This folder initializes the minimum Azure foundation needed for DevOps-driven infrastructure deployments.
The initialization flow creates a dedicated identity resource group, provisions a user-assigned managed identity, optionally attaches workload federation, creates the target managed resource group, and grants delegated permission for controlled role assignment automation in that target scope.
The main template orchestrates the setup and delegates permission assignment logic to a focused module.
Delegation is intentionally constrained so the automation identity cannot assign or remove highly privileged RBAC roles, and all operational permissions stay scoped to the target managed resource group.