的计帐成本中心。Accounting cost center associated with this resource. CostCenter <cost-center-number>
    灾难恢复Disaster recovery 应用程序、工作负荷或服务的业务关键性。Business criticality of the application, workload, or service. DR dr-enabled, non-dr-enableddr-enabled, non-dr-enabled
    环境Environment 应用程序、工作负荷或服务的部署环境。Deployment environment of the application, workload, or service. Env prod, dev, qa, staging, test, trainingprod, dev, qa, staging, test, training
    所有者名称Owner name 应用程序、工作负荷或服务的所有者。Owner of the application, workload, or service. Owner email
    部署类型Deployment type 定义如何维护资源。Defines how the resources are being maintained. DeploymentType manual, terraformmanual, terraform
    版本Version 已部署的蓝图版本。Version of the blueprint deployed. Version v0.1
    应用程序名称Application name 与资源关联的关联应用程序、服务或工作负荷的名称。Name of the associated application, service, or workload associated with the resource. ApplicationName <app-name>

    自定义和部署第一个登陆区域Customize and deploy your first landing zone

    可以 克隆 Terraform foundation 登陆区域You can clone your Terraform foundation landing zone. 通过修改 Terraform 变量,使用登陆区域轻松入门。Get started easily with the landing zone by modifying the Terraform variables. 在我们的示例中,我们使用 blueprint_foundations tfvars,因此 Terraform 会自动为你设置此文件中的值。In our example, we use blueprint_foundations.sandbox.auto.tfvars, so Terraform automatically sets the values in this file for you.

    让我们看一下不同的变量部分。Let's look at the different variable sections.

    在第一个对象中,我们在名为和的区域中创建了两个资源组, southeastasia -hub-core-sec 并在 -hub-operations 运行时添加了前缀。In this first object, we create two resource groups in the southeastasia region named -hub-core-sec and -hub-operations along with a prefix added at runtime.

    resource_groups_hub = {
        HUB-CORE-SEC    = {
            name = "-hub-core-sec"
            location = "southeastasia"
        HUB-OPERATIONS  = {
            name = "-hub-operations"
            location = "southeastasia"

    接下来,指定可在其中设置基础的区域。Next, we specify the regions where we can set the foundations. 此处 southeastasia 用于部署所有资源。Here, southeastasia is used to deploy all the resources.

    location_map = {
        region1   = "southeastasia"
        region2   = "eastasia"

    然后,为操作日志和 Azure 订阅日志指定保持期。Then, we specify the retention period for the operations logs and the Azure subscription logs. 此数据存储在单独的存储帐户和事件中心中,其名称是随机生成的,因为它们必须是唯一的。This data is stored in separate storage accounts and an event hub, whose names are randomly generated because they must be unique.

    azure_activity_logs_retention = 365
    azure_diagnostics_logs_retention = 60

    在 tags_hub 中,我们将指定应用于所有已创建资源的标记的最小集合。Into the tags_hub, we specify the minimum set of tags that are applied to all resources created.

    tags_hub = {
        environment     = "DEV"
        owner           = "Arnaud"
        deploymentType  = "Terraform"
        costCenter      = "65182"
        BusinessUnit    = "SHARED"
        DR              = "NON-DR-ENABLED"

    然后,指定 Log Analytics 名称和一组分析部署的解决方案。Then, we specify the Log Analytics name and a set of solutions that analyze the deployment. 在这里,我们保留了网络监视、Active Directory 评估和复制、DNS Analytics 和 Key Vault 分析。Here, we retained network monitoring, Active Directory assessment and replication, DNS Analytics, and Key Vault analytics.

    analytics_workspace_name = "lalogs"
    solution_plan_map = {
        NetworkMonitoring = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/NetworkMonitoring"
        ADAssessment = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/ADAssessment"
        ADReplication = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/ADReplication"
        AgentHealthAssessment = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/AgentHealthAssessment"
        DnsAnalytics = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/DnsAnalytics"
        KeyVaultAnalytics = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/KeyVaultAnalytics"

    接下来,我们配置了 Azure 安全中心的警报参数。Next, we configured the alert parameters for Azure Security Center.

    # Azure Security Center Configuration
    security_center = {
        contact_email   = "joe@contoso.com"
        contact_phone   = "+6500000000"

    执行操作Take action

    查看配置后,你可以部署配置,就像部署 Terraform 环境一样。After you've reviewed the configuration, you can deploy the configuration as you would deploy a Terraform environment. 建议使用火星,它是允许从 Windows、Linux 或 macOS 进行部署的 Docker 容器。We recommend that you use the rover, which is a Docker container that allows deployment from Windows, Linux, or macOS. 你可以开始 登录区域You can get started with the landing zones.

    后续步骤Next steps

    基础登陆区域以分解方式为复杂环境奠定了基础。The foundation landing zone lays the groundwork for a complex environment in a decomposed manner. 此版本提供了一组简单的功能,可通过将其他模块添加到蓝图,或在其之上分层其他登陆区域来进行扩展。This edition provides a set of simple capabilities that can be extended by adding other modules to the blueprint or layering additional landing zones on top of it.

    将登陆区域分层是一种很好的做法,适用于分离系统、对要使用的每个组件进行版本控制,并使基础结构的快速创新和稳定性成为代码部署。Layering your landing zones is a good practice for decoupling systems, versioning each component that you're using, and allowing fast innovation and stability for your infrastructure as code deployment.

    将来的参考体系结构将演示针对中心辐射型拓扑的这一概念。Future reference architectures will demonstrate this concept for a hub and spoke topology.