terraform-azurerm-avm-res-azurestackhci-cluster

Module to provision azure stack hci.

Requirements

The following requirements are needed by this module:

• terraform (~> 1.5)

• azapi (~> 2.0)

• azuread (~> 2.50.0)

• azurerm (~> 4.0)

• modtm (~> 0.3)

• random (~> 3.5)

Resources

The following resources are used by this module:

• azapi_resource.cluster (resource)
• azapi_resource.validatedeploymentsetting (resource)
• azapi_update_resource.deploymentsetting (resource)
• azurerm_key_vault.deployment_keyvault (resource)
• azurerm_key_vault_secret.azure_stack_lcm_user_credential (resource)
• azurerm_key_vault_secret.default_arb_application (resource)
• azurerm_key_vault_secret.local_admin_credential (resource)
• azurerm_key_vault_secret.witness_storage_key (resource)
• azurerm_management_lock.this (resource)
• azurerm_role_assignment.machine_role_assign (resource)
• azurerm_role_assignment.service_principal_role_assign (resource)
• azurerm_role_assignment.this (resource)
• azurerm_storage_account.witness (resource)
• modtm_telemetry.telemetry (resource)
• random_integer.random_suffix (resource)
• random_uuid.telemetry (resource)
• azapi_resource.arc_settings (data source)
• azapi_resource.arcbridge (data source)
• azapi_resource.customlocation (data source)
• azapi_resource_list.user_storages (data source)
• azuread_service_principal.hci_rp (data source)
• azurerm_arc_machine.arcservers (data source)
• azurerm_client_config.current (data source)
• azurerm_client_config.telemetry (data source)
• azurerm_key_vault.key_vault (data source)
• azurerm_storage_account.witness (data source)
• modtm_module_source.telemetry (data source)

Required Inputs

The following input variables are required:

adou_path

Description: The Active Directory OU path.

Type: string

custom_location_name

Description: The name of the custom location.

Type: string

default_gateway

Description: The default gateway for the network.

Type: string

deployment_user

Description: The username for the domain administrator account.

Type: string

deployment_user_password

Description: The password for the domain administrator account.

Type: string

dns_servers

Description: A list of DNS server IP addresses.

Type: list(string)

domain_fqdn

Description: The domain FQDN.

Type: string

ending_address

Description: The ending IP address of the IP address range.

Type: string

keyvault_name

Description: The name of the key vault.

Type: string

local_admin_password

Description: The password for the local administrator account.

Type: string

local_admin_user

Description: The username for the local administrator account.

Type: string

location

Description: Azure region where the resource should be deployed.

Type: string

name

Description: The name of the HCI cluster. Must be the same as the name when preparing AD.

Type: string

resource_group_id

Description: The resource id of resource group.

Type: string

servers

Description: A list of servers with their names and IPv4 addresses.

Type:

list(object({
    name        = string
    ipv4Address = string
  }))

service_principal_id

Description: The service principal ID for the Azure account.

Type: string

service_principal_secret

Description: The service principal secret for the Azure account.

Type: string

site_id

Description: A unique identifier for the site.

Type: string

starting_address

Description: The starting IP address of the IP address range.

Type: string

Optional Inputs

The following input variables are optional (have default values):

account_replication_type

Description: The replication type for the storage account.

Type: string

Default: "ZRS"

allow_nested_items_to_be_public

Description: Indicates whether nested items can be public.

Type: bool

Default: false

azure_service_endpoint

Description: The Azure service endpoint.

Type: string

Default: "core.windows.net"

azure_stack_lcm_user_credential_content_type

Description: (Optional) Content type of the azure stack lcm user credential.

Type: string

Default: null

azure_stack_lcm_user_credential_expiration_date

Description: (Optional) Expiration date of the azure stack lcm user credential.

Type: string

Default: null

azure_stack_lcm_user_credential_tags

Description: (Optional) Tags of the azure stack lcm user credential.

Type: map(string)

Default: null

bitlocker_boot_volume

Description: When set to true, BitLocker XTS_AES 256-bit encryption is enabled for all data-at-rest on the OS volume of your Azure Stack HCI cluster. This setting is TPM-hardware dependent.

Type: bool

Default: true

bitlocker_data_volumes

Description: When set to true, BitLocker XTS-AES 256-bit encryption is enabled for all data-at-rest on your Azure Stack HCI cluster shared volumes.

Type: bool

Default: true

cluster_name

Description: The name of the HCI cluster.

Type: string

Default: ""

cluster_tags

Description: (Optional) Tags of the cluster.

Type: map(string)

Default: null

compute_intent_name

Description: The name of compute intent.

Type: string

Default: "ManagementCompute"

compute_override_adapter_property

Description: Indicates whether to override adapter property for compute.

Type: bool

Default: true

compute_override_qos_policy

Description: Indicates whether to override qos policy for compute network.

Type: bool

Default: false

compute_qos_policy_overrides

Description: QoS policy overrides for network settings with required properties for compute.

Type:

object({
    priorityValue8021Action_SMB     = string
    priorityValue8021Action_Cluster = string
    bandwidthPercentage_SMB         = string
  })

Default:

{
  "bandwidthPercentage_SMB": "",
  "priorityValue8021Action_Cluster": "",
  "priorityValue8021Action_SMB": ""
}

compute_rdma_enabled

Description: Indicates whether RDMA is enabled for compute.

Type: bool

Default: false

compute_rdma_jumbo_packet

Description: The jumbo packet size for RDMA of compute network.

Type: string

Default: "9014"

compute_rdma_protocol

Description: The RDMA protocol of compute network.

Type: string

Default: "RoCEv2"

compute_traffic_type

Description: Traffic type of compute.

Type: list(string)

Default:

[
  "Management",
  "Compute"
]

configuration_mode

Description: The configuration mode for the storage.

Type: string

Default: "Express"

create_hci_rp_role_assignments

Description: Indicates whether to create role assignments for the HCI resource provider service principal.

Type: bool

Default: false

create_key_vault

Description: Set to true to create the key vault, or false to skip it

Type: bool

Default: true

create_witness_storage_account

Description: Set to true to create the witness storage account, or false to skip it

Type: bool

Default: true

credential_guard_enforced

Description: When set to true, Credential Guard is enabled on your Azure HCI cluster.

Type: bool

Default: false

cross_tenant_replication_enabled

Description: Indicates whether cross-tenant replication is enabled.

Type: bool

Default: false

default_arb_application_content_type

Description: (Optional) Content type of the default arb application.

Type: string

Default: null

default_arb_application_expiration_date

Description: (Optional) Expiration date of the default arb application.

Type: string

Default: null

default_arb_application_tags

Description: (Optional) Tags of the default arb application.

Type: map(string)

Default: null

deployment_configuration_version

Description: The version of deployment configuration. Latest version will be used if not specified.

Type: string

Default: null

drift_control_enforced

Description: When set to true, the security baseline is re-applied regularly.

Type: bool

Default: true

drtm_protection

Description: By default, Secure Boot is enabled on your Azure HCI cluster. This setting is hardware dependent.

Type: bool

Default: true

enable_telemetry

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: false

eu_location

Description: Indicates whether the location is in EU.

Type: bool

Default: false

hvci_protection

Description: By default, Hypervisor-protected Code Integrity is enabled on your Azure HCI cluster.

Type: bool

Default: true

intent_name

Description: The name of intent.

Type: string

Default: "ManagementComputeStorage"

is_exported

Description: Indicate whether the resource is exported

Type: bool

Default: false

key_vault_location

Description: The location of the key vault.

Type: string

Default: ""

key_vault_resource_group

Description: The resource group of the key vault.

Type: string

Default: ""

keyvault_purge_protection_enabled

Description: Indicates whether purge protection is enabled.

Type: bool

Default: true

keyvault_secrets

Description: A list of key vault secrets.

Type:

list(object({
    eceSecretName = string
    secretSuffix  = string
  }))

Default: []

keyvault_soft_delete_retention_days

Description: The number of days that items should be retained for soft delete.

Type: number

Default: 30

keyvault_tags

Description: (Optional) Tags of the keyvault.

Type: map(string)

Default: null

local_admin_credential_content_type

Description: (Optional) Content type of the local admin credential.

Type: string

Default: null

local_admin_credential_expiration_date

Description: (Optional) Expiration date of the local admin credential.

Type: string

Default: null

local_admin_credential_tags

Description: (Optional) Tags of the local admin credential.

Type: map(string)

Default: null

lock

Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:

• kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".
• name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.

Type:

object({
    kind = string
    name = optional(string, null)
  })

Default: null

management_adapters

Description: A list of management adapters.

Type: list(string)

Default: []

min_tls_version

Description: The minimum TLS version.

Type: string

Default: "TLS1_2"

naming_prefix

Description: The naming prefix in HCI deployment settings. Site id will be used if not provided.

Type: string

Default: ""

operation_type

Description: The intended operation for a cluster.

Type: string

Default: "ClusterProvisioning"

override_adapter_property

Description: Indicates whether to override adapter property.

Type: bool

Default: true

override_qos_policy

Description: Indicates whether to override qos policy for converged network.

Type: bool

Default: false

qos_policy_overrides

Description: QoS policy overrides for network settings with required properties.

Type:

object({
    priorityValue8021Action_SMB     = string
    priorityValue8021Action_Cluster = string
    bandwidthPercentage_SMB         = string
  })

Default:

{
  "bandwidthPercentage_SMB": "",
  "priorityValue8021Action_Cluster": "",
  "priorityValue8021Action_SMB": ""
}

random_suffix

Description: Indicate whether to add random suffix

Type: bool

Default: true

rdma_enabled

Description: Enables RDMA when set to true. In a converged network configuration, this will make the network use RDMA. In a dedicated storage network configuration, enabling this will enable RDMA on the storage network.

Type: bool

Default: false

rdma_jumbo_packet

Description: The jumbo packet size for RDMA of converged network.

Type: string

Default: "9014"

rdma_protocol

Description: The RDMA protocol of converged network.

Type: string

Default: "RoCEv2"

resource_group_location

Description: The location of resource group.

Type: string

Default: ""

role_assignments

Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

• role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
• principal_id - The ID of the principal to assign the role to.
• description - The description of the role assignment.
• skip_service_principal_aad_check - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
• condition - The condition which will be used to scope the role assignment.
• condition_version - The version of the condition syntax. Valid values are '2.0'.

Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.

Type:

map(object({
    role_definition_id_or_name             = string
    principal_id                           = string
    description                            = optional(string, null)
    skip_service_principal_aad_check       = optional(bool, false)
    condition                              = optional(string, null)
    condition_version                      = optional(string, null)
    delegated_managed_identity_resource_id = optional(string, null)
    principal_type                         = optional(string, null)
  }))

Default: {}

rp_service_principal_object_id

Description: The object ID of the HCI resource provider service principal.

Type: string

Default: ""

secrets_location

Description: Secrets location for the deployment.

Type: string

Default: ""

side_channel_mitigation_enforced

Description: When set to true, all the side channel mitigations are enabled.

Type: bool

Default: true

smb_cluster_encryption

Description: When set to true, cluster east-west traffic is encrypted.

Type: bool

Default: false

smb_signing_enforced

Description: When set to true, the SMB default instance requires sign in for the client and server services.

Type: bool

Default: true

storage_adapter_ip_info

Description: The IP information for the storage networks. Key is the storage network name.

Type:

map(list(object({
    physicalNode = string
    ipv4Address  = string
    subnetMask   = string
  })))

Default: null

storage_connectivity_switchless

Description: Indicates whether storage connectivity is switchless.

Type: bool

Default: false

storage_intent_name

Description: The name of storage intent.

Type: string

Default: "Storage"

storage_networks

Description: A list of storage networks.

Type:

list(object({
    name               = string
    networkAdapterName = string
    vlanId             = string
  }))

Default: []

storage_override_adapter_property

Description: Indicates whether to override adapter property for storage network.

Type: bool

Default: true

storage_override_qos_policy

Description: Indicates whether to override qos policy for storage network.

Type: bool

Default: false

storage_qos_policy_overrides

Description: QoS policy overrides for network settings with required properties for storage.

Type:

object({
    priorityValue8021Action_SMB     = string
    priorityValue8021Action_Cluster = string
    bandwidthPercentage_SMB         = string
  })

Default:

{
  "bandwidthPercentage_SMB": "",
  "priorityValue8021Action_Cluster": "",
  "priorityValue8021Action_SMB": ""
}

storage_rdma_enabled

Description: Indicates whether RDMA is enabled for storage. Storage RDMA will be enabled if either rdma_enabled or storage_rdma_enabled is set to true.

Type: bool

Default: false

storage_rdma_jumbo_packet

Description: The jumbo packet size for RDMA of storage network.

Type: string

Default: "9014"

storage_rdma_protocol

Description: The RDMA protocol of storage network.

Type: string

Default: "RoCEv2"

storage_tags

Description: (Optional) Tags of the storage.

Type: map(string)

Default: null

storage_traffic_type

Description: Traffic type of storage.

Type: list(string)

Default:

[
  "Storage"
]

subnet_mask

Description: The subnet mask for the network.

Type: string

Default: "255.255.255.0"

tenant_id

Description: (Optional) Value of the tenant id

Type: string

Default: ""

traffic_type

Description: Traffic type of intent.

Type: list(string)

Default:

[
  "Management",
  "Compute",
  "Storage"
]

use_legacy_key_vault_model

Description: Indicates whether to use the legacy key vault model.

Type: bool

Default: false

wdac_enforced

Description: WDAC is enabled by default and limits the applications and the code that you can run on your Azure Stack HCI cluster.

Type: bool

Default: true

witness_path

Description: The path to the witness.

Type: string

Default: "Cloud"

witness_storage_account_name

Description: The name of the witness storage account.

Type: string

Default: ""

witness_storage_account_resource_group_name

Description: The resource group of the witness storage account. If not provided, 'resource_group_name' will be used as the storage account's resource group.

Type: string

Default: ""

witness_storage_key_content_type

Description: (Optional) Content type of the witness storage key.

Type: string

Default: null

witness_storage_key_expiration_date

Description: (Optional) Expiration date of the witness storage key.

Type: string

Default: null

witness_storage_key_tags

Description: (Optional) Tags of the witness storage key.

Type: map(string)

Default: null

witness_type

Description: The type of the witness.

Type: string

Default: "Cloud"

Outputs

The following outputs are exported:

arc_settings

Description: Arc settings instance after HCI connected.

arcbridge

Description: Arc resource bridge instance after HCI connected.

cluster

Description: HCI Cluster instance

customlocation

Description: Custom location instance after HCI connected.

keyvault

Description: Keyvault instance that stores deployment secrets.

resource_id

Description: This is the full output for the resource.

user_storages

Description: User storage instances after HCI connected.

v_switch_name

Description: The name of the virtual switch that is used by the network.

Modules

No modules.

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

storage_adapter_ip_info = {
  storage_network_a = [{
    physicalNode = "HostA"
    ipv4Address = "192.168.200.10"
    subnetMask = "255.255.255.0"
  }, {
    physicalNode = "HostB"
    ipv4Address = "192.168.200.11"
    subnetMask = "255.255.255.0"
  }]
  storage_network_b = [{
    physicalNode = "HostA"
    ipv4Address = "192.168.201.10"
    subnetMask = "255.255.255.0"
  }, {
    physicalNode = "HostB"
    ipv4Address = "192.168.201.11"
    subnetMask = "255.255.255.0"
  }]
}

storage_adapter_ip_info = {
  storage_network_a = [{
    physicalNode = "HostA"
    ipv4Address = "192.168.200.10"
    subnetMask = "255.255.255.0"
  }, {
    physicalNode = "HostB"
    ipv4Address = "192.168.200.11"
    subnetMask = "255.255.255.0"
  }]
  storage_network_b = [{
    physicalNode = "HostA"
    ipv4Address = "192.168.201.10"
    subnetMask = "255.255.255.0"
  }, {
    physicalNode = "HostB"
    ipv4Address = "192.168.201.11"
    subnetMask = "255.255.255.0"
  }]
}

 
 {
  "workingFolder": "packages",
  "packages": [
    // packages defined earlier
    {
      "name": "avm-terraform/azurestackhci-cluster",
      "version": "2.0.2"
    }
  ]
}