Use Terraform to build your landing zones

Azure provides native services for deploying your landing zones. Other third-party tools can also help with this effort. One such tool that customers and partners often use to deploy landing zones is Terraform by HashiCorp. This section shows how to use a sample landing zone to deploy foundational governance, accounting, and security capabilities for an Azure subscription.

Purpose of the landing zone

The Cloud Adoption Framework foundations landing zone for Terraform provides features to enforce logging, accounting, and security. This landing zone uses standard components known as Terraform modules to enforce consistency across the resources deployed in the environment.

Use standard modules

Reuse of components is a fundamental principle of infrastructure as code. Modules are instrumental in defining standards and consistency across resource deployment within and across environments. The modules used to deploy this first landing zone are available in the official Terraform registry.

Architecture diagram

The first landing zone deploys the following components in your subscription:

Figure 1: A foundation landing zone using Terraform.

Capabilities

The components deployed and their purpose include the following:

| Component | Responsibility |
|---|---|
| Resource groups | Core resource groups needed for the foundation |
| Activity logging | Auditing all subscription activities and archiving them to a storage account and Azure Event Hubs |
| Diagnostics logging | All operation logs kept for a specific number of days in a storage account and Event Hubs |
| Log Analytics | Stores the operation logs. Deploys common solutions for deep application best practices review: NetworkMonitoring, AdAssessment, AdReplication, AgentHealthAssessment, DnsAnalytics, KeyVaultAnalytics |
| Azure Security Center | Security hygiene metrics and alerts sent to an email address and a phone number |

Use this blueprint

Before you use the Cloud Adoption Framework foundation landing zone, review the following assumptions, decisions, and implementation guidance.

Assumptions

The following assumptions or constraints were considered when this initial landing zone was defined. If these assumptions align with your constraints, you can use the blueprint to create your first landing zone. The blueprint can also be extended to create a landing zone blueprint that meets your unique constraints.

- Subscription limits: This adoption effort is unlikely to exceed subscription limits. Two common indicators are an excess of 25,000 VMs or 10,000 vCPUs.
- Compliance: No third-party compliance requirements are needed for this landing zone.
- Architectural complexity: Architectural complexity doesn't require additional production subscriptions.
- Shared services: No existing shared services in Azure require this subscription to be treated like a spoke in a hub and spoke architecture.

If these assumptions match your current environment, this blueprint might be a good way to start building your landing zone.

Design decisions

The following decisions are represented in the CAF Terraform modules:

| Component | Decisions | Alternative approaches |
|---|---|---|
| Logging and monitoring | An Azure Monitor Log Analytics workspace is used. A diagnostics storage account and an event hub are provisioned. | |
| Network | N/A - the network is implemented in another landing zone. | Networking decisions |
| Identity | It's assumed that the subscription is already associated with an Azure Active Directory instance. | Identity management best practices |
| Policy | This landing zone currently assumes that no Azure policies are to be applied. | |
| Subscription design | N/A - designed for a single production subscription. | Create initial subscriptions |
| Resource groups | N/A - designed for a single production subscription. | Scale subscriptions |
| Management groups | N/A - designed for a single production subscription. | Organize subscriptions |
| Data | N/A | Choose the correct SQL Server option in Azure, and Azure data store guidance |
| Storage | N/A | Azure Storage guidance |
| Naming standards | When the environment is created, a unique prefix is also created. Resources that require a globally unique name (such as storage accounts) use this prefix. The custom name is appended with a random suffix. Tag usage is mandated as described in the following table. | Naming and tagging best practices |
| Cost management | N/A | Tracking costs |
| Compute | N/A | Compute options |

Tagging standards

The minimum set of tags shown below must be present on all resources and resource groups:

| Tag name | Description | Key | Example values |
|---|---|---|---|
| Business unit | Top-level division of your company that owns the subscription or workload the resource belongs to. | BusinessUnit | finance, marketing, <product-name>, corp, shared |
| Cost center | Accounting cost center associated with this resource. | CostCenter | <cost-center-number> |
| Disaster recovery | Business criticality of the application, workload, or service. | DR | dr-enabled, non-dr-enabled |
| Environment | Deployment environment of the application, workload, or service. | Env | prod, dev, qa, staging, test, training |
| Owner name | Owner of the application, workload, or service. | Owner | email |
| Deployment type | Defines how the resources are being maintained. | DeploymentType | manual, terraform |
| Version | Version of the blueprint deployed. | Version | v0.1 |
| Application name | Name of the application, service, or workload associated with the resource. | ApplicationName | <app-name> |

Customize and deploy your first landing zone

You can clone the Terraform foundation landing zone. Get started with the landing zone by modifying the Terraform variables. In our example, the values live in blueprint_foundations.sandbox.auto.tfvars; because the file name ends in .auto.tfvars, Terraform loads it automatically, with no -var-file argument needed.

Let's look at the different variable sections.

In this first object, we create two resource groups in the southeastasia region, named -hub-core-sec and -hub-operations; the unique prefix generated at deployment time is prepended to these names.

    resource_groups_hub = {
        HUB-CORE-SEC    = {
            name = "-hub-core-sec"
            location = "southeastasia"
        }
        HUB-OPERATIONS  = {
            name = "-hub-operations"
            location = "southeastasia"
        }
    }
    

Next, we specify the regions in which the foundations can be set. Here, southeastasia is used to deploy all the resources.

    location_map = {
        region1   = "southeastasia"
        region2   = "eastasia"
    }
    

Then, we specify the retention period, in days, for the operations logs and the Azure subscription activity logs. This data is stored in separate storage accounts and an event hub, whose names are randomly generated because they must be globally unique.

    azure_activity_logs_retention = 365
    azure_diagnostics_logs_retention = 60
    

In tags_hub, we specify the minimum set of tags that are applied to all the resources created.

    tags_hub = {
        environment     = "DEV"
        owner           = "Arnaud"
        deploymentType  = "Terraform"
        costCenter      = "65182"
        BusinessUnit    = "SHARED"
        DR              = "NON-DR-ENABLED"
    }
    

Then, we specify the Log Analytics workspace name and the set of solutions that analyze the deployment. Here, we retained network monitoring, Active Directory assessment and replication, agent health assessment, DNS analytics, and Key Vault analytics.

    
    analytics_workspace_name = "lalogs"
    
    solution_plan_map = {
        NetworkMonitoring = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/NetworkMonitoring"
        },
        ADAssessment = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/ADAssessment"
        },
        ADReplication = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/ADReplication"
        },
        AgentHealthAssessment = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/AgentHealthAssessment"
        },
        DnsAnalytics = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/DnsAnalytics"
        },
        KeyVaultAnalytics = {
            "publisher" = "Microsoft"
            "product"   = "OMSGallery/KeyVaultAnalytics"
        }
    }
    
    

Next, we configure the contact details that Azure Security Center uses for its alerts.

    # Azure Security Center Configuration
    security_center = {
        contact_email   = "joe@contoso.com"
        contact_phone   = "+6500000000"
    }
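
The following Python check is an added example, not part of the landing zone or the CAF modules: it reads the tags_hub map from tfvars text with a small regex parser (only the flat key = "value" form used above; nested HCL is not supported) and compares it with the minimum tag set from the tagging standards table, matching keys case-insensitively as Azure does but values exactly, because Azure tag values are case-sensitive. Run on the sample tags_hub above, it reports the keys that do not match the standard (for example environment instead of Env) and the values outside the documented set, which is worth catching before terraform apply because later policies and queries select resources by these exact keys and values.

```python
import re

# Mandatory tag keys from the standard above; a set lists the documented values, None accepts any non-empty value.
REQUIRED_TAGS = {
    "BusinessUnit": None, "CostCenter": None, "Owner": None,
    "Version": None, "ApplicationName": None,
    "DR": {"dr-enabled", "non-dr-enabled"},
    "Env": {"prod", "dev", "qa", "staging", "test", "training"},
    "DeploymentType": {"manual", "terraform"},
}

# Constructed sample input: the tags_hub map from the tfvars walked through above.
SAMPLE_TFVARS = '''
tags_hub = {
    environment     = "DEV"
    owner           = "Arnaud"
    deploymentType  = "Terraform"
    costCenter      = "65182"
    BusinessUnit    = "SHARED"
    DR              = "NON-DR-ENABLED"
}
'''

def parse_map(tfvars: str, name: str) -> dict:
    """Return the flat string map assigned to `name` in tfvars text.
    Only the one-level key = "value" form used by the sample is handled."""
    body = re.search(rf'^\s*{name}\s*=\s*\{{(.*?)^\s*\}}', tfvars, re.S | re.M)
    if not body:
        return {}
    return dict(re.findall(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"', body.group(1), re.M))

def check_tags(tags: dict) -> list:
    """Return findings for a tag map; an empty list means it meets the standard.
    Keys are matched case-insensitively (as Azure does) but a casing difference is
    still reported; values must match the documented ones exactly."""
    findings = []
    by_lower = {k.lower(): k for k in tags}
    for key, allowed in REQUIRED_TAGS.items():
        actual = by_lower.get(key.lower())
        if actual is None:
            findings.append(f"missing required tag '{key}'")
            continue
        if actual != key:
            findings.append(f"tag key '{actual}' should be spelled '{key}' per the standard")
        value = tags[actual]
        if not value.strip():
            findings.append(f"tag '{key}' is empty")
        elif allowed is not None and value not in allowed:
            findings.append(f"tag '{key}' = '{value}' is not one of {sorted(allowed)}")
    return findings
```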
    

Take action

After you've reviewed the configuration, you can deploy it as you would any Terraform environment. We recommend that you use the rover, a Docker container that allows deployment from Windows, Linux, or macOS. You can get started with the landing zones.

Next steps

The foundation landing zone lays the groundwork for a complex environment in a decomposed manner. This edition provides a set of simple capabilities that can be extended by adding other modules to the blueprint or by layering additional landing zones on top of it.

Layering your landing zones is a good practice for decoupling systems, versioning each component that you use, and allowing both fast innovation and stability for your infrastructure-as-code deployment.

Future reference architectures will demonstrate this concept for a hub and spoke topology.