Getting Started
Request your Landing Zone
At present, a TDF BL consumer can request the following types of Azure Hardened Subscription:
- Innovate Landing Zone
- Innovate Landing Zone with Corporate Addon
The overview document describes the features offered to TDF BL consumers and helps them choose.
How to enroll people for a TDF Identity
Every user who needs access to your Azure hardened subscription must have a valid Azure AD account in the Thales Digital Factory Azure AD tenant. You can request user creation in Post-it; once the account exists, you can enroll it in your Azure subscription as documented in How to manage group membership of my Azure AD Security groups.
How to enroll my people in my Landing Zone
As a Lead Developer on my Azure Hardened subscription, I have the privilege to manage role assignments at any scope within my Azure subscription. You can manage role assignments for your service principal at the following levels:
- Subscription
- Resource Group
- Resource
The only limitations related to role assignment are:
- You cannot assign the Owner built-in role
- You cannot assign the User Access Administrator built-in role
- You cannot assign the Resource Policy Contributor built-in role
We recommend that you assign the Lead Developer custom role available in your Landing Zone through the groups we created for you during the provisioning of the Landing Zone.
My first requests
How to enroll for a GitLab repo
TDF BL consumers can request a dedicated GitLab Repo as documented here: https://gitlab.thalesdigital.io/just-do-it/it-sre/hardened-landing-zone-documentation/-/blob/master/how-to-guides/using-gitlab-dedicated-runner.md#using-a-gitlab-dedicated-runner
How to request a Service Principal for my CI/CD Pipeline
The process to request a service principal is available here: Using Service Principal
How to assign my Service Principal to my Subscription
As a Lead Developer on my Azure Hardened subscription, I have the privilege to manage role assignments at any scope within my subscription. You can manage role assignments for your service principal at the following levels:
- Subscription
- Resource Group
- Resource
The only limitations related to role assignment are:
- You cannot assign Owner built-in role
- You cannot assign User Access Administrator built-in role
- You cannot assign Resource policy contributor built-in role
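As an added example (not part of the landing zone documentation), the following Azure CLI wrapper assigns a role to a service principal at subscription or resource-group scope and refuses the three built-in roles listed above before calling `az`; it covers both the people and the service principal sections. The subscription id, resource group name, role and application id are placeholder arguments, and the script assumes `az login` has already been done.

```shell
#!/usr/bin/env sh
# Added example: guarded role assignment for a service principal in a
# hardened landing zone. Not the landing zone's own tooling.

# Returns 0 if a Lead Developer may assign the role, 1 for the three
# built-in roles the landing zone forbids.
role_allowed() {
  case "$1" in
    Owner|"User Access Administrator"|"Resource Policy Contributor") return 1 ;;
    *) return 0 ;;
  esac
}

# Builds the ARM scope string: resource group when one is given,
# otherwise the whole subscription.
build_scope() {
  sub="$1"; rg="$2"
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
  else
    printf '/subscriptions/%s' "$sub"
  fi
}

# Usage: assign_sp_role <sp-app-id> <role> <subscription-id> [resource-group]
assign_sp_role() {
  sp_app_id="$1"; role="$2"; sub="$3"; rg="$4"
  if ! role_allowed "$role"; then
    echo "refused: '$role' cannot be assigned by a Lead Developer here" >&2
    return 1
  fi
  scope=$(build_scope "$sub" "$rg")
  # Resolve the service principal object id from its application id, then
  # create the assignment at the computed scope.
  sp_object_id=$(az ad sp show --id "$sp_app_id" --query id -o tsv) || return 1
  az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" \
    --scope "$scope"
}

# Placeholder invocation (constructed values, no real subscription):
# assign_sp_role 11111111-2222-3333-4444-555555555555 Contributor \
#   00000000-0000-0000-0000-000000000000 rg-pipeline-demo
```

Running the function with Owner, User Access Administrator or Resource Policy Contributor returns before any `az` call is made.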
How to change ownership of my service principal
As the owner of a service principal, I can assign ownership to another Azure AD user from the TDF Azure AD tenant.
Connect to the resources in your Landing Zone with Corporate Addon using ZScaler
Requests for a ZScaler licence and access must be made using Post-it.
How to build my own dedicated GitLab runners
Within a Landing Zone with Corporate Addon, you may need a dedicated GitLab Runner (connected to the Corporate GitLab).
Detailed documentation is available here: How to build my own GitLab dedicated runner.
How to deploy a first demonstration workload
Have a look at our Samples in the documentation if you need examples of reference architectures and the Terraform code to deploy them.
How to expose my web-based workloads
Exposing a web-based workload is possible on a Landing Zone deployed with Corporate Addon, but only for internal access (from Thales RIE networks). Workloads hosted in a Landing Zone without Corporate Addon can be exposed to the Internet using an Azure Application Gateway as documented here: deploy Azure Application Gateway.
How to deploy Azure DataBricks in a Landing Zone with Corporate Addon
Due to the special network requirements of Azure DataBricks, the solution cannot be deployed with direct VNet integration. The document Deploy Azure DataBricks in Private Link scenario provides step-by-step guidance to deploy Azure DataBricks.