Microsoft Cloud Adoption Framework (http://aka.ms/caf) is the one Microsoft guidance to adopt Azure in entreprise. One of the fastest way to put the framework in action and deploy an environment fast and good, is to use CAF landing zones for
Terraform.
CAF landing zones are an open source project living on GitHub and we welcome any contribution: https://aka.ms/tf-landingzones
In this article, you will find a set of videos and articles that should help you understanding the landing zones architectures and how to start crafting your own.
Cloud Adoption Framework: Introduction landing zones for Terraform
Cloud Adoption Framework: Deep-dive on landing zones for Terraform
Cloud Adoption Framework for Azure has a great set of recommendations to accelerate deployment of Azure for entreprises who seek to consolidate their IT environment in the cloud and innovate on their applications.
CAF introduces landing zones as a concept that describes all the elements that must be in place to deploy a production-grade quality deployment (ie, that includes a minimal set of auditing, controls, policies, etc).
In order to accelerate that, let’s review how to deploy our first landing zone for Azure based on Terraform! We assume that you know Terraform and Azure already, if thats not the case, spend some time on my previous post.
Clone the GitHub repo from http://aka.ms/tf-landingzones git clone https://github.com/aztfmod/blueprints.git
Initialize the environment – this will create the fundamentals for the Terraform state, like Storage Account, Azure Key Vault, and the managed identities: ./launchpad.sh
Deploy your first tranquility blueprint: ./launchpad.sh landingzone_vdc_level1 plan
Review the configuration and if you are ok with it, deploy it by running: ./launchpad.sh landingzone_vdc_level1 apply
Below is a quick demo of doing that:
Customization
In order to ease your first contact with the landing zone, we created a sample configuration file proto.landing_zone_vdc_level1.auto.tfvars. As any .auto.tfvars file, it is going to be picked up automatically by Terraform when running. This file automatically configures all variables needed to get started:
Retention period for Activity logs, and operations logs.
Names of the resource groups to be created.
Location of the resources to be deployed.
Tags for the resources.
Name of log analytics and list of solutions to be deployed.
Security center contact details.
You can tune it to match your criteria, we hope the syntax is self explanatory, feel free to provide feedback on it!
Quick tour of the architecture:
Currently the solution is composed of 3 main components:
1. Launchpad.sh
Is a shell script, it initiates the Terraform state locally, uploads it to the Azure storage account, manages the environment variables and communication accross landing zones and other components.
2. Level0_launchpad
Creates a Key Vault, an Azure managed identity a storage account that is used to create store the Terraform state of our environment. It also creates a serie of service principals to be used to access the Terraform state and to integrate with Azure DevOps (in a future release). For full documentation, refer to the readme file.
3. Landingzone_vdc_level1
This vdc level1 landing zones leverages one blueprint (called tranquility) that sets the foundation for everything accounting and operations logs in your Azure subscription:
Resource groups
Activity Logging
Diagnostics Logging
Log Analytics
Security Center
Each of those features deployments are accomplished by a respective module, which is also on the GitHub, which Terraform download when it needs it (at the plan stage).
A diagram of landingzone_vdc_level1 would look something like that:
That’s it for now, it should be enough for you to get started on the Azure Landing Zones using Terraform. Keep in mind there is much more to come on the Landing Zones, we will keep on publishing more and we will have a couple of webinars to go deep dive on the subject!
Install the Terraform extension, you may notice that the 0.12 type of syntax is not recognized by default as its still under development. You can enable preview version running Terraform: Enable/Disable Language Server in the palette.
Azure Cloud Adoption Framework in Terraform samples:
If you want to kick-start your Azure deployment based on Cloud Adoption Framework Landing Zones, here are some Terraform examples of it (more webinars on this coming soon): http://aka.ms/tf-landingzones
Since we started to help customers of all sizes to deploy cloud technologies, we have developed many frameworks which all evolved in parallel over time. You may have heard about: Cloud Adoption Framework, Cloud Operations Model, Entreprise Cloud Strategy, Entreprise Scaffolding and maybe a couple more.
The CAF is dead, long live the CAF!
A couple of weeks ago, we published a new version of CAF – Cloud Adoption Framework for Azure, which consolidates all of our engineering and field best practices, as well as patterns that we’ve seen from big entreprises going to the cloud.
CAF has now five main sections which guide you throughout the whole circle:
This model is very realistic and field inspired, including some discussions around adoption with one or more cloud providers.
Governance
One of the most intimidating aspects of cloud adoption is the governance: how to manage new risks that are involved with cloud deployments and how to accompany that with entreprise processes and policies (and how does it remain current).
It is of course an iterative process that will evolve as you add new services into your environment: from dev/test to prod, and from legacy 3-tiers application to a brand new cloud-native application.
We distinguish 5 disciplines in governance:
Cost management
Security baseline
Resource consistency
Identity baseline
Deployment Acceleration
But the difficulty is the first step: how do I get a minimal viable product (MVP) for my first cloud deployment?
Actions: In order to avoid you the blank page syndrome, we have prepared you some actions:
Determine your immediate objectives with cloud, and the readiness of your organization. Cloud Assessment Tool: https://aka.ms/CAF/gov/assess
For all those journey we document a minimum viable product across the five disciplines, we explain the design decisions we took for you, the discussion points and alternative design considerations.
When we define governance, we also think about compliance to the rules, and automatic remediation methods for it: this is called Azure Policy.
Along the way, if you are going for ongoing compliance, why not going to continuous integration and continuous deployment for your infrastructure?
If you want to have a look at all of that in action, check at:
We used to talk a lot of “scaffolding” as it is an excellent checklist, or set of mandatory technical implentation details for a good cloud deployment. It is being replaced by the “landing zone” construct (see next section).
Here is a refresher picture about what scaffolding includes:
Azure VDC is a set of concepts, implentation guidance and automation scripts that allows you to build a highly available and highly secure datacenter, based on Microsoft Azure services.
Check at the automation scripts and all the archetypes that allow you to deploy a VDC environment fast – based on Docker and Python : https://github.com/Azure/vdc
