Variable Reference¶

All deployment tools read from a single central configuration file: config/variables.yml. This file is the single source of truth — your architecture decisions, sizing, identity settings, and infrastructure IDs are declared here and consumed by every automation tool.

Getting started

Copy the example and fill in your values:

cp config/variables.example.yml config/variables.yml

Never commit variables.yml — it is excluded by .gitignore because it contains environment-specific values and Key Vault references.

Naming Rules¶

Scope	Convention	Example
Top-level sections	`snake_case`	`control_plane`, `session_hosts`
Keys within sections	`snake_case`	`subscription_id`, `vm_memory_mb`
Booleans	Descriptive name	`enable_entra_id_auth: true`
Secrets	`keyvault://` URI	`keyvault://kv-name/secret-name`
Example values	IIC fictional identity	`iic.local`, `rg-iic-avd-hp-eus-01`, `kv-iic-platform`

Subscription & Global¶

subscription:
  avd_subscription_id: "00000000-0000-0000-0000-000000000000"
  azure_local_subscription_id: "00000000-0000-0000-0000-000000000000"
  tenant_id: "00000000-0000-0000-0000-000000000000"
  location: "eastus"

Variable	Type	Required	Description	Default
`subscription.avd_subscription_id`	string	Yes	Azure subscription for AVD control plane and session hosts	—
`subscription.azure_local_subscription_id`	string	Yes	Azure subscription where the Azure Local cluster is registered	—
`subscription.tenant_id`	string	Yes	Entra ID tenant	—
`subscription.location`	string	Yes	Azure region	`eastus`

Security — Key Vault¶

security:
  key_vault_name: "kv-iic-platform"
  key_vault_resource_group: "rg-iic-mgmt-eus-01"

Variable	Type	Required	Description	Default
`security.key_vault_name`	string	Yes	Platform Key Vault for all `keyvault://` URI resolution	—
`security.key_vault_resource_group`	string	Yes	Resource group containing the Key Vault	—

Control Plane¶

control_plane:
  resource_group: "rg-iic-avd-hp-eus-01"
  host_pool_name: "hp-iic-avd-pool01"
  host_pool_type: "Pooled"
  load_balancer_type: "BreadthFirst"
  max_session_limit: 16
  preferred_app_group_type: "Desktop"
  personal_assignment_type: "Automatic"
  start_vm_on_connect: false
  validation_environment: false
  custom_rdp_properties: ""
  app_group_name: "vdag-iic-avd-eus-01"
  app_group_type: "Desktop"
  workspace_name: "vdws-iic-avd-eus-01"

Variable	Type	Required	Description	Default
`control_plane.resource_group`	string	Yes	Resource group for host pool, app group, workspace	—
`control_plane.host_pool_name`	string	Yes	Host pool name	—
`control_plane.host_pool_type`	string	Yes	`Pooled` or `Personal`	`Pooled`
`control_plane.load_balancer_type`	string	Pooled	`BreadthFirst` or `DepthFirst`	`BreadthFirst`
`control_plane.max_session_limit`	integer	Pooled	Max concurrent sessions per host	`16`
`control_plane.preferred_app_group_type`	string	Yes	`Desktop`, `RailApplications`, or `None`	`Desktop`
`control_plane.personal_assignment_type`	string	Personal	`Automatic` or `Direct`	`Automatic`
`control_plane.start_vm_on_connect`	boolean	No	Requires Desktop Virtualization Power On Contributor RBAC	`false`
`control_plane.validation_environment`	boolean	No	Receives service updates before production	`false`
`control_plane.custom_rdp_properties`	string	No	Semicolon-delimited RDP properties	`""`
`control_plane.app_group_name`	string	Yes	Application group name	—
`control_plane.app_group_type`	string	Yes	`Desktop` or `RemoteApp`	`Desktop`
`control_plane.workspace_name`	string	Yes	AVD workspace name	—

Session Hosts¶

session_hosts:
  resource_group: "rg-iic-avd-sh-eus-01"
  session_host_count: 2
  vm_naming_prefix: "vm-iicavd"
  vm_start_index: 1
  vm_processors: 4
  vm_memory_mb: 16384
  vm_admin_username: "avd_admin"
  vm_admin_password: "keyvault://kv-iic-platform/avd-local-admin-password"
  session_host_os: "Windows-11-Enterprise-Multi-Session"
  custom_location_id: "<resource ID>"
  logical_network_id: "<resource ID>"
  gallery_image_id: "<resource ID>"
  storage_path_id: "<resource ID>"

Variable	Type	Required	Description	Default
`session_hosts.resource_group`	string	Yes	Resource group for session host VMs	—
`session_hosts.session_host_count`	integer	Yes	Number of session host VMs	`2`
`session_hosts.vm_naming_prefix`	string	Yes	VMs named `{prefix}-001`, `{prefix}-002`, etc.	`vm-iicavd`
`session_hosts.vm_start_index`	integer	No	Starting index for VM numbering	`1`
`session_hosts.vm_processors`	integer	Yes	vCPUs per session host	`4`
`session_hosts.vm_memory_mb`	integer	Yes	RAM per VM in MB	`16384`
`session_hosts.vm_admin_username`	string	Yes	Local admin username	`avd_admin`
`session_hosts.vm_admin_password`	string	Yes	Key Vault URI — resolved at runtime	—
`session_hosts.session_host_os`	string	Yes	OS image name	`Windows-11-Enterprise-Multi-Session`
`session_hosts.custom_location_id`	string	Yes	Azure Local custom location resource ID	—
`session_hosts.logical_network_id`	string	Yes	Compute logical network resource ID	—
`session_hosts.gallery_image_id`	string	Yes	Gallery image resource ID	—
`session_hosts.storage_path_id`	string	Yes	Storage path resource ID	—

Domain Join¶

domain:
  domain_fqdn: "iic.local"
  domain_join_username: "svc.domainjoin"
  domain_join_password: "keyvault://kv-iic-platform/domain-join-password"
  domain_join_ou_path: ""

Variable	Type	Required	Description	Default
`domain.domain_fqdn`	string	Yes	Active Directory domain FQDN	`iic.local`
`domain.domain_join_username`	string	Yes	Service account for domain join	—
`domain.domain_join_password`	string	Yes	Key Vault URI for domain join password	—
`domain.domain_join_ou_path`	string	No	Target OU — empty uses default Computers container	`""`

Entra ID Authentication¶

entra_id:
  enable_entra_id_auth: false
  enroll_in_intune: false
  entra_user_login_group_id: ""
  entra_admin_login_group_id: ""

Variable	Type	Required	Description	Default
`entra_id.enable_entra_id_auth`	boolean	No	Installs AADLoginForWindows extension + RDP SSO	`false`
`entra_id.enroll_in_intune`	boolean	No	Register session hosts in Intune MDM	`false`
`entra_id.entra_user_login_group_id`	string	No	Entra group object ID for VM User Login RBAC	`""`
`entra_id.entra_admin_login_group_id`	string	No	Entra group object ID for VM Administrator Login RBAC	`""`

Tags¶

tags:
  Environment: "Production"
  Project: "AVD on Azure Local"
  ManagedBy: "Infrastructure as Code"
  Owner: "Platform Team"
  CostCenter: "IT-Infrastructure"

Variable	Type	Required	Description	Default
`tags.Environment`	string	No	Environment tag	`Production`
`tags.Project`	string	No	Project tag	`AVD on Azure Local`
`tags.ManagedBy`	string	No	Managed-by tag	`Infrastructure as Code`
`tags.Owner`	string	No	Owner tag	`Platform Team`
`tags.CostCenter`	string	No	Cost center tag	`IT-Infrastructure`

Ansible¶

ansible:
  ansible_connection: "local"

Variable	Type	Required	Description	Default
`ansible.ansible_connection`	string	No	Ansible connection type	`local`

Key Vault Secret Resolution¶

Secrets are never stored in plaintext. The keyvault:// URI format tells deployment tools to resolve the value at runtime:

vm_admin_password: "keyvault://kv-iic-platform/avd-local-admin-password"

Resolution flow:

Tool parses the URI → vault name: kv-iic-platform, secret name: avd-local-admin-password
Tool calls az keyvault secret show --vault-name kv-iic-platform --name avd-local-admin-password
Secret value is passed directly to the deployment — never written to disk

Required secrets:

Secret Name	Used By
`avd-local-admin-password`	Local admin password for session host VMs
`domain-join-password`	Service account password for domain join

Tool-Specific Parameter Mapping¶

Each automation tool reads from config/variables.yml and maps values to its own parameter format:

Tool	Parameter File	Location
PowerShell	Reads `config/variables.yml` directly	`config/`
Bicep	`*.bicepparam`	`avd/bicep/`
Terraform	`terraform.tfvars`	`avd/terraform/`
ARM	`*.parameters.json`	`avd/arm/`
Ansible	`hosts.yml`	`src/ansible/inventory/`