Feature Request: Include subscription vending in the accelerator [formerly Document the process of es deployment]

[tpatrizio]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Reading the documentation and looking at the provided examples, I cannot completely grasp the process of creating a vnet peering between landing zone's spokes and the connectivity hub. In the configureconnectivityresources configuration object there is a property spokevirtualnetworkresourceids that I don't know how (and when) to configure. Should I first create (manually or directly with a terraform module outide of the enterprise scale one) a VNet in the spoke subscription and get its ID ? does this mean that when I create the subscriptions that the es module will move under the proper management group I have to first create a VNet in each before kicking the es deployment?

Describe the solution you'd like

I'd like to have an example of the process required to deploy the es landing zone; which are the preconditions, what must be created manually before starting the terraform deployment, etc…

Additional context

[matt-FFFFFF]

Hi @tpatrizio

Thanks for logging the issue.

The scope of this module is the platform components of the ALZ conceptual architecture. The deployment of resources to application subscriptions is not in scope due to constraints around provider declaration with the azurerm provider.

The result of this means that it is impossible to create an application subscription AND deploy resources into it in the same terraform apply operation.

We plan to release another solution to manage the subscription creation and initial resource deployment. This will probably be in the form of another module.

Once the above exists, it will be possible to create an end-to-end process for the creation of a subscription, the deployment of a virtual network and the creation of a two-way peering between it and the designated hub network. We do not have any timelines to share at this time.

What is possible currently is to use this module to create one half of the network peering, and then create the other half outside this module. I realise this isn't ideal but we have the constraints above to thank for that 😃

We can provide examples of how to achieve this in our wiki - would this be satisfactory for now?

I will leave this issue open for tracking.

[tpatrizio]

We can provide examples of how to achieve this in our wiki - would this be satisfactory for now?

that would be great!

I understand that the scope of the caf-enterprise-scale module is to provision the core resources, with a special focus on governance and automation trough Deny and DINE policies. Anyway I was trying to figure out how to automate the provisioning of a working Hub and Spoke architecture. Does it make sense to create additional resources after the enterprise_scale has run (eg. by adding a local network gateway and gateway connection to complete the Hub connectivity, creating vNets in Spoke subscriptions and peering them with the Hub vNet, etc...) ? Thanks a lot for your help

[krowlandson]

@matt-FFFFFF... Worth revisiting this now in light of progress on our landing zone vending module?

[matt-FFFFFF]

100% maybe one for the accelerator repo?

@krowlandson

[mlomat]

@krowlandson @matt-FFFFFF I already created a solution which is creating subscriptions dynamically and injecting those into your framework. The whole solution is based on two terraform modules and integration inside Azure DevOps Pipeline, which is creating subscriptions in first step (for connectivity, management and identity) and passing them and injecting guids into second step which is CAF-Enterprise-Scale. Let me know if you are interested.

Best Mateusz

[matt-FFFFFF]

Hey @mlomat,

We have something in the works here already, more soon. It sounds like you have solved this already, but if you want to see what we have done then drop me an email (matt.white@...)

[MiqueasAndrade]

100% maybe one for the accelerator repo?

@krowlandson

Hello Guys, hope you're well... Are you planning to use the super module already available and maintained by MS folks (https://github.com/aztfmod/terraform-azurerm-caf) for this purpose of deploying landing zone vending machine ?

Something that I'm confused is that "aztfmod/terraform-azurerm-caf" can be used either to create standalone resources/infra and can be also be used to deploy the CAF components.

[jtracey93]

Trigger ADO Sync

[krowlandson]

Hello Guys, hope you're well... Are you planning to use the super module already available and maintained by MS folks (https://github.com/aztfmod/terraform-azurerm-caf) for this purpose of deploying landing zone vending machine ?

Something that I'm confused is that "aztfmod/terraform-azurerm-caf" can be used either to create standalone resources/infra and can be also be used to deploy the CAF components.

@MiqueasAndrade thank you for raising this and for your patience waiting for a response.

The aztfmod was indeed considered as part of our solution. In fact that project includes an option to use our module to build out the Azure landing zone management group hierarchy.

Unfortunately the integration between landing zone vending and Azure landing zones has necessitated the creation of a stand-alone lz-vending module which is now available. We are also working on a reference implementation which will show how to use these together as part of managing your platform.

It is also possible to use the aztfmod alongside this module for deploying additional resources into your landing zones, so you may also want to consider that?

[krowlandson]

Moving this issue to our (private) accelerator repo for tracking as this is where we will answer this.

[jaredfholgate]

Quick update on this. The accelerator scope is currently limited to the Azure landing zone module. It does not include subscription vending. However that would be a logical future extension of the accelerator, so will leave this issue open for the time being.