

In the first part of this series, we explored the concept of a cloud landing zone and discussed the most common building blocks that are often involved. This part will focus mostly on the implementation itself, getting our hands dirty with everything we learned on theory.

To sum the concept of a Landing Zone in a few words, something along the lines of “Reusable blueprint that provide a consistent foundation while increasing efficiency, security, and compliance” makes a lot of sense.


While the best description is a matter of taste and debate, I think it’s safe to assume that the purpose and functionalities are easier to agree on. The scope and implementation of a Landing Zone on the other hand is an area that may include some variation to the discussion.

A large part of this post is dedicated to creating a Landing Zone solution in practice. There is a considerable amount of Infrastructure as Code and tech buzz below, included with some explanations and reasoning on why we chose to pursue some tech choices. As described in the first part, this example is using Terraform for practical reasons. ARM templates would work just as well, and then you could take advantage of Azure Blueprints.

Enter CAF Terraform Landing Zones

Within the last couple of years, the Microsoft Cloud Adoption Framework has gained a significant presence. Rightfully so, the CAF is a great foundation for any organization looking to move their workloads to Azure. During an assignment, I was tasked to build a Landing Zone for a multi-subscription organization. I was already pretty deep into planning to manage this with Azure Blueprints when my brother-in-arms Masi Malmi tipped me about the CAF-compliant modules and Landing Zone tools for Terraform!

In this post, we are using the CAF Landing Zones and rover, since they offload so many tasks and steps that we would have to take into account if coming up with a complete custom approach. I strongly advise you to plan this ahead if you are embarking on a Landing Zone journey of your own. Creating a solution from scratch is arguably the best way to learn, but it comes with a steep learning curve.

The CAF Landing Zone setup includes a tool called rover — which includes a Terraform wrapper, among other beneficial tools in a container — which saved me countless hours of repetitive work and spending time on mechanisms that were available already. I have now used these tools for a couple of different projects and they have proven to be an efficient solution if you are working with Terraform and Azure.

There is plenty of documentation in Github about the code architecture and organizing of the Landing Zones, included with example LZ’s to get anyone started. I have personally taken some liberties for the customer projects since we’ve worked with a more specific toolset.

As said, using Rover as a runtime allows us to offload state management for the most part, and it enables a working level-based approach for creating the Landing Zones. When working on a new subscription, the first thing is to deploy a Launchpad aka Level 0 Landing Zone, which creates the necessary storage for the remote state. Each and every LZ represents a certain “level” which relies on data and parameters that have been set on a previous stage.

Each level is responsible for certain functionalities or parts of the infrastructure, beginning from the low-level basic functionalities, such as roles and policies.


By design, each Landing Zone is responsible for its state even if Rover makes the management quite straightforward. Each Landing Zone can produce outputs that are then used by the next “levels” of the Landing Zone. This is a great way to pass data to other landing zones and supports the idea of setting certain variables once and using them throughout the lifecycle. Some elements such as tags, regions, and resource IDs can be set once those can be referred to later on as we’ve done with our example.

One important takeaway from the picture above is that the target environment can have as many Landing Zone levels as you see fit. If you are working in an enterprise with a lot of requirements, it might make sense to spread the security and compliance Landing Zone to multiple parts. On the contrary, if you can manage with two or three layers that cater to all your needs as well as the application infrastructure, go ahead! If you look at the picture, you’ll notice that starting from Level 3 the configuration involves application configuration. This is likely something specific to your environment or subscription, so at that point, the Landing Zones will start to branch out from each other and they are no longer identical with each other. In an ideal situation, levels 1 and 2 change rarely, whereas levels 3+ may be redeployed multiple times a day because of ongoing development. If you look at the reference picture, levels 1 and 2 are the common baseline LZ’s that are deployed to each and every subscription, and from that point onwards each subscription may start to branch out separately if they are hosting different workloads.

Splitting the Landing Zone to smaller levels provide:


  • Least privilege approach — easier to control permissions

  • Autonomy and modularity — easier to author changes and features

  • Controlled blast radius — Smaller units of configuration are easier to test

  • A consistent toolset that can be used for both development and deployment


Individual Landing Zones and the amount of them depend on your environment and complexity.


Rover also integrates directly with VSCode and the Remote Development extension. This way you can use VSCode to create your Terraform configurations and deploy them directly from your workstation with Rover to ensure they function as expected. This extends the development capabilities so that you can use the same runtime as you would use from a CD pipeline.

Please take a look at the CAF landing zones and rover if you are interested in learning more about them. We are using a fairly simple example in this post which doesn’t even begin to take advantage of all the cool features available. That is to keep this blog from becoming a three-part series.

Hands-On: Introducing Contoso Corporation

Picture this; It’s your first day working in the IT Ops team for Contoso Corporation. Somebody is asking if you could help to create a repeatable, secure, and well-optimized infrastructure template that could be used for all future Azure deployments. Sure thing!

To get things started, we quickly map out the requirements we need to include in our Minimum Viable Product. As I explained in the first part of the series, start from the very basic requirements and work your way from there. Every fine little detail may not be in place from day one. This is as much of software development as any, so define the capabilities and features accordingly. Use agile. Use sprints. Use whatever methods and tools you feel comfortable with to keep the development moving on continuously.

Based on an internal brainstorming session we conclude that version 0.1 should deploy the following for each subscription:


  • Deployment of Log Analytics (configured with Activity Logs for preserving audit data)

  • Deployment of an Azure Policy that enforces certain Azure regions

  • Deployment of an Azure Policy that denies VMs to use any public IPs

  • Configuration of RBAC with designated Azure AD security groups

  • All resource groups tagged with predefined key:value pairs.


To make things a bit easier to maintain later, each deployment must supply some unique input that will be used, such as values for tags, contact information for Azure Security Center, and a short friendly name for the subscription, which will be used in the naming conventions for all resources.


Now, if you are just starting with the CAF Landing Zones, I suggest using the starter examples and learning from them. Clone the repository, try things out and study the docs. They are a great reference and include a lot of good use cases on how to use the ready-made modules and blueprints in conjunction. However, we want to keep this example fairly short and straightforward so we’ll create our own Landing Zone. We are using the Level 0 (“Launchpad”) that is provided out of the box, to get a head start, but other than that we’ve taken some liberties. Don’t take the examples too literally, they are here to merely prove a point.

Getting our hands dirty

Now, for our experiments let’s use a repository with the original starter LZs as well as the ones we use for this post. Let’s start by cloning the existing CAF repository and start building our fresh Level 1 LZ to a new directory. The last line invokes VSCode so if you prefer to use another IDE, disregard that (although I strongly suggest you use VSCode):

git clone https://github.com/anttipo/caf-landingzone-example.gitcode caf-landingzone-example/

If you have the Remote Development -extension installed in your VSCode, you should get a prompt asking if you want to reopen the folder inside a container. Clicking ‘Yes’ will reopen the workspace in the rover container, which makes it easy to run interactive commands directly. If you are using the VSCode and Remote Development combo, you’ll first need to log in with rover:

# log in similar to azure cli
rover login# after logging in choose the proper subscription if needed
az account set --subscription <subscription_id>

This will invoke the normal device login process that you are likely used to with AzCLI. Next up we’ll deploy the Level 0 Landing Zone, also known as Launchpad. For this we are using a pre-existing launchpad, that is included in the repository.

rover -lz /tf/caf/landingzones/launchpad/ -a apply -launchpad -env sandpit

rover is pretty verbose and will instruct you accordingly if you mistype something important. Having the environment is optional, and it will automatically default to sandpit if nothing is provided. It’s best to learn the habit of including the environment right from the start.

If everything went as expected, you have some new resources deployed in your Azure subscription! These follow a certain, predefined naming convention with a random prefix, as well as descriptive names of what the resource groups are used for. You can find more information from the Terraform CAF GitHub that describes what these resources are for, but basically, they prepare your subscription and set the stage to deploy more Landing Zones, by creating a Key Vault and storage for the Terraform state.

Launchpad deployed to our subscription

To follow clear and practical conventions, we’ll structure our LZ’s around modules.


We begin with making a simple module for the Log Analytics part, while taking advantage of the CAF provider, along with some existing modules:

We have a separate variables.tf -file which introduces the variables used by the module. Let’s do a similar convention for providing some ready-made RBAC assignments. In our example, we want the LZ to always create three predefined AAD security groups and assign them to appropriate roles. Note that for this module to function you will need to have the appropriate AAD permissions to create security groups:

Once more for the road, so let’s also create a module for Azure Policy that we want to include with the LZ:


Then, we call this module from the main.tf -file in our LZ root:

Notice the data “terraform_remote_state” “level0_launchpad” we configured? That is used to pull any outputs that might be necessary from the previous LZ level. We don’t take advantage of it in our Level 1 LZ here but the example in GitHub contains a Level 2 LZ as well which does use this feature for its benefit. Even if you might not need it, it’s good to keep the remote state reference in place for future compatibility.

注意我们配置的数据“ terraform_remote_state”“ level0_launchpad”吗? 这用于从先前的LZ级别提取任何可能需要的输出。 我们不在这里的Level 1 LZ中利用它,但是GitHub中的示例也包含Level 2 LZ,它确实利用了此功能。 即使您可能不需要它,也最好将远程状态引用保留在适当的位置,以备将来兼容。

We are using the null data source subscription_prefix to form the friendly name that is incorporated in most of the resource names around our landing zone. The subscription_prefix is one of the things we want to provide as an output, so further landing zones can take advantage of it!

我们使用空数据源subscription_prefix来形成友好名称,该友好名称并入我们着陆区周围的大多数资源名称中。 subscription_prefix是我们要提供的输出内容之一,因此更多的着陆区都可以利用它!

OK, we have a very simple yet supposedly functional Landing Zone at our hands. Let’s see how it works with sandbox values that I provide to it as variables in the tfvars file:

rover -lz /tf/caf/landingzones/landingzone_contoso_level_1 -a plan --var-file /tf/caf/landingzones/landingzone_contoso_level_1/sandpit.tfvars

Time to sit back and observe Rover do its thing, which is basically running terraform plan for the Landing Zone we just provided. If everything goes as planned, the outcome should be a properly evaluated plan of actions that Terraform will take. If no errors are detected, run the same command but instead with apply instead of plan:

rover -lz /tf/caf/landingzones/landingzone_contoso_level_1 -a apply --var-file /tf/caf/landingzones/landingzone_contoso_level_1/sandpit.tfvars

After rover and Terraform are finished, we should have a few new resource groups, one of which includes a Log Analytics workspace.

This is already a working yet a very small PoC of a Landing Zone. To scale this to multiple subscriptions or environments you should rely on specifying the values for Terraform variables and apply the same configuration at scale. We’ll use GitHub Actions to deploy this automatically to our sandbox environment. The entire solution with other components of the Landing Zone is available in.

OK, so far from the Terraform perspective all this is fairly straightforward. Nothing extraordinary here. What the layered approach brings to the table, is that now we create outputs to represent the important resources. Later levels will be able to import this data from the remote state and reuse the same parameters instead of setting them all again — keeping our code a bit more DRY.

For example, this short example shows how a Level 2 Landing Zone can import the data for resource location and tags:


See? We import the previous state, pull the interesting outputs to local values, and reuse them with all our resources wherever applicable. Convenient!

That's it? What next?

The example used here is an overly straightforward and simple implementation. It is not a direct fit for an enterprise, but rather proves a point and demonstrates a proof of concept on how Landing Zones can be built.

这里使用的示例是一个过于直接和简单的实现。 它不是直接适合企业,而是证明了一个观点并证明了如何构建着陆区的概念证明。

Here are a few more pointers to get you forward:


  • Modify the Launchpad (Level 0) according to your needs or create an entirely new version of it. The existing Launchpad creates some resources — such as networking — that you may want to change.

  • Focus on developing a baseline and rely on core controls. By definition, that’s what Landing Zone is about. Don’t incorporate services and controls that are useless for your development teams. You can include such functions as optional layers applied later on.

    专注于制定基准并依靠核心控制 。 根据定义,这就是着陆区。 不要合并对您的开发团队无用的服务和控件。 您可以包含诸如稍后应用的可选图层之类的功能。

  • Rely on Terraform best practices and use modules whenever possible, to keep your code DRY.

  • Don’t spend too much time on irrelevant details. For example, a diagnostic configuration can be called just vnetDiagnostics or something similar because it doesn’t overlap with anything.

Automation concepts and CI/CD

Ok, we’ve spent a good while on learning the ropes of creating and maintaining the configurations. However, especially in large environments, deploying individual Landing Zones manually becomes a burden very quickly.

One working approach is to provide each environment or subscription a dedicated tfvars -file, which includes the variable values unique to the environment. This way, the Landing Zone configuration stays intact and can be deployed at scale, while the environment-specific values may change whenever necessary. This keeps each deployment pretty much identical to each other, which streamlines the deployment event further. Depending on your CI/CD solution, this kind of approach may require separate deployment pipelines for each subscription or something resembling the Azure DevOps’s variable groups, so you could use the same pipeline but rotate the variables per deployment or environment.

一种可行的方法是为每个环境或订阅提供专用的tfvars -file,该文件包括该环境唯一的变量值。 这样,着陆区配置保持不变,可以大规模部署,而特定于环境的值可以在必要时更改。 这样可以使每个部署几乎完全相同,从而进一步简化了部署事件。 根据您的CI / CD解决方案,这种方法可能需要为每个订阅使用单独的部署管道或类似于Azure DevOps变量组的部署管道,因此您可以使用相同的管道,但是根据部署或环境旋转变量。

We are gonna harness our LZ to GitHub Actions, which we mimicked from the CAF Terraform repos, and do a simple deployment consisting of:

  • Deploy Launchpad/Level 0 if not present

  • Plan & Apply Level 1

  • Plan & Apply Level 2

  • Destroy Level 2

  • Destroy Level 1

  • Destroy Launchpad/Level 0


So as you can see we basically want to deploy all our current LZs and then get rid of them in an automated fashion. While we cannot use the resources since they are instantly removed, we’ll get the verification that individual levels work with each other and there are no errors in the pipeline. I suggest incorporating this sort of build for testing purposes, so that whenever someone files a change, the setup can be deployed once to a sandbox environment to verify that everything remains intact and functional.

First up, you’ll need a service principal that the workflow will use to log in to your subscription.


# create a new service principal with azure cli
az ad sp create-for-rbac --name $SPNAME

Once you have create the service principal, note down the following parameters and add them as individual secrets on GitHub:


In order to properly use the example LZ, you will need to provide the subscription owner role, as well as the necessary AAD permissions for this principal. After that, create a new yaml file to describe your build workflow or clone the one used in this example and modify it according to your needs. Save the file as /.github/workflows/deploy.yml

If everything goes as planned (and why wouldn’t it) you can observe your GitHub Actions Workflow kick in and deploy the Landing Zone once in its entirety, and then destroy the LZ as well at the end. Obviously this isn’t much good if you want to actually deploy the resources, in which case you should remove the pipeline steps that destroy the LZs.

如果一切都按计划进行(为什么不这样做),您可以观察到GitHub Actions工作流的启动,并一次完整地部署着陆区,然后最后也销毁LZ。 显然,如果您想实际部署资源,这不是很好,在这种情况下,您应该删除破坏LZ的流水线步骤。

Conclusion

Throughout the two posts, we’ve explored concepts, methods and the common patterns of creating a Landing Zone. Due to the tools and on-demand nature of the public cloud platforms, LZ is a logical choice there but is by no means limited to only the public offering. Similar orchestration can be achieved with a private cloud as well, even if the toolkit may look a bit different.

If you find yourself or your organization in demand of a repeatable and modular way to bootstrap cloud subscriptions or accounts, investing time for Landing Zones is likely worth the effort. If your cloud journey takes place in Azure, the Cloud Adoption Framework will serve as an endless source of guidance and practices for your migration.

