aztfmod / level0

Launchpads that can be used by the rover to deploy the Azure CAF Terraform landing zones
https://aka.ms/caf
MIT License

Scenario: bootstrap process for enterprise landing zones #48

Open arnaudlh opened 4 years ago

arnaudlh commented 4 years ago

Scenario

To manage multiple subscriptions, we now have operations in level0 that include multiple phases:

  1. Prerequisites for identity
  2. Bootstrap for identity
  3. Launchpads

The identity bootstrap process for Azure CAF landing zones ensures that:

  1. Prereqs: Azure Active Directory Application Registration is created
  2. Initial Service Principals to run the landing zones are created.
  3. Initial Service Principals' secrets are rotated periodically.
  4. Create subscription custom roles to get access to the initial (level0, enterprise management) subscription.
  5. Create subscription custom roles to get access to the deployment subscriptions.
  6. [Optional] Create Azure DevOps to deploy service principal rotations
  7. [Optional] Create Azure DevOps pipelines to deploy sample landing zones using the hierarchy model

All phases of the bootstrap would use Terraform objects as variables in order to customize the permissions as required for a specific environment.
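The bootstrap steps above (app registration, service principal, periodic secret rotation, subscription-scoped custom roles driven by a Terraform variable) as a single worked Terraform configuration. This is an added example written for this page, not code from the aztfmod/level0 repository: the provider versions (azurerm 3.x, azuread 2.x, hashicorp/time), the application name `caf-level0-launchpad`, the sample role `caf-launchpad-reader` and its action list, and the 30-day rotation interval are all assumptions. The point from a least-privilege angle is that the service principal receives only the actions listed in `var.custom_roles`, never Contributor or Owner, and that its secret is replaced on a schedule by `time_rotating` rather than living forever.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    time    = { source = "hashicorp/time", version = "~> 0.9" }
  }
}

provider "azurerm" {
  features {}
}

# Constructed input: the custom roles to create, passed in as a Terraform object
# so each environment can narrow or widen the permissions without editing code.
variable "custom_roles" {
  type = map(object({
    description = string
    actions     = list(string)
    not_actions = list(string)
  }))
  default = {
    "caf-launchpad-reader" = {
      description = "Read-only access to launchpad resources (constructed sample role)"
      actions = [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
      ]
      not_actions = []
    }
  }
}

# Assumed rotation interval for the service principal secret.
variable "secret_rotation_days" {
  type    = number
  default = 30
}

# The level0 / enterprise management subscription the provider is logged into.
data "azurerm_subscription" "level0" {}

# Step 1 (prereq): Azure Active Directory application registration.
resource "azuread_application" "launchpad" {
  display_name = "caf-level0-launchpad" # assumed name
}

# Step 2: the initial service principal that will run the landing zones.
resource "azuread_service_principal" "launchpad" {
  application_id = azuread_application.launchpad.application_id
}

# Step 3: periodic secret rotation. time_rotating changes its id every N days,
# and rotate_when_changed makes Terraform replace the password when that happens.
resource "time_rotating" "launchpad_secret" {
  rotation_days = var.secret_rotation_days
}

resource "azuread_application_password" "launchpad" {
  application_object_id = azuread_application.launchpad.object_id
  end_date_relative     = "${var.secret_rotation_days * 24}h" # secret expires with the rotation window
  rotate_when_changed = {
    rotation = time_rotating.launchpad_secret.id
  }
}

# Steps 4/5: one subscription-scoped custom role per entry in var.custom_roles.
resource "azurerm_role_definition" "custom" {
  for_each = var.custom_roles

  name        = each.key
  scope       = data.azurerm_subscription.level0.id
  description = each.value.description

  permissions {
    actions     = each.value.actions
    not_actions = each.value.not_actions
  }

  # Restrict where the role may be assigned to this subscription only.
  assignable_scopes = [data.azurerm_subscription.level0.id]
}

# Bind the bootstrap service principal to each custom role (not to a built-in broad role).
resource "azurerm_role_assignment" "launchpad" {
  for_each = azurerm_role_definition.custom

  scope              = data.azurerm_subscription.level0.id
  role_definition_id = each.value.role_definition_resource_id
  principal_id       = azuread_service_principal.launchpad.object_id
}

output "launchpad_client_id" {
  value = azuread_application.launchpad.application_id
}

output "launchpad_client_secret" {
  value     = azuread_application_password.launchpad.value
  sensitive = true
}
```

Applying this with `terraform apply` after `time_rotating` has passed its `rotation_days` boundary produces a plan that replaces `azuread_application_password.launchpad`, which is the rotation mechanism; the deployment subscriptions of step 5 would reuse the same `azurerm_role_definition` block against a different `azurerm_subscription` data source or provider alias. Treat the `launchpad_client_secret` output as state-resident secret material and protect the state backend accordingly.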