A couple years ago I discovered the Azure Landing Zone module on the Terraform registry, and I was aghast. What was this nightmare tangle of nested modules with hundreds of resources? What was its purpose? What is an Azure Landing Zone anyway? Finally, I have answers for all these questions and more thanks to Kevin Evans over at Code to Cloud.
It’s really easy to create an Azure subscription with a credit card and start deploying resources willy-nilly. That’s fine if you’re just experimenting with Azure or spinning up resources for a small company. It doesn’t work so well for an enterprise scale organization that will need multiple subscriptions, separation of duties, and a well-defined hierarchy. That’s the problem that Azure Landing Zones are meant to solve.
Essentially, Landing Zones create the underlying substrate for you to deploy applications. They involve setting up Management Groups to delegate permissions, applying Azure Policies to enforce best practices, and provisioning subscriptions that are dedicated to identity, management, and connectivity. These form the platform landing zones layer, and provide shared services to application landing zones that will contain your actual applications.
The chart Microsoft provides is admittedly a bit cluttered. So I’ve simplified it.
Trust me when I say that there’s a LOT more to Landing Zones than what’s being shown here, but the essentials are pretty much covered.
The Terraform module to deploy an Landing Zones is absolutely gigantic, with a README that spans into multiple pages and scenarios. There’s a basic 100 level deployment that basically just sets up the Management Group structure and places your subscriptions in the correct place in the hierarchy. That jumps all the way up to a 300 level deployment with a hub and spoke Azure Virtual WAN and zero trust networking.
To learn more about Landing Zones and deploying them using the Terraform module, I joined Kevin Evans on his YouTube channel Code to Cloud.
Kevin gave me a primer on what Landing Zones are, how the module is structured, and some prerequisites to get started. Then we went ahead and deployed the whole damn thing. We even ran into a few hiccups that Kevin left in, so you can see that even an Azure expert and a Terraform guru get stymied from time to time.
One of the big issues we ran into was the sequencing of resources. Kevin deliberately chose to roll out the changes incrementally, otherwise they would fail due to resource dependencies. This situation and the complexity of the module made me think of Terraform Stacks, and how they would be a great fit for this exact scenario. Is that something you’d be interested in seeing? Hit me up on LinkedIn or Bluesky and let me know. I think I could adapt the current ALZ Terraform Module to use Stacks without too much difficulty.
Thanks to Kevin for inviting me to be on his show and for dispelling the mystery around Azure Landing Zones. That’s been on my to-do list for a while, but honestly I don’t know when I would have gotten to it. Kevin’s invitation served as a forcing function and now I feel comfortable talking about Azure Landing Zones and approaching the module with slightly less trepidation - slightly less.
Please give the video a watch and give Kevin a subscribe and like!
Resourcely Guardrails and Blueprints
November 15, 2024
Deploying Azure Landing Zones with Terraform
November 12, 2024
October 18, 2024
What's New in the AzureRM Provider Version 4?
August 27, 2024
