Announcing our new Subscription Vending IaC Modules for Bicep & Terraform

We're excited to announce the release of the subscription vending IaC Modules! These modules are designed to help you streamline and automate the process of provisioning Azure subscriptions, making it easier than ever to get started with Azure.

 

We heard loud and clear feedback from our customers & partners that we did a great job helping them accelerate their Cloud Platforms with Azure Landing Zones. And that we also helped accelerate the deployment of complex workloads like Azure Virtual Desktop, Azure VMware Solution, and more via our Application Landing Zones Accelerators. But, we didn’t help customers easily achieve the design principle of Subscription Democratization. Until now!

 

The Subscription Vending IaC Modules are available for use with two popular infrastructure-as-code (IaC) tools: Bicep and Terraform. These modules have been created by the Customer Architecture & Engineering (CAE) team within Microsoft’s Global Customer Success (GCS) organization (the same team behind Azure Landing Zones) and are designed to help you implement the best practices for subscription provisioning.

 

Using these modules, you can quickly and easily provision new Azure subscriptions that are pre-configured to meet your organization's specific needs and help your application teams get access to the Azure subscriptions they need, faster. The modules include parameters/variables for Role-Based Access Control, Networking, Tags and much more.

 

 

• A list of Platform and Application Landing Zone Implementation Options and Accelerators can be found here: Deploy Azure landing zones - Azure Architecture Center | Microsoft Learn. 
• You can also find the definition of Platform and Application Landing Zones here: What is an Azure landing zone? - Cloud Adoption Framework | Microsoft Learn.

You can use the new Subscription Vending IaC Modules with or without Azure Landing Zones. If you already have Azure Landing Zones set up, the modules can help you automate the subscription provisioning process for application landing zones and ensure that all subscriptions are aligned with your organization's requirements and allow you to place them in the desired Management Group to enforce your compliance and governance requirements with Azure Policy.

 

However, if you don't have Azure Landing Zones set up, you can still use the modules to quickly create new subscriptions to meet your application teams requirements using the same flexibility provided in the modules.

 

TIP! You can also use the modules with existing Azure Subscriptions!

 

Here are some of the key features and benefits of the Subscription Vending IaC Modules:

 

• Easy to use: The modules are designed to be user-friendly, with clear documentation and straightforward parameter/variable inputs.
• Automation: The modules automate many of the time-consuming and error-prone tasks involved in provisioning Azure subscriptions, saving you time and effort.
• Flexibility: The modules can be customized to meet your requirements via their parameter/variable inputs.
• Standardization: By using the modules, you can ensure that all of your Azure subscriptions are created using a consistent approach, reducing the risk of configuration errors and making it easier to manage your subscriptions at scale.

To get started with the subscription vending IaC modules, head over to the GitHub repositories, below, for the Bicep and Terraform modules and check out their wikis:

• Bicep lz vending
• Terraform lz vending

An example of creating a new subscription and peering to a hub Virtual Network using the Bicep module is show below:

 

 

 

 

 

targetScope = 'managementGroup' @description('Specifies the location for resources.') param location string = 'uksouth' module sub001 'br/public:lz/sub-vending:1.2.2' = { name: 'sub-bicep-lz-vending-example-001' params: { subscriptionAliasEnabled: true subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456' subscriptionAliasName: 'sub-bicep-lz-vending-example-001' subscriptionDisplayName: 'sub-bicep-lz-vending-example-001' subscriptionTags: { test: 'true' } subscriptionWorkload: 'Production' subscriptionManagementGroupAssociationEnabled: true subscriptionManagementGroupId: 'alz-landingzones-corp' virtualNetworkEnabled: true virtualNetworkLocation: location virtualNetworkResourceGroupName: 'rsg-${location}-net-001' virtualNetworkName: 'vnet-${location}-001' virtualNetworkAddressSpace: [ '10.0.0.0/16' ] virtualNetworkResourceGroupLockEnabled: false virtualNetworkPeeringEnabled: true hubNetworkResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rsg-uks-net-hub-001/providers/Microsoft.Network/virtualNetworks/vnet-uks-hub-001' } }

 

 

 

 

Further examples are available for the Bicep module.

The Bicep module is also available on the Bicep Public Module Registry

 

An example of creating a new subscription and peering to a hub Virtual Network using the Terraform module is show below:

 

 

 

 

 

module "lz_vending" { source = "Azure/lz-vending/azurerm" version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints location = "northeurope" # subscription variables subscription_alias_enabled = true subscription_billing_scope = "/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456" subscription_display_name = "mysub" subscription_alias_name = "mysub" subscription_workload = "DevTest" # virtual network variables virtual_network_enabled = true virtual_networks = { vnet1 = { name = "spoke" address_space = ["192.168.1.0/24"] resource_group_name = "rg-networking" hub_peering_enabled = true hub_network_resource_id = azurerm_virtual_network.example.id } } }

 

 

 

 

Further examples are available for the Terraform module.

The Terraform module is also available on the Terraform Registry

 

For more information on subscription vending and using the modules in a process, check out the following resources:

• Subscription vending - Cloud Adoption Framework | Microsoft Learn
• Subscription vending implementation guidance - Azure Architecture Center | Microsoft Learn

We hope you find the subscription vending IaC modules useful in streamlining and automating your Azure subscription provisioning process!

 

And if you find a feature missing or have a question, please raise a GitHub issue on the respective repository above.

 

We also published guidance on “Should we create a new Azure Subscription every time or should we reuse Azure Subscriptions?” in the ALZ FAQ which we advise reviewing if you are planning to have a large number of subscriptions (thousands, not hundreds).