Azure Landing Zones Documentation

Azure DevOps with Terraform

Follow these instructions to bootstrap Azure DevOps ready to deploy your platform landing zone with Terraform.

  1. Create a new folder on your local drive called accelerator.

  2. Inside the accelerator folder create two folders called config and output. You’ll store your input files inside config, and the output folder is where the accelerator stores files while it works.

  3. Inside the config folder create two new files called inputs.yaml and platform-landing-zone.tfvars.

    If you are using the FSI or SLZ starter modules, you do not currently require the tfvars file, so you can exclude it.

    Windows (PowerShell):
    New-Item -ItemType "file" c:\accelerator\config\inputs.yaml -Force
    New-Item -ItemType "file" c:\accelerator\config\platform-landing-zone.tfvars -Force  # Exclude this line if using FSI or SLZ starter modules
    New-Item -ItemType "directory" c:\accelerator\output

    Linux / macOS (PowerShell Core):
    New-Item -ItemType "file" /accelerator/config/inputs.yaml -Force
    New-Item -ItemType "file" /accelerator/config/platform-landing-zone.tfvars -Force  # Exclude this line if using FSI or SLZ starter modules
    New-Item -ItemType "directory" /accelerator/output
    
    📂accelerator
    ┣ 📂config
    ┃ ┣ 📜inputs.yaml
    ┃ ┗ 📜platform-landing-zone.tfvars
    ┗ 📂output
    
  4. Open your inputs.yaml file in Visual Studio Code (or your preferred editor) and copy the content from the relevant input file for your chosen starter module:

    1. Azure Verified Modules for Platform Landing Zone (ALZ) - inputs-azure-devops.yaml
    2. Financial Services Industry Landing Zone - inputs-azure-devops.yaml
    3. Sovereign Landing Zone - inputs-azure-devops.yaml
  5. Check through the file and update each input as required. It is mandatory to update items with placeholders surrounded by angle brackets <>:

    The following inputs can also be supplied via environment variables. This may be useful for sensitive values you don’t wish to persist to a file. The Env Var Prefix column denotes the prefix the environment variable should have. The environment variable format is <PREFIX>_<variable_name>, e.g. $env:ALZ_iac_type = "terraform" or $env:TF_VAR_github_personal_access_token = "*****...".
    If you followed our phase 0 planning and decisions guidance, you should have these values already.
    Input | Env Var Prefix | Placeholder | Description
    iac_type | ALZ | terraform | This is the choice of bicep or terraform. Keep this as terraform for this example.
    bootstrap_module_name | ALZ | alz_azuredevops | This is the choice of Version Control System. Keep this as alz_azuredevops for this example.
    starter_module_name | ALZ | platform_landing_zone | This is the choice of Starter Modules, which is the baseline configuration you want for your Azure landing zone. Choose platform_landing_zone for this example.
    bootstrap_location | TF_VAR | <region> | Replace <region> with the Azure region where you would like to deploy the bootstrap resources in Azure. This field expects the name of the region, such as uksouth. You can find a full list of names by running az account list-locations -o table.
    starter_locations | TF_VAR | [<region-1>,<region-2>] | Replace <region-1> and <region-2> with the Azure regions where you would like to deploy the starter module resources in Azure. This field expects the names of the regions in an array, such as ["uksouth", "ukwest"]. You can find a full list of names by running az account list-locations -o table.
    root_parent_management_group_id | TF_VAR | "" | This is the id of the management group that will be the parent of the management group structure created by the accelerator. If you are using the Tenant Root Group management group, leave this as an empty string "" or supply the tenant id.
    subscription_id_management | TF_VAR | <management-subscription-id> | Replace <management-subscription-id> with the id of the management subscription you created in the previous phase.
    subscription_id_identity | TF_VAR | <identity-subscription-id> | Replace <identity-subscription-id> with the id of the identity subscription you created in the previous phase.
    subscription_id_connectivity | TF_VAR | <connectivity-subscription-id> | Replace <connectivity-subscription-id> with the id of the connectivity subscription you created in the previous phase.
    azure_devops_personal_access_token | TF_VAR | <token-1> | Replace <token-1> with the token-1 Azure DevOps PAT you generated in a previous step.
    azure_devops_agents_personal_access_token | TF_VAR | <token-2> | Replace <token-2> with the token-2 Azure DevOps PAT you generated in the previous step specifically for the self-hosted agents. This only applies if you have use_self_hosted_agents set to true. You can set this to an empty string "" if you are not using self-hosted agents.
    azure_devops_organization_name | TF_VAR | <azure-devops-organization> | Replace <azure-devops-organization> with the name of your Azure DevOps organization. This is the section of the url after dev.azure.com or before .visualstudio.com. E.g. enter my-org for https://dev.azure.com/my-org.
    use_separate_repository_for_templates | TF_VAR | true | Determine whether to create a separate repository to store pipeline templates as an extra layer of security. Set to false if you don’t wish to secure your pipeline templates by using a separate repository. This will default to true.
    bootstrap_subscription_id | TF_VAR | "" | Enter the id of the subscription in which you would like to deploy the bootstrap resources in Azure. If left blank, the subscription you are connected to via az login will be used. In most cases this is the management subscription, but you can specify a separate subscription if you prefer.
    service_name | TF_VAR | alz | This is used to build up the names of your Azure and Azure DevOps resources, for example rg-<service_name>-mgmt-uksouth-001. We recommend using alz for this.
    environment_name | TF_VAR | mgmt | This is used to build up the names of your Azure and Azure DevOps resources, for example rg-alz-<environment_name>-uksouth-001. We recommend using mgmt for this.
    postfix_number | TF_VAR | 1 | This is used to build up the names of your Azure and Azure DevOps resources, for example rg-alz-mgmt-uksouth-<postfix_number>. We recommend using 1 for this.
    azure_devops_use_organisation_legacy_url | TF_VAR | false | If you have not migrated to the modern url (still using https://<organization_name>.visualstudio.com) for your Azure DevOps organisation, then set this to true.
    azure_devops_create_project | TF_VAR | true | If you have an existing project you want to use rather than creating a new one, select true. We recommend creating a new project to ensure it is isolated by a strong security boundary.
    azure_devops_project_name | TF_VAR | <azure-devops-project-name> | Replace <azure-devops-project-name> with the name of the Azure DevOps project to create, or the name of an existing project if you set azure_devops_create_project to false.
    use_self_hosted_agents | TF_VAR | true | This controls whether you want to deploy self-hosted agents. This will default to true.
    use_private_networking | TF_VAR | true | This controls whether private networking is deployed for your self-hosted agents and storage account. This only applies if you have use_self_hosted_agents set to true. This defaults to true.
    allow_storage_access_from_my_ip | TF_VAR | false | This controls whether to allow access to the storage account from your IP address. This is only needed for troubleshooting. This only applies if you have use_private_networking set to true. This defaults to false.
    apply_approvers | TF_VAR | <email-address> | This is a list of service principal names (SPN) of people you wish to be in the group that approves apply of the Azure landing zone module. This is an array of strings like ["abc@xyz.com", "def@xyz.com", "ghi@xyz.com"]. You may need to check what the SPN is prior to filling this out as it can vary based on identity provider. Use an empty array [] to disable approvals. Note: if supplying via the user interface, use a comma-separated string like abc@xyz.com,def@xyz.com,ghi@xyz.com.
    create_branch_policies | TF_VAR | true | This controls whether to create branch policies for the repository. This defaults to true.
    architecture_definition_name | TF_VAR | N/A | This is the name of the architecture definition to use when applying the ALZ archetypes via the architecture definition template. This is only relevant to some starter modules, such as the sovereign_landing_zone starter module. This defaults to null.
  6. Open your platform-landing-zone.tfvars file (or, for the SLZ and FSI starter modules, keep your inputs.yaml file open) in Visual Studio Code (or your preferred editor).

  7. Now head over to your chosen starter module documentation to get the specific inputs for that module.

  8. Verify that you are logged in to Azure CLI or have the Service Principal credentials set as env vars. You should have completed this in the Prerequisites phase.

  9. In your PowerShell Core (pwsh) terminal run the module:

    Inputs can be split into multiple files if desired.
    • Run Deploy-Accelerator for the Azure Verified Modules for Platform Landing Zone (ALZ) starter module without a lib folder:

      Windows:
      Deploy-Accelerator `
        -inputs "c:\accelerator\config\inputs.yaml", "c:\accelerator\config\platform-landing-zone.tfvars" `
        -output "c:\accelerator\output"

      Linux / macOS:
      Deploy-Accelerator `
        -inputs "/accelerator/config/inputs.yaml", "/accelerator/config/platform-landing-zone.tfvars" `
        -output "/accelerator/output"
      
    • Run Deploy-Accelerator for the Azure Verified Modules for Platform Landing Zone (ALZ) starter module with a lib folder:

      Windows:
      Deploy-Accelerator `
        -inputs "c:\accelerator\config\inputs.yaml", "c:\accelerator\config\platform-landing-zone.tfvars" `
        -starterAdditionalFiles "c:\accelerator\config\lib" `
        -output "c:\accelerator\output"

      Linux / macOS:
      Deploy-Accelerator `
        -inputs "/accelerator/config/inputs.yaml", "/accelerator/config/platform-landing-zone.tfvars" `
        -starterAdditionalFiles "/accelerator/config/lib" `
        -output "/accelerator/output"
      
    • Run Deploy-Accelerator for the Sovereign Landing Zone or Financial Services Industry Landing Zone starter module:

      Windows:
      Deploy-Accelerator `
        -inputs "c:\accelerator\config\inputs.yaml" `
        -output "c:\accelerator\output"

      Linux / macOS:
      Deploy-Accelerator `
        -inputs "/accelerator/config/inputs.yaml" `
        -output "/accelerator/output"
      
  10. You will see a Terraform init and apply happen.

  11. There will be a pause after the plan phase to allow you to validate what is going to be deployed.

  12. If you are happy with the plan, then hit enter.

  13. Terraform will apply and your environment will be bootstrapped.
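Before running Deploy-Accelerator it is worth confirming that no angle-bracket placeholders remain in inputs.yaml and that the two PATs are being supplied through TF_VAR_ environment variables rather than persisted in the file, as the inputs table above allows. The pre-flight check below is an added example and not part of the accelerator or its documentation; it assumes a flat key: value inputs.yaml, uses the ALZ_ / TF_VAR_ prefix mapping from the table, and runs against a constructed sample file.

```python
import re

# Env-var prefix per input, as in the inputs table: three ALZ_ inputs, the rest TF_VAR_.
ALZ_PREFIXED = {"iac_type", "bootstrap_module_name", "starter_module_name"}
# PATs should be supplied from the environment rather than persisted in inputs.yaml.
SECRET_INPUTS = {"azure_devops_personal_access_token",
                 "azure_devops_agents_personal_access_token"}
PLACEHOLDER = re.compile(r"<[^<>]+>")   # unreplaced values such as <token-1> or <region>
COMMENT = re.compile(r"(^|\s)#.*$")     # trailing YAML comments

def env_var_name(key):
    """Input name -> environment-variable name, e.g. TF_VAR_bootstrap_location."""
    return f"{'ALZ' if key in ALZ_PREFIXED else 'TF_VAR'}_{key}"

def parse_inputs(text):
    """Parse the flat key: value lines of inputs.yaml (nested YAML is out of scope here)."""
    values = {}
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).strip()
        if ":" in line:
            key, value = line.split(":", 1)
            values[key.strip()] = value.strip().strip("\"'")
    return values

def check_inputs(text, env):
    """Return 'input: problem' findings; an empty list means ready for Deploy-Accelerator."""
    findings, values = [], parse_inputs(text)
    for key, value in values.items():
        name, is_placeholder = env_var_name(key), bool(PLACEHOLDER.search(value))
        if is_placeholder and not env.get(name):
            findings.append(f"{key}: placeholder {value} not replaced and {name} not set")
        elif key in SECRET_INPUTS and value and not is_placeholder:
            findings.append(f"{key}: token persisted in inputs.yaml; supply it via {name} instead")
    agents = "azure_devops_agents_personal_access_token"
    if values.get("use_self_hosted_agents") == "true" and not (
            values.get(agents) or env.get(env_var_name(agents))):
        findings.append(f"{agents}: required when use_self_hosted_agents is true")
    return findings

# Constructed sample inputs.yaml for demonstration, not a real tenant's values.
SAMPLE_INPUTS = """\
iac_type: "terraform"
bootstrap_location: "uksouth"
azure_devops_organization_name: "<azure-devops-organization>"  # still a placeholder
azure_devops_personal_access_token: "<token-1>"                # provided via env var
azure_devops_agents_personal_access_token: ""
use_self_hosted_agents: true
"""
# Example run with only token-1 supplied through the environment (a constructed value).
FINDINGS = check_inputs(SAMPLE_INPUTS, {"TF_VAR_azure_devops_personal_access_token": "constructed-pat"})
```

In a real run, pass dict(os.environ) and the contents of your own inputs.yaml; the sample above reports the unreplaced organization name and the missing agents token.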

Next Steps

Now head to Phase 3.