Hi Jeff_Mitchell_MSFT,
Good standing point, and appreciate the blog. I've been looking at Azure Landing Zones with Terraform recently and firstly, there seem to be at least 2 versions - Enterprise Scale and the non-ES Az Landing Zone.
What's not clear is which version is applicable for the types of subscription / enrolment type. Both seem to cover EA, and others with or without the use of Rover. What I'm interested in is the ALZ for CSP, thus any steps that require requesting new subscriptions are not applicable.
Unless I've missed something, the MG for Identity is pointless and rather confusing (also anti-pattern). From the official GitHub page:
> "This capability doesn't deploy any resources. If you want to update policy settings related to the identity management group, use the configure_identity_resources input variable."
From what I could gather, the purpose is to leverage Azure Policies to help with guardrails when it comes to identity, but applying it to its own Management Group without any resources seems to defeat the point. In a real-world setup, should these policies be applicable to Azure resources within the Workload scope(s)?
Also, it seems I have to dig much deeper into the lib/../.../etc to change some of the pre-baked parts such as the MGs for 'Connectivity', 'Identity' and 'Management'. For example, my customers only want to have the 'Management' MG, and move the 'Connectivity' somewhere else. My point is, the original design of the Landing Zones made some assumptions that might be the most suitable as a set of defaults.
Joe
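For readers following the thread, here is an added example (not from the blog post or from the Azure/caf-enterprise-scale module's own docs) of what the `configure_identity_resources` input mentioned in the comment looks like in a root module. The nested attribute names (`settings.identity.enable`, `enable_deny_public_ip`, `enable_deny_rdp_from_internet`, `enable_deny_subnet_without_nsg`, `enable_deploy_azure_backup_on_vms`), the `deploy_identity_resources` toggle and the module source/version are assumptions based on the module's variable schema as I understand it; check them against the module's `variables.tf` for the version you pin. The tenant and management-group ids are constructed placeholders.

```hcl
# Added example: minimal root module wiring for the identity management group.
# All ids below are constructed placeholders; the nested attribute names for
# configure_identity_resources are assumptions to verify against the module's
# variables.tf at the pinned version.

data "azurerm_client_config" "core" {}

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~> 4.0" # assumption: pin to the version you have validated

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = "contoso" # placeholder prefix for the management group tree
  root_name      = "Contoso Landing Zones"

  # The identity MG deploys no resources; this block only tunes which
  # guardrail policy assignments land on that scope. The four settings below
  # are the ones I believe the module exposes (assumption).
  deploy_identity_resources = true
  configure_identity_resources = {
    settings = {
      identity = {
        enable = true
        config = {
          enable_deny_public_ip             = true  # no public IPs on domain controllers
          enable_deny_rdp_from_internet     = true  # block RDP exposed to the internet
          enable_deny_subnet_without_nsg    = true  # every subnet must carry an NSG
          enable_deploy_azure_backup_on_vms = true  # auto-enrol identity VMs in Backup
        }
      }
    }
  }
}
```

The point of the block, relative to the question in the comment: these assignments are scoped to the identity management group, so they only bite on subscriptions placed under that MG (for example, one holding domain controllers). Workload subscriptions under the landing-zones MGs are governed by the archetype assigned to their own MG, which is where the `lib` archetype overrides come in if you want similar guardrails there.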