VENDING Version 1 (WIP) Last Review Date: August, 2024

Documentation Overview

covers:

Landing Zone Subscription Preparation

Overview

Landing Zone Subscription Preparation is the process of preparing a subscription for use in the Landing Zones Vending process and creating all the required Azure role assignments to support terraform identity provisioning A landing zone name has two components, system and environment (dev, test, demo, prod) seperated by an single quote eg. morecore-dev where the system is morecore and environment is dev

Access

• Access to this site is for members of the MoreCore team, and permitted subcontractors.
• Access is controlled via

Landing Zone Placement

• Landing Zones must be placed in a management group to inherit policies and role assignments
• Navigate to Management Groups Blade (opens in a new tab)
• Find the Subscription and Move to the correct Management Group.

Landing Zone Resource Provider

• Most resource provider enablement is handled in IaC.
• To enable using terraform via a managed identity in the subscription in a landing zone, the Microsoft/ManagedIdentity provider must be registered.

MIQ-MGMT Plan identity role assignments

• The MIQ-MGMT Plan managed identity requires the Azure Landing Zones Subscription Reader (miq-mgmt) role assigned to the new landing zone subscription
  
  
  

MIQ-MGMT Apply identity role assignments

• The MIQ-MGMT Apply managed identity requires the Azure Landing Zones Subscription Owner (miq-mgmt) role assigned to the new landing zone subscription.
• The role is a Custom Privileged Administrator role
• The role assignment requires a condition that allows role assignments for the identity.