By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept
Resources
>
Blog
>
Article
An abstract digital blue background of cloud computing with the Azure and Terraform logos in the front.
May 19, 2022

We rebuilt Azure CAF in Terraform so you don’t have to!

In this introduction of Liatrio’s Terraform Azure CAF implementation we introduce the founding principles of our module, as well as some of the benefits it provides.

Caleb Jobe
DevOps Engineer

When you start thinking about adopting cloud computing platforms, you know you want to get well supported infrastructure, cost control, and the latest technology. But how do you make it easy for the engineers who will implement your vision? That’s where a strong framework and solid foundation comes in. Following industry best practices is made so much simpler when you can adopt a well-architected set of purpose-built tools.

Intro to Azure CAF

What is a CAF?

A Cloud Adoption Framework (CAF) is a toolkit consisting of several steps (planning, readiness, adoption, governance, and management). In simple terms, a CAF is a set of tried-and-true strategies to help you migrate to the cloud in the best way possible.

Microsoft’s Azure CAF sets out to solve cloud adoption challenges for a wide range of users. Because of this deliberately broad focus, their templates require significant knowledge in Azure architecture to successfully implement. Additionally, many of their offerings are MS Azure specific.

We saw an opportunity to make things easier and more focused. With ease of implementation as our goal, we set out to make an Azure CAF based implementation using Terraform. We’ll dive more into why it is our favorite Infrastructure as code (IaC) tool in a future post. Here, we will simply say that Terraform allows us to create code that is easy to read, maintain, and extend. We aim to minimize up front input choices and give you a usable deployment experience right at your fingertips.

What is a Landing Zone?

A Landing zone is the foundation on which you will build your own cloud infrastructure to support workloads. It provides the foundation to get started quickly and securely by helping you focus on your application’s infrastructure rather than the time consuming prerequisites to begin deploying your application. Landing zones account for scale, security governance, networking, and identity.

A diagram of an Azure Landing Zone
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/media/lz-design.png

Why is it important?

A common pattern in large organizations when migrating to the cloud is that teams will dive head first into experimentation by doing initial cloud infrastructure POC’s. The intent behind these POC’s is to gain context through trial and error and return to fix issues later. This ephemeral infrastructure eventually needs to be replaced for a production deployment. Often security and audit compliance needs are not addressed until it is time to work on a production “go-live” effort. Or worse, the subpar POC configuration becomes the de-facto production standard. Instead of defaulting to this “wait until the end” approach, an Azure CAF Landing Zone allows you to build production ready deployments from the beginning.

Landing Zones make migration to the cloud easier, while ensuring consistency up front for security, regulatory compliance, networking, and identity management. You are then free to focus on delivering your applications and innovating to meet customer needs quickly. POC’s can be standardized with less need to work on building a stable baseline infrastructure and more time for simply testing your business application ideas.

Perhaps even more importantly, you can build trust that allows rapid production deployment since the cloud infrastructure patterns have been proven through repeated use and validation.

What approach has Microsoft used?

Microsoft has their own IaC solutions in Azure Resource Manager (ARM) templates and Bicep. These are Azure specific tools for managing cloud infrastructure.

Microsoft has also ventured into creation of modules using Hashicorp’s Terraform. However, their effort to cover all use cases makes those Terraform options somewhat difficult to consume, especially for new users in the Azure space. On the plus side, Terraform’s platform independence has led to broad industry support. Check out our Solution Brief to hear our thoughts on ARM vs Terraform.

After working directly with Microsoft’s CAF supermodule in Terraform, as well as their Terraform Enterprise Scale CAF module, we chose to invest time in creating our own opinionated framework for Azure CAF. We wanted to create an implementation of CAF readiness automation that provides a concise vision. While Microsoft Enterprise CAF has a lot of functionality it doesn’t provide an opinion about many of its complex components.

We wanted to emphasize ease of management, incremental rollout, and limit the amount of decisions blocking a sensible starting point. In short, we wanted to make it simple to consume.

Our Approach

When deciding to create our own Terraform implementation we came across many complex decisions that we wanted to codify for the sake of its consumers. Rather than accounting for every possible instantiation of Azure CAF readiness infrastructure, we wanted to emphasize ease of management, incremental rollout, and limit the amount of decisions blocking a sensible starting point. In short, we wanted to make it simple to consume. Azure’s voluminous service catalog is ever expanding and with this comes an overload of choice that can be daunting to navigate. Our approach aims to mitigate this by offering out-of-the-box functionality.

Example AKS landing zone ready to receive additional resources and support application workloads
Example AKS landing zone ready to receive additional resources and support application workloads

Our Azure CAF based landing zones provide opinionated sensible defaults to allow you to begin using Azure’s cloud offering quickly. You are still free to choose each implementation detail, but typically the default selections will get you what you need in order to deploy infrastructure and applications securely. For example here are a few of our features:

  • ~Azure Policy
  • ~~Here we specify safe default policies that include and enhance the Azure default policies, while being mindful of cost
  • ~~One goal here is to make policy management more accessible while sticking with our everything-as-code philosophy
  • ~Networking Infrastructure
  • ~~Our modules include a private DNS resolver service by default that is in turn linked to VNets in landing zones you deploy
  • ~~The VWAN service from Azure allows easy management of hub and spoke topology by abstracting networking complexities
  • ~Landing Zones
  • ~~We compartmentalize infrastructure required for supporting different flavors of workloads
  • ~~The modules utilized by our implementation are designed to hook into existing networking and structural components
  • ~Shared Services
  • ~~In order to support private workloads hosted in the cloud, we include a shared services cluster for reusable workloads such as github self hosted-runners.

In this introduction of Liatrio’s Terraform Azure CAF implementation we have introduced the founding principles of the module as well as some of the benefits it provides. Next time we’ll take a deeper look at our tool of choice: Hashicorp’s IaC tool, Terraform!

Latest From Our Blog

Enterprise
The Business Value of Observability: Why Enterprises Should Leverage the DORA Report

Enterprises are driving innovation and digital transformation with insights from the DORA report. Find out how in our latest blog.

Team Liatrio
6/25/2024
Automated Governance
Lowering the Barrier of Entry for Automated Governance — GitHub's New Artifact Attestation Feature

GitHub's new Artifact Attestations feature represents a significant advancement for streamlining Governance, Risk, and Compliance (GRC) processes. By integrating attestation creation directly into GitHub Actions, it simplifies the adoption of automated governance for teams and reduces the need for custom development.

Eric Chapman
Alex Detesan
5/17/2024
Security at Scale: Platform Engineering Enforces Security Best Practices

This blog looks at how bringing Platform Engineering to your security organization not only strengthens security posture, but also embeds security capabilities into IT and software delivery.

Robert Kelly
5/2/2024
IDPs and APIs: How Platform Engineering Supports Developer Experience (DevEx)

APIs and IDPs enable platforms to become accelerators for delivery, allowing teams to innovate quicker, with higher quality, and with greater satisfaction.

Robert Kelly
4/19/2024
Platform Engineering: Driving Developer Experience and Business Value

In this blog we take a high-level look at some of the drivers of business value for Platform Engineering and building enterprise delivery platforms.

Robert Kelly
4/5/2024
Enterprise
Killing DevOps: The Rise and Fall of a Transformational Giant

The majority of IT organizations have implemented DevOps principles and ways of working. Sounds amazing, right? Then why is DevOps dying? Read the blog to find out.

Robert Kelly
3/26/2024
Enterprise Modernization
What Is Platform Engineering? The Concept Behind the Term

What is platform engineering? It consists of removing obstacles between developers and production. Learn more about it in this post.

Robert Kelly
3/22/2024
DevEx
Navigating Your Path to the Ideal IDP: Backstage vs. Getport.io

This blog explores the vital role of internal development portals (IDPs) like Backstage and Getport.io in enhancing development workflows.

Jon Rudy
3/7/2024
Github
GitHub API — Automate Everything!

This blog explores the diverse capabilities of the GitHub API beyond version control, detailing how it can enhance CICD environments. From cleanup tasks and data funneling to enforcing standardization and enabling self-service jobs, the API's versatility is showcased.

Devin Leaman
2/18/2024
DevOps Tools
ServiceNow is NOT a Developer Platform (iDP)

Exploring the limitations of ServiceNow in developer environments, this blog contrasts its rigid, ticket-based system with more agile developer portals, emphasizing the need for collaboration, rapid iteration, and developer autonomy in software development.

Mitchell Phillips
2/14/2024
Read More on Our Blog
Ready to get started?

Contact Us

We'd love to learn more about your project and determine how we can help out.