
Azure Landing Zones for Canadian Public Sector

Introduction

The purpose of the reference implementation is to guide Canadian Public Sector customers on building Landing Zones in their Azure environment. The reference implementation is based on Cloud Adoption Framework for Azure and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using NIST SP 800-53 Rev. 4 and Canada Federal PBMM Regulatory Compliance Policy Sets.

The architecture is supported up to Treasury Board of Canada Secretariat (TBS) Cloud Profile 3 - Cloud Only Applications. This profile is applicable to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) with characteristics:

This implementation is specific to Canadian Public Sector departments. Please see Implement Cloud Adoption Framework enterprise-scale landing zones in Azure if you are looking for an implementation for other industries or customers.

Architecture

See the architecture documentation for a detailed walkthrough of the design.

Deployment to Azure is supported using Azure DevOps Pipelines and can be adopted for other automated deployment systems like GitHub Actions, Jenkins, etc.

The automation is built with Project Bicep and Azure Resource Manager templates.

GC 30-Day Cloud Guardrails

As part of the Government of Canada (GC) Cloud Operationalization Framework, the GC has provided a set of minimum guardrails to be implemented within the first 30 days of standing up a cloud environment.

See GC 30-Day Cloud Guardrails to find out how the reference implementations meet (or can meet) these requirements.

We recommend deploying the Guardrails Solution Accelerator for evidence collection. The solution continuously audits the Canadian Public Sector customer's environment and provides a comprehensive workbook that shows the compliance status for each of the 12 GC 30-Day Cloud Guardrails controls.

Onboarding to Azure DevOps

See the following onboarding guides for setup instructions:

Goals

Non-Goals

Contributing

See Contributing Reference Implementation for information on building/running the code, contributing code, contributing examples and contributing feature requests or bug reports.

Telemetry

November 11, 2021 onward

Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft's privacy policies, located at https://www.microsoft.com/trustcenter.

If you don't wish to send usage data to Microsoft, you can set the customerUsageAttribution.enabled setting to false in config/telemetry.json. Learn more in our Azure DevOps Pipelines onboarding guide.

Project Bicep collects telemetry in some scenarios as part of improving the product.

Pre-November 11, 2021

This reference implementation does not collect any telemetry. Project Bicep collects telemetry in some scenarios as part of improving the product.

License

All files except for Super-Linter in the repository are subject to the MIT license.

Super-Linter in this project is provided as an example for enabling source code linting capabilities. It is subject to the license of its own repository.

Trademark

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.