This Terraform module provisions and manages a fully configurable Azure Event Hubs environment. It supports deploying an Event Hub Namespace, Event Hubs, authorization rules, consumer groups, disaster recovery configuration, customer-managed keys (CMKs), schema groups, and optional integration with a dedicated Event Hubs cluster. The module enables advanced features like capture configuration, network rules, managed identities, and encryption—all using flexible input variables.
- Creates an Event Hub Namespace with support for auto-inflate, capacity, and identity configuration.
- Supports optional dedicated Event Hub Clusters with configurable SKU and location.
- Creates one or more Event Hubs with optional capture settings (blob storage integration).
- Supports Managed Identity for Event Hub Namespace.
- Adds Network Rulesets including IP and VNet filtering.
- Configures Authorization Rules at both Event Hub and Namespace levels.
- Creates Consumer Groups within Event Hubs.
- Enables Schema Group creation for data validation and compatibility checks.
- Integrates Customer-Managed Keys (CMKs) using Key Vault and identity.
- Sets up Geo-Disaster Recovery Configuration with a partner namespace.
- Allows definition of resource timeouts for all supported components.
This example demonstrates how to provision a fully configured Azure Event Hub environment, including an Event Hub Namespace, one or more Event Hubs with capture settings, authorization rules, a consumer group, schema group, disaster recovery setup, and optional dedicated cluster integration. It showcases how to customize identity, networking, encryption, and timeouts using flexible module inputs.
resource "azurerm_resource_group" "this" {
name = "my-datahub-rg"
location = "germanywestcentral"
}
resource "azurerm_user_assigned_identity" "this" {
location = azurerm_resource_group.this.location
name = "example-user"
resource_group_name = azurerm_resource_group.this.name
}
module "eventhub-namespace" {
source = "../.."
name = "example-eventhub-namespace"
location = azurerm_resource_group.this.location
resource_group_name = azurerm_resource_group.this.name
sku = "Standard"
capacity = 1
identity = {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.this.id]
}
authorization_rule = {
rule-1 = {
name = "namespace-access-policy"
listen = true
send = false
manage = false
}
rule-2 = {
name = "namespace-full-access"
listen = true
send = true
manage = true
}
}
schema_group = {
my-schema-group = {
name = "my-schema-group"
schema_compatibility = "Forward"
schema_type = "Avro"
}
}
tags = {
environment = "production"
team = "eventhub"
}
eventhub = {
app-logs = {
name = "app-logs"
partition_count = 4
message_retention = 7
status = "Active"
authorization_rule = {
app-logs = {
name = "reader"
listen = true
send = false
manage = false
}
}
cluster = {
name = "my-eventhub-cluster"
sku_name = "Dedicated_1"
tags = {
environment = "production"
owner = "team-xyz"
}
}
consumer_group = {
app-logs = {
name = "my-consumer-group"
user_metadata = "Used by fraud detection pipeline"
}
}
}
}
}| Name | Version |
|---|---|
| terraform | ~> 1.9.0 |
| azurerm | >= 4.0.0 |
| Name | Version |
|---|---|
| azurerm | >= 4.0.0 |
| Name | Type |
|---|---|
| azurerm_eventhub.this | resource |
| azurerm_eventhub_authorization_rule.this | resource |
| azurerm_eventhub_cluster.this | resource |
| azurerm_eventhub_consumer_group.this | resource |
| azurerm_eventhub_namespace.this | resource |
| azurerm_eventhub_namespace_authorization_rule.this | resource |
| azurerm_eventhub_namespace_customer_managed_key.this | resource |
| azurerm_eventhub_namespace_disaster_recovery_config.this | resource |
| azurerm_eventhub_namespace_schema_group.this | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| location | * location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. Example: location = "germanywestcentral" |
string |
n/a | yes |
| name | * name - (Required) Specifies the name of the EventHub Namespace resource. Changing this forces a new resource to be created.Example: name = "eh-namespace-dev" |
string |
n/a | yes |
| resource_group_name | * resource_group_name - (Required) The name of the resource group in which to create the namespace. Changing this forces a new resource to be created.Example: resource_group_name = "rg-eventhub-dev-germanywestcentral" |
string |
n/a | yes |
| sku | * sku - (Required) Defines which tier to use. Valid options are Basic, Standard, and Premium. Please note that setting this field to Premium will force the creation of a new resource.Example: sku = "Standard" |
string |
n/a | yes |
| authorization_rule | The following arguments are supported: ~> Note: At least one of the 3 permissions below needs to be set. * name - (Required) Specifies the name of the EventHub Authorization Rule resource. Changing this forces a new resource to be created.* listen - Enable listen permission for the Event Hub Namespace Authorization Rule. Grants the rule the ability to receive messages from the Event Hub Namespace.* send - (Optional) Does this Authorization Rule have permissions to Send to the Event Hub? Defaults to false.* manage - (Optional) Does this Authorization Rule have permissions to Manage to the Event Hub? When this property is true - both listen and send must be too. Defaults to false.Example: authorization_rule = { |
map(object({ |
null |
no |
| auto_inflate_enabled | * auto_inflate_enabled - (Optional) Is Auto Inflate enabled for the EventHub Namespace?Example: auto_inflate_enabled = true |
bool |
null |
no |
| capacity | * capacity - (Optional) Specifies the Capacity / Throughput Units for a Standard SKU namespace. Default capacity has a maximum of 2, but can be increased in blocks of 2 on a committed purchase basis. Defaults to 1.Example: capacity = 2 |
number |
1 |
no |
| customer_managed_key | The following arguments are supported: * key_vault_key_ids - (Required) The list of keys of Key Vault.* infrastructure_encryption_enabled - (Optional) Whether to enable Infrastructure Encryption (Double Encryption). Changing this forces a new resource to be created.* user_assigned_identity_id - (Optional) The ID of a User Managed Identity that will be used to access Key Vaults that contain the encryption keys.user_assigned_identity_id, ensure the User Assigned Identity is also assigned to the parent Event Hub.user_assigned_identity_id, make sure to assign the identity the appropriate permissions to access the Key Vault key. Failure to grant Get, UnwrapKey, and WrapKey will cause this resource to fail to apply.Example: customer_managed_key = { |
map(object({ |
null |
no |
| dedicated_cluster_id | * dedicated_cluster_id - (Optional) Specifies the ID of the EventHub Dedicated Cluster where this Namespace should created. Changing this forces a new resource to be created.Example: dedicated_cluster_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.EventHub/clusters/my-cluster" |
string |
null |
no |
| disaster_recovery_config | The following arguments are supported: * name - (Required) Specifies the name of the Disaster Recovery Config. Changing this forces a new resource to be created.* partner_namespace_id - (Required) The ID of the EventHub Namespace to replicate to.Example: disaster_recovery_config = { |
map(object({ |
null |
no |
| eventhub | The following arguments are supported: * name - (Required) Specifies the name of the EventHub resource. Changing this forces a new resource to be created.* partition_count - (Required) Specifies the current number of shards on the Event Hub.partition_count cannot be changed unless Eventhub Namespace SKU is Premium and cannot be decreased.partition_count is 1024. When using a shared parent EventHub Namespace, maximum value is 32.* message_retention - (Required) Specifies the number of days to retain the events for this Event Hub.~> Note: When using a dedicated Event Hubs cluster, maximum value of message_retention is 90 days. When using a shared parent EventHub Namespace, maximum value is 7 days; or 1 day when using a Basic SKU for the shared parent EventHub Namespace.* A capture_description block supports the following:* enabled - (Required) Specifies if the Capture Description is Enabled.* encoding - (Required) Specifies the Encoding used for the Capture Description. Possible values are Avro and AvroDeflate.* interval_in_seconds - (Optional) Specifies the time interval in seconds at which the capture will happen. Values can be between 60 and 900 seconds. Defaults to 300 seconds.* size_limit_in_bytes - (Optional) Specifies the amount of data built up in your EventHub before a Capture Operation occurs. Value should be between 10485760 and 524288000 bytes. Defaults to 314572800 bytes.* skip_empty_archives - (Optional) Specifies if empty files should not be emitted if no events occur during the Capture time window. Defaults to false.* A destination block supports the following:* name - (Required) The Name of the Destination where the capture should take place. At this time the only supported value is EventHubArchive.AzureBlockBlob.-> Note: At this time it's only possible to Capture EventHub messages to Blob Storage. There's a Feature Request for the Azure SDK to add support for Capturing messages to Azure Data Lake here. * archive_name_format - (Required) The Blob naming convention for archiving. e.g. {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}. Here all the parameters (Namespace,EventHub .. etc) are mandatory irrespective of order* blob_container_name - (Required) The name of the Container within the Blob Storage Account where messages should be archived.* storage_account_id - (Required) The ID of the Blob Storage Account where messages should be archived.* status - (Optional) Specifies the status of the Event Hub resource. Possible values are Active, Disabled and SendDisabled. Defaults to Active.* authorization_rule - (Optional) The following arguments are supported: * name - (Required) Specifies the name of the EventHub Authorization Rule resource. Changing this forces a new resource to be created.~> Note: At least one of the 3 permissions below needs to be set. * listen - (Optional) Does this Authorization Rule have permissions to Listen to the Event Hub? Defaults to false.* send - (Optional) Does this Authorization Rule have permissions to Send to the Event Hub? Defaults to false.* manage - (Optional) Does this Authorization Rule have permissions to Manage to the Event Hub? When this property is true - both listen and send must be too. Defaults to false.* cluster - (Optional) The following arguments are supported:* name - (Required) Specifies the name of the EventHub Cluster resource. Changing this forces a new resource to be created.* sku_name - (Required) The SKU name of the EventHub Cluster. The only supported value at this time is Dedicated_1.* tags - (Optional) A mapping of tags to assign to the resource.* consumer_group - (Optional) The following arguments are supported:* name - (Required) Specifies the name of the EventHub Consumer Group resource. Changing this forces a new resource to be created.* user_metadata - (Optional) Specifies the user metadata.Example: eventhub = { |
map(object({ |
null |
no |
| identity | A identity block supports the following:* type - (Required) Specifies the type of Managed Service Identity that should be configured on this Event Hub Namespace. Possible values are SystemAssigned or UserAssigned.* identity_ids - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this EventHub namespace.type is set to UserAssigned or SystemAssigned, UserAssigned.Example: identity = { |
object({ |
null |
no |
| local_authentication_enabled | * local_authentication_enabled - (Optional) Is SAS authentication enabled for the EventHub Namespace? Defaults to true.Example: local_authentication_enabled = false |
bool |
true |
no |
| maximum_throughput_units | * maximum_throughput_units - (Optional) Specifies the maximum number of throughput units when Auto Inflate is Enabled. Valid values range from 1 - 40.Example: maximum_throughput_units = 20 |
number |
null |
no |
| minimum_tls_version | * minimum_tls_version - (Optional) The minimum supported TLS version for this EventHub Namespace. Valid values are: 1.0, 1.1 and 1.2. Defaults to 1.2.~> Note: Azure Services will require TLS 1.2+ by August 2025, please see this announcement for more. Example: minimum_tls_version = "1.2" |
string |
"1.2" |
no |
| network_rulesets | * A network_rulesets block supports the following:* default_action - (Required) The default action to take when a rule is not matched. Possible values are Allow and Deny.* public_network_access_enabled - (Optional) Is public network access enabled for the EventHub Namespace? Defaults to true.~> Note: The public network access setting at the network rule sets level should be the same as it's at the namespace level. * trusted_service_access_enabled - (Optional) Whether Trusted Microsoft Services are allowed to bypass firewall.* A virtual_network_rule block supports the following:* subnet_id - (Required) The id of the subnet to match on.* ignore_missing_virtual_network_service_endpoint - (Optional) Are missing virtual network service endpoints ignored? A ip_rule block supports the following:* ip_mask - (Required) The IP mask to match on.* action - (Optional) The action to take when the rule is matched. Possible values are Allow. Defaults to Allow.Example: network_rulesets = [ |
list(object({ |
null |
no |
| public_network_access_enabled | * public_network_access_enabled - (Optional) Is public network access enabled for the EventHub Namespace? Defaults to true.Example: public_network_access_enabled = false |
bool |
true |
no |
| schema_group | The following arguments are supported: * name - (Required) Specifies the name of this schema group. Changing this forces a new resource to be created.* schema_compatibility - (Required) Specifies the compatibility of this schema group. Possible values are None, Backward, Forward. Changing this forces a new resource to be created.* schema_type - (Required) Specifies the Type of this schema group. Possible values are Avro, Unknown and Json. Changing this forces a new resource to be created.~> Note: When schema_type is specified as Json, schema_compatibility must be set to None.Example: schema_group = { |
map(object({ |
null |
no |
| tags | * tags - (Optional) A mapping of tags to assign to the resource.Example: tags = { |
map(string) |
null |
no |
| timeouts | The timeouts block allows you to specify timeouts for certain actions:* create - (Defaults to 30 minutes) Used when creating the EventHub.* update - (Defaults to 30 minutes) Used when updating the EventHub.* read - (Defaults to 5 minutes) Used when retrieving the EventHub.* delete - (Defaults to 30 minutes) Used when deleting the EventHub.Example: timeouts = { |
object({ |
null |
no |
| Name | Description |
|---|---|
| authorization_rule | * id - The EventHub ID.* primary_connection_string_alias - The alias of the Primary Connection String for the Event Hubs authorization Rule, which is generated when disaster recovery is enabled.* secondary_connection_string_alias - The alias of the Secondary Connection String for the Event Hubs Authorization Rule, which is generated when disaster recovery is enabled.* primary_connection_string - The Primary Connection String for the Event Hubs authorization Rule.* primary_key - The Primary Key for the Event Hubs authorization Rule.* secondary_connection_string - The Secondary Connection String for the Event Hubs Authorization Rule.* secondary_key - The Secondary Key for the Event Hubs Authorization Rule.Example output: output "namespace_authorization_rule_id" { |
| consumer_group | * id - The ID of the EventHub Consumer Group.Example output: output "consumer_id" { |
| eventhub | * id - The ID of the EventHub.* partition_ids - The identifiers for partitions created for Event Hubs.Example output: output "eventhub_id" { |
| eventhub_cluster | * id - The EventHub Cluster ID.Example output: output "cluster_id" { |
| eventhub_namespace | * id - The EventHub Namespace ID.The following attributes are exported only if there is an authorization rule named RootManageSharedAccessKey which is created automatically by Azure. * default_primary_connection_string - The primary connection string for the authorization rule RootManageSharedAccessKey.* default_primary_connection_string_alias - The alias of the primary connection string for the authorization rule RootManageSharedAccessKey, which is generated when disaster recovery is enabled.* default_primary_key - The primary access key for the authorization rule RootManageSharedAccessKey.* default_secondary_connection_string - The secondary connection string for the authorization rule RootManageSharedAccessKey.* default_secondary_connection_string_alias - The alias of the secondary connection string for the authorization rule RootManageSharedAccessKey, which is generated when disaster recovery is enabled.* default_secondary_key - The secondary access key for the authorization rule RootManageSharedAccessKey.An identity block exports the following:* principal_id - The Principal ID associated with this Managed Service Identity.* tenant_id - The Tenant ID associated with this Managed Service Identity.Example output: output "eventhub_namespace_id" { |
| namespace_authorization_rule | * id - The EventHub Namespace Authorization Rule ID.* primary_connection_string_alias - The alias of the Primary Connection String for the Authorization Rule, which is generated when disaster recovery is enabled.<br/> * secondary_connection_string_alias- The alias of the Secondary Connection String for the Authorization Rule, which is generated when disaster recovery is enabled.<br/> *primary_connection_string- The Primary Connection String for the Authorization Rule.<br/> *primary_key- The Primary Key for the Authorization Rule.<br/> *secondary_connection_string- The Secondary Connection String for the Authorization Rule.<br/> *secondary_key- The Secondary Key for the Authorization Rule.<br/><br/><br/> Example output:<br/> output "namespace_authorization_rule_id" { |
| namespace_disaster_recovery_config | * id - The EventHub Namespace Disaster Recovery Config ID.Example output: output "namespace_disaster_recovery_config_id" { |
| namespace_schema_group | * id - The ID of the EventHub Namespace Schema Group.Example output: output "schema_group_id" { |
No modules.
Please open a GitHub issue or start a discussion if you encounter problems or would like to suggest improvements. Contributions are welcome!
This module is released under the Apache 2.0 License. See the LICENSE file for full details.