But first some history and context

As you may of heard in one of our Azure Landing Zone (ALZ) community calls over the past year, across ALZ we have been working hard to refactor both our Terraform and Bicep implementation options to be built upon Azure Verified Modules (AVM).

Earlier this year we announced that the work for Terraform, which we started on first, was complete; and you can read more about that in the announcement blog post we posted here.

But whilst this work was going on the ALZ Bicep team where already busy planning how they would go about doing the same and rebuilding ALZ Bicep from AVM modules. You can see the original plans and where we also asked for feedback in the GitHub issue (#791) .

Enough history, what’s the latest?

Now to answer the question everyone has and rightly so 😁 Well, it’s good news!

We have been busy working away on getting a number of the AVM Bicep Resource Modules updated with missing bits and pieces that we need from an ALZ perspective. All fairly minor in most cases but some required some bigger updates than others, and some modules didn’t exist at all so we have had to propose, create, and publish those of which we are pretty much done with 👍

We are still working towards an end of Q4 (June/July) target for a preview release of all the modules, accelerator and guidance on how to use the new version of ALZ Bicep, which will be called “Bicep Azure Verified Modules for Platform Landing Zone (ALZ)”; this is to align with Terraform and also to provide clear distinction between ALZ Bicep and the new AVM based version.

Please note that the timeline shared above is an ETA and may move

Announcing the preview release of `avm/ptn/alz/empty` AVM Pattern Module

Before we get to a more complete release of all the required resources and modules to build the entire ALZ architecture with the new Bicep Azure Verified Modules for Platform Landing Zone (ALZ), we wanted to share an early look at the module that will be at the heart of all of your ALZ deployments.

That module is called `avm/ptn/alz/empty`  and is available in the Public Bicep Registry for you to try out today (currently version `0.1.0`)!

Tip: Checkout the “max” test in the tests directory for advanced usage examples!

module testMg ‘br/public:avm/ptn/alz/empty:0.1.0’ = {
params: {
managementGroupName: ‘test-mg’
// Other parameters here…
}
}

This module is 1 of 11 modules that will all be based off the same code. The module optionally creates all of the below:

• The Management Group itself
  
  
  
  • Can also target an existing Management Group
  
  
  
  


• Management Group Subscription Associations


• RBAC Custom Role Definitions


• RBAC Role Assignments


• Policy Assignments


• Custom Policy Definitions


• Custom Policy Set Definitions (Initiatives)

There will also be 1 x Bicep Azure Verified Modules for Platform Landing Zone (ALZ) pattern module for each of the ALZ Architectures Management Groups, plus this empty one for custom and advanced scenarios. A reminder of those Management Groups and the associated modules that will be created for each of them:

• `avm/ptn/alz/int-root`


• `avm/ptn/alz/platform`


• `avm/ptn/alz/platform-management`


• `avm/ptn/alz/platform-identity`


• `avm/ptn/alz/platform-connectivity`


• `avm/ptn/alz/landing-zones`


• `avm/ptn/alz/landing-zones-corp`


• `avm/ptn/alz/landing-zones-online`


• `avm/ptn/alz/decommissioned`


• `avm/ptn/alz/sandbox`

These Management Group aligned pattern modules will create the same resources as above, but will have the latest release of the ALZ Library baked in to each of the modules. Meaning that for the `avm/ptn/alz/int-root` pattern module, you won’t have to declare all of the ALZ RBAC Custom Role Definitions, Custom Policy Definitions, Policy Assignments etc. via the input parameters as they’ll be hardcoded in the module based off the latest release from the ALZ Library at the point the version of the module was released.

This means that to build the ALZ Management Group hierarchy and make all of the default ALZ policy assignments, as documented here, you’d need a bicep file that would look something like this as a starting point:

Important: None of these modules exist below today!

module intRootMg ‘br/public:avm/ptn/alz/int-root:0.1.0’ = {
params: {
managementGroupName: ‘int-root-mg’
}
}

module platformMg ‘br/public:avm/ptn/alz/platform:0.1.0’ = {
params: {
managementGroupName: ‘platform-mg’
managementGroupParentId: intRootMg.outputs.managementGroupId
}
}

module platformConnectivityMg ‘br/public:avm/ptn/alz/platform-connectivity:0.1.0’ = {
params: {
managementGroupName: ‘platform-mg’
managementGroupParentId: platformMg.outputs.managementGroupId
}
}

This will make getting the ALZ Architecture out of the box really fast, and also really easy to upgrade and get the latest updates, by just bumping the version number as you desire when you are ready. 

Coupled with the `avm/ptn/alz/empty` module to add your own additional Policy Definitions and assignments, etc. at the same Management Groups scopes also helps you decouple the constant updates to the ALZ architecture and policies etc. from your own additional requirements.

Helping you keep your code cleaner and our modules simple to maintain as we won’t have to cater for handling additional custom definitions and assignments alongside the defaults from ALZ that are baked into the modules.

Note: We are looking at suggesting that all of these are deployed via Deployment Stacks to help with lifecycle management of resources. e.g. help clean-up resources as well as deploy new ones; think policy assignments and definitions etc.

We need to complete a lot more testing on this, but would love your feedback on experiences if you have any using Deployment Stacks to manage these kind of resources today. Open an issue/discussion on the ALZ Bicep GitHub repo 👍

Our asks to you 🫵

Please go try out and test the new `avm/ptn/alz/empty` module and test it out for all the scenarios you can think of relating to Management Groups, RBAC, Policies etc. we want to make sure it’s “match fit/ready” before we then build the Management Group aligned modules and bake in the ALZ defaults to them.

So please go and put the module through its paces and test it out. 

Tip: Checkout the “max” test in the tests directory for advanced usage examples!

If you find any issues, bugs, feature requests or just have a question on how to use it, please just raise them as GitHub issues here (make sure to select the `avm/ptn/alz/empty` module from the drop down 👍)

Thanks in advance for all your efforts and assistance and we look forward to hearing and getting your feedback on the module 👏