Skip to main content
Glama
cloudcwfranck

@cloudcraftwithfranck/govcloud-mcp

by cloudcwfranck
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Remote

landing_zone_reference

Generate Azure Landing Zone architecture from Microsoft's Enterprise Scale reference. Outputs management hierarchy, policy assignments, hub-spoke topology, and Bicep scaffold aligned with CAF and ALZ accelerator.

Instructions

Generate Azure Landing Zone architecture grounded in the official Microsoft Enterprise Scale reference implementation (github.com/Azure/Enterprise-Scale). Returns Management Group hierarchy, policy assignments, hub-spoke topology, and Bicep scaffold aligned with CAF and ALZ accelerator.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
scenarioYesLanding zone deployment scenario
impactLevelYesTarget compliance impact level
cspYesCloud service provider environment
missionTypeYesDescribe the workload (e.g. "Navy legal case management")
subscriptionCountYesApproximate number of workload subscriptions

Implementation Reference

  • src/tools/architecture/landing-zone-reference.ts:84-177 (handler)
    The main handler function `handleLandingZoneReference` that executes the tool logic. It validates inputs with Zod, fetches ESLZ grounding content from GitHub (README.md + policies.json), retrieves the ESLZ ARM template directory listing, constructs a detailed grounding section, and calls Anthropic Claude with a specialized system prompt to generate the landing zone architecture. Returns the AI response with ESLZ attribution.
    export async function handleLandingZoneReference(args: unknown): Promise<string> {
  return runTool('landing_zone_reference', args, Schema, async (params0) => {
    const params = {
      ...params0,
      csp: (params0.csp as string)
        .replace('gcc-high', 'azure-gcc-high')
        .replace('azure-gov', 'azure-government') as typeof params0.csp,
    };
    // Fetch ESLZ grounding content in parallel
    const [archDoc, allPolicies] = await Promise.all([
      fetchEslzContent('README.md'),
      fetchEslzContent('eslzArm/managementGroupTemplates/policyDefinitions/policies.json'),
    ]);

    // Fetch GitHub directory listing for eslzArm to show real template names
    let templateList = '';
    try {
      const ghResponse = await fetch(
        'https://api.github.com/repos/Azure/Enterprise-Scale/contents/eslzArm',
        {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            'User-Agent': 'govcloud-mcp/1.0.0',
          },
        }
      );
      if (ghResponse.ok) {
        const contents = await ghResponse.json() as Array<{ name: string }>;
        if (Array.isArray(contents)) {
          templateList = contents.map((f) => f.name).join(', ');
        }
      }
    } catch {
      // Non-fatal — continue without template list
    }

    const eslzAvailable = !!(archDoc || allPolicies);

    const securityPolicySummary = extractRelevantPolicies(
      allPolicies,
      'SC',
      ['defender', 'security center', 'key vault', 'encryption', 'tls', 'https']
    );

    const networkPolicySummary = extractRelevantPolicies(
      allPolicies,
      'SC',
      ['network', 'firewall', 'dns', 'private endpoint', 'nsg', 'vnet']
    );

    const groundingSection = eslzAvailable
      ? `
## Official Microsoft Enterprise Scale Reference Content

### Azure Landing Zones Architecture Overview (github.com/Azure/Enterprise-Scale):
${archDoc.slice(0, 5000)}

### ALZ Security Policy Definitions (161 official policies, filtered for security/networking):
**Security controls:**
${securityPolicySummary || '(unavailable)'}

**Network controls:**
${networkPolicySummary || '(unavailable)'}

${templateList ? `### Available ESLZ ARM Template Directories:\n${templateList}` : ''}
`
      : '(ESLZ grounding content unavailable — responding from base knowledge)';

    const response = await anthropic.messages.create({
      model: MODEL,
      max_tokens: getTokenBudget('landing_zone_reference'),
      system: LANDING_ZONE_SYSTEM,
      messages: [
        {
          role: 'user',
          content: `Generate a complete Azure Landing Zone architecture for:

**Scenario:** ${params.scenario}
**Impact Level:** ${params.impactLevel}
**CSP:** ${params.csp}
**Mission:** ${params.missionType}
**Scale:** ${params.subscriptionCount} subscriptions

${groundingSection}

Ground your recommendations in the official ESLZ content above. Where you reference architecture patterns, explicitly cite alignment with the Azure/Enterprise-Scale reference implementation. Include all required sections with specific configuration values.`,
        },
      ],
    });

    const text = response.content[0].type === 'text' ? response.content[0].text : '';
    return eslzAvailable ? text + ESLZ_ATTRIBUTION : text;
  });
}
  • src/tools/architecture/landing-zone-reference.ts:10-52 (schema)
    The tool definition object including the name 'landing_zone_reference', description, input schema (scenario, impactLevel, csp, missionType, subscriptionCount), and the Zod validation schema enforcing enums and string constraints.
    export const landingZoneReferenceTool = {
  name: 'landing_zone_reference',
  description:
    'Generate Azure Landing Zone architecture grounded in the official Microsoft Enterprise Scale reference implementation (github.com/Azure/Enterprise-Scale). Returns Management Group hierarchy, policy assignments, hub-spoke topology, and Bicep scaffold aligned with CAF and ALZ accelerator.',
  inputSchema: {
    type: 'object' as const,
    properties: {
      scenario: {
        type: 'string',
        enum: ['greenfield-government', 'brownfield-migration', 'sovereign-landing-zone', 'mission-landing-zone'],
        description: 'Landing zone deployment scenario',
      },
      impactLevel: {
        type: 'string',
        enum: ['fedramp-moderate', 'fedramp-high', 'il4', 'il5'],
        description: 'Target compliance impact level',
      },
      csp: {
        type: 'string',
        enum: ['azure-government', 'azure-gcc-high', 'gcc-high', 'azure-gov'],
        description: 'Cloud service provider environment',
      },
      missionType: {
        type: 'string',
        description: 'Describe the workload (e.g. "Navy legal case management")',
      },
      subscriptionCount: {
        type: 'string',
        enum: ['1-3', '4-10', '11-50', '50+'],
        description: 'Approximate number of workload subscriptions',
      },
    },
    required: ['scenario', 'impactLevel', 'csp', 'missionType', 'subscriptionCount'],
  },
};

const Schema = z.object({
  scenario: z.enum(['greenfield-government', 'brownfield-migration', 'sovereign-landing-zone', 'mission-landing-zone']),
  impactLevel: z.enum(['fedramp-moderate', 'fedramp-high', 'il4', 'il5']),
  csp: z.enum(['azure-government', 'azure-gcc-high', 'gcc-high', 'azure-gov']),
  missionType: z.string().min(1).max(500),
  subscriptionCount: z.enum(['1-3', '4-10', '11-50', '50+']),
});
  • src/tools/index.ts:10-40 (registration)
    Import of `landingZoneReferenceTool` and `handleLandingZoneReference` from the architecture module, inclusion in the `allTools` array (line 40), and routing of the 'landing_zone_reference' case to the handler (line 70).
    import { landingZoneReferenceTool, handleLandingZoneReference } from './architecture/landing-zone-reference.js';
import { serviceSelectTool, handleServiceSelect } from './architecture/azure-service-selector.js';
import { gccHighTool, handleGccHigh } from './architecture/gcc-high-guidance.js';
import { privateEndpointTool, handlePrivateEndpoint } from './architecture/private-endpoint-map.js';

import { bigbangValidateTool, handleBigbangValidate } from './platform-one/bigbang-validate.js';
import { bigbangHardenTool, handleBigbangHarden } from './platform-one/bigbang-harden.js';
import { ironbankLookupTool, handleIronbankLookup } from './platform-one/ironbank-lookup.js';
import { addonConfiguratorTool, handleAddonConfigurator } from './platform-one/addon-configurator.js';

import { pipelineAuditTool, handlePipelineAudit } from './pipeline/pipeline-audit.js';
import { signingConfigTool, handleSigningConfig } from './pipeline/signing-config.js';
import { devsecopsScoreCardTool, handleDevsecopsScorecard } from './pipeline/devsecops-scorecard.js';

import { sspSectionTool, handleSspSection } from './documents/ssp-section.js';
import { contingencyPlanTool, handleContingencyPlan } from './documents/contingency-plan.js';

import { govcloudQuickstartTool, handleGovcloudQuickstart } from './govcloud-quickstart.js';

export const allTools = [
  // Compliance
  bicepAnalyzeTool,
  bicepRemediateTool,
  controlLookupTool,
  controlNarrativeTool,
  poamGenerateTool,
  atoReadinessTool,
  oscalFragmentTool,
  // Architecture
  landingZoneTool,
  landingZoneReferenceTool,
  • src/utils/github-fetcher.ts:1-181 (helper)
    Helper utilities used by the handler: `fetchEslzContent` (fetches files from Azure/Enterprise-Scale GitHub repo with caching), `extractRelevantPolicies` (filters policy JSON for security/network controls), and `ESLZ_ATTRIBUTION` (attribution string appended to responses).
    import { logger } from './logger.js';

const ESLZ_BASE = 'https://raw.githubusercontent.com/Azure/Enterprise-Scale/main';

interface CacheEntry {
  content: string;
  fetchedAt: number;
}

const cache = new Map<string, CacheEntry>();
const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour

export function clearEslzCache(): void {
  cache.clear();
}

export async function fetchEslzContent(path: string): Promise<string> {
  const cached = cache.get(path);
  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
    logger.info('eslz', `Cache hit: ${path}`);
    return cached.content;
  }

  const url = `${ESLZ_BASE}/${path}`;
  try {
    const response = await fetch(url, {
      headers: {
        Accept: 'text/plain',
        'User-Agent': 'govcloud-mcp/1.0.0',
      },
    });

    if (!response.ok) {
      logger.warn('eslz', `Failed to fetch ${path}`, { status: response.status });
      return '';
    }

    const content = await response.text();
    cache.set(path, { content, fetchedAt: Date.now() });
    logger.info('eslz', `Fetched and cached: ${path}`, { bytes: content.length });
    return content;
  } catch (err) {
    logger.warn('eslz', `Network error fetching ${path}`, { error: String(err) });
    return '';
  }
}

export async function fetchEslzJson(path: string): Promise<object | null> {
  const content = await fetchEslzContent(path);
  if (!content) return null;
  try {
    return JSON.parse(content);
  } catch {
    logger.warn('eslz', `Failed to parse JSON from ${path}`);
    return null;
  }
}

export async function fetchEslzBatch(paths: string[]): Promise<Map<string, string>> {
  const results = await Promise.allSettled(
    paths.map(async (path) => ({ path, content: await fetchEslzContent(path) }))
  );

  const map = new Map<string, string>();
  for (const result of results) {
    if (result.status === 'fulfilled') {
      map.set(result.value.path, result.value.content);
    }
  }
  return map;
}

// Extract up to 10 policy display names + descriptions from an ESLZ ARM policy definition file.
// Handles both the legacy resources[] format and the modern $fxv#N variables format.
export function extractRelevantPolicies(
  policyJson: string,
  controlFamily: string,
  services: string[]
): string {
  if (!policyJson) return '';
  try {
    const parsed = JSON.parse(policyJson);
    const serviceTerms = services.map((s) => s.toLowerCase());
    const familyLower = controlFamily.toLowerCase();

    // Build a flat list of { name, displayName, description } from whatever structure is present
    const allPolicies: Array<{ name: string; displayName: string; description: string }> = [];

    // Modern ESLZ format: variables.$fxv#N contain individual policy JSON strings
    const variables: Record<string, unknown> = parsed?.variables ?? {};
    for (const [key, val] of Object.entries(variables)) {
      if (!key.startsWith('$fxv#') || typeof val !== 'string') continue;
      try {
        const p = JSON.parse(val);
        const props = (p?.properties ?? {}) as Record<string, string>;
        allPolicies.push({
          name: (p?.name as string) ?? '',
          displayName: props.displayName ?? '',
          description: props.description ?? '',
        });
      } catch {
        // Skip unparseable entries
      }
    }

    // Legacy format: resources array
    if (allPolicies.length === 0) {
      const resources: Array<Record<string, unknown>> = parsed?.resources ?? [];
      for (const r of resources) {
        const props = (r.properties ?? {}) as Record<string, string>;
        allPolicies.push({
          name: (r.name as string) ?? '',
          displayName: props.displayName ?? '',
          description: props.description ?? '',
        });
      }
    }

    const relevant = allPolicies
      .filter(({ name, displayName, description }) => {
        const n = name.toLowerCase();
        const d = displayName.toLowerCase();
        const desc = description.toLowerCase();
        return (
          n.includes(familyLower) || d.includes(familyLower) || desc.includes(familyLower) ||
          serviceTerms.some((s) => n.includes(s) || d.includes(s) || desc.includes(s))
        );
      })
      .slice(0, 10)
      .map(({ displayName, name, description }) =>
        `- **${displayName || name}**: ${description || '(no description)'}`
      )
      .join('\n');

    return relevant || 'No specific policies found for these services.';
  } catch {
    return '';
  }
}

// Pull the section from the architecture doc most relevant to a control family.
// Returns up to 2000 chars of relevant content.
export function extractRelevantArchGuidance(archDoc: string, controlFamily: string): string {
  if (!archDoc) return '';
  const familyKeywords: Record<string, string[]> = {
    AC: ['identity', 'access', 'rbac', 'entra', 'conditional access', 'pim'],
    SC: ['encryption', 'network', 'tls', 'key vault', 'private endpoint', 'firewall'],
    AU: ['logging', 'monitoring', 'diagnostic', 'log analytics', 'sentinel'],
    IA: ['identity', 'authentication', 'mfa', 'cac', 'piv', 'entra'],
    SI: ['defender', 'vulnerability', 'threat', 'security center', 'patch'],
    CM: ['policy', 'configuration', 'azure policy', 'blueprint', 'management'],
    CP: ['backup', 'recovery', 'availability', 'geo-redundant', 'rpo', 'rto'],
    IR: ['incident', 'alert', 'sentinel', 'monitoring', 'response'],
    SA: ['architecture', 'design', 'landing zone', 'management group'],
    RA: ['assessment', 'scanning', 'defender', 'vulnerability'],
  };

  const terms = familyKeywords[controlFamily] ?? [controlFamily.toLowerCase()];
  const lines = archDoc.split('\n');
  const relevant: string[] = [];
  let capturing = false;
  let capturedChars = 0;
  const MAX_CHARS = 2000;

  for (const line of lines) {
    const lower = line.toLowerCase();
    if (terms.some((t) => lower.includes(t))) {
      capturing = true;
    }
    if (capturing) {
      relevant.push(line);
      capturedChars += line.length;
      if (capturedChars >= MAX_CHARS) break;
    }
  }

  return relevant.join('\n').trim();
}

export const ESLZ_ATTRIBUTION = `\n\n---\n*Architecture guidance grounded in the official Microsoft [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale) reference implementation — ${new Date().toISOString().split('T')[0]}*`;
  • src/utils/tool-runner.ts:15-56 (helper)
    Configuration entries for the tool in the runner: token budget of 4096 (line 15) and timeout of 90000ms (line 56) to allow extra time for ESLZ fetch + AI generation.
      landing_zone_reference: 4096,
  pipeline_audit: 6144,
  ato_readiness: 4096,
  control_lookup: 4096,
  poam_generate: 2048,
  oscal_fragment: 4096,
  addon_configurator: 4096,
  private_endpoint_map: 4096,
  devsecops_scorecard: 3072,
  bigbang_validate: 3072,
  gcc_high_guidance: 2048,
  signing_config: 2048,
  azure_service_selector: 2048,
  ironbank_lookup: 1024,
  govcloud_quickstart: 1024,
  bicep_analyze: 4096,
};

// Per-tool timeouts (ms)
export const TOOL_TIMEOUTS: Record<string, number> = {
  ironbank_lookup: 15000,
  azure_service_selector: 15000,
  govcloud_quickstart: 5000,
  gcc_high_guidance: 20000,
  signing_config: 20000,
  control_lookup: 30000,
  bicep_analyze: 30000,
  bigbang_validate: 30000,
  pipeline_audit: 30000,
  devsecops_scorecard: 30000,
  ato_readiness: 30000,
  poam_generate: 25000,
  private_endpoint_map: 30000,
  addon_configurator: 45000,
  oscal_fragment: 45000,
  control_narrative: 60000,
  ssp_section: 25000,
  contingency_plan: 60000,
  bigbang_harden: 60000,
  bicep_remediate: 60000,
  landing_zone_design: 60000,
  landing_zone_reference: 90000, // extra time for ESLZ fetch + generation

Tool Definition Quality

B3.4/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries full burden. It lists outputs but does not disclose behavioral traits like side effects, authentication needs, or limitations. The description is minimal beyond stating what is returned.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise with two informative sentences. It front-loads the purpose and source, then lists outputs. Every sentence adds value.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given no output schema, the description appropriately lists the main outputs (Management Group hierarchy, policy assignments, etc.). However, it lacks details on format or structure, which would enhance completeness for a complex architecture tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already documents all parameters. The description adds overall context (referencing official implementation) but does not provide additional meaning for individual parameters beyond what is in the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool generates Azure Landing Zone architecture based on Microsoft's reference implementation and lists specific outputs. It is specific but does not explicitly differentiate from the sibling tool 'landing_zone_design'.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for generating reference architectures but provides no explicit guidance on when to use this tool versus alternatives, nor when not to use it.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cloudcwfranck/govcloud-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server