Deploy Azure Landing Zone via Bicep Accelerator without Azure Subscriptions

Bhushan Gawale 316 Reputation points
2024-07-18T13:24:04.9933333+00:00

Hey folks! Greetings! We're aiming to deploy Azure landing zones within our Azure tenancy and have been following this helpful documentation: https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow

So far, we've successfully created the Management Groups structure, deployed custom policy definitions and initiatives, and set up custom RBAC roles (steps 1, 2, and 3 are completed). Check out the image below for more details.

[Image: High Level Deployment Flow]

Because we currently don't have the Azure subscription required for step #4, we're blocked from directly deploying step 8.

Our goal is just to set up the structure with management groups and policy assignments. Is it possible to complete the first 3 steps, skip the intermediate ones, and go straight to step 8? We don't think so, but we're looking for expert advice on how to achieve this.

Tags: Azure Migrate, Azure Policy

2 answers

  1. Prashant Kumar 780 Reputation points Microsoft Employee
    2024-07-18T16:00:49.0933333+00:00

    Hi Bhushan,

    Step 8 has "Management Groups, Log Analytics Workspace & Custom Policy Definitions" as prerequisites, and this step creates policy assignments to the Management Group hierarchy and also assigns the relevant RBAC for the system-assigned Managed Identities created for policies that require them (e.g. DeployIfNotExists & Modify effect policies).

    https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow#module-deployment-sequence

    A Log Analytics workspace can only be created inside a subscription. So, if you do not have a subscription, then you cannot continue with step 8.

    Also, there are steps before step 8 for role assignments which would be needed for the policy assignments to happen. Without that, step 8 could fail with permission errors.

    Even the intermediate ones will not be possible without step 4.

    As a workaround, you can try passing a dummy Log Analytics workspace as a parameter and try the policy assignments at step 8, but the chances are very low that it would work.

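To make the dependency the answer describes concrete, here is an added example of what one step-8-style assignment looks like in Bicep. It is not code from the ALZ-Bicep repository or from either poster: a management-group-scoped policy assignment with a system-assigned identity, plus the role assignment that identity needs for DeployIfNotExists/Modify remediation. The parameter names (`par…`), resource symbolic names (`res…`), the policy parameter name `logAnalytics`, the assignment name and the choice of the built-in Log Analytics Contributor role are all assumptions for illustration; the policy definition ID is left as a required parameter rather than guessed.

```bicep
// Added example (not from the ALZ-Bicep repo): a management-group-scoped policy
// assignment of the kind step 8 creates. All "par"/"res" names are assumed.
targetScope = 'managementGroup'

@description('Assignment name; 24 characters or fewer at management-group scope.')
param parPolicyAssignmentName string = 'Deploy-ActivityLog-LA'

@description('Region for the assignment identity. A location is mandatory once an identity is set.')
param parLocation string = 'westeurope'

@description('Resource ID of the policy definition (built-in, or one of the custom definitions from step 2). Supplied by the deployer; no default is assumed.')
param parPolicyDefinitionId string

@description('Resource ID of the Log Analytics workspace. Its form is /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>, which is why a platform subscription (step 4) must exist first.')
param parLogAnalyticsWorkspaceResourceId string

@description('Built-in role GUID granted to the assignment identity. Log Analytics Contributor is assumed here; use whatever roleDefinitionIds the chosen definition lists under policyRule.then.details.')
param parRoleDefinitionId string = '92aaf0da-9dab-42b6-94a3-d43ce8d16293'

// DeployIfNotExists and Modify policies remediate under their own identity,
// so the assignment carries a system-assigned managed identity.
resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: parPolicyAssignmentName
  location: parLocation
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'Deploy activity log diagnostic settings to Log Analytics (added example)'
    policyDefinitionId: parPolicyDefinitionId
    enforcementMode: 'Default'
    parameters: {
      // "logAnalytics" is an assumed parameter name; it must match the definition's own parameter.
      logAnalytics: {
        value: parLogAnalyticsWorkspaceResourceId
      }
    }
  }
}

// Without this role assignment the identity exists but remediation deployments
// fail with authorization errors, the permission failure the answer warns about.
resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name so repeated deployments are idempotent.
  name: guid(managementGroup().id, parPolicyAssignmentName, parRoleDefinitionId)
  properties: {
    principalId: resPolicyAssignment.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
  }
}

output outPolicyAssignmentPrincipalId string = resPolicyAssignment.identity.principalId
```

Deploy it with `az deployment mg create --management-group-id <mg-id> --location <region> --template-file <file>.bicep --parameters parPolicyDefinitionId=... parLogAnalyticsWorkspaceResourceId=...`. The `parLogAnalyticsWorkspaceResourceId` value is what ties the assignment to a subscription: the assignment itself is just a string parameter, but the DeployIfNotExists remediation that runs under the managed identity writes diagnostic settings to that workspace, so a placeholder ID leaves every remediation task failing until a real workspace in a real subscription replaces it. The role assignment also needs the deploying principal to hold `Microsoft.Authorization/roleAssignments/write` at the management group (Owner or User Access Administrator), which is the earlier role-assignment step the answer refers to.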

  2. Bhushan Gawale 316 Reputation points
    2024-07-19T11:25:17.7233333+00:00

    Thanks for your response. Yes, that makes sense. In that case, the only option is to have at least one Azure subscription (platform subscription) before assigning the policies. I'll give it a try and keep this post updated.

