Enterprise Azure Landing Zone — Portfolio Project (ashishdholakiya.com)
Portfolio Project — Cloud Solution Architect
Status: In Progress. Tags: Microsoft Azure, Terraform, IaC, GitHub Actions, GitOps, Enterprise Governance, DevSecOps

Enterprise Azure Landing Zone. Built for Scale.

A production-style Azure Enterprise Landing Zone built with Terraform modular IaC, GitHub Actions GitOps automation, OIDC-based passwordless authentication, and enterprise governance — simulating how large-scale organizations build secure, governed, and automated Azure cloud platforms.

Role: Cloud Solution Architect / DevOps Architect / Platform Engineer
Cloud Platform: Microsoft Azure
IaC Tooling: Terraform (modular, remote backend)
Automation: GitHub Actions GitOps pipeline
Security Model: OIDC passwordless authentication
Design Approach: enterprise patterns on a personal subscription
Technologies: Terraform, GitHub Actions, Azure AD / Entra ID, OIDC Federation, Azure Storage, PowerShell, Git, IaC, GitOps, DevSecOps
Business Problems Solved

What This Solves

Eight critical enterprise cloud challenges addressed by this landing zone implementation.

  • Inconsistent Azure deployments across teams and environments
  • Manual infrastructure provisioning with high error risk
  • Lack of governance, tagging standards and naming conventions
  • Poor cost visibility and no resource lifecycle management
  • Weak security practices and credential exposure risks
  • No Infrastructure-as-Code standardization across projects
  • Lack of CI/CD and GitOps automation for infrastructure
  • Difficulty scaling across subscriptions and environments
Solution Overview

The Platform Built

A modular Azure Landing Zone platform using Terraform and GitHub Actions with eight core capabilities.

  • Centralized Terraform Remote Backend: Azure Storage Account + Blob container state management with locking, team collaboration support, and enterprise deployment readiness. Zero state corruption risk.
  • GitOps-Based Infrastructure Deployment: GitHub Actions triggered on code push and pull requests. Environment-aware execution with automatic validation, eliminating the dependency on manual cloud deployments.
  • Enterprise Naming Convention Framework: standardized Azure resource naming using Terraform locals. Operational consistency, easier governance, simplified resource identification, and enterprise scalability built in.
  • Standardized Tagging Strategy: organization-wide tagging framework covering environment, project, owner, cost center, and deployment metadata. Enables cost tracking, compliance reporting, and automation.
  • Secure OIDC Authentication: passwordless Azure authentication via GitHub OIDC integration. Zero client secrets in the repository, enterprise-grade security, and a modern cloud-native identity model.
  • Modular Reusable Terraform Architecture: reusable infrastructure modules following enterprise patterns. Multi-environment readiness with environment-specific configuration and a scalable repository structure.
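How the passwordless model and the remote backend fit together in Terraform, as an added example that is not the project's own code: the bootstrap registers a deployment identity whose federated credential is trusted only for this repository's dev environment, and the dev backend then reads and locks state with that identity through Entra ID RBAC rather than a storage account key. The GitHub owner, the storage account name and the pre-existing tfstate container resource are assumptions; attribute names follow the azuread 2.x provider.

```hcl
# --- bootstrap/backend-setup/oidc.tf (added example, not the project's code) ---
# Registers the deployment identity and trusts GitHub's OIDC issuer for one
# repository environment. azuread ~> 2.x attribute names; <github-owner>, the
# storage account name and azurerm_storage_container.tfstate are placeholders.
resource "azuread_application" "deploy" {
  display_name = "sp-adlz-github-deploy"
}

resource "azuread_service_principal" "deploy" {
  application_id = azuread_application.deploy.application_id
}

resource "azuread_application_federated_identity_credential" "github_dev" {
  application_object_id = azuread_application.deploy.object_id
  display_name          = "github-dev"
  audiences             = ["api://AzureADTokenExchange"]
  issuer                = "https://token.actions.githubusercontent.com"
  # The subject pins the trust to the dev environment of this repository; a job
  # from a fork or another branch presents a different subject and is refused.
  subject = "repo:<github-owner>/enterprise-azure-landingzone-lite:environment:dev"
}

# Least privilege for state: blob data access on the tfstate container only.
# Permissions on Azure resources are granted separately at resource-group scope.
resource "azurerm_role_assignment" "state_writer" {
  scope                = azurerm_storage_container.tfstate.resource_manager_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azuread_service_principal.deploy.object_id
}

# --- environments/dev/backend.tf ---
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-adlz-dev-cin-01"
    storage_account_name = "stadlzdevcin01" # placeholder
    container_name       = "tfstate"
    key                  = "dev.terraform.tfstate"
    use_oidc             = true # GitHub job token exchanged for an Azure token
    use_azuread_auth     = true # RBAC on the container, no storage account key
  }
}

provider "azurerm" {
  features {}
  use_oidc = true
  # client_id, tenant_id and subscription_id are read from ARM_CLIENT_ID,
  # ARM_TENANT_ID and ARM_SUBSCRIPTION_ID in the job environment; no client_secret.
}
```

The workflow needs `permissions: id-token: write` for the job token to be issued; state locking itself is the blob lease the azurerm backend takes on every write.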
Target Architecture

Enterprise Architecture Layers

The full target architecture simulates a real enterprise Azure platform engineering implementation across four layers.

Source Control (GitHub)
  • Terraform Modules
  • Environment Configs
  • GitHub Actions Workflows
  • OIDC Federated Identity
  • Docs & Diagrams
↓ GitOps Trigger: Push / Pull Request
CI/CD Automation (GitHub Actions)
  • terraform fmt
  • terraform validate
  • terraform init
  • terraform plan
  • Security scanning
  • Policy validation
  • Approval gate
  • terraform apply
↓ Passwordless OIDC Authentication
State Management (Azure Storage)
  • Remote Terraform Backend
  • Blob State Container
  • State Locking
  • Team Collaboration
↓ Infrastructure Provisioning
Azure Platform (Target Enterprise)
  • Management Groups
  • Multi-Subscription
  • Hub-and-Spoke Network
  • Shared Services
  • Identity Subscription
  • Azure Policy
  • Defender for Cloud
  • AKS-Ready Networking
GitOps Pipeline

GitHub Actions CI/CD Flow

Fully automated pipeline triggered on every code push: environment-aware, validation-first, and structured like an enterprise DevOps flow.

01 Git Commit: developer pushes to a GitHub branch
02 OIDC Auth: passwordless Azure login via federation
03 TF Format: terraform fmt consistency check
04 TF Init: remote backend initialisation
05 TF Validate: configuration and syntax validation
06 TF Plan: infrastructure change preview
07 Security Scan: policy and security validation
08 TF Apply: Azure infrastructure deployment
Terraform Modules

Planned Module Library

Complete Terraform module library covering all enterprise Azure infrastructure layers.

Networking Modules (Hub-and-Spoke Foundation)
  • Virtual Network (Hub + Spoke)
  • Subnet Module with delegation support
  • Network Security Groups
  • Route Tables
  • Private DNS Zones
  • Azure Firewall simulation
Security Modules (Zero-Trust Security Baseline)
  • Azure Key Vault
  • Managed Identity automation
  • RBAC assignment module
  • Azure Policy (Policy-as-Code)
  • Defender for Cloud integration
  • Private Endpoints
Monitoring Modules (Centralized Observability)
  • Log Analytics Workspace
  • Azure Monitor integration
  • Alerts and Action Groups
  • Diagnostic logging
Platform Modules (Shared Services Foundation)
  • Storage Account module
  • Recovery Services Vault
  • Backup Policies
  • Azure Container Registry
  • AKS-ready networking foundation
Governance Standards

Naming & Tagging

Enterprise naming conventions and organization-wide tagging standards implemented in Terraform.

Naming pattern, e.g. rg-adlz-dev-cin-01:
  rg    Resource Type
  adlz  Platform ID
  dev   Environment
  cin   Region Code
  01    Instance No.

Common tags applied to every resource:
  environment       dev / prod
  project           enterprise-azure-lz
  managed_by        terraform
  owner             ashish-dholakiya
  cost_center       personal-lab
  deployed_by       github-actions
  business_unit     platform-engineering
  application_name  landing-zone
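A locals.tf that generates the naming pattern and tag set described above, as an added example rather than the repository's own file: the values mirror the page's convention (rg-adlz-dev-cin-01, the eight common tags), while the vnet and kv prefixes, the variable names and the resource-group module path are assumptions.

```hcl
# environments/dev/locals.tf (added example, not the repository's file).
# Only the rg prefix appears on the page; vnet and kv are assumed, as are the
# variable names and the module path.
variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "prod"], var.environment)
    error_message = "environment must be dev or prod."
  }
}

variable "location" {
  type = string
}

locals {
  platform_id = "adlz"
  region_code = "cin"
  instance    = "01"

  # Per-type abbreviations consumed by the name map below.
  prefix = {
    resource_group  = "rg"
    virtual_network = "vnet"
    key_vault       = "kv"
  }

  # <type>-<platform>-<env>-<region>-<instance>, e.g. rg-adlz-dev-cin-01
  names = {
    for kind, p in local.prefix :
    kind => join("-", [p, local.platform_id, var.environment, local.region_code, local.instance])
  }

  # Applied to every resource so cost reports and audits can filter on them.
  common_tags = {
    environment      = var.environment
    project          = "enterprise-azure-lz"
    managed_by       = "terraform"
    owner            = "ashish-dholakiya"
    cost_center      = "personal-lab"
    deployed_by      = "github-actions"
    business_unit    = "platform-engineering"
    application_name = "landing-zone"
  }
}

module "resource_group" {
  source   = "../../modules/resource-group"
  name     = local.names.resource_group # rg-adlz-dev-cin-01 in dev
  location = var.location
  tags     = local.common_tags
}
```

Because every module receives `local.common_tags` and a name from `local.names`, a resource missing a tag or using an ad-hoc name cannot be introduced without editing this file, which is what the pull-request plan step surfaces.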
Repository

Enterprise Repository Structure

Production-ready repository layout with clear separation of environments, modules, and documentation.

enterprise-azure-landingzone-lite/
├── .github/
│   └── workflows/
│       ├── terraform-dev-plan.yml    # Validate on push
│       └── terraform-dev-apply.yml   # Apply on approval
├── bootstrap/
│   └── backend-setup/                # Initial Azure setup
├── environments/
│   ├── dev/
│   │   ├── backend.tf                # Remote state config
│   │   ├── locals.tf                 # Naming conventions
│   │   ├── main.tf                   # Root module calls
│   │   ├── variables.tf              # Input variables
│   │   ├── outputs.tf                # Output values
│   │   └── terraform.tfvars          # ⚠ Excluded from Git
│   └── prod/                         # Production environment
├── modules/
│   ├── resource-group/               # ✅ Implemented
│   ├── virtual-network/              # Planned Phase 2
│   ├── subnet/
│   ├── network-security-group/
│   ├── key-vault/
│   ├── storage-account/
│   ├── log-analytics/
│   ├── monitoring/
│   ├── firewall/
│   └── aks-foundation/
├── docs/
│   ├── architecture/
│   └── diagrams/
└── README.md
Current Status

Implementation Progress

Live tracking of completed and in-progress components.

Azure Remote Terraform Backend configured and operational
Azure Storage-based State Management with locking active
Resource Group Terraform Module created and deployed
Enterprise Naming Convention implemented via locals.tf
Standardized Common Tagging Framework fully implemented
GitHub Actions Terraform CI/CD Pipeline operational
OIDC-based Azure Authentication configured for GitHub Actions
Terraform state migration completed — zero data loss
Terraform validate ✅ complete — plan execution being validated
Roadmap

What's Coming Next

Phased roadmap to evolve the landing zone into a full enterprise-grade Azure platform.

Phase 2
Networking Layer
  • Virtual Network module
  • Hub-and-Spoke architecture
  • Network Security Groups
  • Route Tables
  • Azure Firewall simulation
  • AKS-ready networking
Phase 3
Security & Monitoring
  • Azure Key Vault module
  • Managed Identity automation
  • Log Analytics Workspace
  • Azure Monitor + Alerts
  • Defender for Cloud
  • Policy-as-Code integration
Phase 4
Full Enterprise Platform
  • Multi-subscription architecture
  • Management Group hierarchy
  • Automated Terraform Apply
  • Recovery Services + Backup
  • Azure Container Registry
  • Production environment
Business Value

Benefits to Your Organization

Enterprise patterns that translate directly to measurable business outcomes at scale.

  • Operational Benefits: faster provisioning, reduced deployment errors, standardized infrastructure, and fully automated deployments that eliminate manual toil.
  • Security Benefits: reduced credential exposure, enterprise-grade OIDC authentication, and a governance-first architecture with zero secrets in code.
  • Financial Benefits: better cost visibility through standardized tagging, resource lifecycle management, and simplified cost allocation across teams.