Azure Landing Zones Terraform Module - Deployment
Enterprise Scale is a Microsoft Azure architecture that provides a framework for organizing and managing cloud resources at scale. The architecture is built from several components, including:
Management Groups, Subscriptions, Resource Groups, Naming Convention, Azure Policy, Landing Zones and Shared Services
In this post, I'll demonstrate the deployment of Enterprise Scale with Terraform, following the examples in the module's GitHub repo. The repo currently groups its examples into four levels:
| Level 100 | Level 200 | Level 300 | Level 400 |
|---|---|---|---|
| Deploy default configuration | Deploy custom landing zone archetypes | Deploy connectivity resources with custom settings (Hub and Spoke) | Deploy using module nesting |
| Deploy demo landing zone archetypes | Deploy connectivity resources (Hub and Spoke) | Deploy connectivity resources with custom settings (Virtual WAN) | Deploy using multiple module declarations with orchestration |
| | Deploy connectivity resources (Virtual WAN) | Deploy identity resources with custom settings | Deploy using multiple module declarations with remote state |
| | Deploy identity resources | Deploy management resources with custom settings | |
| | Deploy management resources | Expand built-in archetype definitions | |
| | Assign a built-in policy | Create custom policies, initiatives and assignments | |
| | Create and assign custom RBAC roles | Override module role assignments | |
| | Set parameter values for Policy Assignments | | |
I'll be going through the Level 100 examples in this article.
My environment:
- Terraform v1.4.2
- azurerm v3.50.0
- Windows 11
What does Enterprise Scale look like? See the link below.
What does this guide deploy? The module deploys the management group hierarchy shown in the diagram above, under the Tenant Root Group. Along with the management groups it creates:
- The recommended governance baseline: Azure Policy definitions, initiatives and assignments at management group scope
- Access control (IAM): custom role definitions and role assignments at management group scope
Demo:
Deploy default configuration Part 1
GitHub repo: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale (Azure landing zones Terraform module)
1. Create a folder for the demo with an empty main.tf in it.
2. If you haven't already done so, log in to the Azure CLI with az login, then select the subscription you will be deploying to with az account set --subscription <subscription id>. The signed-in identity also needs rights at the parent scope of the new hierarchy, which here is the Tenant Root Group because root_parent_id is set to the tenant ID: the module creates management groups, policy assignments and role assignments there, so in practice that means Owner (or equivalent rights to create management groups and assign policy and roles) at that scope. A Global Administrator only gets that after elevating access in Azure AD.
3. Run az account show to confirm you are in the correct subscription and tenant. The tenantId it prints is what the module will use as root_parent_id.
4. Create the main.tf file below. In my example, you only need to edit three lines:
version = "3.3.0" # change this to your desired version
root_id = "cphadev"
root_name = "Cloud Alpha Dev"
```hcl
# We strongly recommend using the required_providers block to set the
# Azure Provider source and version being used.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.35.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# You can use the azurerm_client_config data resource to dynamically
# extract connection settings (tenant ID, subscription ID, object ID of the
# signed-in identity) from the provider configuration.
data "azurerm_client_config" "core" {}

# Call the caf-enterprise-scale module directly from the Terraform Registry,
# pinning to a specific version.
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "3.3.0" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  # The module expects three provider configurations: the default one plus
  # aliases for the connectivity and management subscriptions. For the
  # default configuration nothing is deployed into those subscriptions
  # (deploy_connectivity_resources and deploy_management_resources default
  # to false), so all three can point at the same provider here.
  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  # Parent of the new hierarchy: the tenant ID addresses the Tenant Root Group.
  root_parent_id = data.azurerm_client_config.core.tenant_id
  # ID prefix for every management group the module creates, and the display
  # name of the root management group.
  root_id        = "cphadev"
  root_name      = "Cloud Alpha Dev"
}
```
5. Run terraform init to download the provider and module, terraform plan to review what will be created, then terraform apply to deploy.
And that's it. The apply takes some time. Once it finishes, confirm the resources have been created in the portal:
Management Groups: the hierarchy under the new root management group (cphadev)
Azure Policy: the assignments at management group scope. Make sure the scope selector in the Policy blade is set to the new root management group, otherwise the assignments will not be shown.
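Clicking through the portal is fine for a demo, but the same check can be scripted. The following is an added example, not part of the original post or of the module's own code: it validates the root_id you intend to use and compares a deployed hierarchy, as exported by the Azure CLI, against the management groups the default configuration is expected to create. It assumes the module's root_id rule is alphanumerics and hyphens, 2 to 10 characters, and that the default configuration creates exactly the eight management groups listed in expected_hierarchy (my reading of module v3.x, not something the post states). The JSON tree below is a constructed sample in the shape returned by az account management-group show --name cphadev --expand --recurse -o json, with one platform child deliberately left out so the check has something to report.

```python
import json
import re
import sys

MG_TYPE = "Microsoft.Management/managementGroups"

# Assumption: the module validates root_id as 2-10 alphanumerics/hyphens.
ROOT_ID_PATTERN = re.compile(r"^[a-zA-Z0-9-]{2,10}$")


def validate_root_id(root_id):
    """Return True if root_id satisfies the assumed module constraint."""
    return bool(ROOT_ID_PATTERN.fullmatch(root_id))


def expected_hierarchy(root_id):
    """Map each expected management group ID to its parent ID.

    Assumption: the default configuration creates exactly these eight groups;
    the root's parent (None here) is root_parent_id, i.e. the Tenant Root Group.
    """
    platform = f"{root_id}-platform"
    return {
        root_id: None,
        f"{root_id}-decommissioned": root_id,
        f"{root_id}-sandboxes": root_id,
        f"{root_id}-landing-zones": root_id,
        platform: root_id,
        f"{platform}-connectivity": platform,
        f"{platform}-identity": platform,
        f"{platform}-management": platform,
    }


def flatten(node, parent=None):
    """Walk the nested 'children' tree from the CLI and return {mg_id: parent_id}.

    Subscription children (a different 'type') are skipped; only management
    groups are part of the hierarchy we want to verify.
    """
    result = {node["name"]: parent}
    for child in node.get("children") or []:
        if child.get("type") == MG_TYPE:
            result.update(flatten(child, node["name"]))
    return result


def check_hierarchy(tree, root_id):
    """Compare the deployed tree with the expected one.

    Returns a report with groups that are missing, present under the wrong
    parent, or present but not part of the expected default configuration.
    """
    expected = expected_hierarchy(root_id)
    actual = flatten(tree)
    return {
        "missing": sorted(mg for mg in expected if mg not in actual),
        "misparented": sorted(
            mg for mg in expected if mg in actual and actual[mg] != expected[mg]
        ),
        "unexpected": sorted(mg for mg in actual if mg not in expected),
    }


def mg(name, display, children=None):
    """Helper to build a node in the same shape the CLI returns."""
    return {"name": name, "displayName": display, "type": MG_TYPE, "children": children}


# Constructed sample output (not a real tenant): cphadev-platform-identity is
# intentionally absent, and landing-zones contains a placeholder subscription.
SAMPLE_TREE = mg("cphadev", "Cloud Alpha Dev", [
    mg("cphadev-decommissioned", "Decommissioned"),
    mg("cphadev-sandboxes", "Sandboxes"),
    mg("cphadev-landing-zones", "Landing zones", [
        {"name": "00000000-0000-0000-0000-000000000000", "displayName": "demo-sub",
         "type": "/subscriptions", "children": None},
    ]),
    mg("cphadev-platform", "Platform", [
        mg("cphadev-platform-connectivity", "Connectivity"),
        mg("cphadev-platform-management", "Management"),
    ]),
])


if __name__ == "__main__":
    # Usage: python check_mg.py <root_id> [tree.json]; without a file the
    # constructed sample above is checked.
    root = sys.argv[1] if len(sys.argv) > 1 else "cphadev"
    if not validate_root_id(root):
        sys.exit(f"root_id {root!r} does not match the module's constraint")
    tree = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_TREE
    print(json.dumps(check_hierarchy(tree, root), indent=2))
```

To run it against a real deployment, export the tree with az account management-group show --name cphadev --expand --recurse -o json > tree.json and pass the file as the second argument. An empty report means the eight groups exist with the expected parents; anything under "unexpected" is either a group you added outside Terraform or drift worth investigating.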
Onto the next part
Deploy Demo Landing Zone Archetypes Part 2
TBC