A central cloud operations team deploys a sandbox for a developer team.
Note: the Managed Identities below are shown only to illustrate the example scenario considerations described later; the Terraform scripts in this repository do not create them.
The Terraform scripts in this repository deploy:
Resource | Description |
---|---|
Azure Resource Group | Sandbox logical and security boundary |
Azure Key Vault | Can be pre-populated with credentials for team |
Azure Container Registry | Team stores their Docker images here |
This repo does not do much because it is a demo. In real life, however, the most common use case is to bootstrap a sandbox that is pre-configured to connect to shared resources, especially networking (think hub-and-spoke architectures).
Here are some other considerations to think about.
- What permissions, at which scope, do teams receive? Why?
- Why should every team get their own Azure Container Registry?
As an exercise, imagine we also bootstrap the following:
Managed Identity | Role | Description |
---|---|---|
ci-mi | AcrPush | CI/CD tools need to push images |
cluster-mi | AcrPull | Tools, e.g. a Kubernetes cluster, need to be able to pull images |
team-mi | Contributor | The team needs to manage this resource |
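As an added illustration (not code from this repository), the three identities and role assignments in the table above could be expressed in Terraform like this. The resource group, registry and identity names, the `team` and `location` variables, and the choice to scope `team-mi`'s Contributor assignment to the resource group rather than to the registry alone are assumptions made for the example; the table does not fix them.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Illustrative inputs; the real team name and region are assumptions here.
variable "team" {
  type    = string
  default = "team-a"
}

variable "location" {
  type    = string
  default = "westeurope"
}

# The sandbox boundary: one resource group per team.
resource "azurerm_resource_group" "sandbox" {
  name     = "rg-${var.team}-sandbox"
  location = var.location
}

# The team's own registry. The admin user is disabled on purpose so that the
# only way to push or pull is through an identity that holds an RBAC assignment,
# not through a shared username/password that anyone could copy around.
resource "azurerm_container_registry" "team" {
  name                = "acr${replace(var.team, "-", "")}"
  resource_group_name = azurerm_resource_group.sandbox.name
  location            = azurerm_resource_group.sandbox.location
  sku                 = "Basic"
  admin_enabled       = false
}

# One user-assigned managed identity per row of the table above.
resource "azurerm_user_assigned_identity" "ci" {
  name                = "ci-mi"
  resource_group_name = azurerm_resource_group.sandbox.name
  location            = azurerm_resource_group.sandbox.location
}

resource "azurerm_user_assigned_identity" "cluster" {
  name                = "cluster-mi"
  resource_group_name = azurerm_resource_group.sandbox.name
  location            = azurerm_resource_group.sandbox.location
}

resource "azurerm_user_assigned_identity" "team" {
  name                = "team-mi"
  resource_group_name = azurerm_resource_group.sandbox.name
  location            = azurerm_resource_group.sandbox.location
}

# Scope is the point: AcrPush and AcrPull are granted on the registry itself,
# not on the resource group, so ci-mi and cluster-mi can touch nothing else in
# the sandbox (including the Key Vault).
resource "azurerm_role_assignment" "ci_push" {
  scope                = azurerm_container_registry.team.id
  role_definition_name = "AcrPush"
  principal_id         = azurerm_user_assigned_identity.ci.principal_id
}

resource "azurerm_role_assignment" "cluster_pull" {
  scope                = azurerm_container_registry.team.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.cluster.principal_id
}

# team-mi manages the sandbox as a whole, so its Contributor assignment is
# scoped to the resource group (an assumption; scoping it to the registry
# alone would be the tighter choice if that is all the team must manage).
resource "azurerm_role_assignment" "team_contributor" {
  scope                = azurerm_resource_group.sandbox.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.team.principal_id
}
```

Two checks worth making after `terraform apply`: the registry should report `adminUserEnabled: false`, and `team-mi` should not be able to add role assignments, because the built-in Contributor role excludes `Microsoft.Authorization/*/Write`. That second property is what keeps a team-scoped Contributor from widening its own permissions or handing AcrPush to an identity the central team never reviewed.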
For additional details see the following documentation:
Bonus Question
Why does team-mi have a solid, blue-colored border? How is it different from the other two managed identities illustrated above?
This is an example for learning DevOps in real life. It is neither a reference implementation nor reference architecture.