diff --git a/infra/settings/resourceOrganization/azureResources.yaml b/infra/settings/resourceOrganization/azureResources.yaml
index 4e1fca3b..26684176 100644
--- a/infra/settings/resourceOrganization/azureResources.yaml
+++ b/infra/settings/resourceOrganization/azureResources.yaml
@@ -1,32 +1,17 @@
-# yaml-language-server: $schema=./azureResources.shema.json
-#
-# Microsoft Dev Box accelerator: Resource Groups Configuration
-# =======================================================
-#
-# Purpose: Defines the resource group organization structure for environments.
-# This configuration aligns with Azure Landing Zone principles by segregating resources
-# based on their functional purpose (workload, security, monitoring, connectivity).
-#
+# azureResources.yaml
+# -------------------------------------------------------
+# Purpose: Defines resource group organization for Dev Box environments.
+# Follows Azure Landing Zone principles for segregation by function.
 # References:
 # - Microsoft Dev Box accelerator: https://evilazaro.github.io/DevExp-DevBox/docs/configureresources/resourceorganization/
 # - Azure Landing Zones: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/
 # - Azure Resource Groups: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal
 # Workload Resource Group
-# -----------------------
-# Purpose: Contains the primary Dev Box workload resources including:
-# - Dev Center resources
-# - Dev Box definitions
-# - Dev Box pools
-# - Project resources
-#
-# Best practice: Separate application workloads from infrastructure components
-# to enable independent scaling, access control, and lifecycle management.
-workload:
+workload: # Main application resources
 create: true
 name: devexp-workload
 description: prodExp
- tags:
 environment: dev # Deployment environment (dev, test, prod)
 division: Platforms # Business division responsible for the resource
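Review bot: The `tags:` key under `workload:` is removed (`- tags:`) with nothing replacing it on the new side, so `environment:`, `division:` and the remaining tag keys are no longer nested under a `tags` mapping; the same removal appears under `security:` and `monitoring:` in the next hunk, while security.yaml in this same commit keeps its `tags:` block. Depending on how the surviving lines are indented this either fails to parse or silently promotes the tag keys to siblings of `create`/`name`/`description`, which the schema and whatever consumes this file are unlikely to accept. If the intent was only to add comments, the one line to restore in each of the three groups is `  tags:` between `description: prodExp` and `environment: dev`. The hunk also drops the `# yaml-language-server: $schema=` modeline together with the old header, so the editor-side validation that would have flagged this structural change is gone as well; keeping that modeline as the first line is worth it.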
@@ -38,51 +23,31 @@ workload:
 resources: ResourceGroup # Resource type
 # Security Resource Group
-# ----------------------
-# Purpose: Contains security-related resources including:
-# - Key Vaults for secret management
-# - Microsoft Defender for Cloud configurations
-# - Network Security Groups
-# - Private endpoints
-#
-# Best practice: Isolate security resources to apply stricter access controls
-# and enable separate monitoring/auditing of security components.
-security:
+security: # Security-related resources (Key Vaults, NSGs, Defender, etc.)
 create: true
 name: devexp-security
 description: prodExp
- tags:
- environment: dev
- division: Platforms
- team: DevExP
- project: Contoso-DevExp-DevBox
- costCenter: IT
- owner: Contoso
- landingZone: Workload
- resources: ResourceGroup
+ environment: dev # Deployment environment
+ division: Platforms # Business division
+ team: DevExP # Team
+ project: Contoso-DevExp-DevBox # Project name
+ costCenter: IT # Cost center
+ owner: Contoso # Owner
+ landingZone: Workload # Landing zone
+ resources: ResourceGroup # Resource type
 # Monitoring Resource Group
-# ------------------------
-# Purpose: Contains monitoring and observability resources including:
-# - Log Analytics workspaces
-# - Application Insights components
-# - Azure Monitor alerts and action groups
-# - Dashboard and reporting resources
-#
-# Best practice: Centralize monitoring resources to provide a unified view
-# of operational health and simplify diagnostic activities.
-monitoring:
+monitoring: # Monitoring and observability resources
 create: true
 name: devexp-monitoring
 description: prodExp
- tags:
- environment: dev
- division: Platforms
- team: DevExP
- project: Contoso-DevExp-DevBox
- costCenter: IT
- owner: Contoso
- landingZone: Workload
- resources: ResourceGroup
\ No newline at end of file
+ environment: dev # Deployment environment
+ division: Platforms # Business division
+ team: DevExP # Team
+ project: Contoso-DevExp-DevBox # Project name
+ costCenter: IT # Cost center
+ owner: Contoso # Owner
+ landingZone: Workload # Landing zone
+ resources: ResourceGroup # Resource type
\ No newline at end of file
diff --git a/infra/settings/security/security.yaml b/infra/settings/security/security.yaml
index 974f1084..38866eb1 100644
--- a/infra/settings/security/security.yaml
+++ b/infra/settings/security/security.yaml
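Review bot: The rewritten tag lines set `landingZone: Workload` on both the security and the monitoring resource groups, while the Key Vault in security.yaml in this same commit is tagged `landingZone: security`; any cost, policy or inventory reporting keyed on that tag would file the security group under the workload landing zone. If the tag is meant to reflect the group's function, as the `# Security Resource Group` and `# Monitoring Resource Group` headings suggest, the lines to change are `landingZone: security # Landing zone` under `security:` and `landingZone: monitoring # Landing zone` under `monitoring:`, provided the schema accepts those values, which is not visible here. The new trailing comments (`# Team`, `# Owner`, `# Landing zone`) only restate the key names; either drop them or keep the descriptive wording the workload group still has (`# Business division responsible for the resource`).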
@@ -1,40 +1,39 @@
+ # yaml-language-server: $schema=./security.schema.json
-#
+# -------------------------------------------------------
 # Azure Key Vault Configuration
-# ----------------------------
-# This file defines the configuration for an Azure Key Vault resource
-# used for storing sensitive credentials and secrets in the development environment.
-
-# Purpose: Centralized management of secrets, keys, and certificates\
-# for secure access by applications and services in the Contoso development environment.
-# References:
+# -------------------------------------------------------
+# Purpose: Centralized management of secrets, keys, and certificates for secure access by applications and services in the Contoso development environment.
+# This file defines the configuration for an Azure Key Vault resource used for storing sensitive credentials and secrets in the development environment.
+#
+# References:
 # - Microsoft Dev Box accelerator: https://evilazaro.github.io/DevExp-DevBox/docs/configureresources/security/
 # - Azure Key Vault documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts
 # - Azure Key Vault best practices: https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices
-# Whether to create the Key Vault resource
+# Top-level flag: Should the Key Vault resource be created?
 create: true
-# Key Vault configuration
+# Key Vault configuration block
 keyVault:
 # Basic settings
- name: contoso # Name of the Key Vault (must be globally unique)
- description: Development Environment Key Vault # Purpose of this Key Vault
- secretName: gha-token # Name of the GitHub Actions token secret
+ name: contoso # Globally unique Key Vault name
+ description: Development Environment Key Vault # Purpose of this Key Vault
+ secretName: gha-token # Name of the GitHub Actions token secret
 # Security settings
- enablePurgeProtection: true # Prevents permanent deletion of secrets even by authorized users
- enableSoftDelete: true # Enables recovery of deleted secrets within retention period
- softDeleteRetentionInDays: 7 # Number of days deleted secrets remain recoverable (7-90 days)
- enableRbacAuthorization: true # Uses Azure RBAC for access control instead of vault access policies
+ enablePurgeProtection: true # Prevent permanent deletion of secrets
+ enableSoftDelete: true # Allow recovery of deleted secrets within retention period
+ softDeleteRetentionInDays: 7 # Retention period for deleted secrets (7-90 days)
+ enableRbacAuthorization: true # Use Azure RBAC for access control
- # Resource organization
+ # Resource organization tags
 tags:
- environment: dev # Deployment environment (dev/test/staging/prod)
- division: Platforms # Organizational division responsible for this resource
- team: DevExP # Team that owns this resource
- project: Contoso-DevExp-DevBox # Project associated with this resource
- costCenter: IT # Cost center for billing and chargeback
- owner: Contoso # Resource owner
- landingZone: security # Azure landing zone classification
- resources: ResourceGroup # Resource grouping identifier
\ No newline at end of file
+ environment: dev # Deployment environment (dev/test/staging/prod)
+ division: Platforms # Organizational division
+ team: DevExP # Owning team
+ project: Contoso-DevExp-DevBox # Associated project
+ costCenter: IT # Cost 
center for billing
+ owner: Contoso # Resource owner
+ landingZone: security # Azure landing zone classification
+ resources: ResourceGroup # Resource grouping identifier
\ No newline at end of file
diff --git a/infra/settings/workload/devcenter.yaml b/infra/settings/workload/devcenter.yaml
index c66b62fa..d946b8eb 100644
--- a/infra/settings/workload/devcenter.yaml
+++ b/infra/settings/workload/devcenter.yaml
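Review bot: The rewritten comment on `enablePurgeProtection: true` loses the one property an operator needs before deploying: purge protection cannot be turned off once enabled on a vault, and combined with `softDeleteRetentionInDays: 7` it means a deleted vault or secret cannot be purged for seven days, which also keeps the vault name `contoso` reserved for that window. Suggest `enablePurgeProtection: true  # Blocks purge of the vault and its secrets during the retention period; cannot be disabled once set`. The old comment on `enableRbacAuthorization` also recorded what is being replaced, which the new one drops; `enableRbacAuthorization: true  # Azure RBAC data-plane authorization instead of vault access policies` keeps that information.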
@@ -171,36 +171,37 @@ projects:
 - name: "eShop"
 description: "eShop project."
+ # Network configuration for eShop project
 network:
- name: eShop
- create: true
- resourceGroupName: "eShop-connectivity-RG"
- virtualNetworkType: Managed
+ name: eShop # Name of the virtual network
+ create: true # Should the network be created?
+ resourceGroupName: "eShop-connectivity-RG" # Resource group for network
+ virtualNetworkType: Managed # Type of virtual network
 addressPrefixes:
- - 10.0.0.0/16
+ - 10.0.0.0/16 # Address space for VNet
 subnets:
- - name: identityProvider-subnet
+ - name: eShop-subnet # Subnet name
 properties:
- addressPrefix: 10.0.1.0/24
+ addressPrefix: 10.0.1.0/24 # Subnet address range
 tags:
- environment: dev
- division: Platforms
- team: DevExP
- project: DevExP-DevBox
- costCenter: IT
- owner: Contoso
- resources: Network
+ environment: dev # Deployment environment
+ division: Platforms # Organizational division
+ team: DevExP # Team responsible
+ project: DevExP-DevBox # Project name
+ costCenter: IT # Cost center for billing
+ owner: Contoso # Resource owner
+ resources: Network # Resource type identifier
 # Project identity configuration - controls project-level security
 identity:
- type: SystemAssigned
+ type: SystemAssigned # Managed identity type
 roleAssignments:
- - azureADGroupId: "9d42a792-2d74-441d-8bcb-71009371725f"
- azureADGroupName: "eShop Developers"
+ - azureADGroupId: "9d42a792-2d74-441d-8bcb-71009371725f" # Azure AD group ID
+ azureADGroupName: "eShop Developers" # Azure AD group name
 azureRBACRoles:
- - name: "Contributor"
- id: "b24988ac-6180-42a0-ab88-20f7382dd24c"
- scope: Project
+ - name: "Contributor" # RBAC role name
+ id: "b24988ac-6180-42a0-ab88-20f7382dd24c" # RBAC role ID
+ scope: Project # Role scope
 - name: "Dev Box User"
 id: "45d50f46-0b78-4001-a660-4198cbe8cd05"
 scope: Project
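Review bot: `- name: identityProvider-subnet` becomes `- name: eShop-subnet` in a hunk that otherwise only appends comments, so a functional change to the network definition is hidden in what reads as a documentation commit. If this VNet has already been deployed, a subnet rename is presumably a delete-and-recreate of the subnet rather than an in-place update, and that should be stated in the commit description. Separately, the new comments on the role assignment restate the key names (`# RBAC role name`, `# RBAC role ID`) but say nothing about why the `eShop Developers` group receives `Contributor` at `Project` scope on top of `Dev Box User`; Contributor allows members to modify the project's pools and definitions, so a short why-comment would let the next reviewer judge whether the narrower role alone is enough, e.g. `- name: "Contributor"  # Lets eShop Developers manage project pools/definitions; drop if Dev Box User suffices`.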
@@ -217,21 +218,21 @@ projects:
 # Dev Box pools - collections of Dev Boxes with specific configurations
 # Best practice: Create role-specific pools with appropriate tools and settings
 pools:
- - name: "backend-engineer"
- imageDefinitionName: "eShop-backend-engineer"
- vmSku: general_i_32c128gb512ssd_v2
- - name: "frontend-engineer"
- imageDefinitionName: "eShop-frontend-engineer"
- vmSku: general_i_16c64gb256ssd_v2
+ - name: "backend-engineer" # Pool for backend engineers
+ imageDefinitionName: "eShop-backend-engineer" # Image definition for backend
+ vmSku: general_i_32c128gb512ssd_v2 # VM SKU for backend pool
+ - name: "frontend-engineer" # Pool for frontend engineers
+ imageDefinitionName: "eShop-frontend-engineer" # Image definition for frontend
+ vmSku: general_i_16c64gb256ssd_v2 # VM SKU for frontend pool
 # Project-specific environment types
 # Defines which deployment environments are available to the project
 environmentTypes:
- - name: "dev"
+ - name: "dev" # Development environment
 deploymentTargetId: ""
- - name: "staging"
+ - name: "staging" # Staging environment
 deploymentTargetId: ""
- - name: "UAT"
+ - name: "UAT" # User Acceptance Testing environment
 deploymentTargetId: ""
 # Project-specific catalogs - repositories containing project configurations