Azure Windows IIS Stack
Overview
The Azure Windows IIS Stack template is a purpose-built solution designed to streamline the deployment of a resilient and secure infrastructure for hosting classic applications that rely on Microsoft Internet Information Services (IIS). By automating the creation of Windows Virtual Machines (VMs) with pre-installed IIS, this template ensures a hassle-free setup for organizations seeking a robust hosting environment. The VMs are configured to be zone redundant, include backup functionality, and have logging enabled, addressing key aspects of reliability and operational efficiency.
List of resources
- Virtual Machines
- Application gateways
- Key vault
- DNS zone
- Private DNS zones
- Private Endpoint
- Storage Account
- Recovery Services Vault
- Log Analytics workspace
- Application Insights
- Virtual network
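The following terraform.tfvars fragment is an added example and is not part of the BOS Framework template: it sets variables from the Input Parameters table to a hardened baseline (management ports denied at the NSG, flow logs on, Entra ID-only storage access with shared keys disabled, Key Vault on RBAC with purge protection and default-deny network ACLs, WAF in Prevention mode). It assumes the module accepts the map(json) parameters as native HCL objects; if it expects JSON strings, pass the JSON shown in the table instead. Every resource name, address and peering target below is a constructed placeholder.

```hcl
# Added example, not from the BOS Framework template. Names, CIDRs and peering
# targets are constructed placeholders; variable names come from the table.

resource_group_name      = "iis-prod-rg"   # constructed
resource_group_location  = "eastus"
resourcegroup_lock       = true
resourcegroup_lock_level = "CanNotDelete"  # ReadOnly is stricter but blocks routine changes

# Network: table defaults, plus flow logs so NSG decisions are auditable.
vnet_address_space                   = ["10.11.0.0/16"]
vnet_subnet1_iis_address_prefix      = ["10.11.8.0/21"]
vnet_subnet2_appgw_address_prefix    = ["10.11.16.0/24"]
vnet_subnet3_services_address_prefix = ["10.11.24.0/23"]
nsg_flow_logs_enable                 = true
vnet_subnet1_iis_nsg_flow_log_retention_in_days = 90

# NSG rules for the IIS subnet. Each rule carries all nine keys the table
# requires. Both deny SSH and RDP from any source, so the only inbound path
# to the VMs is through the Application Gateway.
vnet_subnet1_iis_nsg_rules = {
  rule1 = {
    name                       = "sn01-nsg-rule-01"
    priority                   = 1000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
  rule2 = {
    name                       = "sn01-nsg-rule-02"
    priority                   = 2000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# Peering to an existing hub VNet (constructed names). Gateway transit stays
# off unless the hub really hosts a VPN/ExpressRoute gateway to be shared.
require_vnet_peering = true
vnet_peering_configs = [
  {
    new_vnet_name           = "hub-vnet"
    new_vnet_rg             = "hub-rg"
    peering_name_1          = "iis-to-hub"
    peering_name_2          = "hub-to-iis"
    allow_gateway_transit   = false
    allow_vnet_access       = true
    allow_forwarded_traffic = true
  }
]

# Log-archive storage: Entra ID auth only, no shared keys, private endpoint,
# default-deny network rules, TLS 1.2 minimum, infrastructure encryption.
storage_use_azuread                                         = true
log_archive_storage_account_shared_access_key_enabled       = false
log_archive_storage_account_allow_nested_items_to_be_public = false
log_archive_storage_account_public_network_access_enabled   = false
log_archive_storage_account_private_endpoint_enable         = true
log_archive_storage_account_network_default_action          = "Deny"
log_archive_storage_account_network_ip_rules                = []
log_archive_storage_account_min_tls_version                 = "TLS1_2"
log_archive_storage_account_enable_https_traffic_only       = true
log_archive_storage_account_infra_encryption_enabled        = true

# Key Vault: RBAC instead of access policies, purge protection, private access only.
keyvault_enable_rbac_authorization      = true
keyvault_purge_protection_enabled       = true
keyvault_public_network_access_enabled  = false
keyvault_network_acls_default_action    = "Deny"
keyvault_network_acls_bypass            = "AzureServices"
keyvault_network_acls_ip_rules          = []
key_vault_diagnostic_log_category_group = "audit"

# Edge: WAF in Prevention mode on OWASP CRS 3.2 with the strict 2022 TLS policy.
private_app_gateway_waf_enabled          = true
private_app_gateway_waf_firewall_mode    = "Prevention"
private_app_gateway_waf_rule_set_type    = "OWASP"
private_app_gateway_waf_rule_set_version = "3.2"
private_app_gateway_ssl_policy_type      = "Predefined"
private_app_gateway_ssl_policyname       = "AppGwSslPolicy20220101S"
```

One operational consequence of turning public network access off on the storage account and Key Vault: the Terraform run that creates keys, secrets and containers in them must itself reach their private endpoints, so it has to execute from a runner inside the VNet or a peered network. That follows from how Azure Private Link works in general, not from anything the template documents.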
Cloud Architecture
© Copyright BOS Framework 2024
Input Parameters
Input Variables | Descriptions | Default Values | Type | Supported Values |
---|---|---|---|---|
sp_client_id | Service Principal Client ID, used for authentication in Azure. | abcde123-4567-890f-12ab-34cd56789ef0 | string | |
sp_tenant_id | Azure AD Tenant ID, the identity provider for the service principal. | 12345678-abcd-1234-ef12-123456789abc | string | |
sp_subscription_id | Azure Subscription ID, specifying the target subscription. | abcdefgh-1234-5678-90ab-cdef12345678 | string | |
sp_name | Name or identifier for the Service Principal | myserviceprincipal | string | |
sp_client_secret | The secret key associated with the Service Principal for authentication. | mysecretclientsecret123 | string | |
storage_use_azuread | Should the AzureRM Provider use AzureAD to connect to the Storage Blob API's, rather than the SharedKey from the Storage Account | true | bool | true, false |
resource_group_name | The name of the Azure Resource Group where resources will be deployed. | myrg | string | |
resource_group_location | Azure region where the Resource Group will be created. | eastus | string | |
resourcegroup_lock | Whether to apply a resource group-level lock. | true | bool | true, false |
resourcegroup_lock_level | Level of the resource group lock if resourcegroup_lock is set to true. | CanNotDelete | string | CanNotDelete, ReadOnly |
tags_name | A map of tags to apply to Azure resources. | '{"Environment":"Dev","ProductName":"JohnDoe"}' | map(string) | |
enable_defender_plans | Enable or disable Azure defender plans for the subscription. | true | bool | true, false |
security_center_resource_types | list of resource types to be covered by Azure Security Center. | ["CloudPosture", "VirtualMachines", "AppServices", "SqlServers", "SqlServerVirtualMachines", "OpenSourceRelationalDatabases", "CosmosDbs", "StorageAccounts", "Containers", "KeyVaults", "Arm"] | list | ["CloudPosture", "VirtualMachines", "AppServices", "SqlServers", "SqlServerVirtualMachines", "OpenSourceRelationalDatabases", "CosmosDbs", "StorageAccounts", "Containers", "KeyVaults", "Arm"] |
security_center_resource_types_tier | The Azure Security Center tier to use for the specified resource types (one entry per resource type above). | ["Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard"] | list | ["Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard", "Standard"] |
auto_provision_log_analytics_agent | Whether to automatically provision the Log Analytics agent on VMs within the VNet. | Off | string | Off, On |
vnet_name | The name of the Virtual Network (VNet). | my-vnet | string | |
vnet_subnet1_iis_name | The name of the first subnet for IIS VM. | my-subnet-1 | string | |
vnet_subnet2_appgw_name | The name of the second subnet for Application Gateway. | my-subnet-2 | string | |
vnet_subnet3_services_name | The name of the third subnet for services. | my-subnet-3 | string | |
vnet_address_space | The address space for the Virtual Network. | ["10.11.0.0/16"] | list | |
vnet_dns_servers | The DNS server IP addresses for the Virtual Network. | [] | list | |
vnet_subnet1_iis_address_prefix | The address prefix for the first subnet for IIS VM. | ["10.11.8.0/21"] | list | |
vnet_subnet2_appgw_address_prefix | The address prefix for the second subnet for Application Gateway. | ["10.11.16.0/24"] | list | |
vnet_subnet3_services_address_prefix | The address prefix for the third subnet for services. | ["10.11.24.0/23"] | list | |
vnet_subnet4_firewall_address_prefix | The address prefix for the fourth subnet for the firewall. | ["10.11.32.0/26"] | list | |
vnet_firewall_enable | Whether to enable the Azure Firewall in the VNet. | false | bool | true, false |
vnet_firewall_public_ip_zones | list of public IP address zones for the Azure Firewall. | ["1", "2", "3"] | list | ["1", "2", "3"] |
vnet_firewall_zones | list of zones for the Azure Firewall. | ["1", "2", "3"] | list | ["1", "2", "3"] |
vnet_firewall_sku | The SKU for the Azure Firewall. | AZFW_VNet | string | AZFW_VNet, AZFW_Hub |
vnet_firewall_tier | The threat intelligence tier for the Azure Firewall. | Standard | string | Premium, Standard, Basic |
vnet_firewall_threat_intel_mode | The threat intelligence mode for the Azure Firewall. | Deny | string | Deny, Alert |
vnet_ddos_protection_plan_enable | Whether to enable DDoS protection for the VNet. | false | bool | true, false |
vnet_ddos_protection_plan_name | The name for the DDoS protection plan. | my-ddos-plan | string | |
vnet_subnet1_iis_service_endpoints | The list of Service endpoints to associate with subnet1. | ["Microsoft.KeyVault", "Microsoft.Storage"] | list | ["Microsoft.KeyVault", "Microsoft.Storage"] |
vnet_subnet3_service_endpoints | The list of Service endpoints to associate with subnet3. | ["Microsoft.KeyVault", "Microsoft.Storage"] | list | ["Microsoft.KeyVault", "Microsoft.Storage"] |
natgw_public_ip_prefix_name | Name of the Public IP Prefix for the NAT Gateway. | my-nat-pub-ip-prefix | string | |
natgw_public_ip_prefix_length | Prefix length (subnet mask) for the Public IP Prefix. | 29 | number | 28,29,30,31 |
natgw_public_ip_prefix_zones | Availability zones for the Public IP Prefix. | ["1"] | list | ["1", "2", "3"] |
natgw_public_ip_name | Name of the Public IP address for the NAT Gateway. | my-nat-pub-ip | string | |
natgw_public_ip_allocation_method | IP address allocation method for the Public IP. | Static | string | Dynamic, Static |
natgw_public_ip_sku | SKU (service tier) for the Public IP address. | Standard | string | Basic, Standard |
natgw_public_ip_zones | Availability zones for the Public IP address of the NAT Gateway. | ["1"] | list | ["1", "2", "3"] |
natgw_name | Name of the NAT Gateway. | my-nat-gateway | string | |
natgw_idle_timeout_in_minutes | Idle timeout in minutes for the NAT Gateway's outbound connections. | 4 | number | |
natgw_sku | SKU (service tier) for the NAT Gateway. | Standard | string | Basic, Standard |
natgw_zones | Availability zones for the NAT Gateway. | ["1"] | list | ["1", "2", "3"] |
network_watchername | Name of the Network Watcher resource. | NetworkWatcher_eastus | string | NetworkWatcher_region |
network_watcher_exists | Indicates whether the Network Watcher resource exists or not. | false | bool | true, false |
nsg_flow_logs_enable | Whether to enable Network Security Group (NSG) flow logs. | false | bool | true, false |
vnet_subnet1_iis_nsg_name | Name of the Network Security Group (NSG) for the first subnet used by IIS VMs. | my-nsg-1 | string | |
vnet_subnet1_iis_nsg_rules | Rules defined for the Network Security Group (NSG) in the first subnet used by IIS VMs. | {"rule1": {"name": "sn01-nsg-rule-01","priority": 1000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "22","source_address_prefix": "*","destination_address_prefix": "*"},"rule2": {"name": "sn01-nsg-rule-02","priority": 2000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "3389","source_address_prefix": "*","destination_address_prefix": "*"}} | map(json) | Each rule must consist of name, priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix and destination_address_prefix. |
vnet_subnet3_services_nsg_name | Name of the Network Security Group (NSG) for the third subnet used for services. | my-nsg-3 | string | |
vnet_subnet3_services_nsg_rules | Rules defined for the Network Security Group (NSG) in the third subnet used for services. | {"rule1": {"name": "sn03-nsg-rule-01","priority": 1000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "22","source_address_prefix": "*","destination_address_prefix": "*"},"rule2": {"name": "sn03-nsg-rule-02","priority": 2000,"direction": "Inbound","access": "Deny","protocol": "Tcp","source_port_range": "*","destination_port_range": "3389","source_address_prefix": "*","destination_address_prefix": "*"}} | map(json) | Each rule must consist of name, priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix and destination_address_prefix. |
vnet_subnet1_iis_nsg_flow_log_name | Name of the flow log for the Network Security Group (NSG) in the first subnet used by IIS VM. | my-nsg-1-flow-log | string | |
vnet_subnet1_iis_nsg_flow_log_enabled | Whether flow logging is enabled for the Network Security Group (NSG) in the first subnet used by IIS VM. | true | bool | true, false |
vnet_subnet1_iis_nsg_flow_log_retention_enabled | Whether log retention is enabled for the flow log of the Network Security Group (NSG) in the first subnet used by IIS VM. | true | bool | true, false |
vnet_subnet1_iis_nsg_flow_log_retention_in_days | number of days to retain flow log data for the Network Security Group (NSG) in the first subnet used by IIS VM. | 90 | number | |
vnet_subnet3_services_nsg_flow_log_name | Name of the flow log for the Network Security Group (NSG) in the third subnet used for services. | my-nsg-3-flow-log | string | |
vnet_subnet3_services_nsg_flow_log_enabled | Whether flow logging is enabled for the Network Security Group (NSG) in the third subnet used for services. | true | bool | true, false |
vnet_subnet3_services_nsg_flow_log_retention_enabled | Whether log retention is enabled for the flow log of the Network Security Group (NSG) in the third subnet used for services. | true | bool | true, false |
vnet_subnet3_services_nsg_flow_log_retention_in_days | number of days to retain flow log data for the Network Security Group (NSG) in the third subnet used for services. | 90 | number | |
vnet_subnet1_iis_nsg_flow_log_traffic_analytics_enabled | Whether traffic analytics is enabled for the flow log of the Network Security Group (NSG) in the first subnet used by IIS VM. | true | bool | true, false |
vnet_subnet1_iis_nsg_flow_log_traffic_analytics_interval_in_minutes | Interval in minutes for traffic analytics for the flow log of the Network Security Group (NSG) in the first subnet used by IIS VM. | 60 | number | 10, 60 |
vnet_subnet3_services_nsg_flow_log_traffic_analytics_enabled | Whether traffic analytics is enabled for the flow log of the Network Security Group (NSG) in the third subnet used for services. | true | bool | true, false |
vnet_subnet3_services_nsg_flow_log_traffic_analytics_interval_in_minutes | Interval in minutes for traffic analytics for the flow log of the Network Security Group (NSG) in the third subnet used for services. | 60 | number | 10, 60 |
vnet_subnet1_iis_nsg_flow_log_version | Version of the flow log for the Network Security Group (NSG) in the first subnet used by IIS VM. | 2 | number | 1, 2 |
vnet_subnet3_services_nsg_flow_log_version | Version of the flow log for the Network Security Group (NSG) in the third subnet used for services. | 2 | number | 1, 2 |
vnet_diagnostic_log_enable | Whether to enable diagnostic logs for the Virtual Network (VNet). | true | bool | true, false |
vnet_diagnostic_log_name | Name of the diagnostic logs for the Virtual Network (VNet). | my-vnet-logs | string | |
vnet_diagnostic_log_category_group | Category of diagnostic logs to enable for the Virtual Network (VNet). | allLogs | string | allLogs |
require_vnet_peering | Whether to enable Vnet Peering. | false | bool | true, false |
vnet_peering_configs | Configuration of the VNet Peering. | [{"new_vnet_name": "myexistingvnet","new_vnet_rg": "myexistingvnetrg","peering_name_1": "peer1to2","peering_name_2": "peer2to1","allow_gateway_transit": false,"allow_vnet_access": true,"allow_forwarded_traffic": true}] | map(json) | Each peering must consist of new_vnet_name, new_vnet_rg, peering_name_1, peering_name_2, allow_gateway_transit, allow_vnet_access and allow_forwarded_traffic. |
log_analytics_workspace_name | Name of the Log Analytics workspace. | my-log-analytics | string | |
log_analytics_workspace_sku | SKU (service tier) for the Log Analytics workspace. | PerGB2018 | string | Free, PerNode, Premium, Standard, Standalone, Unlimited, CapacityReservation, PerGB2018 |
log_retention_in_days | number of days to retain log data in the Log Analytics workspace. | 30 | number | |
log_analytics_daily_quota_gb | Daily data ingestion quota in gigabytes for the Log Analytics workspace. | 3 | number | |
log_analytics_action_group_name | Name of the Action Group associated with the Log Analytics workspace. | mydailycapactiongrp | string | |
log_analytics_action_group_short_name | Short name or identifier for the Action Group. | mydailycapgrp | string | |
log_analytics_daily_cap_alert_emails | list of email addresses for recipients of daily capacity alerts. | ["user1@example.com"] | list | |
log_analytics_action_group_common_schema | Use a common schema for the Action Group. | true | bool | true, false |
log_analytics_daily_cap_alert_name | Name of the daily capacity alert in Log Analytics. | mydailycaplogalert | string | |
log_analytics_daily_cap_alert_evaluation_frequency | Frequency of evaluation for the daily capacity alert. | PT10M | string | |
log_analytics_daily_cap_alert_window_duration | Duration of the evaluation window for the daily capacity alert. | PT10M | string | |
log_analytics_daily_cap_alert_severity | Severity level for the daily capacity alert. | 2 | number | 1, 2, 3, 4 |
log_analytics_daily_cap_alert_auto_mitigation_enabled | Enable or disable automatic mitigation for the daily capacity alert. | false | bool | true, false |
log_analytics_daily_cap_alert_storage_enabled | Enable or disable alert data storage for the daily capacity alert. | false | bool | true, false |
log_analytics_daily_cap_alert_enabled | Enable or disable the daily capacity alert. | true | bool | true, false |
log_analytics_daily_cap_alert_query_time_range_override | Time range override for the daily capacity alert. | P1D | string | |
application_insights_name | Name of the Application Insights resource. | my-prv-app-insights | string | |
application_insights_application_type | Type or category of the Application Insights resource. | web | string | ios, java, MobileCenter, Node.JS, other, phone, store, web |
security_center_contact_email_enable | Enable or disable security center contact email | true | bool | true, false |
security_center_contact_name | Name of the security center contact | user1contact | string | |
security_center_contact_email | Email address for security center contact | user1@example.com | string | |
security_center_alert_notifications | Enable or disable security center alert notifications | false | bool | true, false |
security_center_alerts_to_admins | Enable or disable sending security center alerts to admins | true | bool | true, false |
log_archive_enable | Enable or disable log archiving | true | bool | true, false |
log_archive_storage_account_name | Name of the storage account for log archiving | logarchivestorage | string | |
log_archive_storage_account_tier | Storage account tier for log archiving | Standard | string | Standard, Premium |
log_archive_storage_account_kind | Storage account kind for log archiving | StorageV2 | string | BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2 |
log_archive_storage_account_replication_type | Replication type for the log archiving storage account. | GRS | string | LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS |
log_archive_storage_account_access_tier | Access tier for the log archiving storage account. | Cool | string | Hot, Cool |
log_archive_storage_account_public_network_access_enabled | Enable or disable public network access for the storage account for log archive. | true | bool | true, false |
log_archive_storage_account_versioning_enabled | Enable or disable versioning for the storage account used for log archive. | true | bool | true, false |
log_archive_storage_account_network_default_action | Default action for network traffic to log archive storage account | Deny | string | Deny, Allow |
log_archive_storage_account_network_ip_rules | List of IP addresses allowed to access the log archive storage account | ["45.127.59.60/32"] | list | |
log_archive_storage_account_network_bypass | List of network traffic types to bypass | ["AzureServices"] | list(string) | AzureServices, None |
log_archive_storage_account_shared_access_key_enabled | Whether shared access keys are enabled for the log archive storage account. | false | bool | true, false |
log_archive_storage_account_allow_nested_items_to_be_public | Whether nested items within the log archive storage account, such as blobs within containers, are allowed to be made public. | false | bool | true, false |
log_archive_storage_account_lifecycle_rule_name | Name of the lifecycle rule for log archiving storage account. | rule1 | string | |
log_archive_storage_account_lifecycle_rule_enabled | Enable or disable the lifecycle rule for log archiving storage account. | true | bool | true, false |
log_archive_storage_account_lifecycle_rule_blob_types | List of blob types to apply the lifecycle rule to | ["blockBlob", "appendBlob"] | list(string) | ["blockBlob", "appendBlob"] |
log_archive_storage_account_lifecycle_rule_delete_base_blob_after_days | Number of days to keep the base blob before deleting | 365 | number | |
log_archive_storage_account_lifecycle_rule_delete_snapshot_after_days | Number of days to keep the blob snapshot before deleting | 365 | number | |
log_archive_storage_account_lifecycle_rule_delete_version_after_days | Number of days to keep the blob version before deleting | 365 | number | |
log_archive_storage_account_enable_https_traffic_only | Enables HTTPS-only access to the log archive storage account. | true | bool | true, false |
log_archive_storage_account_infra_encryption_enabled | Enables infrastructure encryption for the log archive storage account. | true | bool | true, false |
log_archive_storage_account_min_tls_version | Specifies the minimum TLS version required for connections to the log archive storage account. | TLS1_2 | string | TLS1_0, TLS1_1, TLS1_2 |
log_archive_storage_account_uaid_name | Name of the user-assigned identity for log archive storage account. | my-log-archive-sa-uaid | string | |
log_archive_storage_account_key_name | Name of the key for log archive storage account user-assigned identity | my-log-archive-sa-uaid-key | string | |
log_archive_storage_account_key_type | Type of the key for log archive storage account user-assigned identity | RSA | string | RSA |
log_archive_storage_account_key_size | Size of the key for log archive storage account user-assigned identity | 2048 | number | 2048, 3072, 4096 |
log_archive_storage_account_key_opts | Options for the key for log archive storage account user-assigned identity | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
log_archive_storage_account_key_expire_after | Expiry duration for the key for log archive storage account user-assigned identity | P24M | string | Duration in ISO 8601 format |
log_archive_storage_account_key_rotation_time_before_expiry | Time before expiry to start key rotation for log archive storage account identity | P22M | string | Duration in ISO 8601 format |
log_archive_storage_account_key_notify_before_expiry | Time before expiry to notify for key rotation for log archive storage account identity | P21M | string | Duration in ISO 8601 format |
log_archive_storage_account_key_expiration_date | Expiration date for the storage account key used for log archival | "2024-12-31T11:59:59.000Z" | string | |
log_archive_storage_account_delete_retention_days | Specifies the number of days that the blob should be retained in log archive storage account | 7 | number | 1-365 |
log_archive_storage_account_container_delete_retention_days | Specifies the number of days that the container should be retained in log archive storage account | 7 | number | 1-365 |
log_archive_storage_account_private_endpoint_enable | Enable or Disable private endpoint for log archive storage account. | false | bool | true, false |
log_archive_storage_account_private_endpoint_name | Name of the private endpoint for log archive storage account. | my-log-archive-sa-pvep | string | |
log_archive_storage_account_private_service_connection_name | Name of the private service connection for log archive storage account. | my-log-archive-sa-svc | string | |
log_archive_storage_account_private_service_is_manual_connection | Enable or disable manual private service connection for log archive storage account. | false | bool | true, false |
log_archive_storage_account_private_service_subresource | List of subresources for the private service connection. | ["blob"] | list(string) | ["blob"] |
log_archive_storage_account_private_dns_zone | Private DNS zone for log archive storage account. | privatelink.blob.cache.windows.net | string | privatelink.blob.cache.windows.net |
log_archive_storage_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone. | my-log-archive-sa-vnet-link | string | |
log_archive_storage_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record in seconds. | 300 | number | |
private_dns_zone | Name of the Private DNS Zone to configure. | mywebsite.internal.com | string | |
private_dns_vnetlink_name | Name of the Private DNS Virtual Network Link. | my-vnet-link | string | |
public_dns_enable | Whether to create a Public DNS Zone. | true | bool | |
public_dns_zone | Name of the public DNS zone for a Virtual Network. | mywebsite.com | string | |
key_vault_name | Name of the Azure Key Vault. | my-keyvault | string | |
keyvault_enabled_for_disk_encryption | Whether the Key Vault is enabled for disk encryption. | true | bool | true, false |
keyvault_soft_delete_retention_days | The number of days for soft delete retention for the Key Vault. | 7 | number | |
keyvault_sku | The SKU (service tier) for the Azure Key Vault. | standard | string | Standard, Premium |
key_vault_secret_expiration_date | Expiration date for a secret in the Key Vault. | "2024-12-31T11:59:59.000Z" | string | |
keyvault_private_endpoint_name | Name of the Private Endpoint for the Key Vault. | my-kv-pvep | string | |
keyvault_private_dns_zone | Name of the Private DNS Zone for the Key Vault Private Endpoint. | privatelink.vaultcore.azure.net | string | privatelink.vaultcore.azure.net |
keyvault_private_service_connection_name | Name of the Private Service Connection for the Key Vault. | my-kv-svc | string | |
keyvault_private_service_is_manual_connection | Whether the Private Service Connection is a manual connection. | false | bool | true, false |
keyvault_private_service_connection_subresource | Name of the Private Service Connection Subresource for the Key Vault. | ["Vault"] | list | ["Vault"] |
keyvault_private_dns_zone_group_name | Name of the Private DNS Zone Group for the Key Vault. | my-kv-pv-grp | string | |
keyvault_dns_vnet_link | Name of the DNS Virtual Network Link for the Key Vault. | my-pv-vnet-link | string | |
keyvault_purge_protection_enabled | Whether purge protection is enabled for the Key Vault. | true | bool | true, false |
keyvault_enable_rbac_authorization | Whether RBAC (Role-Based Access Control) authorization is enabled for the Key Vault. | true | bool | true, false |
keyvault_public_network_access_enabled | Enable or disable public network access for the Key Vault. | true | bool | true, false |
keyvault_network_acls_default_action | Default action for network access control lists (ACLs) in the Key Vault. | Deny | string | Allow, Deny |
keyvault_network_acls_bypass | Bypass option for network ACLs in the Key Vault. | AzureServices | string | AzureServices, None |
keyvault_network_acls_ip_rules | IP rules for network access control lists (ACLs) in the Key Vault. | ["45.127.59.60/32"] | list | |
key_vault_diagnostic_log_enable | Enable or disable diagnostic logs for the Azure Key Vault. | true | bool | true, false |
key_vault_diagnostic_log_name | Name of the diagnostic logs setting for the Azure Key Vault. | my-keyvault-logs | string | |
key_vault_diagnostic_log_archive_enable | Specifies whether archiving of diagnostic logs for an Azure Key Vault is enabled | true | bool | true, false |
key_vault_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by an Azure Key Vault. | Dedicated | string | AzureDiagnostics, Dedicated |
key_vault_diagnostic_log_category_group | Category of diagnostic logs to enable for the Key Vault. | audit | string | allLogs, audit |
iis_vm_os_disk_encryption_key_name | Name of the Azure Key Vault key used for encrypting and decrypting the OS disk. | my-os-disk-key | string | |
iis_vm_os_disk_encryption_key_set_name | Name of the Azure Disk Encryption Set used for managing disk encryption | my-os-disk-key-set | string | |
iis_vm_os_disk_encryption_key_auto_rotation | Controls whether automatic key rotation is enabled for the encryption key. | true | bool | true, false |
iis_vm_os_disk_encryption_key_identity_type | Specifies the identity type used for key management | SystemAssigned | string | SystemAssigned, UserAssigned |
iis_vm_os_disk_encryption_key_expire_after | Duration of key validity after creation (in days). Used for key rotation. | P24M | string | |
iis_vm_os_disk_encryption_key_rotation_time_before_expiry | Time before key expiration when automatic rotation should occur (in days). | P22M | string | |
iis_vm_os_disk_encryption_key_expire_notify_before_expiry | Time before key expiration to receive notifications (in days). | P21M | string | |
recovery_services_vault_name | Name of the Azure Recovery Services Vault | my-recovery-vault | string | |
recovery_services_vault_sku | SKU for the Azure Recovery Services Vault | Standard | string | |
recovery_services_vault_soft_delete_enabled | Enable soft delete for the Recovery Services Vault | true | bool | true, false |
vm_backup_policy_name | Name of the Azure VM backup policy | my-recovery-vault-policy | string | |
recovery_services_vault_backup_frequency | Frequency of VM backups within the policy | Daily | string | Hourly, Daily, Weekly |
recovery_services_vault_backup_time | Time of day when VM backups should occur | 23:00 | string | |
recovery_services_vault_daily_retention | Number of days to retain daily backups | 7 | number | |
recovery_services_vault_identity_type | Specifies the identity type to be used for the recovery services vault | SystemAssigned | string | SystemAssigned |
backup_management_service_object_id | Object ID for the Backup Management. | 1234532-364d-43a1-8296-98f011342 | string | |
recovery_services_vault_cross_region_restore_enabled | Indicates whether cross-region restore is enabled for the recovery services vault. | true | bool | true, false |
recovery_services_vault_alerts_for_job_failures_enabled | Enabling/Disabling built-in Azure Monitor alerts for security scenarios and job failure scenarios | true | bool | true, false |
recovery_services_vault_alerts_for_critical_operation_failures_enabled | Enabling/Disabling alerts from the older (classic alerts) solution. | true | bool | true, false |
recovery_services_vault_diagnostic_log_enable | Enable diagnostic logs for the recovery services vault | true | bool | true, false |
recovery_services_vault_diagnostic_log_name | Name of the diagnostic log setting for the recovery services vault | my-recovery-vault-logs | string | |
recovery_services_vault_diagnostic_log_archive_enable | Enable diagnostic log archiving for the recovery services vault | true | bool | true, false |
recovery_services_vault_diagnostic_log_destination_type | Destination type for diagnostic logs in the recovery services vault | Dedicated | string | AzureDiagnostics, Dedicated |
recovery_services_vault_diagnostic_log_category_group | Category group for diagnostic logs in the recovery services vault | allLogs | string | allLogs, audit |
private_app_gateway_public_ip_name | Name of the public IP associated with the private Application Gateway. | my-appgw-pub-ip | string | |
private_app_gateway_public_ip_allocation_method | Allocation method for the public IP of the private Application Gateway. | Static | string | Dynamic, Static |
private_app_gateway_public_ip_sku | SKU (service tier) for the public IP of the private Application Gateway. | Standard | string | Basic, Standard |
private_app_gateway_public_ip_ddos_protection_mode | DDoS protection mode for the public IP of the private Application Gateway. | Disabled | string | Enabled, Disabled |
private_app_gateway_public_ip_zones | Availability zones for the public IP of the private Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
private_app_gateway_capacity | Capacity (instance count) for the private Application Gateway. | 2 | number | |
private_app_gateway_name | Name of the private Application Gateway. | my-appgw | string | |
private_app_gateway_sku | SKU (service tier) for the private Application Gateway. | WAF_v2 | string | Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, WAF_v2 |
private_app_gateway_tier | Tier (performance level) for the private Application Gateway. | WAF_v2 | string | Standard, Standard_v2, WAF, WAF_v2 |
private_app_gateway_zones | Availability zones for the private Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
private_app_gateway_private_fe_address | Private IP address for the frontend of the private Application Gateway. | 10.11.16.10 | string | |
private_app_gateway_waf_enabled | Enable or disable Web Application Firewall (WAF) for the private Application Gateway. | true | bool | true, false |
private_app_gateway_waf_firewall_mode | Firewall mode for the WAF in the private Application Gateway. | Prevention | string | Detection, Prevention |
private_app_gateway_waf_rule_set_type | Type of WAF rule set for the private Application Gateway. | OWASP | string | OWASP, Microsoft_BotManagerRuleSet |
private_app_gateway_waf_rule_set_version | Version of the WAF rule set for the private Application Gateway. | 3.2 | string | 0.1, 1.0, 2.2.9, 3.0, 3.1, 3.2 |
private_app_gateway_ssl_policy_type | Specifies the type of SSL policy for the private Application Gateway. | Predefined | string | Predefined, Custom, CustomV2 |
private_app_gateway_ssl_policyname | Specifies the name of the SSL policy for the private Application Gateway. | AppGwSslPolicy20220101S | string | AppGwSslPolicy20150501, AppGwSslPolicy20220101, AppGwSslPolicy20220101S, AppGwSslPolicy20170401, AppGwSslPolicy20170401S |
private_app_gateway_diagnostic_log_enable | Enable or disable diagnostic logs for the private Application Gateway. | true | bool | true, false |
private_app_gateway_diagnostic_log_name | Name of the diagnostic logs setting for the private Application Gateway. | my-appgw-logs | string | |
private_app_gateway_log_archive_enable | Specifies whether archiving of diagnostic logs for private Application Gateway is enabled | true | bool | true, false |
private_app_gateway_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by the private Application Gateway. | Dedicated | string | AzureDiagnostics, Dedicated |
private_app_gateway_diagnostic_log_category_group | Category of diagnostic logs to enable for the private Application Gateway. | allLogs | string | allLogs |
public_app_gateway_public_ip_name | Name of the public IP associated with the public Application Gateway. | my-pub-app-gw-pub-ip | string | |
public_app_gateway_public_ip_allocation_method | Allocation method for the public IP of the public Application Gateway. | Static | string | Dynamic, Static |
public_app_gateway_public_ip_sku | SKU (service tier) for the public IP of the public Application Gateway. | Standard | string | Basic, Standard |
public_app_gateway_public_ip_ddos_protection_mode | DDoS protection mode for the public IP of the public Application Gateway. | Disabled | string | Enabled, Disabled |
public_app_gateway_public_ip_zones | Availability zones for the public IP of the public Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
public_app_gateway_capacity | Capacity (instance count) for the public Application Gateway. | 2 | number | number |
public_app_gateway_name | Name of the public Application Gateway. | my-pub-app-gw | string | |
public_app_gateway_sku | SKU (service tier) for the public Application Gateway. | WAF_v2 | string | Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, WAF_v2 |
public_app_gateway_tier | Tier (performance level) for the public Application Gateway. | WAF_v2 | string | Standard, Standard_v2, WAF, WAF_v2 |
public_app_gateway_zones | Availability zones for the public Application Gateway. | ["1", "2", "3"] | list | ["1", "2", "3"] |
public_app_gateway_waf_enabled | Enable or disable Web Application Firewall (WAF) for the public Application Gateway. | true | bool | true, false |
public_app_gateway_waf_firewall_mode | Firewall mode for the WAF in the public Application Gateway. | Prevention | string | Detection, Prevention |
public_app_gateway_waf_rule_set_type | Type of WAF rule set for the public Application Gateway. | OWASP | string | OWASP, Microsoft_BotManagerRuleSet |
public_app_gateway_waf_rule_set_version | Version of the WAF rule set for the public Application Gateway. | 3.2 | string | 0.1, 1.0, 2.2.9, 3.0, 3.1, 3.2 |
public_app_gateway_ssl_policy_type | Specifies the type of SSL policy for the public Application Gateway. | Predefined | string | Predefined, Custom, CustomV2 |
public_app_gateway_ssl_policyname | Specifies the name of the SSL policy for the public Application Gateway. | AppGwSslPolicy20220101S | string | AppGwSslPolicy20150501, AppGwSslPolicy20220101, AppGwSslPolicy20220101S, AppGwSslPolicy20170401, AppGwSslPolicy20170401S |
public_app_gateway_diagnostic_log_enable | Enable or disable diagnostic logs for the public Application Gateway. | true | bool | true, false |
public_app_gateway_diagnostic_log_name | Name of the diagnostic logs setting for the public Application Gateway. | my-pub-app-gw-logs | string | |
public_app_gateway_log_archive_enable | Specifies whether archiving of diagnostic logs for public Application Gateway is enabled | true | bool | true, false |
public_app_gateway_diagnostic_log_destination_type | Specifies the type of destination for diagnostic logs generated by the public Application Gateway. | Dedicated | string | AzureDiagnostics, Dedicated |
public_app_gateway_diagnostic_log_category_group | Category of diagnostic logs to enable for the public Application Gateway. | allLogs | string | allLogs |
windows_vm_IIS_admin_username | Username for the Windows VM's administrative account. | adminuser | string | |
windows_vm_IIS_size | Size/configuration of the Windows VM. | Standard_B2s | string | |
windows_vm_IIS_count | Number of Windows VM instances to create. | 1 | number | |
windows_vm_IIS_nic_name | Name of the Network Interface Card (NIC) for the VM. | my-vm-nic | string | |
windows_vm_IIS_nic_ip_configuration_name | Name of the IP configuration for the NIC. | internal | string | |
windows_vm_IIS_nic_private_ip_address_allocation | Allocation method for the NIC's private IP address. | Dynamic | string | Dynamic, Static |
windows_vm_IIS_name | Name of the Windows VM. | my-vm | string | |
windows_vm_IIS_zone | Availability zones for the Windows IIS VM. | ["1","2","3"] | list | ["1","2","3"] |
windows_vm_IIS_os_disk_caching | Caching type for the OS disk of the Windows VM. | ReadWrite | string | None, ReadOnly, ReadWrite |
windows_vm_IIS_os_disk_storage_account_type | Storage account type for the OS disk of the Windows VM. | StandardSSD_LRS | string | Standard_LRS, Premium_LRS, StandardSSD_LRS, StandardSSD_ZRS, Premium_ZRS |
windows_vm_IIS_source_image_reference_publisher | Publisher of the source image reference for the VM. | MicrosoftWindowsServer | string | |
windows_vm_IIS_source_image_reference_offer | Offer of the source image reference for the VM. | WindowsServer | string | |
windows_vm_IIS_source_image_reference_sku | SKU of the source image reference for the VM. | 2022-datacenter-azure-edition | string | |
windows_vm_IIS_source_image_reference_version | Version of the source image reference for the VM. | latest | string | |
windows_vm_IIS_extension_publisher | Publisher of the VM extension. | Microsoft.Compute | string | |
windows_vm_IIS_extension_type | Type of the VM extension. | CustomScriptExtension | string | |
windows_vm_IIS_extension_type_handler_version | Version of the VM extension handler. | 1.8 | string | |
windows_vm_IIS_extension_auto_upgrade_minor_version | Enable automatic upgrade of minor extension versions. | true | bool | true, false |
storage_account_name | Name of the Azure Storage Account for NSG flow logs. | mynsglogsstorage | string | |
storage_account_tier | Tier for the Azure Storage Account for NSG flow logs. | Standard | string | Standard, Premium |
storage_account_kind | Kind of the Azure Storage Account for NSG flow logs. | StorageV2 | string | BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2 |
storage_account_replication_type | Replication type for the Azure Storage Account for NSG flow logs. | GRS | string | LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS |
storage_account_access_tier | Access tier for the Azure Storage Account for NSG flow logs. | Hot | string | Hot, Cool |
storage_account_public_network_access_enabled | Enable or disable public network access for the Azure Storage Account for NSG flow logs. | true | bool | true, false |
storage_account_diagnostic_log_enable | Enable or disable diagnostic logs for the Azure Storage Account for NSG flow logs. | true | bool | true, false |
storage_account_diagnostic_log_name | Name of the diagnostic logs setting for the Azure Storage Account for NSG flow logs. | my-sa-logs | string | |
storage_account_diagnostic_log_category_group | Specifies whether archiving of diagnostic logs is enabled for the Azure Storage Account for NSG flow logs. | true | bool | true, false |
storage_account_diagnostic_log_archive_enable | Specifies the type of destination for diagnostic logs generated by the Azure Storage Account for NSG flow logs. | Dedicated | string | AzureDiagnostics, Dedicated |
storage_account_diagnostic_log_category_group | Category of diagnostic logs to enable for the Azure Storage Account for NSG flow logs. | allLogs | string | allLogs |
storage_account_shared_access_key_enabled | Controls whether shared access keys are enabled for the NSG flow log storage account. | false | bool | true, false |
storage_account_allow_nested_items_to_be_public | Indicates whether nested items within containers can have public access. | false | bool | true, false |
storage_account_enable_https_traffic_only | Enables HTTPS-only access to the NSG flow log storage account. | true | bool | true, false |
storage_account_infra_encryption_enabled | Enables infrastructure encryption for the NSG flow log storage account. | true | bool | true, false |
storage_account_min_tls_version | Specifies the minimum TLS version required for connections to the NSG flow log storage account. | TLS1_2 | string | TLS1_0, TLS1_1, TLS1_2 |
storage_account_uaid_name | Name of the user-assigned identity for the NSG flow log storage account. | my-sa-uaid | string | |
storage_account_key_name | Name of the key for the storage account user-assigned identity. | my-sa-uaid-key | string | |
storage_account_key_type | Type of the key for the NSG flow log storage account user-assigned identity. | RSA | string | RSA |
storage_account_key_size | Size of the key for the NSG flow log storage account user-assigned identity. | 2048 | number | 2048, 3072, 4096 |
storage_account_key_opts | Options for the key for the NSG flow log storage account user-assigned identity. | ["unwrapKey", "wrapKey"] | list(string) | decrypt, encrypt, sign, unwrapKey, verify, wrapKey |
storage_account_key_expire_after | Expiry duration for the key for the NSG flow log storage account user-assigned identity. | P24M | string | Duration in ISO 8601 format |
storage_account_key_rotation_time_before_expiry | Time before expiry at which key rotation starts for the NSG flow log storage account identity. | P22M | string | Duration in ISO 8601 format |
storage_account_key_notify_before_expiry | Time before expiry at which a key rotation notification is sent for the NSG flow log storage account identity. | P21M | string | Duration in ISO 8601 format |
storage_account_delete_retention_days | Specifies the number of days a deleted blob is retained in the NSG flow log storage account. | 7 | number | 1-365 |
storage_account_container_delete_retention_days | Specifies the number of days a deleted container is retained in the NSG flow log storage account. | 7 | number | 1-365 |
storage_account_private_endpoint_enable | Enable or disable the private endpoint for the NSG flow log storage account. | false | bool | true, false |
storage_account_private_endpoint_name | Name of the private endpoint for the NSG flow log storage account. | my-sa-pvep | string | |
storage_account_private_service_connection_name | Name of the private service connection for the NSG flow log storage account. | my-sa-svc | string | |
storage_account_private_service_is_manual_connection | Enable or disable manual private service connection for the NSG flow log storage account. | false | bool | true, false |
storage_account_private_service_subresource | List of subresources for the private service connection. | ["blob"] | list(string) | ["blob"] |
storage_account_private_dns_zone | Private DNS zone for the NSG flow log storage account. | privatelink.blob.cache.windows.net | string | privatelink.blob.cache.windows.net |
storage_account_private_dns_zone_vnet_link_name | Name of the VNet link for the private DNS zone. | my-sa-vnet-link | string | |
storage_account_private_dns_a_record_ttl | Time to live (TTL) for the private DNS A record, in seconds. | 300 | number | |
storage_account_network_default_action | Default action for network traffic to the NSG flow log storage account. | Deny | string | |
storage_account_network_ip_rules | List of IP addresses (CIDR) allowed to access the NSG flow log storage account. | ["45.127.59.60/32"] | list | |
storage_account_network_bypass | List of network traffic types that bypass the network rules. | ["AzureServices"] | list(string) | |
storage_account_key_expiration_date | Expiration date for the storage account key | "2024-12-31T11:59:59.000Z" | string | |
iis_vm_os_disk_encryption_key_expiration_date | Expiration date for the OS disk for Windows VM which hosts the IIS | "2024-12-31T11:59:59.000Z" | string | |
windows_vm_IIS_patch_assessment_mode | Specifies the patch assessment mode for the Windows virtual machines that host IIS (Internet Information Services). | AutomaticByPlatform | string | AutomaticByPlatform |
windows_vm_IIS_patch_mode | Specifies the patch mode (how patches are applied) for the Windows virtual machines that host IIS. | AutomaticByPlatform | string | AutomaticByPlatform |
windows_vm_IIS_reboot_setting | Specifies the reboot setting applied after patching for the Windows virtual machines that host IIS. | Never | string | Never |
windows_vm_IIS_bypass_platform_safety_checks_user_schedule_enabled | Specifies whether to enable bypassing platform safety checks for user-scheduled actions on Windows virtual machines. | true | bool | true, false |
iis_vm_os_disk_encryption_key_set_type | Specifies the type of encryption key set for encrypting the operating system disk of the IIS (Internet Information Services) virtual machine | EncryptionAtRestWithPlatformAndCustomerKeys | string | EncryptionAtRestWithPlatformAndCustomerKeys |
log_analytics_cmk_for_query_forced | Force the use of Customer Managed Key (CMK) for query in Log Analytics | true | bool | true, false |
Output Parameters
Output Variable Name | Description |
---|---|
rg_name | The name of the Azure Resource Group. |
rg_location | The location (region) of the Azure Resource Group. |
log_analytics_id | The unique ID of the Azure Log Analytics workspace. |
log_analytics_workspace_id | The Workspace ID for the Log Analytics Workspace. |
log_archive_storage_account_id | The ID of the storage account used for log archiving. |
virtual_network_id | The ID of the Azure Virtual Network. |
subnet1_iis_id | The ID of the first subnet, used by the IIS VM. |
subnet2_appgw_id | The ID of the second subnet used for Application Gateway. |
subnet3_services_id | The ID of the third subnet used for services. |
subnet1_iis_address | The address prefix of the first subnet. |
subnet2_appgw_address | The address prefix of the second subnet for Application Gateway. |
subnet3_services_address | The address prefix of the third subnet for services. |
subnet4_firewall_address | The address prefix of the fourth subnet for the firewall. |
vnet_address | The CIDR of the Azure Virtual Network. |
natgw_public_ip | The public IP address of the Network Address Translation (NAT) gateway. |
natgw_public_ip_prefix | The public IP prefix of the NAT gateway. |
public_dns_zone_name | The name of the public DNS Zone. |
public_dns_zone_id | The ID of the public DNS Zone. |
keyvault_name | The name of the Azure Key Vault. |
keyvault_id | The ID of the Azure Key Vault. |
disk_encryption_set_id | The unique ID of the Azure Disk Encryption Set. |
keyvault_uri | The full URI of the Azure Key Vault. |
disk_encryption_key_id | The unique ID of the Azure Disk Encryption Key. |
keyvault_private_endpoint_fqdn | The Fully Qualified Domain Name (FQDN) of the private endpoint for the Key Vault. |
tenant_id | The Azure Active Directory tenant ID of the directory. |
subscription_id | The ID of the Azure subscription where resources are created. |
sp_client_id | The client ID of the Service Principal used to create resources. |
vm_backup_vault_name | The name of the Azure VM Backup Vault. |
vm_backup_policy_id | The ID of the VM Backup Policy. |
public_appgw_name | The name of the Public Application Gateway. |
public_appgw_backend_pool_name | The name of the default backend pool of the Public Application Gateway. |
public_appgw_backend_pool_id | The ID of the default backend pool of the Public Application Gateway. |
public_appgw_fe_public_config_name | The name of the public Frontend Configuration of the Public Application Gateway. |
public_appgw_fe_public_ip | The public IP address of the Public Application Gateway. |
private_appgw_name | The name of the Private Application Gateway. |
private_appgw_backend_pool_name | The name of the default backend pool of the Private Application Gateway. |
private_appgw_backend_pool_id | The ID of the default backend pool of the Private Application Gateway. |
private_appgw_fe_private_config_name | The name of the private Frontend Configuration of the Private Application Gateway. |
private_appgw_fe_public_config_name | The name of the public Frontend Configuration of the Private Application Gateway. |
private_appgw_fe_public_ip | The public IP address of the Private Application Gateway. |
private_appgw_fe_private_ip | The private IP address of the Private Application Gateway. |
windows_vm_IIS_private_ips | The private IP addresses of the IIS VMs. |
windows_vm_IIS_admin_username | The administrative username for the IIS VM. |
windows_vm_IIS_names | The names of the IIS VMs. |
storage_account_name | The name of the Azure Storage Account. |
storage_account_id | The ID of the Azure Storage Account. |