Option to create a landing zone management group for brownfield subscriptions #773

Open
2 tasks done
simonhutson opened this issue Apr 22, 2024 · 2 comments
Labels
  • Area: Management Groups 🍻 (Issues / PR's related to Management Groups)
  • Area: Policy 📝 (Issues / PR's related to Policy)
  • Status: Long Term ⌛ (We will do it, but will take a longer amount of time due to complexity/priorities)
  • Type: Enhancement ✨ (New feature or request)

Comments

@simonhutson

Describe the feature end to end, including deployment scenario details under which the feature would occur.

The following document describes an example approach that transitions an environment to the Azure landing zone conceptual architecture by duplicating the landing zone management group with policies in audit only mode. With this approach, you can quickly access the new desired target architecture and then assess the application or workload subscriptions for compliance. This approach eliminates the risk of affecting the application teams because the policies are in audit only mode.

https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/align-approach-duplicate-brownfield-audit-only

It would be useful to have an option to deploy a brownfield landing zone management group and policies as part of the standard Bicep deployment.

Why is this feature important. Describe why this would be important for your organization and others. Would this impact similar orgs in the same way?

Increasing numbers of customers have previously deployed Azure and are now looking to adopt infrastructure as code and ALZ best practices. A brownfield management group option would accelerate their migrations.

Please provide the correlation id associated with your error or bug.

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Can you describe any alternatives that you have taken since this feature does not exist?

No response

Feature Implementation

No response

Check previous GitHub issues

  • I have searched the issues for this item and found no duplicate

Code of Conduct

  • I agree to follow this project's Code of Conduct
@oZakari oZakari added Area: Policy Area: Management Groups 🍻 Issues / PR's related to Management Groups labels Apr 23, 2024
@oZakari
Contributor

oZakari commented Apr 23, 2024

Hi @simonhutson, I agree that this is a valid ask. Probably not something we will get to in the near term, but will add to the backlog and consider our options.

@oZakari oZakari added Status: Long Term ⌛ We will do it, but will take a longer amount of time due to complexity/priorities Area: Policy 📝 Issues / PR's related to Policy Type: Enhancement ✨ New feature or request and removed long-term labels Jul 9, 2024
@ThojoUno

You could achieve this today with the current release of ALZ-Bicep. Update the cd.yaml pipeline and update the parameter defaults to false for:

  1. subscription_placement, false
  2. connectivity_resource_group, false
  3. hub_and_spoke, false

Leave all the other parameter defaults to true.

This will deploy the documented management group structure, policy definitions, initiatives, and assignments, and enable logging for new resource deployments.

If you already have an Intermediate Root management group, define a new one on your Tenant root in your parameters.json, example - contoso2, and leave your existing (contoso) Intermediate root management structure in place.

I would recommend disabling the subscription_placement and slowly moving non-production subscriptions first to either the landingzones-online or landingzones-corp management group, depending on whether you are hosting internal or internet-facing applications. Once you've tested non-production workloads with the new policies and monitoring, make a plan to move production subscriptions.
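
A pre-move check for the staged migration discussed in this thread, as an added example that is not part of the issue or of ALZ-Bicep: before a subscription is placed under a new management group, list the policy assignments it would inherit that are not in audit-only mode. It assumes audit-only is expressed as `enforcementMode` set to `DoNotEnforce` on the assignment; the hierarchy, the assignment names and the `enforced_on` helper are constructed for illustration.

```python
import json

MG_SCOPE = "/providers/microsoft.management/managementgroups/"

# Constructed sample data (not from the issue): child -> parent management
# groups, and assignments shaped like `az policy assignment list` JSON output.
PARENTS = {
    "contoso2-landingzones-corp": "contoso2-landingzones",
    "contoso2-landingzones-online": "contoso2-landingzones",
    "contoso2-landingzones": "contoso2",
    "contoso2": None,
}
ASSIGNMENTS = json.loads("""[
 {"name": "example-deny-public-ip", "enforcementMode": "DoNotEnforce",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso2-landingzones"},
 {"name": "example-deny-public-endpoints", "enforcementMode": "Default",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso2-landingzones-corp"},
 {"name": "example-deploy-diagnostics",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso2"},
 {"name": "example-deny-http-storage", "enforcementMode": "Default",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso-landingzones"}
]""")

def ancestors(mg, parents):
    """Return mg and every management group above it, nearest first."""
    chain = []
    while mg is not None and mg not in chain:  # the second test stops on a cycle
        chain.append(mg)
        mg = parents.get(mg)
    return chain

def enforced_on(target_mg, parents, assignments):
    """Names of assignments inherited by target_mg that are not audit-only."""
    scopes = {MG_SCOPE + mg.lower() for mg in ancestors(target_mg, parents)}
    blocking = []
    for a in assignments:
        if a.get("scope", "").lower() not in scopes:  # resource IDs are case-insensitive
            continue
        # A missing enforcementMode is treated as "Default", i.e. enforced.
        if a.get("enforcementMode", "Default").lower() != "donotenforce":
            blocking.append(a["name"])
    return sorted(blocking)

if __name__ == "__main__":
    for mg in ("contoso2-landingzones-corp", "contoso2-landingzones-online"):
        print(mg, "->", enforced_on(mg, PARENTS, ASSIGNMENTS) or "audit-only")
```

An empty result for a target management group means every inherited assignment is audit-only; anything listed would be enforced on a subscription moved there.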


3 participants