
Azure Governance and Management Blog

Introducing Terraform support for Azure Monitor Baseline Alerts (AMBA) for Azure Landing Zones (ALZ)

ArjenHuitema, Microsoft
May 19, 2025

Ready to try out the new module and simplify your monitoring setup?

Introduction

We're thrilled to introduce Terraform support for Azure Monitor Baseline Alerts (AMBA) for Azure Landing Zones (ALZ). This new module is designed to streamline the deployment process, making it easier than ever to get started with AMBA-ALZ.

Imagine having a set of pre-configured alarms that you can quickly set up to keep an eye on your Azure services. With this new module, you can deploy AMBA-ALZ via Terraform. Whether you're a seasoned pro or just starting out, this module offers a robust solution to monitor your Azure services effectively.

But what exactly is AMBA? Azure Monitor Baseline Alerts provides best-practice alert rules for Azure services, offering guidance and deployment methods for various scenarios, including the Azure Landing Zones pattern.

Azure Landing Zone pattern 🚁

This pattern deploys alerts at scale through Azure Policy and provides a structured approach to monitoring the key components of your Azure Landing Zone, including:

  • Express Route Circuits
  • Express Route Gateways
  • Express Route Ports
  • Azure Firewalls
  • Application Gateways
  • Load Balancers
  • Virtual Networks
  • Virtual Network Gateways
  • Log Analytics Workspaces
  • Private DNS Zones
  • Azure Key Vaults
  • Virtual Machines
  • Service Health

Good to know 💭

  • AMBA-ALZ resources module: deploys the resources for the AMBA-ALZ pattern and works together with the ALZ module to provide a complete implementation.
  • Leverages the existing ALZ module: Why reinvent the wheel? We leverage the existing Azure Landing Zones (ALZ) module for deploying and assigning Azure Policies. This means you can build on a solid foundation and focus on what matters most.
  • Uses the ALZ library: The architecture, archetype definitions, and policy files are centrally stored in the Azure Landing Zone Library. However, you have the flexibility to fork or host your own version of the library.
  • Extensibility: Tailor to fit your unique requirements. Deploy to any management group hierarchy, modify Azure Policy deployment and assignments, or adjust an archetype definition to meet specific monitoring needs. Define and customize alert thresholds to ensure potential issues are identified before they become critical. It's like having a tailor-made suit that fits you perfectly.

Try out the module 👨‍💻

Ready to enhance your monitoring capabilities with AMBA? Dive into the provided examples in avm-ptn-monitoring-amba-alz. These examples provide a comprehensive guide for common scenarios, ensuring a smooth and successful deployment.

Follow this example to get started:

1. Create a new folder, for example tf-amba-alz.

2. Open Visual Studio Code or another preferred tool.

3. Select Open Folder... from the File menu (or Ctrl+K Ctrl+O).

4. Create the file named terraform.tf and add the following code:

terraform {
  required_version = "~> 1.9"
  required_providers {
    alz = {
      source  = "Azure/alz"
      version = "~> 0.17.4"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 2.2"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

5. Create another file, main.tf and add the following code:

data "azapi_client_config" "current" {}

provider "alz" {
  library_overwrite_enabled = true
  library_references = [
    {
      path = "platform/amba"
      ref  = "2025.04.0"
    },
    {
      custom_url = "${path.root}/lib"
    }
  ]
}

provider "azurerm" {
  alias           = "management"
  subscription_id = var.management_subscription_id != "" ? var.management_subscription_id : data.azapi_client_config.current.subscription_id
  features {}
}

variable "management_subscription_id" {
  description = "Management subscription ID"
  type        = string
  default     = ""
}

variable "location" {
  description = "Location"
  type        = string
  default     = "swedencentral"
}

variable "resource_group_name" {
  type        = string
  default     = "rg-amba-monitoring-001"
  description = "The resource group where the resources will be deployed."
}

variable "user_assigned_managed_identity_name" {
  type        = string
  default     = "id-amba-prod-001"
  description = "The name of the user-assigned managed identity."
}

variable "action_group_email" {
  description = "Action group email"
  type        = list(string)
  default     = []
}

variable "action_group_arm_role_id" {
  description = "Action group ARM role ID"
  type        = list(string)
  default     = []
}

variable "tags" {
  type = map(string)
  default = {
    _deployed_by_amba = "True"
  }
  description = "(Optional) Tags of the resource."
}

locals {
  root_management_group_name = jsondecode(file("${path.root}/lib/custom.alz_architecture_definition.json")).management_groups[0].id
}

module "amba_alz" {
  source  = "Azure/avm-ptn-monitoring-amba-alz/azurerm"
  version = "0.1.1"
  providers = {
    azurerm = azurerm.management
  }
  location                            = var.location
  root_management_group_name          = local.root_management_group_name
  resource_group_name                 = var.resource_group_name
  user_assigned_managed_identity_name = var.user_assigned_managed_identity_name
}

module "amba_policy" {
  source             = "Azure/avm-ptn-alz/azurerm"
  version            = "0.11.0"
  architecture_name  = "custom"
  location           = var.location
  parent_resource_id = data.azapi_client_config.current.tenant_id
  policy_default_values = {
    amba_alz_management_subscription_id          = jsonencode({ value = var.management_subscription_id != "" ? var.management_subscription_id : data.azapi_client_config.current.subscription_id })
    amba_alz_resource_group_location             = jsonencode({ value = var.location })
    amba_alz_resource_group_name                 = jsonencode({ value = var.resource_group_name })
    amba_alz_resource_group_tags                 = jsonencode({ value = var.tags })
    amba_alz_user_assigned_managed_identity_name = jsonencode({ value = var.user_assigned_managed_identity_name })
    amba_alz_action_group_email                  = jsonencode({ value = var.action_group_email })
    amba_alz_arm_role_id                         = jsonencode({ value = var.action_group_arm_role_id })
  }
}

6. Review the variables in main.tf and update default values as needed.

Steps 7-9 are required only when using a custom architecture definition, which is common practice: it lets you specify the management group names and their hierarchy. Note that main.tf as shown above already reads lib/custom.alz_architecture_definition.json and sets architecture_name = "custom", so this example expects that file to exist.

7. Create a new child folder named "lib" in the folder that was created in step 1.

8. Create the custom.alz_architecture_definition.json file in the lib folder.

9. Adjust the management group names in custom.alz_architecture_definition.json.
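The locals block in main.tf takes the root management group from management_groups[0].id, which silently picks the wrong group if the root is not the first entry in the file. The following is an added example, not code from the post or from the AMBA module, of a stricter drop-in replacement for that locals block. It assumes the ALZ library architecture definition layout, in which each entry in "management_groups" has "id", "display_name", "parent_id" (null for the root) and "archetypes", and the file's top-level "name" matches the architecture_name passed to module "amba_policy"; the resource name "architecture_guard" is made up for this example.

```hcl
# Added example (not from the post or the AMBA module): a stricter replacement
# for the locals block in main.tf. Assumes the ALZ library architecture
# definition layout: every entry in "management_groups" carries "id",
# "display_name", "parent_id" (null for the root) and "archetypes", and the
# top-level "name" equals the architecture_name given to module "amba_policy".
locals {
  architecture_file = "${path.root}/lib/custom.alz_architecture_definition.json"
  architecture      = jsondecode(file(local.architecture_file))

  # The root of the hierarchy is the management group with no parent, wherever
  # it appears in the list; management_groups[0] only works if it is listed first.
  root_management_group_ids = [
    for mg in local.architecture.management_groups : mg.id if mg.parent_id == null
  ]

  # one() returns the single element and fails the plan if the file declares
  # zero or several roots, instead of deploying against an arbitrary group.
  root_management_group_name = one(local.root_management_group_ids)

  # Every non-null parent_id that the file references ...
  referenced_parent_ids = [
    for mg in local.architecture.management_groups : mg.parent_id if mg.parent_id != null
  ]
  # ... must be the id of a management group declared in the same file.
  undeclared_parent_ids = setsubtract(
    local.referenced_parent_ids,
    local.architecture.management_groups[*].id
  )
}

# terraform_data carries no infrastructure; it exists only so that the
# preconditions below turn a bad architecture file into a hard plan error
# before any policy assignment is attempted. (Name is hypothetical.)
resource "terraform_data" "architecture_guard" {
  lifecycle {
    precondition {
      condition     = local.architecture.name == "custom"
      error_message = "${local.architecture_file} declares architecture '${local.architecture.name}', but module \"amba_policy\" uses architecture_name = \"custom\"."
    }
    precondition {
      condition     = length(local.undeclared_parent_ids) == 0
      error_message = "${local.architecture_file} references parent_id values that are not declared in the file: ${join(", ", local.undeclared_parent_ids)}."
    }
  }
}
```

Replacing the original locals block with this one keeps the local.root_management_group_name reference used by module "amba_alz" unchanged. A precondition failure or a one() failure surfaces during terraform plan, so a typo in the file is caught before Azure Policy assignments are created against an unintended management group hierarchy.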

10. Open a Terminal.

11. Log in to Azure: az login

12. Run: terraform init

13. Run: terraform apply

Next steps 🚶‍♀️

💭 - Learn more: aka.ms/amba/alz

👉 - Latest on AMBA for ALZ: aka.ms/amba/alz/whatsnew

🛫 - Prefer a different deployment method? aka.ms/amba/alz/deploy

💬 - Feedback & Issues: aka.ms/amba/issues

Stay tuned for more updates and enhancements, coming soon... Bicep... 💪

Updated May 21, 2025
Version 2.0