This is the starting point for deploying the IaaS baseline reference implementation. Follow the instructions below and on the subsequent pages to get your environment ready.
| 🕙 | These steps are intentionally verbose, intermixed with context, narrative, and guidance. The deployments are all conducted via Bicep templates, but they are executed manually via az cli commands. We strongly encourage you to dedicate time to walk through these instructions, with a focus on learning. By design, there is no "one click" method to complete all deployments.Once you understand the components involved and have identified the shared responsibilities between your team and your platform team, you are encouraged to build suitable, repeatable deployment processes around your final infrastructure and bootstrapping. The DevOps architecture design is a great place to learn best practices to build your own automation pipelines. |
|---|
-
An Azure subscription.
The subscription used in this deployment cannot be a free account; it must be a standard EA, pay-as-you-go, or Visual Studio benefit subscription. This is because the resources deployed here are often beyond the quotas of free subscriptions.
This subscription is expected to NOT be an actual Azure application landing zone subscription. This is expected be deployed within a sandbox subscription offered by your organization, as long as it meets the following requirements.
⚠️ The user or service principal initiating the deployment process must have the following minimal set of Azure Role-Based Access Control (RBAC) roles:- Contributor role is required at the subscription level to have the ability to create resource groups and perform deployments.
- User Access Administrator role is required at the subscription level since you'll be performing role assignments to managed identities across various resource groups.
- Resource Policy Contributor role is required at the subscription level since you'll be creating custom Azure policy definitions to govern resources in your compute.
-
Latest Azure CLI installed (must be at least 2.49), or you can perform this from Azure Cloud Shell.
-
Ensure OpenSSL is installed to generate self-signed certificates used in this implementation. OpenSSL is already installed in Azure Cloud Shell.
⚠️ Some shells may have theopensslcommand aliased for LibreSSL. LibreSSL will not work with the instructions found here. You can check this by runningopenssl versionand you should see output that saysOpenSSL <version>and notLibreSSL <version>.
-
Clone or download this repo locally. Consider forking the repo first, for a better experience.
git clone https://github.com/mspnp/iaas-landing-zone-baseline.git cd iaas-landing-zone-baseline💡 The steps shown here and elsewhere in the reference implementation use Bash shell commands. On Windows, you can use the Windows Subsystem for Linux to run Bash.