We're excited to announce the release of the subscription vending IaC Modules! These modules are designed to help you streamline and automate the process of provisioning Azure subscriptions, making it easier than ever to get started with Azure.
We heard loud and clear feedback from our customers and partners that we did a great job helping them accelerate their Cloud Platforms with Azure Landing Zones, and that we also helped accelerate the deployment of complex workloads like Azure Virtual Desktop, Azure VMware Solution, and more via our Application Landing Zones Accelerators. But we didn’t help customers easily achieve the design principle of Subscription Democratization. Until now!
The Subscription Vending IaC Modules are available for use with two popular infrastructure-as-code (IaC) tools: Bicep and Terraform. These modules have been created by the Customer Architecture & Engineering (CAE) team within Microsoft’s Global Customer Success (GCS) organization (the same team behind Azure Landing Zones) and are designed to help you implement the best practices for subscription provisioning.
Using these modules, you can quickly and easily provision new Azure subscriptions that are pre-configured to meet your organization's specific needs and help your application teams get access to the Azure subscriptions they need, faster. The modules include parameters/variables for Role-Based Access Control, Networking, Tags and much more.
- A list of Platform and Application Landing Zone Implementation Options and Accelerators can be found here: Deploy Azure landing zones - Azure Architecture Center | Microsoft Learn.
- You can also find the definition of Platform and Application Landing Zones here: What is an Azure landing zone? - Cloud Adoption Framework | Microsoft Learn.
You can use the new Subscription Vending IaC Modules with or without Azure Landing Zones. If you already have Azure Landing Zones set up, the modules can help you automate the subscription provisioning process for application landing zones and ensure that all subscriptions are aligned with your organization's requirements. They also let you place each subscription in the desired Management Group, so that your compliance and governance requirements are enforced with Azure Policy.
However, if you don't have Azure Landing Zones set up, you can still use the modules to quickly create new subscriptions that meet your application teams' requirements, with the same flexibility provided by the modules.
TIP! You can also use the modules with existing Azure Subscriptions!
Here are some of the key features and benefits of the Subscription Vending IaC Modules:
- Easy to use: The modules are designed to be user-friendly, with clear documentation and straightforward parameter/variable inputs.
- Automation: The modules automate many of the time-consuming and error-prone tasks involved in provisioning Azure subscriptions, saving you time and effort.
- Flexibility: The modules can be customized to meet your requirements via their parameter/variable inputs.
- Standardization: By using the modules, you can ensure that all of your Azure subscriptions are created using a consistent approach, reducing the risk of configuration errors and making it easier to manage your subscriptions at scale.
To get started with the subscription vending IaC modules, head over to the GitHub repositories, below, for the Bicep and Terraform modules and check out their wikis:
Or you can now see our recent Azure Enablement Show video below:
An example of creating a new subscription and peering to a hub Virtual Network using the Bicep module is shown below:
```bicep
targetScope = 'managementGroup'

@description('Specifies the location for resources.')
param location string = 'uksouth'

module sub001 'br/public:lz/sub-vending:1.2.2' = {
  name: 'sub-bicep-lz-vending-example-001'
  params: {
    subscriptionAliasEnabled: true
    subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
    subscriptionAliasName: 'sub-bicep-lz-vending-example-001'
    subscriptionDisplayName: 'sub-bicep-lz-vending-example-001'
    subscriptionTags: {
      test: 'true'
    }
    subscriptionWorkload: 'Production'
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: 'alz-landingzones-corp'
    virtualNetworkEnabled: true
    virtualNetworkLocation: location
    virtualNetworkResourceGroupName: 'rsg-${location}-net-001'
    virtualNetworkName: 'vnet-${location}-001'
    virtualNetworkAddressSpace: [
      '10.0.0.0/16'
    ]
    virtualNetworkResourceGroupLockEnabled: false
    virtualNetworkPeeringEnabled: true
    hubNetworkResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rsg-uks-net-hub-001/providers/Microsoft.Network/virtualNetworks/vnet-uks-hub-001'
  }
}
```
Further examples are available for the Bicep module.
The Bicep module is also available on the Bicep Public Module Registry.
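When vending runs from a pipeline, a pre-flight check on each request catches governance gaps before anything is deployed. The sketch below is an added example, not part of the modules or of the original post: it takes a request keyed by the Bicep parameter names shown above and checks management group placement, required tags, and address space overlap (virtual network peering cannot be established between networks whose address spaces overlap). The allow-list, the required tags and the allocated ranges are assumptions constructed for illustration.

```python
import ipaddress

# Constructed policy for this example; set these to your organization's values.
ALLOWED_MANAGEMENT_GROUPS = {"alz-landingzones-corp", "alz-landingzones-online"}
REQUIRED_TAGS = {"owner", "costCenter"}

def check_vending_request(params, allocated_cidrs):
    """Return findings for one request; an empty list means it may proceed.

    params          -- dict keyed by the Bicep module's parameter names
    allocated_cidrs -- address spaces already used by the hub and other spokes
    """
    findings = []
    if not params.get("subscriptionManagementGroupAssociationEnabled"):
        findings.append("management group association is disabled")
    elif params.get("subscriptionManagementGroupId") not in ALLOWED_MANAGEMENT_GROUPS:
        findings.append("management group is not on the allow-list")

    missing = REQUIRED_TAGS - set(params.get("subscriptionTags", {}))
    if missing:
        findings.append("missing required tags: " + ", ".join(sorted(missing)))

    if params.get("virtualNetworkEnabled"):
        taken = [ipaddress.ip_network(c) for c in allocated_cidrs]
        for cidr in params.get("virtualNetworkAddressSpace", []):
            try:
                net = ipaddress.ip_network(cidr)  # strict mode rejects host bits
            except ValueError:
                findings.append(f"invalid address space: {cidr}")
                continue
            clash = [str(t) for t in taken
                     if t.version == net.version and net.overlaps(t)]
            if clash:
                findings.append(f"{cidr} overlaps {', '.join(clash)}")
            taken.append(net)  # also catches overlap within the request itself
    return findings

# Constructed inputs: the request mirrors the Bicep example on this page;
# the allocated ranges are invented for illustration.
REQUEST = {
    "subscriptionManagementGroupAssociationEnabled": True,
    "subscriptionManagementGroupId": "alz-landingzones-corp",
    "subscriptionTags": {"test": "true"},
    "virtualNetworkEnabled": True,
    "virtualNetworkAddressSpace": ["10.0.0.0/16"],
}
ALLOCATED = ["10.0.0.0/22", "10.1.0.0/16"]

if __name__ == "__main__":
    for finding in check_vending_request(REQUEST, ALLOCATED):
        print("FAIL:", finding)
```

Run against the sample request, the check reports the missing `owner` and `costCenter` tags and the clash between `10.0.0.0/16` and the already allocated `10.0.0.0/22`.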
An example of creating a new subscription and peering to a hub Virtual Network using the Terraform module is shown below:
```hcl
module "lz_vending" {
  source  = "Azure/lz-vending/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  location = "northeurope"

  # subscription variables
  subscription_alias_enabled = true
  subscription_billing_scope = "/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456"
  subscription_display_name  = "mysub"
  subscription_alias_name    = "mysub"
  subscription_workload      = "DevTest"

  # virtual network variables
  virtual_network_enabled = true
  virtual_networks = {
    vnet1 = {
      name                = "spoke"
      address_space       = ["192.168.1.0/24"]
      resource_group_name = "rg-networking"
      hub_peering_enabled = true
      # the hub virtual network resource is assumed to be defined elsewhere in your configuration
      hub_network_resource_id = azurerm_virtual_network.example.id
    }
  }
}
```
Further examples are available for the Terraform module.
The Terraform module is also available on the Terraform Registry.
For more information on subscription vending and using the modules in a process, check out the following resources:
- Subscription vending - Cloud Adoption Framework | Microsoft Learn
- Subscription vending implementation guidance - Azure Architecture Center | Microsoft Learn
We hope you find the subscription vending IaC modules useful in streamlining and automating your Azure subscription provisioning process!
And if you find a feature missing or have a question, please raise a GitHub issue on the respective repository above.
We also published guidance on “Should we create a new Azure Subscription every time or should we reuse Azure Subscriptions?” in the ALZ FAQ which we advise reviewing if you are planning to have a large number of subscriptions (thousands, not hundreds).