
Question - Variable management_group_configuration use case #338

Open

Description

@lrottach

Let us know the feedback or general question

Context:
Currently we are building a new sovereign landing zone deployment using the ALZ Accelerator with the following versions.

  • ALZ PowerShell Module: 4.2.4
  • Accelerator Bootstrap Version: 4.3.4
  • Accelerator Starter Version: 5.1.0
# Basic Inputs
iac: "terraform"
bootstrap: "alz_local"
starter: "sovereign_landing_zone"

As soon as we generate the deployment we see the management_group_configuration variable within the variables.tf which requires that massive object as input.
Documentation: https://azure.github.io/Azure-Landing-Zones/accelerator/startermodules/terraformsovereign/#default-management-group-configuration

variable "management_group_configuration" {
  type = object({
    root = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    platform = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    landingzones = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    sandbox = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    decommissioned = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    management = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    connectivity = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    identity = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    corp = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    online = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    confidential_corp = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
    confidential_online = object({
      id           = string
      display_name = string
      archetypes   = optional(set(string), [])
    })
  })
  description = "Management Group configuration for the Management Group hierarchy."
}

On the other hand, we have the slz.alz_architecture_definition.json inside our ./lib/architecture_definitions directory, where we define the whole architecture, including relationships, archetypes, ...

Inside the locals.tf we can see that some of the inputs of the initial management_group_configuration variable are used to build some IDs using templatestring().

locals {
  management_group_resource_id_format = "/providers/Microsoft.Management/managementGroups/%s"

  management_group_format_variables = {
    default_prefix   = var.default_prefix
    optional_postfix = var.optional_postfix
  }

  root_management_group_id                = templatestring(var.management_group_configuration.root.id, local.management_group_format_variables)
  management_management_group_id          = templatestring(var.management_group_configuration.management.id, local.management_group_format_variables)
  connectivity_management_group_id        = templatestring(var.management_group_configuration.connectivity.id, local.management_group_format_variables)
  identity_management_group_id            = templatestring(var.management_group_configuration.identity.id, local.management_group_format_variables)
  confidential_corp_management_group_id   = templatestring(var.management_group_configuration.confidential_corp.id, local.management_group_format_variables)
  confidential_online_management_group_id = templatestring(var.management_group_configuration.confidential_online.id, local.management_group_format_variables)

  top_level_management_group_name                  = var.management_group_configuration.root.display_name
  sovereign_global_policy_assignment_resource_id   = format(local.management_group_resource_id_format, "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global")
  confidential_online_management_group_resource_id = format(local.management_group_resource_id_format, local.confidential_online_management_group_id)
  confidential_corp_management_group_resource_id   = format(local.management_group_resource_id_format, local.confidential_corp_management_group_id)
}

However, in the end, only four IDs of this massive initial block are used / parsed in the actual bootstrap module.

Question:
What is the reason behind that management_group_configuration variable and why do we need to provide such a big part of the architecture using that variable while we maintain the actual architecture within the architecture_definitions?
Maybe you could give us some insights about that to better understand that logic.

Just let me know if you have any questions.
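The locals.tf excerpt quoted above derives four management group IDs from management_group_configuration with templatestring() and then formats three of them into resource IDs. Because the same management groups are also declared in the architecture definition JSON, the two inputs can drift apart (a renamed ID in one place but not the other). The following script is an added example, not code from the ALZ Accelerator or from the issue author: it reproduces the derivation in Python and checks every derived ID against a constructed architecture definition. The "${default_prefix}" placeholder form matches what templatestring() expands, but the concrete ID strings, the prefix values, and the shape of the architecture definition JSON (a top-level "management_groups" list whose entries carry an "id") are assumptions made for this example. Both sides are expanded with the same variables, so a definition that stores literal IDs instead of templates is checked identically.

```python
import json
import re

# Constructed sample of the slice of management_group_configuration that locals.tf
# actually reads. The "${...}" placeholders are the templatestring() form; the
# concrete id strings are assumptions, not the starter module's shipped defaults.
MANAGEMENT_GROUP_CONFIGURATION = {
    "root": {"id": "${default_prefix}${optional_postfix}", "display_name": "Sovereign Landing Zone", "archetypes": ["root"]},
    "management": {"id": "${default_prefix}-management${optional_postfix}", "display_name": "Management", "archetypes": ["management"]},
    "connectivity": {"id": "${default_prefix}-connectivity${optional_postfix}", "display_name": "Connectivity", "archetypes": ["connectivity"]},
    "identity": {"id": "${default_prefix}-identity${optional_postfix}", "display_name": "Identity", "archetypes": ["identity"]},
    "confidential_corp": {"id": "${default_prefix}-confidential-corp${optional_postfix}", "display_name": "Confidential Corp", "archetypes": ["confidential_corp"]},
    "confidential_online": {"id": "${default_prefix}-confidential-online${optional_postfix}", "display_name": "Confidential Online", "archetypes": ["confidential_online"]},
}

# Mirrors local.management_group_format_variables (values are constructed).
FORMAT_VARIABLES = {"default_prefix": "slz", "optional_postfix": ""}

# Same format string as local.management_group_resource_id_format in the issue.
MANAGEMENT_GROUP_RESOURCE_ID_FORMAT = "/providers/Microsoft.Management/managementGroups/%s"

# Constructed architecture definition; the JSON shape is assumed and only the
# "id" field of each management group is read by the check below.
ARCHITECTURE_DEFINITION_JSON = json.dumps({
    "name": "slz",
    "management_groups": [
        {"id": "${default_prefix}${optional_postfix}", "parent_id": None},
        {"id": "${default_prefix}-platform${optional_postfix}", "parent_id": "${default_prefix}${optional_postfix}"},
        {"id": "${default_prefix}-management${optional_postfix}", "parent_id": "${default_prefix}-platform${optional_postfix}"},
        {"id": "${default_prefix}-connectivity${optional_postfix}", "parent_id": "${default_prefix}-platform${optional_postfix}"},
        {"id": "${default_prefix}-identity${optional_postfix}", "parent_id": "${default_prefix}-platform${optional_postfix}"},
        {"id": "${default_prefix}-landingzones${optional_postfix}", "parent_id": "${default_prefix}${optional_postfix}"},
        {"id": "${default_prefix}-confidential-corp${optional_postfix}", "parent_id": "${default_prefix}-landingzones${optional_postfix}"},
        {"id": "${default_prefix}-confidential-online${optional_postfix}", "parent_id": "${default_prefix}-landingzones${optional_postfix}"},
    ],
})

_TEMPLATE_RE = re.compile(r"\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}")


def templatestring(template, variables):
    """Minimal stand-in for Terraform's templatestring(): expand ${name} references.
    A name that is not supplied raises, just as Terraform would fail the plan."""
    def replace(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template references unknown variable {name!r}")
        return str(variables[name])
    return _TEMPLATE_RE.sub(replace, template)


# The only keys of the variable that the quoted locals.tf reads.
USED_KEYS = ("root", "management", "connectivity", "identity", "confidential_corp", "confidential_online")


def derive_management_group_ids(config, variables):
    """Reproduce the templatestring() locals for the keys the bootstrap uses."""
    return {key: templatestring(config[key]["id"], variables) for key in USED_KEYS}


def derive_resource_ids(config, variables):
    """Reproduce the three resource-id locals built from the derived management group ids."""
    ids = derive_management_group_ids(config, variables)
    policy_path = f"{ids['root']}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"
    return {
        "sovereign_global_policy_assignment_resource_id": MANAGEMENT_GROUP_RESOURCE_ID_FORMAT % policy_path,
        "confidential_online_management_group_resource_id": MANAGEMENT_GROUP_RESOURCE_ID_FORMAT % ids["confidential_online"],
        "confidential_corp_management_group_resource_id": MANAGEMENT_GROUP_RESOURCE_ID_FORMAT % ids["confidential_corp"],
    }


def find_mismatches(config, variables, architecture_json):
    """Return the variable keys whose derived id is not declared as a management group
    in the architecture definition. Both sides are expanded with the same variables."""
    architecture = json.loads(architecture_json)
    defined_ids = {templatestring(mg["id"], variables) for mg in architecture["management_groups"]}
    derived = derive_management_group_ids(config, variables)
    return sorted(key for key, mg_id in derived.items() if mg_id not in defined_ids)


if __name__ == "__main__":
    for key, mg_id in derive_management_group_ids(MANAGEMENT_GROUP_CONFIGURATION, FORMAT_VARIABLES).items():
        print(f"{key:>20} -> {mg_id}")
    for name, resource_id in derive_resource_ids(MANAGEMENT_GROUP_CONFIGURATION, FORMAT_VARIABLES).items():
        print(f"{name}\n  {resource_id}")
    # Simulate drift: rename the identity id in the variable but not in the definition.
    drifted = {key: dict(value) for key, value in MANAGEMENT_GROUP_CONFIGURATION.items()}
    drifted["identity"]["id"] = "${default_prefix}-id${optional_postfix}"
    print("mismatches:", find_mismatches(drifted, FORMAT_VARIABLES, ARCHITECTURE_DEFINITION_JSON))
```

Run as a pre-commit or CI step against the real terraform.tfvars and lib/architecture_definitions content, a non-empty mismatch list flags exactly the situation the question worries about: an ID that the bootstrap will format into a policy assignment or management group resource ID but that no longer exists in the hierarchy the library will deploy.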
