Azure Landing Zone Core
Management-group hierarchy, policy baseline (ALZ-aligned), centralized logging and RBAC scaffolding — the flagship enterprise starter.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan clean (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-29
Documentation
azure-landing-zone-core
Status: static-validated, live-test pending. Ships under live-test quarantine — a live apply needs tenant-root / Management Group Contributor permissions in a dedicated test tenant, so the apply→verify→destroy gate runs once such a sandbox is available. Statically validated (fmt, validate, tflint).
The flagship enterprise starter: a management-group hierarchy, an optional
centralized Log Analytics workspace, custom Azure Policy definitions
with management-group-scoped assignments, and custom RBAC role definitions
and assignments. ALZ-aligned by default, but small, transparent and fully
parameterised — original work, not a wrapper over avm-ptn-alz, so you own
the graph and can read every resource it creates.
Design & secure defaults
- ALZ-aligned default hierarchy under your root MG: `Platform`, `Landing Zones` (with `Corp` and `Online` children), `Sandbox`, `Decommissioned`. Override `child_management_groups` to reshape it; child `parent` references are validated so you can't point at a missing parent.
- Key-based references throughout. Subscriptions, policy assignments and role assignments target management groups by key (`root` or a child key), resolved to IDs internally — preconditions fail the plan on a typo'd key instead of producing a misplaced assignment.
- Policies enforced by default (`enforce = true`), not audit-only. Custom definitions are created at the root MG and can be referenced from an assignment as `custom:<name>`; built-in policy/initiative IDs work directly.
- Centralized workspace: Entra-only auth (`local_authentication_enabled = false`), bounded retention (90 days), optional daily cap.
- Least-privilege custom roles: defined and assignable at the root MG; assignments accept either a built-in `role_definition_name` or a `custom_role_key`, and a precondition enforces exactly one.
Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.
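The plan-time guards the design notes describe (validated `parent` keys, management-group keys resolved to IDs, and exactly one of `role_definition_name` / `custom_role_key`), written here as illustrative HCL against azurerm. This is an added example, not the module's own code: every name other than `child_management_groups`, `parent`, `root`, `role_definition_name` and `custom_role_key` is an assumption, including that each child management group is named after its key.

```hcl
variable "root_management_group_id" {
  type = string # resource ID of the caller's root MG (assumed input name)
}
variable "child_management_groups" {
  type = map(object({ display_name = string, parent = string }))
  default = {
    landing_zones = { display_name = "Landing Zones", parent = "root" }
    corp          = { display_name = "Corp",          parent = "landing_zones" }
  }
  validation {
    # Each parent must be "root" or another child key, so a typo fails the plan.
    condition = alltrue([for c in values(var.child_management_groups) :
      c.parent == "root" || contains(keys(var.child_management_groups), c.parent)])
    error_message = "Each child's parent must be \"root\" or an existing child key."
  }
}

variable "role_assignments" {
  type = map(object({
    management_group_key = string
    principal_id         = string
    role_definition_name = optional(string) # built-in role name, or ...
    custom_role_key      = optional(string) # ... a key into custom_role_ids
  }))
  default = {}
}
variable "custom_role_ids" {
  type    = map(string) # assumed: custom role key -> role definition resource ID
  default = {}
}
locals {
  # Key -> management-group ID; assumes each child MG is named after its key.
  mg_ids = merge({ root = var.root_management_group_id },
    { for k, v in var.child_management_groups : k => "/providers/Microsoft.Management/managementGroups/${k}" })
}

resource "azurerm_role_assignment" "mg" {
  for_each             = var.role_assignments
  scope                = local.mg_ids[each.value.management_group_key] # unknown key: plan error
  principal_id         = each.value.principal_id
  role_definition_name = each.value.role_definition_name
  role_definition_id   = each.value.custom_role_key == null ? null : var.custom_role_ids[each.value.custom_role_key]
  lifecycle {
    precondition {
      # Exactly one of the two ways to name the role (boolean XOR).
      condition     = (each.value.role_definition_name != null) != (each.value.custom_role_key != null)
      error_message = "Set exactly one of role_definition_name or custom_role_key."
    }
  }
}
```

A `terraform plan` with a misspelled parent key or management-group key, or with both role fields set, stops at the validation or precondition rather than creating a misplaced assignment.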
Requirements
| Requirement | Version |
|---|---|
| Terraform / OpenTofu | >= 1.6 |
| hashicorp/azurerm | >= 4.0, < 5.0 |
License
Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).
Usage code & full reference unlock after purchase
The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.