Look forward to seeing the updates to the TF module.. currently using a custom template to provide the flexibility... Great update and lots of new useful information and features :)
Same here. We would be using the whole thing if not for the lack of MG flexibility. Without that, we're stuck borrowing and modifying what code we can and writing the rest from scratch.
If an enterprise is to adopt the cloud adoption framework using Terraform and landing zones, should the root management group and high-level management group (and other near-root level resources) be made manually to follow security best practices, or are there ways of defining those via code securely? If so, does documentation exist on best practices how to do that securely? Or is it typical for organizations to just make those high-level resources manually then IAC the other downstream resources? Struggling on a recommendation on where IAC starts to become "everything as code". When using the portal accelerator and following the enterprise scale model, it's obviously going to require fairly beefy permissions, but that's a one-time deployment, and an organization can then utilize IAC to do the rest from within the subscriptions, or utilize RBAC at the Landing Zone management group to further scope permissions out.
Hey Mike, please raise an issue over on our terraform repo and we can take the conversation further there: github.com/Azure/terraform-azurerm-caf-enterprise-scale
Look forward to seeing the updates to the TF module.. currently using a custom template to provide the flexibility... Great update and lots of new useful information and features :)
Same here. We would be using the whole thing if not for the lack of MG flexibility. Without that, we're stuck borrowing and modifying what code we can and writing the rest from scratch.
If an enterprise is to adopt the cloud adoption framework using Terraform and landing zones, should the root management group and high-level management group (and other near-root level resources) be made manually to follow security best practices, or are there ways of defining those via code securely? If so, does documentation exist on best practices how to do that securely? Or is it typical for organizations to just make those high-level resources manually then IAC the other downstream resources?
Struggling on a recommendation on where IAC starts to become "everything as code". When using the portal accelerator and following the enterprise scale model, it's obviously going to require fairly beefy permissions, but that's a one-time deployment, and an organization can then utilize IAC to do the rest from within the subscriptions, or utilize RBAC at the Landing Zone management group to further scope permissions out.
Hey Mike, please raise an issue over on our terraform repo and we can take the conversation further there: github.com/Azure/terraform-azurerm-caf-enterprise-scale