Deploy a Mission Enclave Landing Zone manually¶

This document provides guidance on how to deploy a Mission Enclave Landing Zone starter using manual methods.

Prerequisites¶

Before you begin, ensure you have met the following requirements:

Azure Subscription: You need an Azure subscription to create resources in Azure. If you don't have one, you can create a free account.
Azure CLI or Azure PowerShell: You need either Azure CLI or Azure PowerShell installed and configured to interact with your Azure account. You can download them from here and here respectively.
Terraform: You will need Terraform installed to deploy the infrastructure. You can download Terraform from here.
Knowledge of Azure Landing Zones: This project involves deploying and managing Azure Landing Zones resources. Familiarity with Azure Landing Zones and its concepts is recommended.

Quickstart¶

Below is an example of a Terraform deployment that uses all the defaults in the TFVARS folder to deploy the landing zone to one subscription.

NOTE: Since this reference implementation is designed to use remote state, you will need to comment out the backend "local" {} block in the versions.tf file. This will allow you to deploy the landing zone without having to deploy the remote state storage account first.

cd infrastructure/terraform
terraform init
terraform plan --out anoa.dev.plan --var-file tfvars/parameters.tfvars --var "subscription_id_hub=<<subscription_id>>" --var "vm_admin_password=<<vm password>>" # supply some parameters, approve, copy the output values
terraform apply anoa.dev.plan

Manual Deployment¶

Mission Enclave Landing Zone can be deployed with command-line tools provided with the Terraform CLI in PowerShell.

Command Line Deployment Using the Terraform CLI in PowerShell¶

Use the Terraform CLI command terraform to deploy Mission Enclave Landing Zone across one or many subscriptions. The following sections describe how to deploy Mission Enclave Landing Zone using the Terraform CLI in PowerShell.

Single Subscription Deployment¶

To deploy Mission Enclave Landing Zone into a single subscription, you must first login to Azure.

Log in using the Azure CLI.

# AZ CLI
az cloud set -n AzureCloud
az login

Set the Environment¶

# AZ CLI
$env:ARM_ENVIRONMENT = "public"

NOTE: If you are deploying to Azure US Government, set the environment to usgovernment.

Terraform init¶

Before provisioning any Azure resources with Terraform you must initialize a working directory.

Navigate to the directory in the repository that contains the Mission Enclave Landing Zone Starter Terraform modules and configuration files:
```
cd infrastructure/terraform
```

NOTE: Since this reference implementation is designed to use remote state, you will need to comment out the backend "local" {} block in the versions.tf file. This will allow you to deploy the landing zone without having to deploy the remote state storage account first. For more information on remote state, see the Remote State documentation.

Execute terraform init
```
terraform init
```

Terraform Plan¶

After initializing the directory, use terraform plan to provision the resources plan described in infrastructure/terraform.

From the directory in which you executed terraform init execute terraform plan with the --var-file parameter to specify the path to the parameters.tfvars file:
```
terraform apply --var-file tfvars/parameters.tfvars --out "anoa.dev.plan"
```

You'll be prompted for a Hub subscription ID and VM Password.

Supply the subscription ID you want to use for the Hub network:

> terraform plan
var.subscription_id_hub
If specified, identifies the Platform subscription for "Hub" for resource deployment and correct placement in the Management Group hierarchy.

Enter a value:

Supply the VM Admin Password you want to use for the Bastion VM:

```plaintext
var.vm_admin_password
The password for the administrator account for the Bastion VM.

Enter a value:

NOTE: If you want to skip the prompts, you can supply the values on the command line using the --var parameter. For more information, see the Terraform CLI documentation.

Terraform Apply¶

Now run terraform apply, by default, Terraform will inspect the state of your environment to determine what resource creation, modification, or deletion needs to occur from the terraform plan using the output plan and then prompt you for your approval before taking action.

From the directory in which you executed terraform init execute terraform apply with the anoa.de.plan parameter:
```
terraform apply "anoa.dev.plan"
```

NOTE: Since you are using a output plan file, you will not be prompted for approval to deploy.

The deployment will begin. These commands will deploy all of the resources that make up Mission Enclave LZ. Deployment could take up to 45 minutes.

Apply Complete¶

When it's complete, you'll see some output values that will be necessary if you want to stand up new workload spoke, or add-on:

Apply complete! Resources: 166 added, 0 changed, 0 destroyed.

Example Outputs:

hub_virtual_network_id = /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/anoa-hub-networking-rg/providers/Microsoft.Network/virtualNetworks/anoa-hub-vnet
hub_virtual_network_name = "anoa-hub-core-dev-vnet"
firewall_private_ip = "0.0.0.0"
log_analytics_workspace_id = /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/anoa-hub-networking-rg/providers/microsoft.operationalinsights/workspaces/anoa-hub-logs-dev-law
...

Deploying to Other Clouds¶

When deploying to another cloud, like Azure US Government, first set the cloud and log in.

Logging into AzureUSGovernment:

# AZ CLI
az cloud set -n AzureUsGovernment
az login

Deploying to Multiple Subscriptions¶

To deploy Mission Enclave Landing Zone into multiple subscriptions, follow the same steps as deploying to Single Subscription. The only difference is that you will need to add the subscription ID for each subscription you are deploying to on the terraform plan.

Example:

> terraform plan --var-file tfvars/parameters.tfvars --out "anoa.dev.plan" -var "subscription_id_hub=00000000-0000-0000-0000-000000000000" -var "subscription_id_identity=00000000-0000-0000-0000-000000000000" -var "subscription_id_operations="\00000000-0000-0000-0000-000000000000" -var "subscription_id_devsecops=00000000-0000-0000-0000-000000000000" -var "vm_admin_password=Password1234!"

Cleanup¶

If you want to delete an Mission Enclave Landing Zone deployment you can use terraform destroy. If you have deployed more than one Terraform template, e.g., if you have deployed Landing Zone and then Add-on, run the terraform destroy commands in the reverse order that you applied them. For example:

# Deploy core MLZ resources
cd infrastructure/terraform
terraform apply

# Destroy core MLZ resources
cd infrastructure/terraform
terraform destroy

Running terraform destroy for infrastructure/terraform looks like this:

From the directory in which you executed terraform init and terraform apply execute terraform destroy:
```
terraform destroy
```
You'll be prompted for a subscription ID. Supply the subscription ID you want to used previously:
```
> terraform destroy
var.hub_subid
Subscription ID for the deployment

Enter a value: 
```
Terraform will then inspect the state of your Azure environment and compare it with what is described in Terraform state. Eventually, you'll be prompted for your approval to destroy resources. Supply yes:
```
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

Enter a value: yes
```

This command will attempt to remove all the resources that were created by terraform apply and could take up to 45 minutes.