
Azure AKS APP Stack Global

Overview

Tailored for globally distributed microservices, the Azure AKS APP Stack Global environment template excels in establishing a resilient presence across diverse Azure regions. Comprising key components such as AKS, ACR, and Application Gateway, it forms a sturdy foundation for secure and high-performance application hosting. Advanced functionalities like zone redundancy, data replication, and auto scaling enhance fault tolerance. Adhering to security best practices and CIS compliance, the template offers configurable options for additional resources such as Azure SQL Database, CosmosDB, Azure Cache for Redis, and Front Door. This holistic solution seamlessly blends flexibility with industry standards, ensuring a smooth and efficient deployment experience for microservices applications.
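As an added example (not part of the BOS Framework template), this Python check audits a set of input values before deployment, using variable names, supported values and NSG rule keys taken from the Input Parameters table on this page. The function names, the sample dictionaries and the choice of what to flag (registry admin account, public endpoint with default action Allow, WAF in Detection mode, management ports open to any source) are assumptions of this example.

```python
import json

# Supported values copied from the Input Parameters table on this page.
SUPPORTED = {"acr_network_rule_set_default_action": {"Allow", "Deny"},
             "keyvault_network_acls_default_action": {"Allow", "Deny"},
             "private_app_gateway_waf_firewall_mode": {"Detection", "Prevention"}}
# Keys the table requires for every entry of a *_nsg_rules map.
NSG_RULE_KEYS = {"name", "priority", "direction", "access", "protocol",
                 "source_port_range", "destination_port_range",
                 "source_address_prefix", "destination_address_prefix"}
MGMT_PORTS = (22, 3389)                      # ports the default rules deny
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # sources that match any Internet host


def port_in_spec(port, spec):
    """True if port falls in a single NSG port spec: '*', '22' or '65200-65535'."""
    low, _, high = spec.partition("-")
    return spec == "*" or int(low) <= port <= int(high or low)


def check_nsg_rules(var_name, rules):
    """Validate rule shape, then report management ports reachable from any source."""
    findings, valid, seen = [], [], set()
    for key, rule in rules.items():
        missing = NSG_RULE_KEYS - set(rule)
        if missing:
            findings.append(f"{var_name}.{key}: missing {sorted(missing)}")
            continue
        slot = (rule["direction"], rule["priority"])
        if slot in seen:
            findings.append(f"{var_name}.{key}: duplicate priority {slot[1]}")
        seen.add(slot)
        valid.append(rule)
    # First match in ascending priority wins; destination prefixes are ignored (assumption).
    inbound = sorted((r for r in valid if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for port in MGMT_PORTS:
        for rule in inbound:
            if (rule["protocol"] in ("Tcp", "*")
                    and rule["source_address_prefix"] in ANY_SOURCE
                    and port_in_spec(port, rule["destination_port_range"])):
                if rule["access"] == "Allow":
                    findings.append(f"{var_name}: port {port} open to any source "
                                    f"via {rule['name']}")
                break
    return findings


def audit(inputs):
    """Return findings for a dict of template input values."""
    findings = [f"{name}: {inputs[name]!r} is not a supported value"
                for name, allowed in SUPPORTED.items()
                if name in inputs and inputs[name] not in allowed]
    if inputs.get("acr_admin_enabled"):
        findings.append("acr_admin_enabled: registry admin account is enabled")
    for svc, action in (("acr", "acr_network_rule_set_default_action"),
                        ("keyvault", "keyvault_network_acls_default_action")):
        flag = f"{svc}_public_network_access_enabled"
        if inputs.get(flag) and inputs.get(action) == "Allow":
            findings.append(f"{flag}: public endpoint with {action}=Allow")
    if inputs.get("private_app_gateway_waf_firewall_mode") == "Detection":
        findings.append("private_app_gateway_waf_firewall_mode: WAF logs but does not block")
    for name, value in inputs.items():
        if name.endswith("_nsg_rules"):
            findings += check_nsg_rules(name, json.loads(value))
    return findings


def tcp_rule(name, priority, access, port, source="*"):
    """Constructed-sample helper: one inbound TCP rule with the nine required keys."""
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": "Tcp", "source_port_range": "*", "destination_port_range": port,
            "source_address_prefix": source, "destination_address_prefix": "*"}


# Constructed samples: the table's default values, then a weakened variant of them.
PAGE_DEFAULTS = {
    "acr_admin_enabled": True,
    "acr_public_network_access_enabled": True,
    "acr_network_rule_set_default_action": "Deny",
    "keyvault_public_network_access_enabled": True,
    "keyvault_network_acls_default_action": "Deny",
    "private_app_gateway_waf_firewall_mode": "Prevention",
    "vnet_subnet1_aks_nsg_rules": json.dumps({
        "rule1": tcp_rule("sn01-nsg-rule-01", 1000, "Deny", "22"),
        "rule2": tcp_rule("sn01-nsg-rule-02", 2000, "Deny", "3389")}),
}
WEAKENED = dict(
    PAGE_DEFAULTS, acr_network_rule_set_default_action="allow",  # wrong case
    keyvault_network_acls_default_action="Allow",
    private_app_gateway_waf_firewall_mode="Detection",
    vnet_subnet1_aks_nsg_rules=json.dumps({
        "rule1": tcp_rule("allow-ssh", 900, "Allow", "22"),
        "rule2": tcp_rule("sn01-nsg-rule-01", 1000, "Deny", "22"),
        "rule3": tcp_rule("sn01-nsg-rule-02", 2000, "Deny", "3389"),
        "rule4": tcp_rule("late-allow-rdp", 3000, "Allow", "3389")}),
)
```

With the table's defaults the only finding is the enabled registry admin account; in the weakened sample the priority-900 Allow wins over the priority-1000 Deny for port 22, while the priority-3000 Allow for 3389 is shadowed by the earlier Deny.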

List of resources

  1. AKS
  2. Application gateway
  3. Container registry
  4. Key vault
  5. DNS zone
  6. Private DNS zones
  7. Private Endpoints
  8. Storage Accounts
  9. SQL Database
  10. CosmosDB
  11. Cache for Redis
  12. Frontdoor
  13. Log Analytics workspace
  14. Application Insights
  15. Virtual network

Cloud Architecture

[Figure: BOS_ARC]
© Copyright BOS Framework 2024

Input Parameters

Input VariablesDescriptionsDefault ValuesTypeSupported Values
sp_client_idService Principal Client ID, used for authentication in Azure.abcde123-4567-890f-12ab-34cd56789ef0string
sp_tenant_idAzure AD Tenant ID, the identity provider for the service principal.12345678-abcd-1234-ef12-123456789abcstring
sp_subscription_idAzure Subscription ID, specifying the target subscription.abcdefgh-1234-5678-90ab-cdef12345678string
sp_nameName or identifier for the Service Principalmyserviceprincipalstring
sp_client_secretThe secret key associated with the Service Principal for authentication.mysecretclientsecret123string
storage_use_azureadShould the AzureRM Provider use AzureAD to connect to the Storage Blob API's, rather than the SharedKey from the Storage Accounttruebooltrue, false
resource_group_nameThe name of the Azure Resource Group where resources will be deployed.myrgstring
resource_group_locationAzure region where the Resource Group will be created.eastusstring
resourcegroup_lockWhether to apply a resource group-level lock.truebooltrue, false
resourcegroup_lock_levelLevel of the resource group lock if resourcegroup_lock is set to true.CanNotDeletestringCanNotDelete, ReadOnly
tags_nameA map of tags to apply to Azure resources.'{"Environment":"Dev","ProductName":"JohnDoe"}'map(string)
enable_defender_plansEnable or disable Azure defender plans for the subscription.truebooltrue, false
security_center_resource_typeslist of resource types to be covered by Azure Security Center.["CloudPosture", "VirtualMachines", "AppServices", "SqlServers", "SqlServerVirtualMachines", "OpenSourceRelationalDatabases", "CosmosDbs", "StorageAccounts", "Containers", "KeyVaults", "Arm", "Api"]'list["CloudPosture", "VirtualMachines", "AppServices", "SqlServers", "SqlServerVirtualMachines", "OpenSourceRelationalDatabases", "CosmosDbs", "StorageAccounts", "Containers", "KeyVaults", "Arm", "Api"]'
security_center_resource_types_tierThe Azure Security Center tier to use for the specified resource types.["Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard"]'list["Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard"]'
auto_provision_log_analytics_agentWhether to automatically provision the Log Analytics agent on VMs within the VNet.OffstringOff, On
vnet_nameThe name of the Virtual Network (VNet).my-vnetstring
vnet_subnet1_aks_nameThe name of the first subnet for AKS.my-subnet-1string
vnet_subnet2_appgw_nameThe name of the second subnet for Application Gateway.my-subnet-2string
vnet_subnet3_services_nameThe name of the third subnet for services.my-subnet-3string
vnet_address_spaceThe address space for the Virtual Network.["10.11.0.0/16"]'list
vnet_dns_serversThe DNS server IP addresses for the Virtual Network.[]list
vnet_subnet1_aks_address_prefixThe address prefix for the first subnet for AKS.["10.11.8.0/21"]'list
vnet_subnet2_appgw_address_prefixThe address prefix for the second subnet for Application Gateway.["10.11.16.0/24"]'list
vnet_subnet3_services_address_prefixThe address prefix for the third subnet for services.["10.11.24.0/23"]'list
vnet_subnet4_firewall_address_prefixThe address prefix for the fourth subnet for the firewall.["10.11.32.0/26"]'list
vnet_firewall_enableWhether to enable the Azure Firewall in the VNet.falsebooltrue, false
vnet_firewall_public_ip_zoneslist of public IP address zones for the Azure Firewall.["1", "2", "3"]'list["1", "2", "3"]'
vnet_firewall_zoneslist of zones for the Azure Firewall.["1", "2", "3"]'list["1", "2", "3"]'
vnet_firewall_skuThe SKU for the Azure Firewall.AZFW_VNetstringAZFW_VNet, AZFW_Hub
vnet_firewall_tierThe threat intelligence tier for the Azure Firewall.StandardstringPremium, Standard, Basic
vnet_firewall_threat_intel_modeThe threat intelligence mode for the Azure Firewall.DenystringDeny, Alert
vnet_ddos_protection_plan_enableWhether to enable DDoS protection for the VNet.falsebooltrue, false
vnet_ddos_protection_plan_nameThe name for the DDoS protection plan.my-ddos-planstring
vnet_subnet1_aks_service_endpointsThe list of Service endpoints to associate with the subnet1["Microsoft.KeyVault", "Microsoft.Sql", "Microsoft.Storage", "Microsoft.AzureCosmosDB", "Microsoft.ContainerRegistry"]list["Microsoft.KeyVault", "Microsoft.Sql", "Microsoft.Storage", "Microsoft.AzureCosmosDB", "Microsoft.ContainerRegistry"]
vnet_subnet3_service_endpointsThe list of Service endpoints to associate with the subnet3["Microsoft.KeyVault", "Microsoft.Sql", "Microsoft.Storage", "Microsoft.AzureCosmosDB", "Microsoft.ContainerRegistry"]list["Microsoft.KeyVault", "Microsoft.Sql", "Microsoft.Storage", "Microsoft.AzureCosmosDB", "Microsoft.ContainerRegistry"]
natgw_public_ip_prefix_nameName of the Public IP Prefix for the NAT Gateway.my-nat-pub-ip-prefixstring
natgw_public_ip_prefix_lengthPrefix length (subnet mask) for the Public IP Prefix.29number28,29,30,31
natgw_public_ip_prefix_zonesAvailability zones for the Public IP Prefix.["1"]'list["1", "2", "3"]'
natgw_public_ip_nameName of the Public IP address for the NAT Gateway.my-nat-pub-ipstring
natgw_public_ip_allocation_methodIP address allocation method for the Public IP.StaticstringDynamic, Static
natgw_public_ip_skuSKU (service tier) for the Public IP address.StandardstringBasic, Standard
natgw_public_ip_zonesAvailability zones for the Public IP address of the NAT Gateway.["1"]'list["1", "2", "3"]'
natgw_nameName of the NAT Gateway.my-nat-gatewaystring
natgw_idle_timeout_in_minutesIdle timeout in minutes for the NAT Gateway's outbound connections.4number
natgw_skuSKU (service tier) for the NAT Gateway.StandardstringBasic, Standard
natgw_zonesAvailability zones for the NAT Gateway.["1"]'list["1", "2", "3"]'
network_watchernameName of the Network Watcher resource.NetworkWatcher_eastusstringNetworkWatcher_region
network_watcher_existsIndicates whether the Network Watcher resource exists or not.falsebooltrue, false
nsg_flow_logs_enableWhether to enable Network Security Group (NSG) flow logs.falsebooltrue, false
vnet_subnet1_aks_nsg_nameName of the Network Security Group (NSG) for the first subnet used by AKS.my-nsg-1string
vnet_subnet1_aks_nsg_rulesRules defined for the Network Security Group (NSG) in the first subnet used by AKS.{"rule1": {"name": "sn01-nsg-rule-01","priority": 1000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "22","source_address_prefix": "*","destination_address_prefix": "*"},"rule2": {"name": "sn01-nsg-rule-02","priority": 2000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "3389","source_address_prefix": "*","destination_address_prefix": "*"}}'map(json)It should consist of name, priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix and destination_address_prefix for each rule.
vnet_subnet2_appgw_nsg_nameName of the Network Security Group (NSG) for the second subnet used by Application Gateway.my-nsg-2string
vnet_subnet2_appgw_nsg_rulesRules defined for the Network Security Group (NSG) in the second subnet used by Application Gateway.{"rule1": {"name": "Allow_Front_Door_to_send_HTTP_traffic_80","priority": 120,"direction": "Inbound","access": "Allow","protocol": "Tcp","source_port_range": "*","destination_port_range": "80","source_address_prefix": "AzureFrontDoor.Backend","destination_address_prefix": "VirtualNetwork"},"rule2": {"name": "Allow_Front_Door_to_send_HTTP_traffic_443","priority": 121,"direction": "Inbound","access": "Allow","protocol": "Tcp","source_port_range": "*","destination_port_range": "443","source_address_prefix": "AzureFrontDoor.Backend","destination_address_prefix": "VirtualNetwork"},"rule3": {"name": "Allow_GWM","priority": 100,"direction": "Inbound","access": "Allow","protocol": "*","source_port_range": "*","destination_port_range": "65200-65535","source_address_prefix": "GatewayManager","destination_address_prefix": "*"},"rule4": {"name": "Allow_AzureLoadBalancer","priority": 110,"direction": "Inbound","access": "Allow","protocol": "*","source_port_range": "*","destination_port_range": "*","source_address_prefix": "AzureLoadBalancer","destination_address_prefix": "*"}}'map(json){"rule1": {"name": "Allow_Front_Door_to_send_HTTP_traffic_80","priority": 120,"direction": "Inbound","access": "Allow","protocol": "Tcp","source_port_range": "*","destination_port_range": "80","source_address_prefix": "AzureFrontDoor.Backend","destination_address_prefix": "VirtualNetwork"},"rule2": {"name": "Allow_Front_Door_to_send_HTTP_traffic_443","priority": 121,"direction": "Inbound","access": "Allow","protocol": "Tcp","source_port_range": "*","destination_port_range": "443","source_address_prefix": "AzureFrontDoor.Backend","destination_address_prefix": "VirtualNetwork"},"rule3": {"name": "Allow_GWM","priority": 100,"direction": "Inbound","access": "Allow","protocol": "*","source_port_range": "*","destination_port_range": "65200-65535","source_address_prefix": 
"GatewayManager","destination_address_prefix": "*"},"rule4": {"name": "Allow_AzureLoadBalancer","priority": 110,"direction": "Inbound","access": "Allow","protocol": "*","source_port_range": "*","destination_port_range": "*","source_address_prefix": "AzureLoadBalancer","destination_address_prefix": "*"}}'
vnet_subnet3_services_nsg_nameName of the Network Security Group (NSG) for the third subnet used for services.my-nsg-3string
vnet_subnet3_services_nsg_rulesRules defined for the Network Security Group (NSG) in the third subnet used for services.{"rule1": {"name": "sn03-nsg-rule-01","priority": 1000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "22","source_address_prefix": "*","destination_address_prefix": "*"},"rule2": {"name": "sn03-nsg-rule-02","priority": 2000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "3389","source_address_prefix": "*","destination_address_prefix": "*"}}'map(json)It should consist of name, priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix and destination_address_prefix for each rule.
vnet_subnet1_aks_nsg_flow_log_nameName of the flow log for the Network Security Group (NSG) in the first subnet used by AKS.my-nsg-1-flow-logstring
vnet_subnet1_aks_nsg_flow_log_enabledWhether flow logging is enabled for the Network Security Group (NSG) in the first subnet used by AKS.truebooltrue, false
vnet_subnet1_aks_nsg_flow_log_retention_enabledWhether log retention is enabled for the flow log of the Network Security Group (NSG) in the first subnet used by AKS.truebooltrue, false
vnet_subnet1_aks_nsg_flow_log_retention_in_daysnumber of days to retain flow log data for the Network Security Group (NSG) in the first subnet used by AKS.90number
vnet_subnet3_services_nsg_flow_log_nameName of the flow log for the Network Security Group (NSG) in the third subnet used for services.my-nsg-3-flow-logstring
vnet_subnet3_services_nsg_flow_log_enabledWhether flow logging is enabled for the Network Security Group (NSG) in the third subnet used for services.truebooltrue, false
vnet_subnet3_services_nsg_flow_log_retention_enabledWhether log retention is enabled for the flow log of the Network Security Group (NSG) in the third subnet used for services.truebooltrue, false
vnet_subnet3_services_nsg_flow_log_retention_in_daysnumber of days to retain flow log data for the Network Security Group (NSG) in the third subnet used for services.90number
vnet_subnet1_aks_nsg_flow_log_traffic_analytics_enabledWhether traffic analytics is enabled for the flow log of the Network Security Group (NSG) in the first subnet used by AKS.truebooltrue, false
vnet_subnet1_aks_nsg_flow_log_traffic_analytics_interval_in_minutesInterval in minutes for traffic analytics for the flow log of the Network Security Group (NSG) in the first subnet used by AKS.60number10, 60
vnet_subnet3_services_nsg_flow_log_traffic_analytics_enabledWhether traffic analytics is enabled for the flow log of the Network Security Group (NSG) in the third subnet used for services.truebooltrue, false
vnet_subnet3_services_nsg_flow_log_traffic_analytics_interval_in_minutesInterval in minutes for traffic analytics for the flow log of the Network Security Group (NSG) in the third subnet used for services.60number10, 60
vnet_subnet1_aks_nsg_flow_log_versionVersion of the flow log for the Network Security Group (NSG) in the second subnet. Used by Application Gateway2number1, 2
vnet_subnet3_services_nsg_flow_log_versionVersion of the flow log for the Network Security Group (NSG) in the second subnet. Used by Application Gateway2number1, 2
vnet_subnet2_appgw_nsg_flow_log_nameName of the flow log for the Network Security Group (NSG) in the second subnet. Used by Application Gatewaymy-nsg-2-flow-logstring
vnet_subnet2_appgw_nsg_flow_log_versionVersion of the flow log for the Network Security Group (NSG) in the second subnet. Used by Application Gateway2number1, 2
vnet_subnet2_appgw_nsg_flow_log_enabledWhether flow logging is enabled for the Network Security Group (NSG) in the second subnet. Used by Application Gatewaytruebooltrue, false
vnet_subnet2_appgw_nsg_flow_log_retention_enabledWhether log retention is enabled for the flow log of the Network Security Group (NSG) in the second subnet. Used by Application Gatewaytruebooltrue, false
vnet_subnet2_appgw_nsg_flow_log_retention_in_daysnumber of days to retain flow log data for the Network Security Group (NSG) in the second subnet. Used by Application Gateway90number
vnet_subnet2_appgw_nsg_flow_log_traffic_analytics_enabledWhether traffic analytics is enabled for the flow log of the Network Security Group (NSG) in the second subnet. Used by Application Gatewaytruebooltrue, false
vnet_subnet2_appgw_nsg_flow_log_traffic_analytics_interval_in_minutesInterval in minutes for traffic analytics for the flow log of the Network Security Group (NSG) in the second subnet. Used by Application Gateway60number10, 60
vnet_diagnostic_log_enableWhether to enable diagnostic logs for the Virtual Network (VNet).truebooltrue, false
vnet_diagnostic_log_nameName of the diagnostic logs setting for the Virtual Network (VNet).my-vnet-logsstring
vnet_diagnostic_log_category_groupCategory of diagnostic logs to enable for the Virtual Network (VNet).allLogsstringallLogs
require_vnet_peeringWhether virtual network peering is requiredfalsebooltrue, false
vnet_peering_configsConfiguration for virtual network peering[{"new_vnet_name": "mynewvnet","new_vnet_rg": "mynewvnetnetrg","peering_name_1": "peer1to2","peering_name_2": "peer2to1","allow_gateway_transit": false,"allow_vnet_access": true,"allow_forwarded_traffic": true,}]'map(json)It should consist of new_vnet_name, new_vnet_rg, peering_name_1, peering_name_2, allow_gateway_transit, allow_vnet_access, allow_forwarded_traffic for each peering connection
private_dns_zoneName of the Private DNS Zone to configure.mywebsite.internal.comstring
private_dns_vnetlink_nameName of the Private DNS Virtual Network Link.my-vnet-linkstring
public_dns_enableWhether to create a Public DNS Zone.truebooltrue, false
public_dns_zoneName of the public DNS zone for a Virtual Network.mywebsite.comstring
acr_skuThe SKU (service tier) for the Azure Container Registry (ACR).PremiumstringBasic, Standard, Premium
acr_admin_enabledWhether administrative user access is enabled for the ACR.truebooltrue, false
acr_nameName of the Azure Container Registry (ACR).mycontainerregistrystring
acr_zone_redundancy_enabledWhether geo-replication (zone redundancy) is enabled for the ACR.truebooltrue, false
aks_role_definitionnameName of the role definition to be assigned to the AKS service principal.AcrPullstringAcrPull
aks_acr_skip_service_principal_aad_checkWhether to skip the Azure AD check for the AKS service principal.truebooltrue, false
acr_private_endpoint_nameName of the Private Endpoint for the Azure Container Registry (ACR).mycontainerregistry-pvepstring
acr_private_dns_zoneName of the Private DNS Zone for the ACR Private Endpoint.privatelink.azurecr.iostringprivatelink.azurecr.io
acr_private_service_connection_nameName of the Private Service Connection for the ACR.mycontainerregistry-svcstring
acr_private_service_is_manual_connectionWhether the Private Service Connection is a manual connection.falsebooltrue, false
acr_private_service_connection_subresourceName of the Private Service Connection Subresource for the ACR.["registry"]'list["registry"]'
acr_private_dns_zone_group_nameName of the Private DNS Zone Group for the ACR.mycontainerregistry-dns-grpstring
acr_dns_vnet_linkName of the DNS Virtual Network Link for the ACR.mycontainerregistry-vnet-linkstring
acr_public_network_access_enabledEnable or disable public network access for the ACR.truebooltrue, false
acr_network_rule_bypass_optionBypass option for network rules in the ACRAzureServicesstringAzureServices, None
acr_network_rule_set_default_actionDefault action for network rules in the ACRDenystringAllow, Deny
acr_network_rule_set_ip_rule_actionAction for IP rules in the network rule setAllowstringAllow, Deny
acr_network_rule_set_ip_rule_ip_rangeIP range for IP rules in the network rule set.["45.127.59.60/32"]'list
acr_diagnostic_log_enableEnable or disable diagnostic logs for the Azure Container Registry (ACR).truebooltrue, false
acr_diagnostic_log_nameName of the diagnostic logs setting for the Azure Container Registry (ACR).my-acr-logsstring
acr_diagnostic_log_archive_enableSpecifies whether archiving of diagnostic logs for an Azure Container Registry (ACR) is enabledtruebooltrue, false
acr_diagnostic_diagnostic_log_destination_typeSpecifies the type of destination for diagnostic logs generated by an Azure Container Registry (ACR).DedicatedstringAzureDiagnostics. Dedicated
acr_diagnostic_log_category_groupCategory of diagnostic logs to enable for the ACR.auditstringallLogs, audit
key_vault_nameName of the Azure Key Vault.my-keyvaultstring
keyvault_enabled_for_disk_encryptionWhether the Key Vault is enabled for disk encryption.truebooltrue, false
keyvault_soft_delete_retention_daysThe number of days for soft delete retention for the Key Vault.7number
keyvault_skuThe SKU (service tier) for the Azure Key Vault.standardstringStandard, Premium
key_vault_secret_expiration_dateExpiration date for a secret in the Key Vault."2024-12-31T11:59:59.000Z"string
keyvault_private_endpoint_nameName of the Private Endpoint for the Key Vault.my-kv-pvepstring
keyvault_private_dns_zoneName of the Private DNS Zone for the Key Vault Private Endpoint.privatelink.vaultcore.azure.netstringprivatelink.vaultcore.azure.net
keyvault_private_service_connection_nameName of the Private Service Connection for the Key Vault.my-kv-svcstring
keyvault_private_service_is_manual_connectionWhether the Private Service Connection is a manual connection.falsebooltrue, false
keyvault_private_service_connection_subresourceName of the Private Service Connection Subresource for the Key Vault.["Vault"]'list["Vault"]'
keyvault_private_dns_zone_group_nameName of the Private DNS Zone Group for the Key Vault.my-kv-pv-grpstring
keyvault_dns_vnet_linkName of the DNS Virtual Network Link for the Key Vault.my-pv-vnet-linkstring
keyvault_purge_protection_enabledWhether purge protection is enabled for the Key Vault.truebooltrue, false
keyvault_enable_rbac_authorizationWhether RBAC (Role-Based Access Control) authorization is enabled for the Key Vault.truebooltrue, false
keyvault_public_network_access_enabledEnable or disable public network access for the Key Vault.truebooltrue, false
keyvault_network_acls_default_actionDefault action for network access control lists (ACLs) in the Key Vault.DenystringAllow, Deny
keyvault_network_acls_bypassBypass option for network ACLs in the Key Vault.AzureServicesstringAzureServices, None
keyvault_network_acls_ip_rulesIP rules for network access control lists (ACLs) in the Key Vault.["45.127.59.60/32"]'list
key_vault_diagnostic_log_enableEnable or disable diagnostic logs for the Azure Key Vault.truebooltrue, false
key_vault_diagnostic_log_nameName of the diagnostic logs setting for the Azure Key Vault.my-keyvault-logsstring
key_vault_diagnostic_log_archive_enableSpecifies whether archiving of diagnostic logs for an Azure Key Vault is enabledtruebooltrue, false
key_vault_diagnostic_log_destination_typeSpecifies the type of destination for diagnostic logs generated by an Azure Key Vault.DedicatedstringAzureDiagnostics. Dedicated
key_vault_diagnostic_log_category_groupCategory of diagnostic logs to enable for the Key Vault.auditstringallLogs, audit
log_analytics_workspace_nameName of the Log Analytics workspace.my-log-analyticsstring
log_analytics_workspace_skuSKU (service tier) for the Log Analytics workspace.PerGB2018stringFree, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018)
log_retention_in_daysnumber of days to retain log data in the Log Analytics workspace.30number
log_analytics_daily_quota_gbDaily data ingestion quota in gigabytes for the Log Analytics workspace.3number
log_analytics_action_group_nameName of the Action Group associated with the Log Analytics workspace.mydailycapactiongrpstring
log_analytics_action_group_short_nameShort name or identifier for the Action Group.mydailycapgrpstring
log_analytics_daily_cap_alert_emailslist of email addresses for recipients of daily capacity alerts.["user1@example.com"]'list
log_analytics_action_group_common_schemaUse a common schema for the Action Group.truebooltrue, false
log_analytics_daily_cap_alert_nameName of the daily capacity alert in Log Analytics.mydailycaplogalertstring
log_analytics_daily_cap_alert_evaluation_frequencyFrequency of evaluation for the daily capacity alert.PT10MstringDuration in ISO 8601 format
log_analytics_daily_cap_alert_window_durationDuration of the evaluation window for the daily capacity alert.PT10MstringDuration in ISO 8601 format
log_analytics_daily_cap_alert_severitySeverity level for the daily capacity alert.2number1 , 2, 3, 4
log_analytics_daily_cap_alert_auto_mitigation_enabledEnable or disable automatic mitigation for the daily capacity alert.falsebooltrue, false
log_analytics_daily_cap_alert_storage_enabledEnable or disable alert data storage for the daily capacity alert.falsebooltrue, false
log_analytics_daily_cap_alert_enabledEnable or disable the daily capacity alert.truebooltrue, false
log_analytics_daily_cap_alert_query_time_range_overrideTime range override for the daily capacity alert.P1DstringDuration in ISO 8601 format
application_insights_nameName of the Application Insights resource.my-prv-app-insightsstring
application_insights_application_typeType or category of the Application Insights resource.Node.JSstringios, java, MobileCenter, Node.JS, other, phone, store, web
private_aks_nameName of the private Azure Kubernetes Service (AKS) cluster.my-prv-aks-clusterstring
private_aks_dns_prefixDNS prefix for the private AKS cluster.my-prv-aks-cluster-dnsstring
private_aks_versionVersion of Kubernetes to use for the private AKS cluster.1.27.3string
private_aks_nodepoolnameName of the node pool in the private AKS cluster.np01string
private_aks_nodepool_sizeSize of nodes in the node pool of the private AKS cluster.Standard_D4ds_v4string
private_aks_nodepool_enable_auto_scalingWhether to enable auto-scaling for the node pool in the private AKS cluster.truebooltrue, false
private_aks_nodepool_max_countMaximum number of nodes in the node pool when auto-scaling is enabled.2number
private_aks_nodepool_min_countMinimum number of nodes in the node pool when auto-scaling is enabled.1number
private_aks_nodepool_os_disk_typeType of OS disk for nodes in the node pool of the private AKS cluster.EphemeralstringEphemeral, Managed
private_aks_nodepool_temp_name_for_rotationName of the temporary node pool used for node rotation.tempnp01string
private_aks_default_nodepool_identityIdentity to be assigned to the default node pool in the private AKS cluster.SystemAssignedstringSystemAssigned
private_aks_network_pluginNetwork plugin to use for the private AKS cluster.azurestringazure, kubenet, none
private_aks_dns_service_ipIP address for the DNS service in the private AKS cluster.10.10.0.10string
private_aks_service_cidrAddress space for services in the private AKS cluster.10.10.0.0/16string
private_aks_azure_policy_enabledWhether Azure Policy is enabled for the private AKS cluster.truebooltrue, false
private_aks_network_policyNetwork policy mode for the private AKS cluster.azurestringcalico, azure, cilium
private_aks_sku_tierTier (service level) for the private AKS cluster.StandardstringStandard, Free
private_aks_zonesAvailability zones for the private AKS cluster.["1", "2", "3"]'list["1", "2", "3"]'
private_aks_api_server_access_profile_authorized_ip_rangesAuthorized IP ranges for accessing the private AKS API server.["45.127.59.60/32"]'list
private_aks_automatic_channel_upgradeWhether to enable automatic channel upgrades for the private AKS cluster.node-imagestringpatch, rapid, node-image, stable
private_aks_diagnostic_log_enableEnable or disable diagnostic logs for the private AKS cluster.truebooltrue, false
private_aks_diagnostic_log_nameName of the diagnostic logs setting for the private AKS cluster.my-aks-logsstring
private_aks_log_archive_enableSpecifies whether archiving of diagnostic logs for private AKS cluster is enabledtruebooltrue, false
private_aks_diagnostic_log_destination_typeSpecifies the type of destination for diagnostic logs generated by private AKS cluster.DedicatedstringAzureDiagnostics. Dedicated
private_aks_diagnostic_log_category_groupCategory of diagnostic logs to enable for the private AKS cluster.["kube-audit", "kube-audit-admin", "kube-apiserver", "kube-controller-manager", "kube-scheduler"]'string["kube-audit", "kube-audit-admin", "kube-apiserver", "kube-controller-manager", "kube-scheduler"]', "csi-snapshot-controller", "csi-azurefile-controller", "csi-azuredisk-controller", "cluster-autoscaler", "cloud-controller-manager")
aks_services_allowed_port_policy_nameName of the policy that allows specific ports in the AKS cluster.AKS-Allowed-Ports-Policystring
aks_services_allowed_port_policy_effectEffect of the policy for allowing specific ports in the AKS cluster.denystringAllow, Deny
aks_services_allowed_portslist of allowed ports in the AKS cluster.["443", "80"]'list
aks_services_allowed_port_policy_excludednamespacesNamespaces to exclude from the port policy in the AKS cluster.[ "kube-system", "kube-node-lease", "kube-public", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system"]'list
aks_allowed_container_registries_policy_nameName of the policy that allows specific container registries in the AKS cluster.AKS-Allowed-Container_Registries-Policystring
aks_allowed_container_registries_policy_effectEffect of the policy for allowing specific container registries in the AKS cluster.denystringAllow, Deny
aks_allowed_container_registries_policy_excludednamespacesNamespaces to exclude from the container registry policy in the AKS cluster.[ "kube-system", "kube-node-lease", "kube-public", "gatekeeper-system", "azure-arc", "azuredefender", "mdc", "azure-extensions-usage-system"]'list
private_app_gateway_public_ip_nameName of the public IP associated with the private Application Gateway.my-ingress-appgw-pub-ipstring
private_app_gateway_public_ip_allocation_methodAllocation method for the public IP of the private Application Gateway.StaticstringDynamic, Static
private_app_gateway_public_ip_skuSKU (service tier) for the public IP of the private Application Gateway.StandardstringBasic, Standard
private_app_gateway_public_ip_ddos_protection_modeDDoS protection mode for the public IP of the private Application Gateway.DisabledstringEnabled, Disabled
private_app_gateway_public_ip_zonesAvailability zones for the public IP of the private Application Gateway.["1", "2", "3"]'list["1", "2", "3"]'
private_app_gateway_capacityCapacity (instance count) for the private Application Gateway.2number
private_app_gateway_nameName of the private Application Gateway.my-ingress-appgwstring
private_app_gateway_skuSKU (service tier) for the private Application Gateway.WAF_v2stringStandard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, WAF_v2)
private_app_gateway_tierTier (performance level) for the private Application Gateway.WAF_v2stringStandard, Standard_v2, WAF, WAF_v2
private_app_gateway_zonesAvailability zones for the private Application Gateway.["1", "2", "3"]'list["1", "2", "3"]'
private_app_gateway_private_fe_addressPrivate IP address for the frontend of the private Application Gateway.10.11.16.10string
private_app_gateway_waf_enabledEnable or disable Web Application Firewall (WAF) for the private Application Gateway.truebooltrue, false
private_app_gateway_waf_firewall_modeFirewall mode for the WAF in the private Application Gateway.PreventionstringDetection, Prevention
private_app_gateway_waf_rule_set_typeType of WAF rule set for the private Application Gateway.OWASPstringOWASP, Microsoft_BotManagerRuleSet
private_app_gateway_waf_rule_set_versionVersion of the WAF rule set for the private Application Gateway.3.2string0.1, 1.0, 2.2.9, 3.0, 3.1, 3.2
private_app_gateway_ssl_policy_typeSpecifies the type of SSL policy for the private Application Gateway.PredefinedstringPredefined, Custom, CustomV2
private_app_gateway_ssl_policynameSpecifies the name of the SSL policy for the private Application Gateway.AppGwSslPolicy20220101SstringAppGwSslPolicy20150501, AppGwSslPolicy20220101, AppGwSslPolicy20220101S, AppGwSslPolicy20170401, AppGwSslPolicy20170401S
private_app_gateway_diagnostic_log_enableEnable or disable diagnostic logs for the private Application Gateway.truebooltrue, false
private_app_gateway_diagnostic_log_nameName of the diagnostic logs setting for the private Application Gateway.my-ingress-appgw-logsstring
private_app_gateway_log_archive_enableSpecifies whether archiving of diagnostic logs for private Application Gateway is enabledtruebooltrue, false
private_app_gateway_diagnostic_log_destination_typeSpecifies the type of destination for diagnostic logs generated by private Application Gateway.DedicatedstringAzureDiagnostics. Dedicated
private_app_gateway_diagnostic_log_category_groupCategory of diagnostic logs to enable for the private Application Gateway.allLogsstringallLogs
frontdoor_profile_resource_guidId of the existing frontdoor which needs to be whitelisted in the application gateway custom WAF rule.nullstring
| require_main_public_app_gateway | Whether main public app gateway is required | false | bool | true, false |
| main_public_app_gateway_public_ip_name | Name of the public IP associated with the main public Application Gateway. | my-main-app-gw-pub-ip | string | |
| main_public_app_gateway_public_ip_allocation_method | Allocation method for the public IP of the main public Application Gateway. | Static | string | Dynamic, Static |
| main_public_app_gateway_public_ip_sku | SKU (service tier) for the public IP of the main public Application Gateway. | Standard | string | Basic, Standard |
| main_public_app_gateway_public_ip_ddos_protection_mode | DDoS protection mode for the public IP of the main public Application Gateway. | Disabled | string | Enabled, Disabled |
| main_public_app_gateway_public_ip_zones | Availability zones for the public IP of the main public Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
| main_public_app_gateway_capacity | Capacity (instance count) for the main public Application Gateway. | 2 | number | number |
| main_public_app_gateway_name | Name of the main public Application Gateway. | my-main-app-gw | string | |
| main_public_app_gateway_sku | SKU (service tier) for the main public Application Gateway. | WAF_v2 | string | Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, WAF_v2 |
| main_public_app_gateway_tier | Tier (performance level) for the main public Application Gateway. | WAF_v2 | string | Standard, Standard_v2, WAF, WAF_v2 |
| main_public_app_gateway_zones | Availability zones for the main public Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
| main_public_app_gateway_waf_enabled | Enable or disable Web Application Firewall (WAF) for the main public Application Gateway. | true | bool | true, false |
| main_public_app_gateway_waf_firewall_mode | Firewall mode for the WAF in the main public Application Gateway. | Prevention | string | Detection, Prevention |
| main_public_app_gateway_waf_rule_set_type | Type of WAF rule set for the main public Application Gateway. | OWASP | string | OWASP, Microsoft_BotManagerRuleSet |
| main_public_app_gateway_waf_rule_set_version | Version of the WAF rule set for the main public Application Gateway. | 3.2 | string | 0.1, 1.0, 2.2.9, 3.0, 3.1, 3.2 |
| main_public_app_gateway_ssl_policy_type | Specifies the type of SSL policy for the main public Application Gateway. | Predefined | string | Predefined, Custom, CustomV2 |
| main_public_app_gateway_ssl_policyname | Specifies the name of the SSL policy for the main public Application Gateway. | AppGwSslPolicy20220101S | string | AppGwSslPolicy20150501, AppGwSslPolicy20220101, AppGwSslPolicy20220101S, AppGwSslPolicy20170401, AppGwSslPolicy20170401S |
| main_public_app_gateway_diagnostic_log_enable | Enable or disable diagnostic logs for the main public Application Gateway. | true | bool | true, false |
| main_public_app_gateway_diagnostic_log_name | Name of the diagnostic logs setting for the main public Application Gateway. | my-main-app-gw-logs | string | |
| main_public_app_gateway_log_archive_enable | Specifies whether archiving of diagnostic logs for main public Application Gateway is enabled | true | bool | true, false |
| main_public_app_gateway_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by main public Application Gateway. | Dedicated | string | AzureDiagnostics, Dedicated |
| main_public_app_gateway_diagnostic_log_category_group | Category of diagnostic logs to enable for the main public Application Gateway. | allLogs | string | allLogs |
| storage_account_name | Name of the Azure Storage Account for nsg flow logs. | mynsglogsstorage | string | |
| storage_account_tier | Tier for the Azure Storage Account for nsg flow logs. | Standard | string | Standard, Premium |
| storage_account_kind | Kind of the Azure Storage Account for nsg flow logs. | StorageV2 | string | BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2 |
| storage_account_replication_type | Replication type for the Azure Storage Account for nsg flow logs. | GRS | string | LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS |
| storage_account_access_tier | Access tier for the Azure Storage Account for nsg flow logs. | Hot | string | Hot, Cool |
| storage_account_public_network_access_enabled | Enable or disable public network access for the Azure Storage Account for nsg flow logs. | true | bool | true, false |
| storage_account_diagnostic_log_enable | Enable or disable diagnostic logs for the Azure Storage Account for nsg flow logs. | true | bool | true, false |
| storage_account_diagnostic_log_name | Name of the diagnostic logs setting for the Azure Storage Account for nsg flow logs. | my-sa-logs | string | |
| storage_account_diagnostic_log_category_group | Specifies whether archiving of diagnostic logs for Azure Storage Account is enabled for nsg flow logs. | true | bool | true, false |
| storage_account_diagnostic_log_archive_enable | Specifies the type of destination for diagnostic logs generated by Azure Storage Account for nsg flow logs. | Dedicated | string | AzureDiagnostics, Dedicated |
| storage_account_diagnostic_log_category_group | Category of diagnostic logs to enable for the Azure Storage Account for nsg flow logs. | allLogs | string | allLogs |
| storage_account_shared_access_key_enabled | Controls whether shared access keys are enabled for the storage account for nsg flow logs. | false | bool | true, false |
| storage_account_allow_nested_items_to_be_public | Indicates whether nested items within containers can have public access | false | bool | true, false |
| storage_account_enable_https_traffic_only | Enables HTTPS-only access to the storage account for nsg flow logs. | true | bool | true, false |
| storage_account_infra_encryption_enabled | Enables infrastructure encryption for the storage account for nsg flow logs. | true | bool | true, false |
| storage_account_min_tls_version | Specifies the minimum TLS version required for connections to the storage account for nsg flow logs. | TLS1_2 | string | TLS1_0, TLS1_1, TLS1_2 |
| storage_account_uaid_name | Name of the user-assigned identity for storage account for nsg flow logs. | my-sa-uaid | string | |
| storage_account_key_name | Name of the key for storage account user-assigned identity | my-sa-uaid-key | string | |
| storage_account_key_type | Type of the key for nsg flow log storage account user-assigned identity | RSA | string | RSA |
| storage_account_key_size | Size of the key for nsg flow log storage account user-assigned identity | 2048 | number | 2048, 3072, 4096 |
| storage_account_key_opts | Options for the key for nsg flow log storage account user-assigned identity | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| storage_account_key_expire_after | Expiry duration for the key for nsg flow log storage account user-assigned identity | P24M | string | Duration in ISO 8601 format |
| storage_account_key_rotation_time_before_expiry | Time before expiry to start key rotation for nsg flow log storage account identity | P22M | string | Duration in ISO 8601 format |
| storage_account_key_notify_before_expiry | Time before expiry to notify for key rotation for nsg flow log storage account identity | P21M | string | Duration in ISO 8601 format |
| storage_account_delete_retention_days | Specifies the number of days that the blob should be retained in nsg flow log storage account | 7 | number | 1-365 |
| storage_account_container_delete_retention_days | Specifies the number of days that the container should be retained in nsg flow storage account | 7 | number | 1-365 |
| storage_account_private_endpoint_enable | Enable or Disable private endpoint for nsg flow log storage account. | false | bool | true, false |
| storage_account_private_endpoint_name | Name of the private endpoint for nsg flow log storage account. | my-sa-pvep | string | |
| storage_account_private_service_connection_name | Name of the private service connection for nsg flow log storage account. | my-sa-svc | string | |
| storage_account_private_service_is_manual_connection | Enable or disable manual private service connection for nsg flow log storage account. | false | bool | true, false |
| storage_account_private_service_subresource | List of subresources for the private service connection. | ["blob"] | list(string) | ["blob"] |
| storage_account_private_dns_zone | Private DNS zone for nsg flow log storage account. | privatelink.blob.cache.windows.net | string | privatelink.blob.cache.windows.net |
| storage_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone. | my-sa-vnet-link | string | |
| storage_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record in seconds. | 300 | number | |
| storage_account_network_default_action | Default action for network traffic to nsg flow storage account | Deny | string | Deny, Allow |
| storage_account_network_ip_rules | List of IP addresses allowed to access the nsg flow storage account | ["45.127.59.60/32"] | list | |
| storage_account_network_bypass | List of network traffic types to bypass | ["AzureServices"] | list(string) | AzureServices, None |
| storage_account_key_expiration_date | Expiration date for the storage account key | "2024-12-31T11:59:59.000Z" | string | |
| security_center_contact_email_enable | Enable or disable security center contact email | false | bool | true, false |
| security_center_contact_name | Name of the security center contact | user1contact | string | |
| security_center_contact_email | Email address for security center contact | user1@example.com | string | |
| security_center_alert_notifications | Enable or disable security center alert notifications | true | bool | true, false |
| security_center_alerts_to_admins | Enable or disable sending security center alerts to admins | true | bool | true, false |
| log_archive_enable | Enable or disable log archiving | true | bool | true, false |
| log_archive_storage_accountname | Name of the storage account for log archiving | logarchivestorage | string | |
| log_archive_storage_account_tier | Storage account tier for log archiving | Standard | string | Standard, Premium |
| log_archive_storage_account_kind | Storage account kind for log archiving | StorageV2 | string | BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2 |
| log_archive_storage_account_replication_type | Replication type for the log archiving storage account. | GRS | string | LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS |
| log_archive_storage_account_access_tier | Access tier for the log archiving storage account. | Cool | string | Hot, Cool |
| log_archive_storage_account_public_network_access_enabled | Enable or disable public network access for the storage account for log archive. | true | bool | true, false |
| log_archive_storage_account_versioning_enabled | Enable or disable versioning for the storage account used for log archive. | true | bool | true, false |
| log_archive_storage_account_network_default_action | Default action for network traffic to log archive storage account | Deny | string | Deny, Allow |
| log_archive_storage_account_network_ip_rules | List of IP addresses allowed to access the log archive storage account | ["45.127.59.60/32"] | list | |
| log_archive_storage_account_network_bypass | List of network traffic types to bypass | ["AzureServices"] | list(string) | AzureServices, None |
| log_archive_storage_account_shared_access_key_enabled | Whether shared access keys are enabled for the log archive storage account. | false | bool | true, false |
| log_archive_storage_account_allow_nested_items_to_be_public | Whether nested items within the log archive storage account, such as blobs within containers, are allowed to be made public. | false | bool | true, false |
| log_archive_storage_account_lifecycle_rule_name | Name of the lifecycle rule for log archiving storage account. | rule1 | string | |
| log_archive_storage_account_lifecycle_rule_enabled | Enable or disable the lifecycle rule for log archiving storage account. | true | bool | true, false |
| log_archive_storage_account_lifecycle_rule_blob_types | List of blob types to apply the lifecycle rule to | ["blockBlob", "appendBlob"] | list(string) | ["blockBlob", "appendBlob"] |
| log_archive_storage_account_lifecycle_rule_delete_base_blob_after_days | Number of days to keep the base blob before deleting | 365 | number | |
| log_archive_storage_account_lifecycle_rule_delete_snapshot_after_days | Number of days to keep the blob snapshot before deleting | 365 | number | |
| log_archive_storage_account_lifecycle_rule_delete_version_after_days | Number of days to keep the blob version before deleting | 365 | number | |
| log_archive_storage_account_enable_https_traffic_only | Enables HTTPS-only access to the log archive storage account. | true | bool | true, false |
| log_archive_storage_account_infra_encryption_enabled | Enables infrastructure encryption for the log archive storage account. | true | bool | true, false |
| log_archive_storage_account_min_tls_version | Specifies the minimum TLS version required for connections to the log archive storage account. | TLS1_2 | string | TLS1_0, TLS1_1, TLS1_2 |
| log_archive_storage_account_uaid_name | Name of the user-assigned identity for log archive storage account. | my-log-archive-sa-uaid | string | |
| log_archive_storage_account_key_name | Name of the key for log archive storage account user-assigned identity | my-log-archive-sa-uaid-key | string | |
| log_archive_storage_account_key_type | Type of the key for log archive storage account user-assigned identity | RSA | string | RSA |
| log_archive_storage_account_key_size | Size of the key for log archive storage account user-assigned identity | 2048 | number | 2048, 3072, 4096 |
| log_archive_storage_account_key_opts | Options for the key for log archive storage account user-assigned identity | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| log_archive_storage_account_key_expire_after | Expiry duration for the key for log archive storage account user-assigned identity | P24M | string | Duration in ISO 8601 format |
| log_archive_storage_account_key_rotation_time_before_expiry | Time before expiry to start key rotation for log archive storage account identity | P22M | string | Duration in ISO 8601 format |
| log_archive_storage_account_key_notify_before_expiry | Time before expiry to notify for key rotation for log archive storage account identity | P21M | string | Duration in ISO 8601 format |
| log_archive_storage_account_key_expiration_date | Expiration date for the storage account key used for log archival | "2024-12-31T11:59:59.000Z" | string | |
| log_archive_storage_account_delete_retention_days | Specifies the number of days that the blob should be retained in log archive storage account | 7 | number | 1-365 |
| log_archive_storage_account_container_delete_retention_days | Specifies the number of days that the container should be retained in log archive storage account | 7 | number | 1-365 |
| log_archive_storage_account_private_endpoint_enable | Enable or Disable private endpoint for log archive storage account. | false | bool | true, false |
| log_archive_storage_account_private_endpoint_name | Name of the private endpoint for log archive storage account. | my-log-archive-sa-pvep | string | |
| log_archive_storage_account_private_service_connection_name | Name of the private service connection for log archive storage account. | my-log-archive-sa-svc | string | |
| log_archive_storage_account_private_service_is_manual_connection | Enable or disable manual private service connection for log archive storage account. | false | bool | true, false |
| log_archive_storage_account_private_service_subresource | List of subresources for the private service connection. | ["blob"] | list(string) | ["blob"] |
| log_archive_storage_account_private_dns_zone | Private DNS zone for log archive storage account. | privatelink.blob.cache.windows.net | string | privatelink.blob.cache.windows.net |
| log_archive_storage_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone. | my-log-archive-sa-vnet-link | string | |
| log_archive_storage_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record in seconds. | 300 | number | |
| require_sql | Whether SQL resources are required | true | bool | true, false |
| sql_storage_account_name | Name of the storage account for SQL audit logs | sqlauditlogsstorage | string | |
| sql_storage_account_kind | Storage account kind for SQL audit logs | StorageV2 | string | Standard, Premium |
| sql_storage_account_tier | Storage account tier for SQL audit logs | Standard | string | BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2 |
| sql_storage_account_replication_type | Storage account replication type for SQL audit logs | GRS | string | LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS |
| sql_storage_account_access_tier | Access tier for SQL audit logs Storage account | Hot | string | Hot, Cool |
| sql_storage_account_public_network_access_enabled | Enable or disable public network access for the sql audit logs storage account | true | bool | true, false |
| sql_storage_account_network_default_action | Default action for network traffic to sql audit logs storage account | Deny | string | Deny, Allow |
| sql_storage_account_network_ip_rules | List of IP addresses allowed to access the sql audit logs storage account | ["45.127.59.60/32"] | list | |
| sql_storage_account_network_bypass | List of network traffic types to bypass | ["AzureServices"] | list(string) | AzureServices, None |
| sql_storage_account_shared_access_key_enabled | List of network traffic types to bypass | ["AzureServices"] | list(string) | AzureServices, None |
| sql_storage_account_allow_nested_items_to_be_public | Whether shared access keys are enabled for the sql audit logs Storage Account. | false | bool | true, false |
| sql_storage_account_enable_https_traffic_only | Enables HTTPS-only access to the sql audit logs storage account. | true | bool | true, false |
| sql_storage_account_infra_encryption_enabled | Enables infrastructure encryption for the sql audit logs storage account. | true | bool | true, false |
| sql_storage_account_min_tls_version | Specifies the minimum TLS version required for connections to the sql audit logs storage account. | TLS1_2 | string | TLS1_0, TLS1_1, TLS1_2 |
| sql_storage_account_uaid_name | Name of the user-assigned identity for sql audit logs storage account. | my-sql-audit-sa-uaid | string | |
| sql_storage_account_key_name | Name of the key for sql audit logs storage account user-assigned identity | my-sql-audit-uaid-key | string | |
| sql_storage_account_key_type | Type of the key for sql audit logs storage account user-assigned identity | RSA | string | RSA |
| sql_storage_account_key_size | Size of the key for sql audit logs storage account user-assigned identity | 2048 | number | 2048, 3072, 4096 |
| sql_storage_account_key_opts | Options for the key for sql audit logs storage account user-assigned identity | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| sql_storage_account_key_expire_after | Expiry duration for the key for sql audit logs storage account user-assigned identity | P24M | string | Duration in ISO 8601 format |
| sql_storage_account_key_rotation_time_before_expiry | Time before expiry to start key rotation for sql audit logs storage account identity | P22M | string | Duration in ISO 8601 format |
| sql_storage_account_key_notify_before_expiry | Time before expiry to notify for key rotation for sql audit logs storage account identity | P21M | string | Duration in ISO 8601 format |
| sql_storage_account_key_expiration_date | Expiration date for the storage account key used for sql audit logs | "2024-12-31T11:59:59.000Z" | string | |
| sql_storage_account_delete_retention_days | Specifies the number of days that the blob should be retained in sql audit logs storage account | 7 | number | 1-365 |
| sql_storage_account_container_delete_retention_days | Specifies the number of days that the container should be retained in sql audit logs storage account | 7 | number | 1-365 |
| sql_storage_account_private_endpoint_enable | Enable or Disable private endpoint for sql audit logs storage account. | false | bool | true, false |
| sql_storage_account_private_endpoint_name | Name of the private endpoint for sql audit logs storage account. | my-sql-audit-sa-pvep | string | |
| sql_storage_account_private_service_connection_name | Name of the private service connection for sql audit logs storage account. | my-sql-audit-sa-svc | string | |
| sql_storage_account_private_service_is_manual_connection | Enable or disable manual private service connection for sql audit logs storage account. | false | bool | true, false |
| sql_storage_account_private_service_subresource | List of subresources for the private service connection. | ["blob"] | list(string) | ["blob"] |
| sql_storage_account_private_dns_zone | Private DNS zone for sql audit logs storage account. | privatelink.blob.cache.windows.net | string | privatelink.blob.cache.windows.net |
| sql_storage_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone. | my-sql-audit-sa-vnet-link | string | |
| sql_storage_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record in seconds. | 300 | number | |
| sql_server_vnet_subnet1_aks_rule_name | Name of the rule for SQL server to VNet subnet 1 communication | sql-vnet-rule1 | string | |
| sql_server_vnet_subnet3_services_rule_name | Name of the rule for SQL server to VNet subnet 3 communication | sql-vnet-rule2 | string | |
| sql_server_uaid_name | Name of the user-assigned identity for SQL server | sql-uaid | string | |
| sql_server_key_name | Name of the key for SQL server user-assigned identity | sql-uaid-key | string | |
| sql_server_key_type | Type of the key for SQL server user-assigned identity | RSA | string | RSA |
| sql_server_key_size | Size of the key for SQL server user-assigned identity | 2048 | number | 2048, 3072, 4096 |
| sql_server_key_opts | Options for the key for SQL server user-assigned identity | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| sql_server_key_expire_after | Expiry duration for the key for SQL server user-assigned identity | P24M | string | Duration in ISO 8601 format |
| sql_server_key_rotation_time_before_expiry | Time before expiry to start key rotation for SQL server identity | P22M | string | Duration in ISO 8601 format |
| sql_server_key_notify_before_expiry | Time before expiry to notify for key rotation for SQL server identity | P21M | string | Duration in ISO 8601 format |
| sql_server_name | Name of the SQL server | sql-server | string | |
| sql_server_version | Version of the SQL server | 12 | string | 2.0, 12.0 |
| sql_admin_user_name | Name of the admin user for SQL server | admin | string | |
| sql_server_minimum_tls_version | Minimum TLS version for SQL server | 1.2 | string | 1.0, 1.1, 1.2, Disabled |
| sql_server_identity_type | Type of identity for SQL server (UserAssigned or SystemAssigned) | UserAssigned | string | UserAssigned, SystemAssigned |
| sql_server_azuread_authentication_only | Enable or disable Azure AD authentication only for SQL server | false | bool | true, false |
| sql_server_audit_enable | Enable or disable SQL server audit | false | bool | true, false |
| sql_server_audit_logs_retention_in_days | Number of days to retain SQL server audit logs | 90 | number | |
| sql_server_security_alert_policy_state | State of the security alert policy for SQL server | Enabled | string | Enabled, Disabled |
| sql_db_configs | List of SQL databases and its configurations | [{"name": "database1","collation": "SQL_Latin1_General_CP1_CI_AS","min_capacity": 0.5,"max_size_gb": 4,"auto_pause_delay_in_minutes": "-1","sku_name": "GP_S_Gen5_2","storage_account_type": "Local","transparent_data_encryption_enabled": true,"zone_redundant": false,"retention_days": 7,"backup_interval_in_hours": 12,"weekly_retention": "P1W","monthly_retention": "P1M","yearly_retention": "P1Y","week_of_year": 1,"diagnostic_log_enable": true,"diagnostic_log_archive_enable": true,"diagnostic_log_destination_type": "Dedicated","diagnostic_log_category_group": "allLogs","audit_enable": false,"audit_logs_retention_in_days": 90,}] | map(json) | It should consist of name, collation, min_capacity, max_size_gb, auto_pause_delay_in_minutes, sku_name, storage_account_type, transparent_data_encryption_enabled, zone_redundant, retention_days, backup_interval_in_hours, weekly_retention, monthly_retention, yearly_retention, week_of_year, diagnostic_log_enable, diagnostic_log_archive_enable, diagnostic_log_destination_type, diagnostic_log_category_group, audit_enable, audit_logs_retention_in_days for each database. |
| sql_server_firewall_rules | List of SQL server firewall rules | {rule1 = {"name": "Rule1","start_ip_address": "45.127.59.60","end_ip_address": "45.127.59.60"},rule2 = {"name": "Rule2","start_ip_address": "45.127.59.61","end_ip_address": "45.127.59.61"}} | map(json) | It should consist of name, start_ip_address, end_ip_address for each rule. |
| sql_server_private_endpoint_name | Name of the private endpoint for SQL server | my-sql-pvep | string | |
| sql_server_private_service_connection_name | Name of the private service connection for SQL server | my-sql-svc | string | |
| sql_server_private_service_is_manual_connection | Enable or disable manual private service connection for SQL server | false | bool | true, false |
| sql_server_private_service_subresource | List of subresources for the private service connection | ["sqlServer"] | list(string) | ["sqlServer"] |
| sql_server_private_dns_zone | Private DNS zone for SQL server | privatelink.database.windows.net | string | privatelink.database.windows.net |
| sql_server_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone | my-sql-vnet-link | string | |
| sql_server_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record | 300 | number | |
| sql_server_key_expiration_date | Expiration date for the key used for SQL server encryption. | "2024-12-31T11:59:59.000Z" | string | |
| sql_server_vulnerability_assessment_container_name | Name of the storage container for vulnerability assessment | mysqlvulnerabilitycontainer | string | |
| sql_server_vulnerability_assessment_container_access_type | Access type for the storage container | private | string | |
| sql_server_vulnerability_assessment_enable | Flag to enable/disable vulnerability assessment for SQL Server | true | bool | true, false |
| sql_server_vulnerability_assessment_recurring_scans_enable | Flag to enable/disable recurring scans for vulnerability assessment | true | bool | true, false |
| sql_server_vulnerability_assessment_email_admins | Flag to enable sending emails to administrators for vulnerability assessment | true | bool | true, false |
| sql_server_vulnerability_assessment_emails | List of emails for vulnerability assessment notifications | ["user1@example.com"] | list | |
| sql_server_public_network_access_enabled | Whether public network access is allowed for this server | true | bool | true, false |
| require_redis | Whether Redis is required | true | bool | true, false |
| redis_uaid_name | Name of the user-assigned identity for Redis | my-redis-uaid | string | |
| redis_name | Name of the Redis cache | my-redis | string | |
| redis_capacity | Capacity of the Redis cache | 2 | number | 0, 1, 2, 3, 4, 5, 6 |
| redis_family | Family of the Redis cache | C | string | C, P |
| redis_sku | SKU of the Redis cache | Standard | string | Basic, Standard, Premium |
| redis_enable_non_ssl_port | Enable or disable non-SSL port | false | bool | true, false |
| redis_minimum_tls_version | Minimum TLS version for Redis cache | 1.0 | string | 1.0, 1.1, 1.2 |
| redis_public_network_access_enabled | Enable or disable public network access for Redis cache | false | bool | true, false |
| redis_version | Version of the Redis cache | 6 | string | 4, 6 |
| redis_identity_type | Type of identity for Redis cache | SystemAssigned, UserAssigned | string | SystemAssigned, UserAssigned |
| redis_enable_authentication | Enable or disable authentication for Redis cache | true | bool | true, false |
| redis_maxmemory_reserved | Maximum memory reserved for Redis cache | 299 | number | |
| redis_maxmemory_delta | Maximum memory delta for Redis cache | 299 | number | |
| redis_maxfragmentationmemory_reserved | Maximum fragmentation memory reserved for Redis cache | 299 | number | |
| redis_firewall_rules | Map of Redis firewall rules | {rule1 = {"name": "Rule1","start_ip": "45.127.59.60","end_ip": "45.127.59.60"},rule2 = {"name": "Rule2","start_ip": "45.127.59.61","end_ip": "45.127.59.61"}} | map(json) | It should consist of name, start_ip, end_ip for each rule. |
| redis_private_endpoint_name | Name of the private endpoint for Redis cache | my-redis-pvep | string | |
| redis_private_endpoint_service_connection_name | Name of the private service connection for Redis cache | my-redis-svc | string | |
| redis_private_service_is_manual_connection | Enable or disable manual private service connection for Redis cache | false | bool | true, false |
| redis_private_service_connection_subresource | List of subresources for the private service connection | ["redisCache"] | list(string) | ["redisCache"] |
| redis_private_dns_zone | Private DNS zone for Redis cache | privatelink.redis.cache.windows.net | string | privatelink.redis.cache.windows.net |
| redis_dns_virtual_network_link_name | Name of the VNet link for the private DNS zone | my-redis-vnet-link | string | |
| redis_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record | 300 | number | |
| redis_diagnostic_log_enable | Enable or disable diagnostic logs for Redis cache | true | bool | true, false |
| redis_diagnostic_log_name | Name of the diagnostic log for Redis cache | my-redis-logs | string | |
| redis_diagnostic_log_archive_enable | Enable or disable diagnostic log archiving for Redis cache | true | bool | true, false |
| redis_diagnostic_log_destination_type | Destination type for diagnostic logs for Redis cache | Dedicated | string | AzureDiagnostics, Dedicated |
| redis_diagnostic_log_category_group | Category group for diagnostic logs for Redis cache | allLogs | string | audit, allLogs |
| require_cosmos_account | Whether a Cosmos account is required | true | bool | true, false |
| cosmos_account_uaid_name | Name of the user-assigned identity for Cosmos DB | my-cosmos-uaid | string | |
| cosmos_account_principal_id | Principal ID for Cosmos DB account | 12343e2c-4a64-4859-af9c-a575230100be | string | 12343e2c-4a64-4859-af9c-a575230100be |
| cosmos_account_key_name | Name of the key for Cosmos DB user-assigned identity | my-cosmos-key | string | |
| cosmos_account_key_type | Type of the key for Cosmos DB user-assigned identity | RSA | string | RSA |
| cosmos_account_key_size | Size of the key for Cosmos DB user-assigned identity | 3072 | number | 3072, 4096 |
| cosmos_account_key_opts | Options for the key for Cosmos DB user-assigned identity | ["unwrapKey", "wrapKey", "encrypt", "decrypt", "sign", "verify"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| cosmos_account_key_rotation_time_before_expiry | Time before expiry to start key rotation for Cosmos DB identity | P22M | string | Duration in ISO 8601 format |
| cosmos_account_key_expire_after | Expiry duration for the key for Cosmos DB identity | P24M | string | Duration in ISO 8601 format |
| cosmos_account_key_notify_before_expiry | Time before expiry to notify for key rotation for Cosmos DB identity | P21M | string | Duration in ISO 8601 format |
| cosmos_account_name | Name of the Cosmos DB account | mycosmos | string | |
| cosmos_account_offer_type | Offer type for Cosmos DB account | Standard | string | Standard |
| cosmos_account_kind | Kind of Cosmos DB account | MongoDB | string | GlobalDocumentDB, MongoDB, Parse |
| cosmos_account_mongo_version | MongoDb version for the Cosmos DB account | 4.2 | string | 4.2, 4.0, 3.6, 3.2 |
| cosmos_account_enable_automatic_failover | Enable or disable automatic failover for Cosmos DB account | false | bool | true, false |
| cosmos_account_ip_range_filter | IP range filter for Cosmos DB account | 104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26,35 | string | 104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26,35 |
| cosmos_account_enable_free_tier | Enable or disable free tier for Cosmos DB account | false | bool | true, false |
| cosmos_account_key_expiration_date | Expiration date for the key used for cosmos account encryption. | "2024-12-31T11:59:59.000Z" | string | |
| cosmos_account_analytical_storage_enabled | Enable or disable analytical storage for Cosmos DB account | false | bool | true, false |
| cosmos_account_public_network_access_enabled | Enable or disable public network access for Cosmos DB account | true | bool | true, false |
| cosmos_account_enable_multiple_write_locations | Enable or disable multiple write locations for Cosmos DB account | true | bool | true, false |
| cosmos_account_access_key_metadata_writes_enabled | Enable or disable access key metadata writes for Cosmos DB account | true | bool | true, false |
| cosmos_account_network_acl_bypass_for_azure_services | Enable or disable network ACL bypass for Azure services for Cosmos DB account | true | bool | true, false |
| cosmos_account_local_authentication_disabled | Enable or disable local authentication for Cosmos DB account | false | bool | true, false |
| cosmos_account_is_virtual_network_filter_enabled | Enable or disable virtual network filter for Cosmos DB account | true | bool | true, false |
| cosmos_account_consistency_level | Consistency level for Cosmos DB account | BoundedStaleness | string | BoundedStaleness, Eventual, Session, Strong, ConsistentPrefix |
| cosmos_account_max_interval_in_seconds | Maximum interval in seconds for Bounded Staleness consistency level | 300 | number | |
| cosmos_account_max_staleness_prefix | Maximum staleness prefix for Bounded Staleness consistency level | 100000 | number | |
| cosmos_account_total_throughput_limit | Total throughput limit for Cosmos DB account | -1 | number | Any positive integer or -1 for unlimited throughput |
| cosmos_account_backup_type | Backup type for Cosmos DB account | Periodic | string | Periodic |
| cosmos_account_backup_interval_in_minutes | Backup interval in minutes for Cosmos DB account | 240 | number | |
| cosmos_account_backup_retention_in_hours | Backup retention in hours for Cosmos DB account | 8 | number | |
| cosmos_account_backup_storage_redundancy | Storage redundancy for Cosmos DB account backup | Geo | string | Geo, Local, Zone |
| cosmos_account_identity_type | Type of identity for Cosmos DB account | SystemAssigned, UserAssigned | string | SystemAssigned, UserAssigned |
| cosmos_account_capabilities | List of capabilities for Cosmos DB account | ["EnableAggregationPipeline", "DisableRateLimitingResponses", "EnableMongo"] | list(string) | AllowSelfServeUpgradeToMongo36, DisableRateLimitingResponses, EnableAggregationPipeline, EnableCassandra, EnableGremlin, EnableMongo, EnableMongo16MBDocumentSupport, EnableMongoRetryableWrites, EnableMongoRoleBasedAccessControl, EnablePartialUniqueIndex, EnableServerless, EnableTable, EnableTtlOnCustomPath, EnableUniqueCompoundNestedDocs, MongoDBv3.4, mongoEnableDocLevelTTL |
| cosmos_account_geo_locations | Map of geographical locations for Cosmos DB account | {location1 = {"location": "eastus","failover_priority": 0,"zone_redundant": true}} | map(json) | It should consist of location, failover_priority, zone_redundant for each location. |
| require_cosmos_sql_db | Flag to indicate whether Cosmos DB SQL databases are required | false | bool | true, false |
| cosmos_sql_db_configs | Configuration for Cosmos DB SQL databases | [{"name": "database1","throughput": 400,"autoscale_max_throughput": null,}] | map(json) | It should consist of name, throughput, autoscale_max_throughput for each database. |
| require_cosmos_mongo_db | Flag to indicate whether Cosmos DB MongoDB databases are required | true | bool | true, false |
| cosmos_mongo_db_configs | Configuration for Cosmos DB MongoDB databases | [{"name": "database1","throughput": 400,"autoscale_max_throughput": null,}] | map(json) | It should consist of name, throughput, autoscale_max_throughput for each database. |
| cosmos_account_private_endpoint_name | Name of the private endpoint for Cosmos DB account | my-cosmos-pvep | string | |
| cosmos_account_private_service_connection_name | Name of the private service connection for Cosmos DB account | my-cosmos-svc | string | |
| cosmos_account_private_service_is_manual_connection | Enable or disable manual private service connection for Cosmos DB account | false | bool | true, false |
| cosmos_account_private_service_subresource | List of subresources for the private service connection | ["MongoDB"] | list(string) | ["SQL"], ["MongoDB"] |
| cosmos_account_private_dns_zone | Private DNS zone for Cosmos DB account | privatelink.mongo.cosmos.azure.com | string | privatelink.mongo.cosmos.azure.com |
| cosmos_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone | my-cosmos-vnet-link | string | |
| cosmos_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record | 300 | number | |
| cosmos_account_diagnostic_log_enable | Enable or disable diagnostic logs for Cosmos DB account | true | bool | true, false |
| cosmos_account_diagnostic_log_name | Name of the diagnostic log for Cosmos DB account | my-cosmos-logs | string | |
cosmos_account_diagnostic_log_archive_enableEnable or disable diagnostic log archiving for Cosmos DB accounttruebooltrue, false
cosmos_account_diagnostic_log_destination_typeDestination type for diagnostic logs for Cosmos DB accountDedicatedstringAzureDiagnostics. Dedicated
cosmos_account_diagnostic_log_category_groupCategory group for diagnostic logs for Cosmos DB accountallLogsstringallLogs, audit
| require_frontdoor | Whether Azure Front Door is required | true | bool | true, false |
| frontdoor_profile_name | Name of the Azure Front Door profile | my-frontdoor-cdn-profile | string | |
| frontdoor_profile_sku | SKU (Pricing Tier) for Azure Front Door profile | Premium_AzureFrontDoor | string | Standard_AzureFrontDoor, Premium_AzureFrontDoor |
| frontdoor_diagnostic_log_enable | Enable or disable diagnostic logs for Azure Front Door | true | bool | true, false |
| frontdoor_diagnostic_log_name | Name of the diagnostic log for Azure Front Door | my-frontdoor-logs | string | |
| frontdoor_diagnostic_log_archive_enable | Enable or disable diagnostic log archiving for Azure Front Door | true | bool | true, false |
| frontdoor_diagnostic_log_destination_type | Destination type for diagnostic logs for Azure Front Door | Dedicated | string | AzureDiagnostics, Dedicated |
| frontdoor_diagnostic_log_category_group | Category group for diagnostic logs for Azure Front Door | allLogs | string | allLogs, audit |
| require_servicebus | Whether Azure Service Bus is required | true | bool | true, false |
| servicebus_name | Name of the Service Bus | myservicebus | string | |
| servicebus_sku | SKU of the Service Bus | Standard | string | Basic, Standard, Premium |
| servicebus_capacity | Capacity of the Service Bus | 0 | number | 0, 1, 2, 4, 8, 16 |
| servicebus_private_endpoint_name | Name of the private endpoint for Service Bus | my-servicebus-pvep | string | |
| servicebus_private_dns_zone | Private DNS zone for Service Bus | privatelink.servicebus.windows.net | string | privatelink.servicebus.windows.net |
| servicebus_public_network_access_enabled | Enable or disable public network access for Service Bus | true | bool | true, false |
| servicebus_private_service_connection_name | Name of the private service connection for Service Bus | my-servicebus-svc | string | |
| servicebus_private_service_is_manual_connection | Enable or disable manual private service connection for Service Bus | false | bool | true, false |
| servicebus_private_service_connection_subresource | List of subresources for the private service connection | ["namespace"] | list(string) | ["namespace"] |
| servicebus_private_dns_zone_group_name | Name of the Private DNS Zone Group for the Service Bus. | my-servicebus-pv-grp | string | |
| servicebus_dns_virtual_network_link_name | Name of the VNet link for the private DNS zone | my-servicebus-vnet-link | string | |
| servicebus_uaid_name | Name of the user-assigned identity for Service Bus | my-servicebus-uaid | string | |
| servicebus_key_name | Principal ID for Service Bus | 12343e2c-4a64-4859-af9c-a575230100be | string | 12343e2c-4a64-4859-af9c-a575230100be |
| servicebus_key_type | Name of the key for Service Bus user-assigned identity | my-servicebus-key | string | |
| servicebus_key_size | Type of the key for Service Bus user-assigned identity | RSA | string | RSA |
| servicebus_key_opts | Size of the key for Service Bus user-assigned identity | 3072 | number | 3072, 4096 |
| servicebus_key_expiration_date | Options for the key for Service Bus user-assigned identity | ["unwrapKey", "wrapKey", "encrypt", "decrypt", "sign", "verify"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| servicebus_key_rotation_time_before_expiry | Time before expiry to start key rotation for Service Bus identity | P22M | string | Duration in ISO 8601 format |
| servicebus_key_expire_after | Expiry duration for the key for Service Bus identity | P24M | string | Duration in ISO 8601 format |
| servicebus_key_notify_before_expiry | Time before expiry to notify for key rotation for Service Bus identity | P21M | string | Duration in ISO 8601 format |
| servicebus_local_auth_enabled | Whether local authentication is enabled for the Service Bus namespace | true | bool | true, false |
| servicebus_minimum_tls_version | Minimum TLS version for Service Bus | 1.2 | string | 1.0, 1.1, 1.2 |
| servicebus_zone_redundant | Whether the Service Bus namespace is zone redundant | true | bool | true, false |
| servicebus_network_acls_default_action | Default action for network access control lists (ACLs) in Service Bus. | Deny | string | Allow, Deny |
| servicebus_network_acls_ip_rules | IP rules for network access control lists (ACLs) in Service Bus. | ["45.127.59.60/32"] | list | |
| servicebus_identity_type | Type of identity for Service Bus. | SystemAssigned, UserAssigned | string | SystemAssigned, UserAssigned |
| servicebus_diagnostic_log_enable | Enable or disable diagnostic logs for Service Bus | true | bool | true, false |
| servicebus_diagnostic_log_category_group | Category group for diagnostic logs for Service Bus | allLogs | string | allLogs, audit |
| servicebus_diagnostic_log_archive_enable | Enable or disable diagnostic log archiving for Service Bus | true | bool | true, false |
| servicebus_diagnostic_log_destination_type | Destination type for diagnostic logs for Service Bus | Dedicated | string | AzureDiagnostics, Dedicated |
| servicebus_diagnostic_log_name | Name of the diagnostic log for Service Bus | my-servicebus-logs | string | |
| servicebus_topic_configs | Create Service Bus Topics and set its configurations. | [] | map(json) | [{"name": "topic1","status": "Active","auto_delete_on_idle": "P365D","default_message_ttl": "PT10M","duplicate_detection_history_time_window": "PT10M","enable_batched_operations": false,"enable_express": false,"max_size_in_megabytes": 1024,"requires_duplicate_detection": false,"support_ordering": true,"require_subscription": true,"subscription_name": "subscription1_topic1","subscription_max_delivery_count": 10,},] |
| servicebus_queue_configs | Create Service Bus queues and set its configurations. | [] | map(json) | [{"name": "queue1","lock_duration": "PT1M","max_size_in_megabytes": 1024,"requires_duplicate_detection": false,"requires_session": false,"default_message_ttl": "PT10M","dead_lettering_on_message_expiration": false,"duplicate_detection_history_time_window": "PT10M","max_delivery_count": 10,"status": "Active","enable_batched_operations": true,"auto_delete_on_idle": "P365D","enable_express": false,}] |
| private_aks_nodepool_enable_host_encryption | Enable host encryption for a private AKS node pool | true | bool | true, false |
| private_aks_cmk_encryption_enable | Enable Customer Managed Key (CMK) encryption for a private AKS | true | bool | true, false |
| private_aks_key_name | Name of the key used for encryption in a private AKS environment | aks-encry-key | string | |
| private_aks_key_type | Type of key used for encryption in a private AKS environment | RSA | string | RSA |
| private_aks_key_size | Size of the key used for encryption in a private AKS environment | 2048 | number | 2048, 3072, 4096 |
| private_aks_key_opts | Options associated with the key used for encryption in a private AKS environment | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| private_aks_key_expiration_date | Expiration date for the key used in a private AKS environment | "2024-12-31T11:59:59.000Z" | string | |
| private_aks_key_rotation_time_before_expiry | Time before expiration when key rotation should begin in a private AKS environment | P22M | string | Duration in ISO 8601 format |
| private_aks_key_expire_after | Time period after which the key in a private AKS environment should expire | P24M | string | Duration in ISO 8601 format |
| private_aks_key_notify_before_expiry | Notification period before key expiration in a private AKS environment | P21M | string | Duration in ISO 8601 format |
| acr_identity_type | Type of identity associated with an Azure Container Registry (ACR) | SystemAssigned, UserAssigned | string | SystemAssigned, UserAssigned |
| acr_encryption_enable | Enable encryption for an Azure Container Registry (ACR) | true | bool | true, false |
| acr_uaid_name | Name of the user-assigned identity associated with an ACR | test-acr-uaied | string | |
| acr_key_name | Name of the key associated with an ACR | acr-encry-key | string | |
| acr_key_type | Type of key associated with an ACR | RSA | string | RSA |
| acr_key_size | Size of the key associated with an ACR | 2048 | number | 2048, 3072, 4096 |
| acr_key_opts | Options associated with the key associated with an ACR | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
| acr_key_expiration_date | Expiration date for the key associated with an ACR | "2024-12-31T11:59:59.000Z" | string | |
| acr_key_rotation_time_before_expiry | Time before expiration when key rotation should begin for an ACR | P22M | string | Duration in ISO 8601 format |
| acr_key_expire_after | Time period after which the key associated with an ACR should expire | P24M | string | Duration in ISO 8601 format |
| acr_key_notify_before_expiry | Notification period before key expiration for an ACR | P21M | string | Duration in ISO 8601 format |
| log_analytics_cmk_for_query_forced | Force the use of Customer Managed Key (CMK) for query in Log Analytics | true | bool | true, false |
| private_aks_key_set_name | Name of the key set used for encryption in a private AKS environment | aks-key-set | string | |
| private_aks_key_set_auto_rotation | Enable automatic rotation for the key set in a private AKS environment | true | bool | true, false |
| private_aks_key_set_type | Type of key set used for encryption in a private AKS environment | EncryptionAtRestWithPlatformAndCustomerKeys | string | EncryptionAtRestWithPlatformAndCustomerKeys |
| private_aks_key_set_identity_type | Type of identity associated with the key set in a private AKS environment | SystemAssigned | string | SystemAssigned |

Output Parameters

| Output Variable Name | Description |
| --- | --- |
| rg_name | The name of the Azure Resource Group. |
| rg_location | The Azure region where the Resource Group is located. |
| rg_id | The unique identifier (ID) of the Azure Resource Group. |
| log_archive_storage_account_id | The ID of the storage account used for log archiving. |
| virtual_network_id | The ID of the Azure Virtual Network. |
| subnet1_aks_id | The ID of the first subnet used by the Azure Kubernetes Service (AKS). |
| subnet2_appgw_id | The ID of the second subnet used for Application Gateway Ingress Controller (AGIC). |
| subnet3_services_id | The ID of the third subnet used for services. |
| subnet1_aks_address | The address prefix of the first subnet. |
| subnet2_appgw_address | The address prefix of the second subnet for AGIC. |
| subnet3_services_address | The address prefix of the third subnet for services. |
| subnet4_firewall_address | The address prefix of the fourth subnet for the firewall. |
| vnet_address | The CIDR of the Azure Virtual Network. |
| natgw_public_ip | The public IP address of the Network Address Translation (NAT) gateway. |
| natgw_public_ip_prefix | The public IP prefix of the NAT gateway. |
| public_dns_zone_name | The name of the public DNS Zone. |
| public_dns_zone_id | The ID of the public DNS Zone. |
| keyvault_name | The name of the Azure Key Vault. |
| keyvault_id | The ID of the Azure Key Vault. |
| keyvault_private_endpoint_fqdn | The Fully Qualified Domain Name (FQDN) of the private endpoint for the Key Vault. |
| tenant_id | The Azure Active Directory (AAD) tenant ID. |
| subscription_id | The Azure subscription ID where resources are created. |
| sp_client_id | The client ID of the Service Principal used to create resources. |
| acr_username | The username for the Azure Container Registry (ACR). |
| acr_login_server | The login server for the Azure Container Registry (ACR). |
| acr_private_endpoint_fqdn | The Fully Qualified Domain Name (FQDN) of the private endpoint for the Azure Container Registry (ACR). |
| private_aks_name | The name of the private Azure Kubernetes Service (AKS). |
| private_appgw_fe_private_ip | The private IP address of the private Application Gateway used in AKS. |
| private_appgw_fe_public_ip | The public IP address of the public Application Gateway used in AKS. |
| log_analytics_id | The Log Analytics Workspace ID |
| log_analytics_workspace_id | The Workspace ID for the Log Analytics Workspace. |
| main_public_appgw_fe_public_ip | The public IP address of the main public Application Gateway. |
| storage_account_name | The name of the Azure Storage Account used in NSG Flow logs |
| storage_account_id | The ID of the Azure Storage Account used in NSG Flow logs |
| redis_private_endpoint_fqdn | Redis Private endpoint DNS FQDN. |
| redis_id | The ID of the Azure Redis. |
| redis_primary_connection_string | The primary connection string of the Azure Redis. |
| sql_private_endpoint_fqdn | SQL Private endpoint DNS FQDN. |
| sql_server_admin_user | SQL database administrator login ID. |
| sql_database_id | The ID of the SQL Database. |
| sql_database_name | The name of the SQL Database. |
| cosmos_account_id | The unique identifier (ID) of the Cosmos DB account. |
| cosmos_account_endpoint | The endpoint URL of the Cosmos DB account. |
| cosmos_account_write_endpoints | The write endpoints for the Cosmos DB account, representing locations where write operations can be performed. |
| cosmos_account_read_endpoints | The read endpoints for the Cosmos DB account, representing locations where read operations can be performed. |
| cosmos_account_private_endpoint_fqdn | Cosmos DB private endpoint IPv4 Addresses. |
| frontdoor_profile_name | Name of the Azure CDN Front Door Profile |
| frontdoor_profile_resource_guid | ID of the Azure CDN Front Door Profile |
| servicebus_private_endpoint_fqdn | Service Bus Private endpoint DNS FQDN. |
| servicebus_endpoint | Endpoint for the Service Bus |