Building a Landing Zone in Azure China with Terraform

As businesses increasingly move their operations to the cloud, it becomes essential to have a well-designed and secure cloud environment. This is where Cloud Landing Zones come in, providing a framework for businesses to build and manage their cloud infrastructure. A Landing Zone is a pre-built cloud environment that is designed to be scalable, secure, and compliant, allowing businesses to quickly deploy their workloads while adhering to their organizational policies and standards.

This article will explore the benefits of building a Landing Zone in Azure China, a specialized cloud environment for businesses operating in China. We will discuss how to leverage Terraform, a popular infrastructure as a code tool, to automate the creation and management of the Landing Zone infrastructure.

Benefits of Building a Landing Zone in Azure China

Building a Landing Zone in Azure China has several advantages:

Differences between a Landing Zone in Azure Global and Azure China

There are several key differences between a Landing Zone in Azure Global and Azure China. Some of these differences include:

Setting up the Azure China Environment

To build a Landing Zone in Azure China, you will first need to create an Azure China account and set up a subscription. Here are the steps to follow:

Understanding Terraform

Terraform is an open-source tool that enables you to create, change, and version your infrastructure as code. With Terraform, you can define your infrastructure components using simple and declarative language, and then apply those definitions to create and manage your cloud resources. This approach offers several benefits over traditional manual processes, including:

To get started with Terraform, you will need to create a Terraform project and define your infrastructure components using the Terraform configuration language. This language is simple and declarative, making it easy to define your infrastructure components using a few lines of code.

Setting Up Terraform for Azure China

Terraform uses a concept called providers to interact with cloud platforms such as Azure. Providers are plugins that enable Terraform to interact with cloud resources using the cloud provider’s API. To use Terraform with Azure China, you will need to install the Azure provider plugin.

The Azure Provider enables the configuration of infrastructure in Microsoft Azure through the utilization of the Azure Resource Manager API’s. However, connecting it to an Azure China account presents a challenge, specifically regarding authentication. It should be noted that attempting to establish a connection using the examples found in the documentation pages is unlikely to succeed. This is primarily due to the disparity between the APIs for Azure China and the international standard APIs. To overcome this obstacle, it is necessary to specify “environment = ‘china'” during the provider definition process, as shown below:

Additionally, if Azure CLI is being utilized, it is imperative to configure it to leverage the APIs of the China region. This can be achieved by executing the following command:

$ az cloud set –name AzureChinaCloud

Creating the Azure China Landing Zone Infrastructure

An Azure Landing Zone is an Azure cloud infrastructure environment designed to provide a standardized and secure foundation for deploying Azure resources. It typically includes a set of pre-defined subscriptions and associated services that are specifically chosen to address the needs of the organization.
The Azure Landing Zone which we’ve created is being developed following the Microsoft-recommended Cloud Adoption Framework, which deploys infrastructure resources in Azure to establish foundational controls necessary for the effective management of an organization’s cloud estate.
The framework enforces policies, deploys resources, and utilizes templates to instill confidence in organizations as they begin using Azure.

The subscription architecture for this Landing Zone will be simplified, consisting of a Tenant Root Group that will serve as the management group. Under the Tenant Root Group, the Contoso management group will be established, which will contain the following groups:

Within each Azure subscription, we have deployed pre-defined services that are tailored to support the specific area that the subscription is intended to cover. These pre-defined services are organized into categories, including:

By deploying these pre-defined services within each subscription, we ensure that the specific needs and requirements of each area are adequately addressed, and resources are utilized efficiently.

Deploying Workloads to the Landing Zone

Once you have defined your infrastructure components using Terraform, you can apply those definitions to your cloud environment to create and manage your resources. Terraform offers several commands to help you manage your infrastructure, including plan, validate, apply, and destroy. With these commands, you can preview changes, validate code, apply changes, and tear down resources when you no longer need them.

In addition to Terraform’s commands, we have taken an additional step towards streamlining our workflow by incorporating continuous integration and continuous deployment (CI/CD) pipelines and pre-commit hooks. This enables developers to automatically conform to writing valid, well-documented code. We use Bitbucket pipelines to automate our CI/CD process.

In a nutshell, Our CI/CD pipeline consists of two steps, one for pull requests and one for the master branch. The pull request step validates the Terraform code, checks formatting, and ensures the required dependencies are installed. The master branch step does the same, but also applies the infrastructure changes to the cloud environment. This is achieved by setting the necessary environment variables and running the terraform apply command with the -auto-approve flag. The whole pipeline is explained in detail in the next section.

Explaining the CI/CD Pipeline

First, the pipeline defines the Docker image that will be used to run the pipeline. In this case, the image used is hashicorp/terraform:latest. This means that the pipeline will be run inside a Docker container based on the latest version of the HashiCorp Terraform image available on Docker Hub:

image: hashicorp/terraform:latest

Next, the pipeline defines two sections: one for pull requests and one for the master branch.

pipelines:
pull-requests:
“*”:
– step:
script:
– terraform init
– terraform validate
– terraform fmt –check
branches:
‘master’:
– step:
script:
– apk update && apk add bash py-pip && apk add –virtual=build gcc libffi-dev musl-dev openssl-dev python-dev make && pip install azure-cli && apk del –purge build
– terraform init
– terraform validate
– export TF_VAR_subscription_id=$ARM_SUBSCRIPTION_ID
– export TF_VAR_tenant_id=$ARM_TENANT_ID
– export TF_VAR_client_id=$ARM_CLIENT_ID
– export TF_VAR_client_secret=$ARM_CLIENT_SECRET
– export TF_VAR_region=$ARM_REGION
– terraform apply -auto-approve

The pull-requests section applies to any pull requests made to the repository, while the branches section applies only to the master branch.

For both sections, the pipeline defines a step that contains the actual commands that will be run when the pipeline is triggered.

The script section contains a series of Bash commands that will be run inside the Docker container.

For both the pull request and master branch sections, the pipeline starts by updating the Alpine package index and installing some packages required for the subsequent steps. Specifically, the pipeline installs Bash, pip, and the Azure CLI.

The pipeline then initializes Terraform using the terraform init command. This command initializes the Terraform working directory and downloads any required providers and modules:

– terraform init

The pipeline then runs the terraform validate command to check the validity of the Terraform configuration files.

– terraform validate

The pipeline also checks that the Terraform configuration files are properly formatted using the terraform fmt –check command.

– terraform fmt –check

For the master branch section, the pipeline sets some environment variables using values from the corresponding Azure environment variables. Specifically, the pipeline sets the TF_VAR_subscription_id, TF_VAR_tenant_id, TF_VAR_client_id, TF_VAR_client_secret, and TF_VAR_region variables to the values of $ARM_SUBSCRIPTION_ID, $ARM_TENANT_ID, $ARM_CLIENT_ID, $ARM_CLIENT_SECRET, and $ARM_REGION, respectively.

Finally, I would like to highlight that although we are using Bitbucket pipelines as our CI/CD provider in this context, the concept can certainly be replicated with other similar providers such as GitLab, GitHub, CircleCI, TravisCI, and others. The overall process and principles of CI/CD remain the same regardless of the specific tool or platform being used.

How Rahi Can Support Businesses Adopt Azure in China

We are a global IT solutions provider that has extensive experience helping businesses adopt Azure in China.
Our team of experts can provide a range of services to support your adoption of the Azure platform, including:

Our team has already helped many Western companies successfully adopt and integrate Azure in China, and we can also bring that expertise to your business. With our support, you can leverage the power of Azure to drive your digital transformation and grow your business in China.

Conclusion

Building a Landing Zone in Azure China with Terraform provides several benefits for businesses operating in China. By using Azure China, businesses can comply with local regulations, access services optimized for China’s unique needs, and benefit from enhanced security and privacy measures. Using Terraform to automate infrastructure as code makes it easier to manage and scale infrastructure, reduce errors, and increase efficiency.