Azure Landing Zone with Terraform
Build and customize Azure Landing Zone
Overview
An Azure landing zone is a hierarchy of management groups, with your organization root at the top, directly under the Tenant Root Group.
Management groups are the containers for your subscriptions.
You can apply a set of policies and RBAC roles to any management group, and every management group below it in the hierarchy inherits them.
This hierarchy provides the framework. As the diagram above shows, Contoso is your organization root, and underneath it sit the following management groups:
- Platform
- Landing Zones
- Decommissioned
- Sandbox
Identity, Management and Connectivity (under Platform) together with Corp and Online (under Landing Zones) form the core set of management groups to be deployed.
You can add your own business units as management groups under Corp instead of adding subscriptions there directly, but Microsoft recommends not exceeding six levels of hierarchy. The purpose of a landing zone is subscription democratization: instead of using a resource group as the container for resources, each application team can be given its own subscription.
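The hierarchy and inheritance described above, expressed in Terraform with the azurerm provider. This is an added example, not the post's own code: the subscription IDs come from an assumed input variable, the region list is constructed, and the "Allowed locations" policy is looked up by display name rather than by ID.

```hcl
provider "azurerm" {
  features {}
}

# Assumed input, not from the original post: subscriptions to place under Corp.
variable "corp_subscription_ids" { type = list(string) }

# Organization root; parent omitted, so it sits directly under the Tenant Root Group.
resource "azurerm_management_group" "contoso" {
  display_name = "Contoso"
}

resource "azurerm_management_group" "platform" {
  display_name               = "Platform"
  parent_management_group_id = azurerm_management_group.contoso.id
}

resource "azurerm_management_group" "landing_zones" {
  display_name               = "Landing Zones"
  parent_management_group_id = azurerm_management_group.contoso.id
}

# Subscriptions attach to Corp, so each application team owns a subscription
# rather than a resource group inside a shared one.
resource "azurerm_management_group" "corp" {
  display_name               = "Corp"
  parent_management_group_id = azurerm_management_group.landing_zones.id
  subscription_ids           = var.corp_subscription_ids
}

# Built-in "Allowed locations" policy definition, resolved by display name.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

# Assigned once at the organization root: every management group and
# subscription beneath Contoso inherits the restriction, so a team cannot
# deploy outside the approved regions by placing resources lower in the tree.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.contoso.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["westeurope", "northeurope"] } # constructed
  })
}
```

Running `terraform plan` with a tenant-level identity that has Management Group Contributor rights shows the four groups being created and the single assignment at the root; the child groups carry no assignment of their own, which is the inheritance point.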
Architecture
As an exercise, I am going to implement the following organizational structure under the Tenant Root Group.