https://github.com/julie-ng/cloudkube-example-sandbox
Infra as Code for Sandbox Demo
azure devops-at-scale infra-as-code management terraform
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/julie-ng/cloudkube-example-sandbox
- Owner: julie-ng
- License: mit
- Created: 2021-03-21T07:35:51.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2021-05-05T08:52:15.000Z (about 4 years ago)
- Last Synced: 2025-02-01T02:41:57.345Z (4 months ago)
- Topics: azure, devops-at-scale, infra-as-code, management, terraform
- Language: HCL
- Homepage:
- Size: 94.7 KB
- Stars: 1
- Watchers: 3
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# cloudkube-example-sandbox
### Use Case
A central cloud operations team deploys a sandbox for a developer team.
_Note: Managed Identities are illustrated for example scenario considerations described below._
## Resources deployed
### Infrastructure
The Terraform scripts in this repository deploy:
| Resource | Description |
|:--|:--|
| Azure Resource Group | Sandbox logical and security boundary |
| Azure Key Vault | Can be pre-populated with credentials for team |
| Azure Container Registry | Team stores their Docker images here |

### Considerations for DevOps at Organizations
This repo does not do much because it is a demo. In real life, however, the most common use case is to bootstrap a sandbox that is pre-configured to connect with shared resources, especially networking (think hub-and-spoke architectures).
Here are some other considerations to think about.
- What permissions at which scope do teams receive? _Why?_
- Why should every team get their own Azure Container Registry?
### Example: Managed Identities

As an exercise, imagine we also bootstrap the following:
| Managed Identity | Role | Description |
|:--|:--|:--|
| `ci-mi` | `AcrPush` | CI/CD tools need to push images |
| `cluster-mi` | `AcrPull` | Tools, e.g. a Kubernetes cluster, need to be able to pull images |
| `team-mi` | `Contributor` | Team needs to manage this resource |

For additional details see the following documentation:
- [Azure Container Registry Roles](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles)
- [What are managed identities for Azure resources?](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)

**Bonus Question**
Why does `team-mi` have a solid and blue colored border? How is it different from the other 2 managed identities illustrated above?

## Disclaimer
This is an example for **learning** DevOps in real life. It is neither a reference implementation nor reference architecture.
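The "what permissions at which scope" question and the managed identity table above, worked through in Terraform as an added example (not the repository's own code): each identity gets only the role the table names, and every assignment is scoped to the registry rather than the resource group or subscription. The resource names, region, SKU and the choice to bind `team-mi`'s `Contributor` role to the registry alone are assumptions.

```hcl
# Added example (not the repository's own code). Names, region and SKU are assumptions.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "sandbox" {
  name     = "rg-sandbox-example" # assumed name
  location = "westeurope"         # assumed region
}

resource "azurerm_container_registry" "sandbox" {
  name                = "acrsandboxexample" # assumed; must be globally unique
  resource_group_name = azurerm_resource_group.sandbox.name
  location            = azurerm_resource_group.sandbox.location
  sku                 = "Basic"
  admin_enabled       = false # no shared admin password; identities authenticate instead
}

# One user-assigned identity per role so permissions stay separable and auditable.
resource "azurerm_user_assigned_identity" "mi" {
  for_each            = toset(["ci-mi", "cluster-mi", "team-mi"])
  name                = each.key
  resource_group_name = azurerm_resource_group.sandbox.name
  location            = azurerm_resource_group.sandbox.location
}

# Data-plane roles scoped to the registry itself, not the resource group.
resource "azurerm_role_assignment" "ci_push" {
  scope                = azurerm_container_registry.sandbox.id
  role_definition_name = "AcrPush"
  principal_id         = azurerm_user_assigned_identity.mi["ci-mi"].principal_id
}

resource "azurerm_role_assignment" "cluster_pull" {
  scope                = azurerm_container_registry.sandbox.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.mi["cluster-mi"].principal_id
}

# team-mi manages the registry resource (control plane); Contributor is bound to
# the registry only (an assumed scope), never to the subscription.
resource "azurerm_role_assignment" "team_contributor" {
  scope                = azurerm_container_registry.sandbox.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.mi["team-mi"].principal_id
}
```

After `terraform apply`, `az role assignment list --scope <registry id>` should show exactly these three assignments and nothing broader, which is the check to run when a team asks for a wider scope.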