Landing Zone Accelerator

Landing Zone Accelerator is a solution from Alibaba Cloud that automates the setup of a landing zone. It accelerates the deployment of your landing zone architecture on the cloud.

Background

Previously, you could build a landing zone architecture through a guided process in the Alibaba Cloud Cloud Governance Center or manually in the Alibaba Cloud Management Console by following the Alibaba Cloud Landing Zone solution. To make this process more efficient, we introduced Landing Zone Accelerator (LZA). LZA helps you quickly build a landing zone architecture that follows cloud best practices. You can use LZA to automate the setup of a landing zone for traditional cloud resources or an AI landing zone for AI services.

The design of Alibaba Cloud Landing Zone Accelerator (LZA) follows Alibaba Cloud Landing Zone Best Practices. Use Landing Zone Accelerator to build your landing zone if you have the following requirements:

  1. You plan to manage Alibaba Cloud resources using Terraform-based infrastructure as code (IaC).

  2. You want to build a landing zone or AI landing zone architecture through automation.

  3. You want to build a reusable, stateful, and versioned landing zone infrastructure.

Important

This solution does not guarantee full compliance on its own. It provides the infrastructure on which other supporting solutions can be integrated. The information in this implementation guide is not exhaustive. You must review, evaluate, and approve this solution based on your organization's specific security features, tools, and configurations. You and your organization are responsible for identifying applicable regulatory requirements and ensuring compliance with all of them. Although this solution discusses technical and administrative requirements, it does not help you comply with non-technical administrative requirements.

Solution overview

Landing Zone Accelerator is an open source project built entirely on Terraform. You can download the complete source code to get full access to the Terraform code in Landing Zone Accelerator. Using Terraform-based infrastructure as code (IaC), you can build a cloud IT governance architecture that follows best practices and meets your enterprise requirements. You can also freely extend the solutions provided in Alibaba Cloud Landing Zone. Note that deploying Landing Zone Accelerator does not guarantee the compliance of your cloud resources. Compliance depends on your actual resource and compliance rule configurations.

  • Landing Zone Accelerator is a free, open source solution. You only pay for the billable cloud resources that you enable.

  • Landing Zone Accelerator can be deployed in all regions that support landing zones. This includes regions on the Alibaba Cloud China Website (www.aliyun.com) and the Alibaba Cloud International Website (www.alibabacloud.com).

Open source repository

https://github.com/aliyun/landing-zone-accelerator-on-alibaba-cloud

Supported solutions

The Landing Zone Accelerator source code includes the setup code for the six core modules of a landing zone by default. These modules are Resource Management, Identity and Permissions, Financial Management, Network Planning, Security Protection, and Compliance Audit. After you download the source code, you can select the modules and code that you need. The default resource configurations in Landing Zone Accelerator are provided as examples and are not intended for direct use in a production environment. After you download the source code, you must modify the resource configurations to meet your deployment needs.

You can use Landing Zone Accelerator to build landing zone and AI landing zone architectures on Alibaba Cloud. You can manage traditional cloud resources and AI resources within the same landing zone architecture after a single deployment. You can also deploy two separate instances to manage them independently as needed.

Project structure

The Landing Zone Accelerator architecture contains three modules: `modules`, `components`, and `test`. They are defined as follows:

modules

These are the most granular, low-level modules. A resource is typically abstracted into a module if it meets the following conditions:

  1. It is responsible for creating and configuring a single product.

  2. It uses two or more Terraform resources or data sources.

components

`components` are high-level encapsulations of `modules`. The development standards are the same as for Terraform modules. A functional module or submodule of a landing zone is abstracted into a component.

test

`test` is the module for testing the `components` module. It covers all submodules in `components`. In practice, you can refer to the invocation methods in the `test` module to encapsulate and call the `components` module for your business.

The complete project structure is as follows:

.
├── README-CN.md
├── README.md
├── components/
│   ├── account-factory/
│   │   ├── account/
│   │   └── baseline/
│   ├── guardrails/
│   │   ├── detective/
│   │   └── preventive/
│   ├── identity/
│   │   └── cloudsso/
│   ├── log-archive/
│   │   ├── actiontrail/
│   │   ├── config/
│   │   └── log-audit/
│   ├── network/
│   │   ├── cen/
│   │   └── dmz/
│   ├── resource-structure/
│   │   ├── accounts/
│   │   └── folders/
│   ├── security/
│   │   ├── bastion-host/
│   │   ├── cloud-firewall/
│   │   ├── kms/
│   │   ├── security-center/
│   │   └── wafv3/
│   └── wafv3-template/
├── modules/
│   ├── cen-vpc-attach/
│   ├── cloudsso-users-and-groups/
│   ├── cms/
│   ├── config-configuration-recorder/
│   ├── contact/
│   ├── dmz-vpc-egress/
│   ├── eip/
│   ├── kms-instance/
│   ├── nat-gateway/
│   ├── oss-bucket/
│   ├── preset-tag/
│   ├── private-zone/
│   ├── ram-role/
│   ├── ram-security-preference/
│   ├── sls-logstore/
│   ├── sls-project/
│   ├── vpc/
│   └── wafv3-template/
└── test/
    └── components/
        ├── account-factory/
        ├── cloudsso/
        ├── guardrails/
        ├── log-archive/
        ├── network/
        ├── resource-structure/
        ├── security/
        └── wafv3-template/

Runtime environment

For enterprise use, integrate Landing Zone Accelerator into your internal IaC CI/CD pipeline to build enterprise-level IaC management capabilities. If you do not have an internal IaC architecture or want to deploy Landing Zone Accelerator in a cloud-hosted runtime environment, contact your account manager to obtain an enterprise-level IaC architecture solution that suits your needs.

Multi-environment applications

Because `modules` and `components` both follow Terraform module development standards, you can create business-level encapsulations on top of `components` for multiple environments. This lets you manage multiple environments or multiple independent landing zone architectures within a single project. This approach supports scenarios such as multiple environments or subsidiaries in an enterprise.

Example:

.
├── deployments/
│   ├── dev/
│   ├── beta/
│   └── prod/
├── components/
├── modules/
└── test/

Policy separation

If you have many policy-related configurations and want to separate the policy content from the Terraform code, Landing Zone Accelerator supports this. For more information, see the implementation in `test/components/guardrails/preventive/main.tf`.
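As an added example covering both the multi-environment layout above and policy separation (constructed here, not code from the project), a `deployments/prod/main.tf` wrapper that calls the `components/guardrails/preventive` component with its own state and loads every policy document from a separate `policies/*.json` file. The component input names (`environment`, `folder_ids`, `policies`) and the bucket name are assumptions; check them against the component's `variables.tf` before use.

```hcl
# deployments/prod/main.tf  (constructed example; not from the project)

terraform {
  required_version = ">= 1.3"
  # One state per environment keeps dev/beta/prod isolated; "oss" is
  # Terraform's Alibaba Cloud OSS state backend.
  backend "oss" {
    bucket = "lza-tfstate-example"   # placeholder bucket name
    prefix = "landing-zone"
    key    = "prod/guardrails.tfstate"
    region = "cn-hangzhou"
  }
}

variable "folder_ids" {
  description = "Resource Directory folders the preventive policies attach to"
  type        = list(string)
  validation {
    condition     = length(var.folder_ids) > 0
    error_message = "At least one folder ID is required."
  }
}

locals {
  environment = "prod"

  # Policy separation: each policies/*.json file becomes one control policy,
  # keyed by its file name, so policy authors edit JSON, not Terraform.
  policy_files = fileset("${path.module}/policies", "*.json")
  policies = {
    for f in local.policy_files :
    trimsuffix(f, ".json") => jsondecode(file("${path.module}/policies/${f}"))
  }
}

module "preventive_guardrails" {
  # Call the component, not the low-level modules, as the test/ tree does.
  source = "../../components/guardrails/preventive"

  # Input names below are assumptions; check the component's variables.tf.
  environment = local.environment
  folder_ids  = var.folder_ids
  policies    = local.policies
}

output "policy_names" {
  # Lets `terraform plan` show which policy files were picked up before apply.
  value = sort(keys(local.policies))
}
```

A `dev/` or `beta/` directory is the same file with its own backend key and its own `policies/` folder, so each environment plans and applies independently.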

FAQ

Who maintains the open source Landing Zone Accelerator, and are community contributions supported?

Landing Zone Accelerator is an official open source project from Alibaba Cloud, and community contributions are welcome. You can submit pull requests (PRs) or issues in the open source repository.

Does Landing Zone Accelerator include all solutions from Alibaba Cloud Landing Zone?

Landing Zone Accelerator includes the basic framework for the six core modules of a landing zone and covers the most common solutions for cloud IT governance architecture. However, it does not include all solutions from the landing zone. You can add extensions as needed.

Is Landing Zone Accelerator a complete, ready-to-use, enterprise-level IaC architecture?

Landing Zone Accelerator only contains the business code for building a landing zone. It does not include enterprise-level IaC capabilities such as CI/CD pipelines or multi-user collaboration. You need to add these enterprise-level IaC capabilities during deployment. If you do not have an internal IaC architecture or want to deploy Landing Zone Accelerator in a cloud-hosted runtime environment, contact your account manager to obtain an enterprise-level IaC architecture solution that suits your needs.