- Enable HIPAA/HITECH and GDPR compliance with a single variable in your terraform.tfvars.
- Automatically assigns built-in Azure Policy initiatives for HIPAA and GDPR at the resource group or resource level.
- Diagnostic settings, network restrictions, and managed identity for remediation are all handled for you.
- Post-deployment PowerShell script automates storage lockdown for HIPAA.
- Validate compliance with the included PowerShell script for instant feedback.
- Compliance automation is a starting point: Review assigned policies in the Azure Portal and use the validation script to identify additional remediation steps. Extend the solution as needed for your organization.
- See HIPAA_GDPR_COMPLIANCE.md for full details and usage examples.
This accelerator provisions a reference implementation of a Data & Analytics Hub on Azure and Microsoft Fabric using Infrastructure-as-Code (IaC) with Terraform.
It is fully parameterized and supports deployment for any organization by configuring variables in terraform.tfvars.
- Terraform-first deployment of Azure + Microsoft Fabric resources
- Supports Dev / QA / Prod environments through variables
- Optional modules so admins can choose which components to deploy
- Implements a Medallion-style data lake (Bronze / Silver / Gold) in ADLS for landing + staging data that feeds Microsoft Fabric OneLake
- Creates monitoring, logging, and Purview governance primitives
- Provides a starter Azure DevOps pipeline for CI/CD
- Fully parameterized: no hardcoded company names or project identifiers
- Multi-tenant ready: deploy for any organization by changing variables
- Terraform v1.3+ (tested with 1.5.x; should work with later 1.x versions)
- An Azure subscription and permissions to create resources
- A service principal with Contributor rights on the subscription
Export the following environment variables before running terraform (PowerShell syntax shown):

```powershell
$env:ARM_CLIENT_ID = "<service-principal-app-id>"
$env:ARM_CLIENT_SECRET = "<service-principal-password>"
$env:ARM_TENANT_ID = "<aad-tenant-id>"
$env:ARM_SUBSCRIPTION_ID = "<subscription-id>"
```

- main.tf / variables.tf / outputs.tf - root composition
- modules/* - reusable modules for individual building blocks
- ci-cd/azure-pipelines.yml - example Azure DevOps pipeline
- terraform.tfvars.example - sample configuration for one environment
- Fabric capacity administration requires Azure AD user or service principal object IDs (Enterprise applications > > Object ID). Group object IDs are rejected by the Fabric API.
From PowerShell:

```powershell
cd <path-to-cloned-or-unzipped-accelerator>

# 1. Copy and edit variables
cp terraform.tfvars.example terraform.tfvars
# -> open terraform.tfvars and adjust values (prefix, location, environment, etc.)

# 2. Initialize providers and modules
terraform.exe init

# 3. See what will be created
terraform.exe plan

# 4. Apply changes
terraform.exe apply

# 5. Destroy (if you want to clean up the environment)
terraform.exe destroy
```

Module usage is controlled via boolean flags in terraform.tfvars (e.g. enable_fabric = true, enable_purview = false, etc.), so you can pick and choose which resources to deploy.
NOTE: This accelerator is opinionated and meant as a starting point. You should review, extend, and harden it for your specific organizational policies.
The following script demonstrates a typical deployment workflow for both the INFRA and FABRIC directories:

```powershell
az login

# INFRA
.\terraform --% -chdir=infra init
.\terraform --% -chdir=infra plan -out=tfplan -var-file=../terraform.tfvars
.\terraform --% -chdir=infra apply tfplan

# FABRIC
.\terraform --% -chdir=fabric init
.\terraform --% -chdir=fabric plan -out=tfplan -var-file=../terraform.tfvars
.\terraform --% -chdir=fabric apply tfplan
```

All resource names, display names, and descriptions are generated from variables:

- prefix: lowercase, alphanumeric, used in Azure resource names
- company_name: used in display names and descriptions
- project_name: used in tags and documentation
- environment: used in resource names and tags
You can override auto-generated names for backward compatibility or migration. See PARAMETERIZATION_GUIDE.md and VARIABLE_REFERENCE.md for details.
This repo includes a baseline policy pack under policy/ intended to catch common security, compliance, and governance issues early from Terraform plan output.

The Azure DevOps pipeline (ci-cd/azure-pipelines.yml) generates plan.json for both Terraform roots (infra/ and fabric/) and runs:

```shell
conftest test --policy policy infra/plan.json
conftest test --policy policy fabric/plan.json
```

Policy enforcement is controlled by the pipeline variable enforcePolicies:

- true: fail the pipeline on policy violations (production-ready default)
- false: audit-only (reports are still published)
- Generate a plan JSON:

  ```shell
  terraform plan -out=tfplan
  terraform show -json tfplan > plan.json
  ```

- Run Conftest:

  ```shell
  conftest test --policy policy plan.json -o table
  ```

- See IMPLEMENTATION_SUMMARY.md for a summary of recent changes
- See PARAMETERIZATION_GUIDE.md for migration and usage guidance
- See VARIABLE_REFERENCE.md for a full list of supported variables and patterns
- See HIPAA_GDPR_COMPLIANCE.md for compliance automation details
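As an added illustration of the kind of rule the policy/ pack evaluates against plan.json (this is example code written for this README, not one of the accelerator's own policy files), the Conftest policy below denies storage accounts in the plan that allow plain HTTP, negotiate TLS below 1.2, or remain reachable from the public network, and warns when nested blob items may be set public. The file name policy/storage.rego is an assumption; the attribute names are those of the azurerm provider (both the v3 name enable_https_traffic_only and the v4 name https_traffic_only_enabled are accepted), and the input is the JSON produced by terraform show -json tfplan.

```rego
package main

# Added example policy (not part of the accelerator's policy/ pack).
# Input: JSON from `terraform show -json tfplan`.
# Assumes azurerm provider attribute names; see the helper rules below.

# A resource change is "planned" when it will be created or updated.
# Deletions are skipped: the attributes of a removed resource do not matter.
is_planned(rc) {
    rc.change.actions[_] == "create"
}

is_planned(rc) {
    rc.change.actions[_] == "update"
}

# Set of storage account resource changes that will exist after apply.
storage_accounts[rc] {
    rc := input.resource_changes[_]
    rc.type == "azurerm_storage_account"
    is_planned(rc)
}

# HTTPS enforcement: accept either provider attribute name.
# If neither attribute is present the account is treated as non-compliant,
# which is the strict default a compliance gate should take.
https_only(after) {
    after.https_traffic_only_enabled == true
}

https_only(after) {
    after.enable_https_traffic_only == true
}

# Deny storage accounts that accept plain-HTTP traffic.
deny[msg] {
    rc := storage_accounts[_]
    not https_only(rc.change.after)
    msg := sprintf("%s: storage account must enforce HTTPS-only traffic", [rc.address])
}

# Deny TLS versions below 1.2 (a missing/null value is also reported).
deny[msg] {
    rc := storage_accounts[_]
    rc.change.after.min_tls_version != "TLS1_2"
    msg := sprintf("%s: min_tls_version must be TLS1_2 (found %v)",
        [rc.address, rc.change.after.min_tls_version])
}

# Deny storage accounts reachable from the public network; the accelerator's
# HIPAA storage lockdown expects private endpoints instead.
deny[msg] {
    rc := storage_accounts[_]
    rc.change.after.public_network_access_enabled == true
    msg := sprintf("%s: public_network_access_enabled must be false", [rc.address])
}

# Warn (does not fail the pipeline) when containers may be switched to
# anonymous public access later; review whether this is intended.
warn[msg] {
    rc := storage_accounts[_]
    rc.change.after.allow_nested_items_to_be_public == true
    msg := sprintf("%s: allow_nested_items_to_be_public is true; blob containers could be made public", [rc.address])
}
```

Save it as policy/storage.rego (or any name under policy/) and the existing conftest test --policy policy plan.json -o table command picks it up; deny rules produce failures, warn rules only produce warnings, which is what makes the enforcePolicies true/false distinction meaningful in the pipeline.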
To deploy Microsoft Fabric resources, you must provide:
- A Service Principal (SP) with Contributor rights on your Azure subscription
- At least one Azure AD (Entra ID) user account with admin rights for Fabric
Run the following command in Azure CLI:

```shell
az ad sp create-for-rbac --name "fabric-terraform-sp" --role Contributor --scopes /subscriptions/<your-subscription-id>
```

This will output values for client_id, client_secret, and tenant_id to use in your terraform.tfvars.

```shell
az ad sp show --id <appId-from-above> --query id -o tsv
```

Use this value in the fabric_admin_object_ids array. (On Azure CLI releases before 2.37 the object ID property was named objectId rather than id; on current releases --query objectId returns nothing.)

You must also provide at least one Azure AD user UPN (email) with admin rights for Fabric. Do not use group object IDs.
```hcl
fabric_admin_object_ids = [
  "00000000-0000-0000-0000-000000000001", # Service principal object ID
  # "00000000-0000-0000-0000-000000000002" # Optional: Entra ID user object ID
]

fabric_admin_upns = [
  "[email protected]"
  # Add more valid UPNs or service principal object IDs as needed, but do not include group object IDs
]
```

Note: Do not use group object IDs. Only user or service principal object IDs are supported for Fabric admin assignment.
Scripts for deployment, automation, and management are provided in both scripts/ and fabric/scripts/ folders. For a full guide and usage examples, see SCRIPTS_GUIDE.md.
This accelerator uses the free/open-source version of Terraform to provide a low/no-cost solution for Infrastructure-as-Code (IaC) deployments on Azure and Microsoft Fabric. The free version is fully capable for most enterprise scenarios and does not require any paid license or subscription.
- No cost for users or organizations
- Most core IaC features are available
- No dependency on paid Terraform Cloud or Enterprise features
- Enables maximum accessibility and flexibility
Visit the official HashiCorp Terraform download page: https://developer.hashicorp.com/terraform/install
- Go to the Terraform Install Page
- Download the Windows AMD64 zip file
- Extract and place terraform.exe in a directory included in your system PATH
- macOS: Download the appropriate zip for your architecture and extract to /usr/local/bin or another directory in your PATH
- Linux: Download the Linux zip for your architecture and extract to /usr/local/bin or another directory in your PATH
- PowerShell is included by default on Windows and available on other platforms
- Enables scripting, automation, and orchestration of Terraform commands
- No need for additional paid automation tools
- Demonstrates ingenuity and practical, low-cost DevOps for Azure and Microsoft Fabric
The Accelerator showcases how to achieve robust, enterprise-grade IaC deployments with zero licensing cost, using only free tools and built-in scripting capabilities.
Note: This solution provides a strong starting point for compliance automation, but is not a full end-to-end IaC and compliance guarantee. Users should review, validate, and extend the solution to meet their organization's specific requirements.
- Hans Esquivel
Start a Discussion to reach me.