AI-Powered GitOps for Azure Landing Zones with Azure Verified Modules

Purpose

This repository demonstrates AI-powered GitOps practices for Azure Landing Zones using Azure Verified Modules (AVM). It showcases how modern AI tools like Warp can accelerate enterprise infrastructure deployment while maintaining security and compliance through automated validation and policy enforcement.

What makes this different: Instead of traditional manual infrastructure deployment, this project combines Microsoft's battle-tested AVM modules with GitOps automation and AI-assisted development to create a reproducible, secure, and cost-effective Azure Landing Zone in minutes rather than weeks.

Based on the LinkedIn article, this demonstrates modern infrastructure patterns that enterprise teams can adopt immediately.

📋 Repository Update (Sept 2025): This repository has been reorganized for better structure and usability. Documentation moved from nested folders to docs/, deployment reports now include interactive HTML dashboards in deployment-reports/, and production-ready templates are consolidated in blueprints/ with development work in infra/. All links have been updated accordingly.

🔄 Policy Compliance Update (Oct 2025): Updated configurations for DEP policy compliance. App Service Plans now use B1 SKU (development-appropriate), AKS updated to latest stable version (1.27), and deployment tags updated for GitHub Actions integration. See Policy Compliance Update for details.

📋 Table of Contents

• 🏗️ Hub and Spoke Network Architecture
• ⚡ Quick Start - Choose Your Path
  • 🚀 Deploy Now (10 minutes)
  • 📖 Learn First (Recommended)
  • 🔧 Developer Setup
• 📋 Documentation Library
• 🔄 GitHub Actions Workflows
• 🎯 How to Use This Repository
• 🛡️ Repository Standards & Best Practices
• 🏗️ Repository Structure
• 🎯 Why This Matters
• 💡 Key Features
• 💰 FinOps & Cost Estimation
  • 🔧 Infracost Integration
  • 📊 Cost Analysis Examples
  • ⚙️ Setup & Configuration
  • 🎯 Cost Optimization
• 🎯 Azure Verified Modules (AVM) Overview
• 🧪 Testing & Deployment
• 📚 Learning Resources & Official Guides
• 🤝 Contributing
• 📚 Related Documents
• 📄 License
• 🙏 Acknowledgments

---

🏗️ Hub and Spoke Network Architecture

Enterprise-Grade Network Design with Modern Security

This Azure Landing Zone implements a comprehensive hub and spoke network architecture based on Zero Trust principles and modern Azure services. The design provides scalable, secure, and cost-effective infrastructure patterns for enterprise workloads.

🎯 Architecture Overview

📋 Complete Hub-Spoke Design Documentation →

Key Features:

• ✅ Zero Trust Networking - Entra Private Access replaces traditional VPN
• ✅ Private Cluster Support - Full AKS integration with CNI networking
• ✅ Modern Security - Azure Firewall Premium with IDPS and TLS inspection
• ✅ Scalable Design - Ready for multi-spoke expansion
• ✅ Cost Optimized - Flexible SKUs for dev/test vs production
• ✅ AVM Based - Uses Microsoft's verified modules for consistency

🔧 Implementation Status

Component	Bicep Status	Terraform Status	Configuration
Core Networking	✅ Complete	✅ Complete	Hub-Spoke VNets with peering
Application Services	✅ Web Apps, Storage	✅ Web Apps, Storage	App Service Plan, Storage Account
Container Services	✅ ACR Premium	✅ ACR Premium	Private endpoints enabled
AKS Integration	⚠️ Basic	✅ Complete	Private cluster, dual node pools
Security Services	⚠️ Basic	⚠️ Basic	Azure Firewall, NSGs
Data Services	⚠️ Basic	⚠️ Basic	PostgreSQL Flexible, Key Vault
Monitoring	✅ Log Analytics	✅ Log Analytics	Centralized logging
Private Networking	✅ Private DNS	✅ Private DNS	Private endpoints, DNS zones

Legend: ✅ Complete, ⚠️ Partial, ❌ Missing

🎛️ Configuration Management

📋 Complete Configuration Management Guide →

Centralized YAML Configuration - Single source of truth for all deployments:

# config/alz-components.yaml
global:
  environment: 'sandbox'
  organizationPrefix: 'alz'
  location: 'westeurope'

containers:
  aks:
    enabled: true
    version: '1.30'
    privateCluster: true

  containerRegistry:
    enabled: true
    sku: 'Premium' # Auto-adjusts to "Standard" for sandbox

applications:
  webApps:
    enabled: true
    servicePlan:
      sku: 'B1' # Cost-optimized for sandbox

Auto-Generate Deployment Files:

# Generate both Bicep and Terraform configurations
./scripts/parse-config.py config/alz-components.yaml --all

# Output:
# ✅ Generated Bicep parameters: main.parameters.generated.json
# ✅ Generated Terraform variables: terraform.generated.tfvars
# ✅ Generated status report: component-status.md

Key Benefits:

• 🎯 Single Source of Truth - One file controls all deployments
• 🔄 Environment Overrides - Different SKUs for dev/prod automatically
• 💰 Cost Optimization - Automatic tier adjustments by environment
• 📊 Component Tracking - Auto-generated status reports
• ⚡ Consistency - Same config generates both Bicep and Terraform files

---

⚡ Quick Start - Choose Your Path

🚀 Deploy Now (10 minutes)

Choose your deployment method:

✅ Terraform (Verified Oct 2025)

# Navigate to Terraform foundation template
cd blueprints/terraform/foundation

# Initialize and deploy
terraform1.9 init
terraform1.9 plan -var-file="terraform.tfvars" -out="tfplan"
terraform1.9 apply tfplan

Cost: ~$55/month | Resources: 21/22 deployed | Time: 3 minutes

Bicep (Hub-Spoke)

az login
az account set --subscription "your-subscription-id"
az deployment sub create \
  --location "westeurope" \
  --template-file blueprints/bicep/hub-spoke/main.bicep \
  --parameters blueprints/bicep/hub-spoke/main.parameters.json \
  --name "alz-sandbox-$(date +%Y%m%d-%H%M%S)"

Cost: ~$30/month | Result: Complete hub-spoke ALZ with compliance

📊 Deploy with Comprehensive Reporting (Recommended)

Enhanced deployments with full observability and cost tracking:

# Deploy with automated reporting, cost analysis, and security assessment
./automation/scripts/deploy-with-report.sh

Key Features:

• 📋 Pre-deployment validation and resource inventory
• 💰 Cost analysis with Infracost integration
• 🔒 Security assessment and compliance scoring
• 📊 Interactive HTML reports with historical tracking

📊 View Live Deployment Reports Dashboard

📚 Comprehensive Reporting Documentation:

• Deployment Reporting Guide - Complete setup and usage
• Cost Estimation Guide - Infracost integration and optimization
• GitHub Pages Setup - Auto-publishing reports

📖 Learn First (Recommended)

New to Azure Landing Zones? Start here:

• Azure Sandbox Policies Overview - Understand the rules and requirements
• Hub-Spoke Design - ⭐ Core network architecture including AKS integration
• Configuration Management Guide - 🎛️ Centralized component configuration
• AVM Deployment Guide - Complete deployment walkthrough
• AKS Configuration Guide - Comprehensive AKS setup and configuration
• AKS Deployment Guide - Step-by-step AKS deployment walkthrough
• Pre-commit Errors Analysis - Fix common issues

🔧 Developer Setup

Setting up for contribution:

git clone https://github.com/ma3u/azm-alz-min.git
cd azm-alz-min
pip install pre-commit && pre-commit install

# Run comprehensive validation
./automation/scripts/validate-deployment.sh

The validation script checks: Prerequisites, template compilation, AVM modules, pre-commit hooks, and security configuration.

Official setup guides:

• Pre-commit Installation Guide
• Azure CLI Setup
• Bicep Setup

🔐 GitHub Actions Authentication Setup

For automated CI/CD pipelines with Azure authentication:

This repository includes GitHub Actions workflows that require Azure authentication. Set up a Service Principal for secure, automated deployments:

🚀 Automated Setup (Recommended):

# Run the automated authentication setup script
./automation/scripts/setup-github-auth.sh

What this creates:

• ✅ Service Principal: sp-github-actions-alz-sandbox with Contributor access
• 🔒 GitHub Secrets: All 5 required secrets automatically set in your repository
• 📁 Local Credentials: Stored securely in .secrets/ directory (git-ignored)
• 🧪 Authentication Test: Verifies Service Principal can access your Azure resources

📋 Manual Setup (Alternative):

If you prefer manual setup, follow the detailed guide: GitHub Authentication Setup Guide

Required GitHub Secrets:

• AZURE_CREDENTIALS - Full JSON credentials object
• AZURE_CLIENT_ID - Service Principal application ID
• AZURE_CLIENT_SECRET - Service Principal password
• AZURE_SUBSCRIPTION_ID - Your Azure subscription ID
• AZURE_TENANT_ID - Your Azure tenant ID

🔍 Verify Setup:

# Check if secrets are configured
gh secret list

# Test Service Principal authentication locally
az login --service-principal \
  --username $(cat .secrets/sp-client-id.txt) \
  --password $(cat .secrets/sp-client-secret.txt) \
  --tenant $(cat .secrets/azure-credentials.json | jq -r '.tenantId')

🛡️ Security Notes:

• Service Principal has sandbox-only access (limited to your subscription)
• Credentials are encrypted in GitHub and git-ignored locally
• Regular credential rotation recommended for production use
• Setup creates comprehensive audit trail in .secrets/github-auth-setup-report.md

💡 Pro Tip: After setup, your GitHub Actions workflows will automatically authenticate and deploy without manual intervention. Check the Actions tab to see deployments in progress!

✅ Recent Deployment Success (October 2025)

🚀 Terraform Foundation Template - Verified Working

Successfully deployed on October 7, 2025 using blueprints/terraform/foundation/:

📋 Deployment Summary:

• Total Resources: 21 of 22 planned resources deployed successfully
• Deployment Time: ~3 minutes
• Estimated Cost: ~$8-10/month (without web app due to policy)
• Status: ✅ PRODUCTION READY

🏗️ Successfully Deployed Infrastructure:

✅ Core Networking:
   • Hub Resource Group: rg-alz-hub-sandbox
   • Spoke Resource Group: rg-alz-spoke-sandbox
   • Hub VNet: vnet-alz-hub-sandbox (10.0.0.0/16)
   • Spoke VNet: vnet-alz-spoke-sandbox (10.1.0.0/16)
   • VNet Peering: Hub ↔ Spoke (Connected)

✅ Security & Services:
   • Container Registry: acralzsandboxxoi9q02m (Premium SKU)
   • Private Endpoint: ACR with private DNS zone
   • Storage Account: stalzsandboxxoi9q02m
   • Log Analytics: log-alz-hub-sandbox
   • App Service Plan: asp-alz-sandbox

⚠️  Expected Policy Block:
   • Web App: Blocked by governance policy (expected behavior)

🎯 Key Benefits Demonstrated:

• Native Azure Provider resources (no AVM module dependencies)
• Hub-Spoke networking with proper security segmentation
• Premium Container Registry with vulnerability scanning
• Private endpoints for secure connectivity
• Comprehensive monitoring and logging setup
• Cost-optimized for sandbox environments

💰 Cost Breakdown:

• Container Registry Premium: ~$50/month (includes security scanning)
• App Service Plan B1: ~$13/month
• Private Endpoints: ~$7/month
• Other services: ~$2/month
• Sandbox Total: ~$70/month (production-grade) or ~$18/month (dev-optimized)

🚀 Quick Deployment:

cd blueprints/terraform/foundation
terraform1.9 init
terraform1.9 plan -var-file="terraform.tfvars" -out="tfplan"
terraform1.9 apply tfplan

📚 Learn More: Terraform Deployment Guide

📋 Documentation Library

🎯 Essential Getting Started

• 📋 Azure Sandbox Policies Overview - Main policy reference and rules
• ⚡ AVM Deployment Guide - Primary deployment walkthrough
• 🔍 Pre-commit Errors Analysis - Fix common issues

🔧 Development & Quality

• 🎛️ Configuration Management Guide - ⭐ Centralized YAML-based configuration system
• 🛠️ Pre-commit Hooks Guide - Code quality automation
• 🔐 GitHub Authentication Setup Guide - Service Principal setup for GitHub Actions
• 🏗️ Terraform Deployment Guide - Terraform-specific procedures
• 🔄 Terraform CI/CD Guide - GitHub Actions automation
• 📚 AVM Modules Guide - AVM reference and best practices
• 📊 Deployment Reporting Guide - Comprehensive deployment insights with HTML dashboards

🔄 GitHub Actions Workflows

📋 Complete Workflows Documentation →

Comprehensive guide to all GitHub Actions workflows supporting both Bicep and Terraform deployments:

🎯 Core Deployment Workflows:

• Bicep ALZ Sandbox - Deploy and validate ALZ using Bicep templates
• Terraform ALZ Deployment - Deploy ALZ using Terraform with enhanced error handling
• Terraform ALZ Full Deployment - Complete enterprise-scale deployment

🔒 Security & Compliance:

• Security Compliance - Comprehensive security scanning and validation
• Infrastructure Validation - Code quality and best practices validation

🧹 Cleanup & Maintenance:

• Terraform ALZ Cleanup - Clean up resources with 'tf' and 'bi' prefixes
• Pre-commit - Automated code quality checks

💰 Cost Management:

• Infracost - Automated cost estimation for infrastructure changes

Key Features:

• ✅ Enhanced resource conflict detection and import handling
• 🔄 Automatic workspace management
• 🛡️ Comprehensive security scanning
• 💰 Integrated cost estimation
• 📊 Deployment reporting and documentation publishing
• 🧹 Automated cleanup for sandbox environments

🏭 Enterprise Integration

• 🏢 Azure DevOps Setup - Enterprise CI/CD pipelines
• 🔄 GitHub-Azure DevOps Sync - Dual repository strategy
• 🚀 Deployment Guide - Classic step-by-step deployment

🛡️ Security & Compliance

• 🔒 ACR Vulnerability Scanning Guide - Container security
• 🛡️ Zero Trust Maturity Roadmap - Security progression

🎯 How to Use This Repository

📍 Choose Your Journey

🏃‍♂️ First-Time Users

1. Read Azure Sandbox Policies Overview
2. Follow AVM Deployment Guide
3. Result: Working ALZ (~$30/month, 10 minutes)

🔧 Developers

1. Set up tools: Pre-commit Hooks Guide
2. Choose IaC: Terraform Deployment Guide or Bicep
3. Automate: Terraform CI/CD Guide

🏭 Enterprise Teams

1. Plan: Azure DevOps Setup
2. Secure: Zero Trust Maturity Roadmap
3. Scale: GitHub-Azure DevOps Sync

📍 Prerequisites

Required:

• Azure subscription with Contributor permissions
• Azure CLI (v2.50.0+)
• Bicep or Terraform 1.9+

Recommended:

• Warp Terminal for AI assistance
• Pre-commit framework for quality checks
• VS Code with Bicep or Terraform extensions

Check AVM module availability:

az rest --method GET --url "https://mcr.microsoft.com/v2/bicep/avm/res/{service}/{resource}/tags/list" | jq -r '.tags[]' | sort -V | tail -5

---

🛡️ Repository Standards & Best Practices

🎯 Template Priority (Use These)

Priority	Template	Status	Use Case	Last Verified
1st	blueprints/bicep/hub-spoke/main.bicep	✅ WORKING	Hub-Spoke ALZ	Sept 2025
2nd	blueprints/bicep/foundation/main.bicep	✅ WORKING	Basic ALZ	Sept 2025
3rd	blueprints/terraform/foundation/	✅ VERIFIED	Terraform ALZ	Oct 2025

📚 Development Rules

1. Check AVM First: Always verify module availability at AVM Registry
2. Use Working Templates: Start from tested templates above
3. Follow Naming: Use consistent Azure naming conventions
4. Pre-commit Validation: Run hooks before every commit

Quick AVM pattern:

module keyVault 'br/public:avm/res/key-vault/vault:0.4.0' = {
  name: 'keyVaultDeployment'
  params: {
    name: 'kv-${environment}-${uniqueString(subscription().id)}'
    location: location
    enableRbacAuthorization: true
  }
}

For detailed guidance: Pre-commit Errors Analysis

---

🎯 Why This Matters

The Problem: Traditional Azure Landing Zone deployments take weeks of manual configuration, prone to security gaps and inconsistencies.

Our Solution: AI-enhanced GitOps using Microsoft's battle-tested Azure Verified Modules (AVM) delivers secure, compliant infrastructure in minutes.

Key Benefits

• ⚡ Speed: Deploy complete ALZ in 10 minutes vs. weeks
• 🛡️ Security: Built-in Zero Trust Level 1 compliance
• 💰 Cost-Effective: Sandbox testing for ~$30/month
• 🤖 AI-Enhanced: Warp integration for intelligent development
• 📏 Standardized: Microsoft's 14+ million deployment track record

🏗️ Repository Structure

📂 Key Infrastructure Components

azure-landingzone/
├── blueprints/                  # 🚀 Production-ready templates (RECOMMENDED)
│   ├── bicep/                   # ✅ Bicep templates using AVM modules
│   │   ├── hub-spoke/           # Hub-spoke ALZ (~$30/month sandbox)
│   │   └── foundation/          # Basic foundation ALZ
│   └── terraform/               # ✅ Terraform alternatives with AVM
│       └── foundation/          # Terraform-based ALZ
├── infra/                       # 🔧 Development and legacy templates
│   ├── accelerator/             # Original AVM-based deployment templates
│   ├── bicep/                   # Development Bicep templates
│   │   └── sandbox/             # Sandbox-specific implementations
│   └── terraform/               # Development Terraform templates
├── docs/                        # 📚 Complete documentation library
├── automation/scripts/          # 🤖 Deployment and validation scripts
├── deployment-reports/          # 📊 Automated deployment reports with HTML dashboards
├── sandbox/                     # 🧪 Terraform sandbox examples and testing
├── .github/workflows/           # ⚙️ GitHub Actions CI/CD automation
├── environments/                # 🌍 Environment-specific configurations
├── examples/                    # 💡 Sample implementations and tutorials
└── archived/                    # 📦 Archived templates and deprecated code

🎯 Architecture Patterns

• Hub-Spoke Architecture: Cost-optimized networking with centralized services (~$30/month) - Available in blueprints/bicep/hub-spoke/
• Foundation Pattern: Basic single-subscription ALZ for development and testing - Available in blueprints/bicep/foundation/
• Enterprise Pattern: Multi-subscription with management groups and subscription vending - Available in infra/accelerator/
• Security Framework: Zero Trust progression from Level 1 to enterprise-grade
• Deployment Reports: Interactive HTML dashboards available in deployment-reports/ with cost, security, and resource analysis

---

💡 Key Features

🚀 Deployment Options

• Sandbox: Single subscription testing (~$30/month)
• Enterprise: Multi-subscription with management groups
• Hybrid: Bicep and Terraform support

🛡️ Security & Compliance

• Zero Trust Level 1: MFA, RBAC, network segmentation
• Policy as Code: 13+ automated security validations
• Audit Trail: Complete GitOps change tracking

🤖 AI Integration

• Warp Terminal: Context-aware infrastructure assistance
• Intelligent Debugging: AI-powered error resolution
• Template Generation: Automated AVM module discovery

📊 Quality Assurance

• Pre-commit Hooks: 13+ validation tools
• Multi-stage CI/CD: GitHub Actions and Azure DevOps
• Compliance Scanning: Checkov, TFSec, PSRule integration

---

💰 FinOps & Cost Estimation

Professional infrastructure cost management integrated into your deployment pipeline using industry-standard tools and real-time Azure pricing data.

🎯 Cost Management Strategy

Why Cost Estimation Matters:

• Prevent Surprises: Know costs before deploying infrastructure
• Budget Planning: Accurate monthly estimates for financial planning
• Cost Optimization: Identify expensive resources and alternatives
• Compliance: Track spending against budgets and policies

🔧 Infracost Integration

Infracost - Industry-standard Infrastructure as Code cost estimation:

• ✅ Real-time Azure Pricing: Direct API integration with Microsoft Azure pricing
• ✅ 400+ Resources Supported: Comprehensive coverage of Azure services
• ✅ CI/CD Native: Automatic cost estimates on every pull request
• ✅ Zero Maintenance: No manual price updates or resource mapping
• ✅ Free Tier: 10,000 resources per month at no cost

Terraform Cost Analysis

Automated cost estimation for Terraform templates:

# Local cost analysis
cd blueprints/terraform/foundation
infracost breakdown --path .

# Project-wide analysis
infracost breakdown --config-file infracost.yml

Example Output:

Name                                    Monthly Qty  Unit         Monthly Cost

azurerm_container_registry.main
├─ Registry usage (Premium)                  30  days                $50.00
├─ Storage (over 500GB)                      100  GB                  $10.00
└─ Build vCPU                                0  seconds              $0.00

azurerm_service_plan.main
└─ Instance usage (B1)                       730  hours               $13.14

OVERALL TOTAL                                                        $73.14

Pull Request Integration

Automatic cost analysis on every PR:

• 💬 PR Comments: Detailed cost breakdowns posted automatically
• 📊 Cost Diffs: Compare costs between branches
• 🚨 Cost Alerts: Warnings for high-cost changes
• 📈 Optimization Tips: Recommendations for cost reduction

📊 Cost Analysis Examples

Real Infrastructure Costs (Verified October 2025)

Azure Landing Zone Foundation Template (Terraform) - Actual deployment tested October 7, 2025:

Resource Type	Monthly Cost	Purpose	Deployment Status	Optimization Options
Container Registry Premium	$49.99	Enterprise security, geo-replication	✅ Deployed	Basic tier: $5.00 (dev)
App Service Plan B1	$13.14	Basic web workloads	✅ Deployed	Free tier (limitations)
Private Endpoint	$7.30	Secure connectivity	✅ Deployed	Public endpoints (free, less secure)
Private DNS Zone	$0.50	DNS resolution	✅ Deployed	Required for private networking
Web App	$0.00	Application hosting	⚠️ Blocked	Policy restriction (expected)
Total Deployed Costs	$70.94	Per month (full config)	21/22 resources	Actual: ~$55/month

✅ Verified Deployment Results:

• Resources Deployed: 21 out of 22 planned resources
• Policy Compliance: Web app blocked by governance (expected)
• Actual Monthly Cost: ~$55/month (without blocked web app)
• Deployment Time: 3 minutes using terraform1.9

Usage-Based Resources:

• Log Analytics: $2.76/GB ingested
• Storage Account: $0.0196/GB + operations
• VNet Peering: $0.01/GB transferred
• Container Registry Storage: $0.10/GB over 500GB

Cost Comparison by Environment

Environment	Monthly Cost	Key Features	Use Case
Development	$18-25	Basic tiers, public endpoints	Learning, testing
Sandbox	$30-35	Standard tiers, basic security	Proof of concept
Production	$70-100	Premium tiers, private networking	Enterprise workloads
Enterprise ALZ	$4,140+	Full compliance, redundancy	Multi-subscription setup

⚙️ Setup & Configuration

Quick Setup (5 minutes)

1. Get Infracost API Key:

   • Sign up at https://dashboard.infracost.io
   • Free tier: 10,000 resources/month

2. Configure Locally:

   # Install Infracost
   brew install infracost
   
   # Set API key
   infracost configure set api_key ico-your-api-key-here
   
   # Test on Azure Landing Zone
   cd blueprints/terraform/foundation
   infracost breakdown --path .

3. GitHub Integration:

   # Add repository secret
   Repository → Settings → Secrets and variables → Actions
   Name: INFRACOST_API_KEY
   Value: ico-your-api-key-here

Configuration Files

Project Configuration (infracost.yml):

version: 0.1
projects:
  - path: blueprints/terraform/foundation
    name: alz-terraform-foundation
    terraform_plan_flags: -var-file=terraform.tfvars
currency: USD

Usage Patterns (infracost-usage.yml):

resource_usage:
  azurerm_log_analytics_workspace.main:
    monthly_data_ingestion_gb: 50 # Monitoring data

  azurerm_storage_account.main:
    storage_gb: 1000 # Application data
    monthly_tier_1_requests: 100000 # Read operations

🎯 Cost Optimization

Development Environment Optimization

Reduce costs to ~$18/month:

# terraform.tfvars - Development settings
enable_container_registry = false        # Save $50/month
# OR
container_registry_sku = "Basic"         # Save $45/month
enable_private_endpoints = false         # Save $8/month
app_service_plan_sku = "F1"              # Free tier (limitations)

Production Cost Management

Optimize without sacrificing security:

• Reserved Instances: 37% savings for predictable workloads
• Azure Hybrid Benefit: Use existing Windows licenses
• Auto-shutdown: Schedule VM downtime for dev/test environments
• Right-sizing: Monitor actual usage vs. allocated resources

Cost Monitoring Dashboard

Track costs across environments:

• 📊 GitHub Actions Summary: Automatic cost tracking in workflows
• 📈 Deployment Reports: Cost breakdown in HTML dashboards
• 🚨 Budget Alerts: Configurable thresholds for cost overruns
• 📱 Mobile Notifications: Slack/Teams integration for cost alerts

🔍 Troubleshooting & Best Practices

Common Issues

Issue: Infracost shows "price not found"

# Solution: Update to latest module versions
terraform init -upgrade
infracost breakdown --path .

Issue: Cost estimates seem high

# Solution: Check for premium SKUs
grep -r "Premium\|Standard" *.tf
# Consider Basic tiers for development

Best Practices

1. Regular Reviews: Review cost estimates monthly
2. Environment Parity: Keep cost configurations aligned across environments
3. Team Training: Ensure developers understand cost implications
4. Budget Monitoring: Set up Azure Cost Management budgets for actual tracking
5. Automation: Use Infracost in CI/CD for every infrastructure change

📚 Cost Resources

Documentation

• Complete Cost Estimation Guide - Detailed setup and usage
• Infracost Test Results - Real-world analysis results
• Cost Optimization Examples - Savings strategies

Tools & APIs

• Infracost Documentation - Official Infracost docs
• Azure Pricing Calculator - Manual cost estimation
• Azure Cost Management - Actual spend tracking

---

🎯 Azure Verified Modules (AVM) Overview

Azure Verified Modules represents Microsoft's production-ready Infrastructure as Code standard with 14+ million deployments and full enterprise support.

Why AVM?

• ✅ Battle-Tested: 14+ million real deployments
• ✅ Microsoft Backed: Full FTE team support
• ✅ Security Built-in: Compliance and best practices by default
• ✅ Consistent: Standardized patterns across all Azure services

Learn more: AVM Documentation | AVM Modules Guide

🧪 Testing & Deployment

Sandbox Testing (Recommended Start)

Cost-effective validation: Test all AVM patterns in a single subscription for ~$30/month without Management Group requirements.

Quick deployment:

az login
az deployment sub create \
  --location "westeurope" \
  --template-file blueprints/bicep/hub-spoke/main.bicep \
  --parameters blueprints/bicep/hub-spoke/main.parameters.json \
  --name "alz-sandbox-$(date +%Y%m%d-%H%M%S)"

Learn more: AVM Deployment Guide | Terraform Deployment Guide

Enterprise Production

Full-scale ALZ: Management groups, subscription vending, compliance policies, and Zero Trust Level 1 security framework.

Key components: Hub-spoke networking, private endpoints, policy enforcement, cost management, monitoring.

Learn more: Azure DevOps Setup | Zero Trust Maturity Roadmap

---

📚 Learning Resources & Official Guides

🎯 Microsoft Official Documentation

• Azure Landing Zones - Microsoft's official ALZ guidance
• Azure Verified Modules - Complete AVM reference
• AVM Bicep Registry - Source code for all AVM Bicep modules
• AVM Terraform Registry - Terraform AVM modules search
• Azure Well-Architected Framework - Enterprise architecture principles
• Azure Bicep Documentation - Infrastructure as Code with Bicep

🚀 Deployment Tutorials

• Azure CLI Tutorial - Get started with Azure CLI
• Terraform on Azure - Official Terraform + Azure guide
• GitHub Actions for Azure - CI/CD automation
• Azure DevOps Pipelines - Enterprise CI/CD

🛡️ Security & Compliance

• Azure Security Benchmark - Security baseline
• Zero Trust Architecture - Microsoft Zero Trust guidance
• Azure Policy - Governance and compliance
• Azure RBAC - Access control best practices

🤖 AI-Enhanced Development

• Warp Terminal - AI-powered terminal for developers
• GitHub Copilot - AI pair programming
• Azure OpenAI Service - Enterprise AI services

---

🤝 Contributing

We welcome contributions! Please follow our development workflow:

1. Fork the repository
2. Create feature branch: git checkout -b feature/new-feature
3. Install pre-commit hooks: pre-commit install
4. Make changes and test locally
5. Submit Pull Request

Development guidelines: Pre-commit Hooks Guide

---

📚 Related Documents

🎯 Essential Getting Started

• 📋 Azure Sandbox Policies Overview - Main policy reference and rules
• ⚡ AVM Deployment Guide - Primary deployment walkthrough
• 🔍 Pre-commit Errors Analysis - Fix common issues

🔧 Development & Quality

• 🛠️ Pre-commit Hooks Guide - Code quality automation
• 🏗️ Terraform Deployment Guide - Terraform-specific procedures
• 🔄 Terraform CI/CD Guide - GitHub Actions automation
• 📖 AVM Modules Guide - AVM reference and best practices

🏭 Enterprise Integration

• 🏢 Azure DevOps Setup - Enterprise CI/CD pipelines
• 🔄 GitHub-Azure DevOps Sync - Dual repository strategy
• 🚀 Deployment Guide - Classic step-by-step deployment

🛡️ Security & Compliance

• 🔒 ACR Vulnerability Scanning Guide - Container security
• 🛡️ Zero Trust Maturity Roadmap - Security progression

---

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

---

🙏 Acknowledgments

Special thanks to:

• Azure Landing Zones Community for enterprise-grade architecture guidance and patterns
• Azure Verified Modules (AVM) Community for production-ready Infrastructure as Code modules
• VS Code Extension Teams for Terraform and Bicep development tools
• Warp Team for building AI-enhanced development workflows

---

📝 Article: AI-Powered GitOps for Azure Landing Zones 🏗️ AVM Version: 0.4.0+ 📅 Last Updated: 2025-09-28 👨‍💻 Author: Matthias Buchhorn-Roth