About this project
Bicep-based Azure landing zone accelerator covering hub-spoke networking, identity, policy, and governance. Parameterised for multi-environment deployment with what-if dry-run gating built into the pipeline.
Background
Landing zone design is the foundation of everything that runs in Azure. Get it wrong and you spend years correcting networking topology, re-scoping policy initiatives, or untangling RBAC assignments that were made without a pattern. The goal with this accelerator was to establish an opinionated, enterprise-grade baseline that could be deployed consistently across dev, staging, and production with zero manual steps.
The hub-spoke topology was chosen for Accent Group's specific profile: multiple distinct workloads (retail, corporate, data platform) that need network isolation from each other but share connectivity to on-premises through a single hub. Peering management and user-defined routing are codified in Bicep so the topology is reproducible. Azure Policy initiatives at management group scope enforce the guardrails across all child subscriptions — things like required tags, allowed regions, and encryption at rest — without requiring individual subscription-level configuration.
The what-if gating in the GitHub Actions pipeline was non-negotiable. For infrastructure that controls networking and identity, you need to see the planned changes before they're applied, not after. Every pipeline run shows a what-if diff and pauses for approval before touching the live environment. That pattern has prevented several significant misconfigurations that would have been disruptive to recover from.
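A GitHub Actions workflow shaped like the gate described above, written here as an added illustration rather than the accelerator's own pipeline: the what-if job produces the diff as an artifact, and the apply job is bound to a GitHub environment with required reviewers, so the run pauses until someone has read the diff. The repository layout, management group id, region and environment name are assumed placeholders.

```yaml
# Assumed path: .github/workflows/landing-zone.yml (illustrative, not the project's file)
name: landing-zone

on:
  push:
    branches: [main]

permissions:
  id-token: write   # OIDC federated login; no long-lived client secret kept in GitHub
  contents: read

env:
  MG_ID: <management-group-id>   # placeholder: management group the templates target
  LOCATION: australiaeast        # assumed metadata region for the deployment
  ENVIRONMENT: production        # assumed: one .bicepparam file per environment

jobs:
  what-if:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Dry run at management-group scope
        run: |
          az deployment mg what-if \
            --management-group-id "$MG_ID" \
            --location "$LOCATION" \
            --template-file bicep/main.bicep \
            --parameters "params/${ENVIRONMENT}.bicepparam" \
            --exclude-change-types NoChange Ignore \
            | tee what-if.txt
      - uses: actions/upload-artifact@v4
        with:
          name: what-if-${{ env.ENVIRONMENT }}
          path: what-if.txt

  apply:
    needs: what-if
    runs-on: ubuntu-latest
    # Required reviewers are configured on this GitHub environment, so the job
    # waits for approval; nothing below runs until the what-if diff is accepted.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Apply the reviewed change
        run: |
          az deployment mg create \
            --management-group-id "$MG_ID" \
            --location "$LOCATION" \
            --template-file bicep/main.bicep \
            --parameters "params/${ENVIRONMENT}.bicepparam"
```

The what-if output is a prediction, not a transaction log, so the reviewer's job is to reject any unexpected Delete or Modify entry against peerings, route tables, policy assignments or role assignments before approving. The apply job should use the same template and parameter file the what-if ran against, otherwise the approved diff no longer describes what gets deployed.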
Highlights
- Hub-spoke virtual network topology with peering and UDR management
- Azure Policy initiatives for compliance at subscription and management-group scope
- Managed identity and RBAC assignments as code — no manual role assignments
- GitHub Actions pipeline with what-if gate before every apply
- Parameterised environments: dev, staging, production from a single template set