PoC Azure Landing Zone I – Subscription 단일 구성

by Posted on

PoC Azure Landing Zone 은 엔터프라이즈급 전체 구성을 다 하기보다는, 핵심 컴포넌트만 빠르게 배치해서 클라우드 거버넌스·네트워크·보안 구조를 검증하는 목적에 맞춰야 합니다.

PoC Azure Landing Zone I

PoC(Proof of Concept) Azure Landing Zone 이라도 Policy & RBAC까지 포함하면 훨씬 “거버넌스 체감”이 됩니다.
아래 예시는 Subscription 내 단일 PoC 버전 으로 구성된 네트워크·보안·모니터링에 더해, 정책(Policy) + RBAC(Role Assignment)까지 적용된 PoC Landing Zone Terraform 코드입니다.

📊 구성 내용

  • Resource Groups: network-rg, security-rg, management-rg
  • Hub VNET + Subnet
  • Log Analytics Workspace (모니터링)
  • Defender for Cloud Security Contact
  • Policy: Environment 태그가 없는 리소스 그룹 생성 차단
  • RBAC: 특정 사용자/그룹(Object ID)에게 Owner 역할 부여
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }
}

provider "azurerm" {
  features {}
}

# ======================
# Variables
# ======================
variable "prefix" {
  type        = string
  default     = "poclz"
  description = "Landing Zone prefix"
}

variable "location" {
  type        = string
  default     = "koreacentral"
  description = "Azure region"
}

variable "owner_object_id" {
  type        = string
  description = "RBAC 할당 대상 사용자/그룹의 AAD Object ID"
}

# ======================
# Resource Groups
# ======================
resource "azurerm_resource_group" "network_rg" {
  name     = "${var.prefix}-network-rg"
  location = var.location
}

resource "azurerm_resource_group" "security_rg" {
  name     = "${var.prefix}-security-rg"
  location = var.location
}

resource "azurerm_resource_group" "management_rg" {
  name     = "${var.prefix}-management-rg"
  location = var.location
}

# ======================
# Networking (Hub VNET + Subnet)
# ======================
resource "azurerm_virtual_network" "hub_vnet" {
  name                = "${var.prefix}-hub-vnet"
  location            = var.location
  resource_group_name = azurerm_resource_group.network_rg.name
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "hub_subnet" {
  name                 = "hub-subnet"
  resource_group_name  = azurerm_resource_group.network_rg.name
  virtual_network_name = azurerm_virtual_network.hub_vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

# ======================
# Monitoring
# ======================
resource "azurerm_log_analytics_workspace" "log" {
  name                = "${var.prefix}-law"
  location            = var.location
  resource_group_name = azurerm_resource_group.management_rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

# ======================
# Security Center
# ======================
resource "azurerm_security_center_contact" "security_contact" {
  email               = "security@example.com"
  phone               = "+821012345678"
  alert_notifications = true
  alerts_to_admins    = true
}

# ======================
# Azure Policy (예: 리소스 그룹에 태그 강제)
# =================

🚀 실행 예시

terraform init
terraform plan -var 'owner_object_id=00000000-1111-2222-3333-444444444444'
terraform apply -auto-approve

Post Views: 58

Published by 구름여행자

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!