Day 3 Challenge

Automate the Azure Barista's Azure Landing Zones deployment with either Bicep or Terraform.


Today’s hacking is about getting hands on with some of the automation artifacts provided to help you deploy Azure Landing Zones quickly and consistently.

It does not matter which tooling is used to implement Azure Landing Zone. It is far more important that the end result matches the architecture, adheres to the five principles and covers the eight critical design areas than how you get there, and most organisations will already have their own preferred automation tools.


Today hacking give you the choice of paths to explore:

  1. Official Bicep modules
  2. Official Terraform module

Day 3 Challenge

The primary objective is to build out the architecture using the Infrastructure as Code (IaC) and (optionally) CI/CD tool of your choice.

Use a different management group tree for this exercise (use a different top level name, e.g AZBIaC)

  1. Implement the reference Azure Landing Zones architecture using the IaC tool of your choice
  2. Customise the existing management groups to meet the Azure Baristas requirements
  3. Add additional management groups and policy assignments (custom landing zones) to meet the Azure Baristas requirements

Stretch goals

You do not have to do these challenges in order, pick whichever ones are most appealing!

  1. Implement a canary management group branch
    • You can combine this with the primary objective if you want to retain the manually deployed system for comparison
  2. Implement a branch protection strategy to control changes to production
  3. Implement a subscription vending machine
    • You can mock up the subscription creation rather than using the real APIs

Official ARM resources

Official Bicep resources

⚠️ The Bicep resources are currently in preview.

Official Terraform module

Additional Terraform resources

Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

 Make a change