Platform Engineering and Azure Vending Machine

trentsteenholdt
February 15, 2024

In the modern world of cloud computing, the efficiency of resource management is paramount, not just for getting to market quicker but also for ensuring governance, security, and costings are never compromised! One way to achieve this is by automating Azure Subscriptions, commonly known in the community as “subscription vending” or “vending machine”.

What is Azure Subscription Vending?

Azure Subscription Vending, part of the Microsoft Cloud Adoption Framework’s landing zone concept, automates the provisioning of Azure subscriptions. This approach ensures a streamlined, governance-compliant pathway for managing the lifecycle of Azure resources, critical for organisations looking to efficiently scale their operations in the cloud.

Why Do It?

Traditionally, subscriptions were seen as monolithic, typically coupled with environments like “Development”, “Test”, and “Production”. While this served well for many years, the rapid consumption of services within Azure Cloud has made these boundaries too broad. Monolithic subscriptions often become havens for wastage, cost overruns, and poor governance.

Subscription Vending with automation aims to break down the logical separation of resources for specific needs. For example, a Data Landing Zone might live in its own subscription for each environment (Dev, Test, Prod), coupled back to a centralised core services subscription for networking, firewalls, and DNS. This creates a ringfence around your Data Landing Zone, simplifying governance and cost control.

Azure Landing Zone Architecture

In the diagram above, the vending machine focuses on deploying “Landing Zone A2”.

Platform Engineering and Subscription Vending

Platform engineering, an emerging field focused on enhancing application delivery and business value, aligns well with Azure and subscription vending. It’s all about enabling teams to fully leverage the platform, where subscription automation incorporates governance and cost management into solutions from the outset.

Getting Started

Getting started with Azure Vending Machine is straightforward. While experts like Insight can assist, the open-source community provides ample resources for Operations teams to set up independently.

Using Bicep and PowerShell, here’s a basic setup using CI/CD (note: this example is not best practice):

  1. Check out Azure/bicep-lz-vending, which has done much of the work already.
  2. Fork the repository for a local copy.
  3. Create a service principal in Azure with Owner rights to the appropriate root management group.
  4. Create necessary connections/secrets in GitHub Actions.
  5. Create the repository variables, for example:
    • MANAGEMENT_GROUP_ID: the ID of the management group the subscriptions are created under (in this example it is the root management group from the previous step)
    • LOCATION: the Azure region to deploy the subscription into, e.g. "australiaeast"
    • AZURE_CLIENT_ID: the service principal's client ID
    • AZURE_TENANT_ID: the ID of the tenant the service principal lives in
    • AZURE_SUBSCRIPTION_ID: an existing (manually deployed) subscription the service principal has access to. OIDC connections expect a subscription ID. If you don't want a manual subscription, or simply don't have one, you can use the traditional service principal secret method for azure/login instead.
  6. Deploy the Bicep file using a pipeline similar to the example below.

    name: Landing Zone Subscription

    on:
      push:
        branches:
          - main

    # Declaring a permissions block sets every unlisted permission to none, so
    # contents: read is needed for actions/checkout alongside the id-token: write
    # that the OIDC login requires.
    permissions:
      id-token: write
      contents: read

    env:
      managementGroupId: ${{ vars.MANAGEMENT_GROUP_ID }}
      location: ${{ vars.LOCATION }}
      templateFile: ./main.bicep
      templateParameterFile1: ./subscription1.parameters.bicepparam

    jobs:
      Deploy:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout Repository
            uses: actions/checkout@v3

          - name: Azure Login
            uses: azure/login@v1.4.5
            with:
              # These match the repository variables from step 5; use secrets.
              # instead of vars. if you store them as secrets.
              client-id: ${{ vars.AZURE_CLIENT_ID }}
              tenant-id: ${{ vars.AZURE_TENANT_ID }}
              subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
              # Also sign in the Azure PowerShell session, otherwise the Az cmdlets
              # in the next step are not authenticated.
              enable-AzPSSession: true

          - name: Deployment Subscription 1
            uses: azure/powershell@v1
            with:
              azPSVersion: 'latest'   # required input of azure/powershell
              inlineScript: |
                $inputObject = @{
                  # Deployment names are limited to 64 characters; 'mm' is minutes
                  # ('MM' would repeat the month).
                  DeploymentName        = 'lz-vend-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHmmssffffZ')[0..63])
                  ManagementGroupId     = '${{ env.managementGroupId }}'
                  Location              = '${{ env.location }}'
                  TemplateParameterFile = '${{ env.templateParameterFile1 }}'
                  TemplateFile          = '${{ env.templateFile }}'
                }
                New-AzManagementGroupDeployment @inputObject

  7. To manage more subscriptions, simply update the pipeline with additional steps and specify different parameter files.
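The pipeline above calls New-AzManagementGroupDeployment directly, with one step per parameter file and no checks before the deployment runs. The script below is an added example (not code from this post or from the Azure/bicep-lz-vending project) that goes a little beyond step 7: it takes a list of parameter files, and for each one confirms that an Azure PowerShell session exists, that the files are present and that the signed-in identity can see the target management group, then validates the template server-side with Test-AzManagementGroupDeployment before deploying. Run with -WhatIf it only shows what would change, which is the natural thing to do on a pull request before the push to main actually vends the subscription. The file name, the ./main.bicep and ./subscription*.parameters.bicepparam paths are assumptions matching the pipeline above, and the script assumes azure/login was run with enable-AzPSSession: true (or Connect-AzAccount locally).

```powershell
<#
  Deploy-LandingZoneSubscriptions.ps1 (hypothetical name; added example, not
  code from the blog post or from Azure/bicep-lz-vending).
  Assumes an Azure PowerShell session already exists (azure/login with
  enable-AzPSSession: true in the pipeline, or Connect-AzAccount locally) and
  that ./main.bicep and the ./subscription*.parameters.bicepparam files exist.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $ManagementGroupId,
    [Parameter(Mandatory)] [string]   $Location,
    [string]   $TemplateFile = './main.bicep',
    # One deployment per parameter file; add files here rather than pipeline steps.
    [string[]] $TemplateParameterFiles = @('./subscription1.parameters.bicepparam')
)

$ErrorActionPreference = 'Stop'

function New-VendDeploymentName {
    param([string] $Prefix = 'lz-vend')
    # Management group deployment names are limited to 64 characters. Note 'mm'
    # (minutes) rather than 'MM' (month), and UTC so the trailing Z is truthful.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssffffZ')
    $name  = '{0}-{1}' -f $Prefix, $stamp
    return $name.Substring(0, [Math]::Min(64, $name.Length))
}

function Assert-Preflight {
    param([string] $Template, [string] $Parameters, [string] $GroupId)
    # Fail early and clearly on the things that most often break a run.
    if (-not (Get-AzContext)) {
        throw 'No Azure PowerShell session: run azure/login with enable-AzPSSession: true, or Connect-AzAccount.'
    }
    foreach ($file in @($Template, $Parameters)) {
        if (-not (Test-Path -LiteralPath $file)) { throw "File not found: $file" }
    }
    # Confirms the signed-in identity can see the target management group before
    # anything is deployed under it; a wrong ID or missing rights fails here.
    $null = Get-AzManagementGroup -GroupName $GroupId
}

$deployments = foreach ($paramFile in $TemplateParameterFiles) {
    Assert-Preflight -Template $TemplateFile -Parameters $paramFile -GroupId $ManagementGroupId

    $common = @{
        ManagementGroupId     = $ManagementGroupId
        Location              = $Location
        TemplateFile          = $TemplateFile
        TemplateParameterFile = $paramFile
    }

    # Server-side validation: returns error objects when the template or
    # parameters are invalid, and nothing when they pass.
    $validation = Test-AzManagementGroupDeployment @common
    if ($validation) {
        $validation | ForEach-Object { Write-Warning $_.Message }
        throw "Validation failed for $paramFile"
    }

    $name = New-VendDeploymentName
    if ($PSCmdlet.ShouldProcess("management group $ManagementGroupId with $paramFile", "Deploy $name")) {
        $result = New-AzManagementGroupDeployment @common -Name $name
        if ($result.ProvisioningState -ne 'Succeeded') {
            throw "Deployment $name finished in state '$($result.ProvisioningState)'"
        }
        # The module's outputs (such as the new subscription's ID) are in
        # $result.Outputs; emit the deployment so the caller can record them.
        $result
    }
    else {
        # Script invoked with -WhatIf: show what the deployment would change
        # without creating anything.
        New-AzManagementGroupDeployment @common -Name $name -WhatIf
    }
}

$deployments | Select-Object DeploymentName, ProvisioningState, Timestamp
```

In the pipeline this replaces the inline script: a pull_request job runs it with -WhatIf so reviewers see the subscription, network and role assignments the parameter file would produce, and the push-to-main job runs it without -WhatIf. Because the script throws on any failed preflight, validation or deployment, the workflow run fails rather than silently reporting green.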

Conclusion

The combination of Azure Subscription Vending and platform engineering presents a powerful approach to managing cloud resources. Not only does it simplify the provisioning and management of Azure subscriptions, but it also aligns with broader business objectives, enabling faster delivery of applications and services with higher business value.

For more detailed guidance on implementing subscription vending and leveraging platform engineering in Azure, check out the Azure Cloud Adoption Framework’s section on Subscription Vending. This resource offers in-depth insights into the process, including practical implementation examples aligned with modern platform engineering practices.