terraform-azurerm-caf-enterprise-scale VS terraform-example-foundation

I'm planning to use the official landing zone module developped by MSFT, but it's a big bite. https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki

u/Ok-Inspection3886 Great question! Under the hood we use the Azure landing zones terraform module which is recommended by Azure when using Terraform if you're interested in "Platform Landing Zones". The module itself deploys custom policies and also allows users to add additional custom policies relatively easy.

Honestly, https://github.com/Azure/terraform-azurerm-caf-enterprise-scale does a pretty good job at deploying a landing zone-architecture, is active and maintained. I wouldnt try to re-invent the work Microsoft are doing themself but rather contribute to that project and build tools around the existing module. An issue I often hear from people is that they have a hard time visualizing which policies are added on parent management groups and how to exclude/adjust them.

To add to the links, azure released their own version of terraformer (I've never used it myself but if your deployments are on azure it may fill the gaps where terraformer fails) https://techcommunity.microsoft.com/t5/azure-tools-blog/announcing-azure-terrafy-and-azapi-terraform-provider-previews/ba-p/3270937 also https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main covers creating terraform to create stuff like policies not managed by the standard azurerm terraform module. Best of luck!

The azure environment I'm working on has the Terraform Module for Cloud Adoption Framework Enterprise-scale implemented, so how is the right pattern to connect the cosmos DB with the Hub VNet and also be able to receive data from external sources?

Microsoft provides a an excellent enterprise scale terraform setup here: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale

- How do we secure?

You can use this approach for each step along the way, how to secure secrets in your cloud? code? IaC? container deployments? CI/CD?

If we assume infra / app is code, the tooling matters a lot less. How do you provision certificates via IaC? How do you grant IAM to resources and how do you revoke?

There are examples like https://github.com/terraform-google-modules/terraform-exampl... of more advanced IaC architectures, but you can start as small or as complex as you want and evolve if done properly.

Personally, I love me some Kubernetes + ArgoCD (GitOps) + Google Workload Identity + Google Secret Manager, but I am 100% biased.

Also looked for something similar, and unfortunately didnt find one. Based our enterprise repo off the caf model (not using the module) similar to this google repo: https://github.com/terraform-google-modules/terraform-example-foundation

How did I tackle this exam? 1. On github there is an example foundation for GCP on terraform. https://github.com/terraform-google-modules/terraform-example-foundation I went through this week after week to help me learn. I made customizations and I deployed and destroyed over and over again, making changes. I used this to create a basic organization with a website, this is how I learnt.

If you are looking to setup a new cloud project with Terraform, then that is an another thing. For GCP, Google offers a toolkit: https://github.com/terraform-google-modules/terraform-example-foundation

https://github.com/terraform-google-modules/terraform-example-foundation maybe have a look at the layer approach from Google?