Skip to content

Feedback Request - AVM Integration and Accelerator Enhancements #791

New issue
New issue
Open
Open
Feedback Request - AVM Integration and Accelerator Enhancements#791
Assignees
oZakari
Labels
Status: Long Term ⌛We will do it, but will take a longer amount of time due to complexity/prioritiesType: Question / Feedback ❓👂Further information is requested or just some feedback
@oZakari

Description

@oZakari
oZakari
opened on Jun 11, 2024

Let us know the feedback or general question

Overview

We're currently evaluating the future of ALZ-Bicep and would like to hear your input, before we make any decisions.
We have several ideas up for consideration, and we're looking forward to your feedback on which proposals are most sought after. Or maybe there is something we have missed that you have been thinking about, let us know!

Important

Please add any additional comments or scenarios you would like to discuss either using the comment section below. Looking forward to hearing from you all!

Proposal - Utilize Azure Verified Modules

We're considering migrating towards utilizing AVM into the ALZ Bicep framework to replace the existing ALZ-Bicep built and maintained modules, where possible and appropriate.

Note

There will still be some modules we need to maintain as the ALZ Bicep team, but these will be published as AVM modules also.

What This Means for ALZ-Bicep?

Put very simply, all ALZ Bicep modules will be deprecated and instead a new version of ALZ Bicep will be released that will be built solely of AVM Bicep modules (Resource & Pattern). The ALZ Bicep repo will transition to become the home of the accelerator providing examples and reference code bases of how to deploy the various ALZ reference architectures (Contoso (Virtual WAN), Adventure Works (Hub & Spoke), etc.)

Transition Plan: We are planning to transition all modules to be AVM modules

  • Whether ALZ Bicep Team maintained or not, they will all live in AVM as their home
  • Seamless Integration: We will provide detailed steps, and possibly tooling, to ensure a smooth transition.

Benefits for You (Consumers)

  • Enhanced customization & greater flexibility to tailor modules, via input parameters, to your specific needs as the AVM modules are way more flexible by design
  • Enhanced specifications/standards, testing, CI framework to benefit from promoting consistency and quality further in the modules that build ALZ Bicep
  • Closer alignment with the Well-Architected Framework as this is an AVM requirement
  • Larger community to help implement feature requests and fix any bugs
  • Breaking up some of the monolithic modules into smaller pieces, e.g. Hub Network ALZ Bicep module will be no more and instead composed of various AVM Resource Modules

Current Architecture

flowchart TD
    subgraph ALZ-Bicep Maintained Modules
        Management_Group_Module --- Custom_Policy_Definitions_Module
        Custom_Policy_Definitions_Module --- Custom_Policy_Exemptions_Module
        Custom_Policy_Exemptions_Module --- Custom_RBAC_Role_Definitions_Module
        Custom_RBAC_Role_Definitions_Module --- Logging_and_Security_Module
        Logging_and_Security_Module --- MG_Diagnostic_Settings_Module
        MG_Diagnostic_Settings_Module --- Hub_Networking_Module
        Hub_Networking_Module --- RBAC_Role_Assignments_Module
        RBAC_Role_Assignments_Module --- Subscription_Placement_Module
        Subscription_Placement_Module --- Policy_Assignments_Module
        Policy_Assignments_Module --- Corp_Connected_Spoke_Networking_Module
    end
Loading

Proposed AVM Integration

flowchart TD
    subgraph "AVM Maintained Modules (Already exist unless stated)"

        subgraph Governance Modules
            mg["Management Groups (inc. Diag Settings) <br>(avm/res/management/management-group)"]
            subplacement["Subscription Placement <br> *Requires creation/development*"]
            alzpoldef["ALZ Custom Policy Definitions & Initiatives <BR> *Pattern requires creation/development*"]
            ownpoldef["Custom Policy Definitions & Initiatives <BR> *Resource/Pattern requires creation/development*"]
            ownpolexm["Custom Policy Exemptions <BR> *Pattern requires creation/development*"]
            alzpolasi["ALZ Default Policy Assignments <BR> *Pattern requires creation/development*"]
            ownpolasi["Policy Assignments <BR> (avm/ptn/authorization/policy-assignment)"]
            alzroledef["ALZ Custom Role Definitions <BR> *Resource/Pattern requires creation/development*"]
            ownroledef["Custom Role Definitions <BR> *Resource/Pattern requires creation/development*"]
            roleasi["Role Assignments <BR> (avm/ptn/authorization/role-assignment)"]
        end

        subgraph "Logging & Monitoring Modules"
            law["Log Analytics Workspace <BR> (avm/res/operational-insights/workspace)"]
            lawsol["Log Analytics Workspace Solution <BR> (avm/res/operational-insights/solution)"]
        end

        subgraph Hub Networking Replacement Modules
            vnet["Virtual Network <br> (avm/res/network/virtual-network)"]
            fw["Azure Firewall <br> (avm/res/network/azure-firewall)"]
            fwp["Azure Firewall Policy <br> (avm/res/network/firewall-policy)"]
            pdnszones["Private Link Private DNS Zones <br> (avm/ptn/network/private-link-private-dns-zones) <br> *Under Development*"]
            vng["VPN/ExpressRoute Gateway <br> (avm/res/network/virtual-network-gateway)"]
            bst["Azure Bastion <br> (avm/res/network/bastion-host)"]
        end

        subgraph VWAN Networking Replacement Modules
            vwfw["Azure Firewall <br> (avm/res/network/azure-firewall)"]
            vwpdnszones["Private Link Private DNS Zones <br> (avm/ptn/network/private-link-private-dns-zones) <br> *Under Development*"]
            vwvpnvng["VPN Gateway <br> (avm/res/network/vpn-gateway)"]
            vwexrvng["ExpressRoute Gateway <br> (avm/res/network/express-route-gateway)"]
            vw["Virtual WAN<br> (avm/res/network/virtual-wan)"]
            vwhub["Virtual WAN Hub<br> (avm/res/network/virtual-hub)"]
        end
    end
Loading

Proposal - Provide Different and/or More Complex Deployment Scenarios within the Accelerator

  • Currently, we only have one "flavor" of deployments within the ALZ-Bicep Accelerator. We're considering adding different models, such as:
  • Offering a deployment scenario that only deploys the core modules (management groups, policies, and RBAC) - to match our Terraform implementation options

A note on Deployment Stacks

As you may know Deployment Stacks are now GA and therefore as part of this effort for ALZ Bicep, our intent is to also migrate our suggested deployment method to use Deployment Stacks. We are collaborating with the product groups for Deployment Stacks to work through any current limitations and will adapt the re-write to AVM of ALZ Bicep to either accommodate or highlight these for resolution so that Deployment Stacks can be used with the AVM re-write of ALZ Bicep 👍

Call to action

Thanks for getting this far 😂 Please do leave your comments and questions below to help us shape the future of ALZ Bicep

Code of Conduct

  • I agree to follow this project's Code of Conduct

Metadata

Metadata

Assignees

Labels

Status: Long Term ⌛We will do it, but will take a longer amount of time due to complexity/prioritiesType: Question / Feedback ❓👂Further information is requested or just some feedback

Type

No type

Projects

Azure Landing Zones - Bicep - Public Roadmap

Status

In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions