├── .gitattributes ├── .github └── workflows │ ├── build.yml │ └── pull-request.yml ├── .gitignore ├── .pre-commit-config.yaml ├── .terraform-docs.yml ├── LICENSE ├── README.md ├── amplify.yml ├── amplify ├── config.tf └── main.tf ├── compliance ├── README.md └── cfmm │ ├── README.md │ ├── cost-management │ ├── billing-to-different-legal-entities.md │ ├── budget-approval-process.md │ ├── chargeback-at-full-cost-allocation.md │ ├── chargeback-via-consumption-cost-allocation.md │ ├── consumption-based-pay-per-use-for-internal-services.md │ ├── global-cost-optimization-via-reservations.md │ ├── individual-project-cost-optimization-via-reservations.md │ ├── monthly-cloud-project-billing-report.md │ ├── monthly-cloud-project-carbon-footprint-report.md │ ├── monthly-cloud-tenant-billing-report.md │ ├── pay-per-use-for-internal-services.md │ ├── private-cloud-pay-per-use-chargeback.md │ └── quota-management.md │ ├── iam │ ├── federated-identity-and-authentication.md │ ├── identity-and-access-management-alignment.md │ ├── identity-lifecycle-management.md │ ├── privileged-access-management.md │ ├── resource-authorization-management.md │ └── service-account-management.md │ ├── security-and-compliance │ ├── centralized-audit-logs.md │ ├── centralized-workload-and-infrastructure-logs.md │ ├── certified-isms-compliance.md │ ├── cloud-resource-tagging.md │ ├── cloud-siem.md │ ├── cloud-tenant-tagging.md │ ├── control-access-to-landing-zones.md │ ├── guided-cloud-onboarding.md │ ├── incident-management-process.md │ ├── multi-cloud-tagging-policy.md │ ├── resource-configuration-policies.md │ ├── resource-configuration-scanning.md │ ├── service-and-location-restrictions.md │ ├── shared-responsibility-model-alignment.md │ └── soc-integration.md │ ├── service-ecosystem │ ├── 3rd-party-paas-service-integration.md │ ├── api-gateway-to-on-premises-apis.md │ ├── cloud-to-cloud-interconnects.md │ ├── foundation-service-platform.md │ ├── in-house-paas-service-integration.md │ ├── 
individual-service-provisioning.md │ ├── internal-service-marketplace.md │ ├── kubernetes-cluster-as-a-service.md │ ├── managed-bastion-hosts.md │ ├── managed-cloud-provider-support-contracts.md │ ├── managed-data-lake-access.md │ ├── managed-devops-toolchain.md │ ├── managed-dns-services.md │ ├── managed-internet-egress.md │ ├── managed-key-vault.md │ ├── managed-ssl-certificates.md │ ├── on-premise-network-connection.md │ ├── shared-container-registry.md │ ├── shared-vm-image-repository.md │ ├── tenant-to-tenant-transit-networks.md │ ├── virtual-machine-service.md │ └── virtual-network-service.md │ ├── tenant-management │ ├── cloud-native-landing-zone.md │ ├── cloud-tenant-database.md │ ├── container-platform-landing-zone.md │ ├── data-science-landing-zone.md │ ├── lift-and-shift-landing-zone.md │ ├── link-cloud-tenants-to-cmdbeam.md │ ├── modular-landing-zones.md │ ├── multi-cloud-tenant-database-integrated-with-lifecycle-management.md │ ├── playground-sandbox-environments.md │ ├── resource-hierarchy.md │ ├── self-service-multi-cloud-tenant-database.md │ ├── tenant-deprovisioning-decommissioning.md │ ├── tenant-inventory-reconciliation.md │ └── tenant-provisioning.md │ ├── update.sh │ └── update.ts ├── docs ├── .gitignore ├── .vuepress │ ├── config.ts │ ├── public │ │ ├── images │ │ │ └── hero.png │ │ └── robots.txt │ └── theme │ │ └── plugins │ │ └── plausible │ │ ├── client │ │ ├── clientAppSetup.ts │ │ ├── composables │ │ │ ├── index.ts │ │ │ ├── setupPlausible.ts │ │ │ └── usePlausible.ts │ │ └── index.ts │ │ ├── index.ts │ │ └── shared │ │ ├── index.ts │ │ └── types.ts ├── README.md ├── assets │ └── modular-landing-zone.png ├── concept │ ├── README.md │ ├── bootstrapping.md │ ├── compliance.md │ ├── goals.md │ └── modular-landing-zones.md ├── guide │ ├── README.md │ ├── best-practices.md │ ├── faq.md │ ├── how-to-compliance.md │ ├── how-to-document.md │ └── how-to-kit-module.md ├── modules │ └── README.md ├── package-lock.json ├── package.json ├── reference 
│ ├── assets │ │ ├── collie-tenant-analyze-tags.png │ │ ├── collie-tenant-costs.png │ │ ├── collie-tenant-iam.png │ │ └── collie-tenant-list.png │ ├── compliance-commands.md │ ├── foundation-commands.md │ ├── kit-commands.md │ ├── repository.md │ └── tenant-commands.md └── tutorial │ ├── README.md │ ├── assets │ ├── collie-foundation-new-add-platform.png │ └── collie-foundation-new.png │ └── deploy-first-module.md ├── flake.lock ├── flake.nix └── kit ├── README.md ├── aks └── buildingblocks │ ├── github-connector │ ├── backplane │ │ ├── main.tf │ │ ├── output.tf │ │ ├── variables.tf │ │ └── versions.tf │ └── buildingblock │ │ ├── .gitignore │ │ ├── github.tf │ │ ├── kubernetes.tf │ │ ├── repo_content │ │ ├── Dockerfile │ │ └── workflow.yml │ │ ├── variables.tf │ │ └── versions.tf │ └── postgresql │ ├── backplane │ ├── kubernetes.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf │ └── buildingblock │ ├── .gitignore │ ├── main.tf │ ├── variables.tf │ └── versions.tf ├── aws ├── admin-accounts │ └── root │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── main.tf │ │ ├── modules │ │ ├── billing-admins │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── variables.tf │ │ └── organization-policies │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ └── variables.tf │ │ ├── variables.tf │ │ └── versions.tf ├── bootstrap │ ├── README.md │ ├── cfn-tf-deploy.policy.json │ ├── documentation.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── buildingblocks │ └── s3_bucket │ │ ├── backplane │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── iam.tf │ │ ├── outputs.tf │ │ └── versions.tf │ │ └── buildingblock │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── provider.tf │ │ ├── terragrunt.tftest.hcl │ │ ├── variables.tf │ │ └── versions.tf └── util │ └── iam-user │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── azure ├── aviatrix │ ├── README.md │ ├── aviatrix.spn.tf │ ├── documentation.tf │ ├── outputs.tf │ 
├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ ├── variables.tf │ └── versions.tf ├── billing │ ├── README.md │ ├── documentation.tf │ ├── outputs.tf │ ├── resources.alert.tf │ ├── resources.group.tf │ ├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ ├── variables.tf │ └── versions.tf ├── bootstrap │ ├── README.md │ ├── documentation.tf │ ├── main.tf │ ├── outputs.tf │ ├── resources.docs-uami.tf │ ├── resources.groups.tf │ ├── resources.key-vault.tf │ ├── resources.validation-uami.tf │ ├── template │ │ ├── platform-module │ │ │ └── terragrunt.hcl │ │ └── platform │ │ │ └── platform.hcl │ ├── terraform-state │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf │ ├── variables.tf │ └── versions.tf ├── buildingblocks │ ├── automation │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── resources.bb-spn.tf │ │ ├── resources.tfstates.tf │ │ ├── template │ │ │ └── platform-module │ │ │ │ └── terragrunt.hcl │ │ └── variables.tf │ ├── budget-alert │ │ ├── README.md │ │ ├── backplane │ │ │ ├── README.md │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ │ └── buildingblock │ │ │ ├── budget-alert.tftest.hcl │ │ │ ├── icon.svg │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── template │ │ │ └── platform-module │ │ │ │ └── terragrunt.hcl │ │ │ ├── variables.tf │ │ │ └── versions.tf │ ├── connectivity │ │ ├── README.md │ │ ├── backplane │ │ │ ├── README.md │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── template │ │ │ │ └── platform-module │ │ │ │ │ └── terragrunt.hcl │ │ │ ├── variables.tf │ │ │ └── versions.tf │ │ └── buildingblock │ │ │ ├── connectivity.tftest.hcl │ │ │ ├── icon.png │ │ │ ├── main.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ ├── custom-permissions │ │ ├── backplane │ │ │ ├── README.md │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ 
└── versions.tf │ │ └── buildingblock │ │ │ ├── custom-permissions.tftest.hcl │ │ │ ├── main.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ ├── github-repo │ │ ├── README.md │ │ ├── backplane │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ ├── template │ │ │ │ └── platform-module │ │ │ │ │ └── terragrunt.hcl │ │ │ ├── terragrunt.hcl │ │ │ └── variables.tf │ │ └── buildingblock │ │ │ ├── README.md │ │ │ ├── icon.png │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── provider.tf │ │ │ └── variables.tf │ ├── key-vault │ │ ├── backplane │ │ │ ├── README.md │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ │ └── buildingblock │ │ │ ├── README.md │ │ │ ├── key-vault.tftest.hcl │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ ├── postgresql-database │ │ └── buildingblock │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ ├── postgresql │ │ ├── backplane │ │ │ ├── README.md │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ │ └── buildingblock │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ ├── starterkit │ │ ├── backplane │ │ │ ├── README.md │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── resources.bbtfstate.tf │ │ │ ├── resources.github.tf │ │ │ ├── resources.starterkit-spn.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ │ └── buildingblock │ │ │ ├── .gitignore │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── resources.azure.app.tf │ │ │ ├── resources.azure.cicd.tf │ │ │ ├── resources.github.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ └── subscription │ │ ├── README.md │ │ ├── backplane │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── template │ │ │ └── platform-module │ │ │ │ └── terragrunt.hcl │ │ ├── variables.tf │ │ └── 
versions.tf │ │ ├── buildingblock │ │ ├── main.tf │ │ ├── variables.tf │ │ └── versions.tf │ │ └── template │ │ └── platform-module │ │ └── terragrunt.hcl ├── landingzones │ ├── cloud-native │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── template │ │ │ └── platform-module │ │ │ │ └── terragrunt.hcl │ │ ├── variables.tf │ │ └── versions.tf │ ├── container-platform │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── lib │ │ │ └── policy_assignments │ │ │ │ └── policy_assignment_kubernetes_pod_security_baseline.tmpl.json │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── template │ │ │ └── platform-module │ │ │ │ └── terragrunt.hcl │ │ ├── variables.tf │ │ └── versions.tf │ ├── corp-online │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── lib │ │ │ └── corp │ │ │ │ ├── policy_assignments │ │ │ │ ├── policy_assignment_es_audit_network_changes.tmpl.json │ │ │ │ ├── policy_assignment_es_audit_pednszones.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_hybridnetworking.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_peering_to_non_approved.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_public_endpoints.tmpl.json │ │ │ │ ├── policy_assignment_es_deny_public_ip_on_nic.tmpl.json │ │ │ │ └── policy_assignment_es_deploy_private_dns_zones.tmpl.json │ │ │ │ ├── policy_definitions │ │ │ │ ├── policy_definition_es_audit_network_changes.json │ │ │ │ ├── policy_definition_es_audit_privatelinkdnszones.json │ │ │ │ ├── policy_definition_es_deny_private_dns_zones.json │ │ │ │ └── policy_definition_es_deny_vnet_peering_to_non_approved_vnets.json │ │ │ │ └── policy_sets │ │ │ │ ├── policy_set_definition_es_deny_publicpaasendpoints.tmpl.json │ │ │ │ └── policy_set_definition_es_deploy_private_dns_zones.tmpl.json │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── template │ │ │ └── platform-module │ │ │ │ └── terragrunt.hcl │ │ └── variables.tf │ ├── sandbox │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── lib │ │ │ ├── policy_assignments │ │ │ │ └── 
policy_assignment_es_enforce_alz_sandbox.tmpl.json │ │ │ ├── policy_definitions │ │ │ │ └── policy_definition_es_deny_vnet_peer_cross_sub.json │ │ │ └── policy_sets │ │ │ │ └── policy_set_definition_es_enforce_alz_sandbox.tmpl.json │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── template │ │ │ └── platform-module │ │ │ │ └── terragrunt.hcl │ │ ├── variables.tf │ │ └── versions.tf │ └── serverless │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── lib │ │ ├── policy_assignments │ │ │ ├── policy_assignment_collie_allow_only_serverless_resources.tmpl.json │ │ │ └── policy_assignment_es_deny_storage_http.tmpl.json │ │ └── policy_definitions │ │ │ └── policy_definition_collie_allow_only_serverless_resources.json │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ │ └── variables.tf ├── logging │ ├── README.md │ ├── documentation.tf │ ├── lib │ │ └── policy_assignments │ │ │ └── policy_assignment_es_deploy_azactivity_log.tmpl.json │ ├── main.tf │ ├── outputs.tf │ ├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ ├── variables.tf │ └── versions.tf ├── meshplatform │ ├── README.md │ ├── documentation.tf │ ├── main.tf │ ├── outputs.tf │ ├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ └── variables.tf ├── networking │ ├── README.md │ ├── documentation.tf │ ├── locals.tf │ ├── outputs.tf │ ├── resources.firewall.tf │ ├── resources.group.tf │ ├── resources.network.tf │ ├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ ├── variables.tf │ └── versions.tf ├── organization-hierarchy │ ├── README.md │ ├── documentation.tf │ ├── lib │ │ ├── policy_assignments │ │ │ ├── policy_assignment_es_audit_rsg_locations.tmpl.json │ │ │ ├── policy_assignment_es_deny_classic_resources.tmpl.json │ │ │ ├── policy_assignment_es_deny_resource_locations.tmpl.json │ │ │ ├── policy_assignment_es_deny_rsg_locations.tmpl.json │ │ │ ├── policy_assignment_es_deny_storage_http.tmpl.json │ │ │ ├── 
policy_assignment_es_deny_subnet_without_nsg.tmpl.json │ │ │ ├── policy_assignment_es_enforce_gr_keyvault.tmpl.json │ │ │ └── policy_assignment_es_enforce_tls_ssl.tmpl.json │ │ ├── policy_definitions │ │ │ ├── policy_definition_es_append_appservice_httpsonly.json │ │ │ ├── policy_definition_es_append_appservice_latesttls.json │ │ │ ├── policy_definition_es_append_redis_disablenonsslport.json │ │ │ ├── policy_definition_es_append_redis_sslenforcement.json │ │ │ ├── policy_definition_es_deny_appserviceapiapp_http.json │ │ │ ├── policy_definition_es_deny_appservicefunctionapp_http.json │ │ │ ├── policy_definition_es_deny_appservicewebapp_http.json │ │ │ ├── policy_definition_es_deny_mysql_http.json │ │ │ ├── policy_definition_es_deny_postgresql_http.json │ │ │ ├── policy_definition_es_deny_redis_http.json │ │ │ ├── policy_definition_es_deny_sql_mintls.json │ │ │ ├── policy_definition_es_deny_sqlmi_mintls.json │ │ │ ├── policy_definition_es_deny_storage_mintls.json │ │ │ ├── policy_definition_es_deny_subnet_without_nsg.json │ │ │ ├── policy_definition_es_deploy_mysql_sslenforcement.json │ │ │ ├── policy_definition_es_deploy_postgresql_sslenforcement.json │ │ │ ├── policy_definition_es_deploy_sql_mintls.json │ │ │ ├── policy_definition_es_deploy_sqlmi_mintls.json │ │ │ └── policy_definition_es_deploy_storage_sslenforcement.json │ │ └── policy_sets │ │ │ ├── policy_set_definition_es_enforce_encrypttransit.tmpl.json │ │ │ └── policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json │ ├── main.tf │ ├── outputs.tf │ ├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ ├── variables.tf │ └── versions.tf ├── pam │ ├── README.md │ ├── documentation.tf │ ├── main.tf │ ├── resources.memberships.tf │ ├── template │ │ └── platform-module │ │ │ └── terragrunt.hcl │ ├── variables.tf │ └── versions.tf ├── tenants │ ├── README.md │ ├── subscription │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf │ ├── tenant-example-network │ │ ├── 
README.md │ │ └── template │ │ │ └── platform-module │ │ │ ├── documentation.tf │ │ │ ├── main.tf │ │ │ └── terragrunt.hcl │ └── tenant-example │ │ ├── README.md │ │ └── template │ │ └── platform-module │ │ ├── documentation.tf │ │ ├── main.tf │ │ └── terragrunt.hcl └── util │ └── azure-policies │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── resources.policy_assignments.tf │ ├── resources.policy_definitions.tf │ ├── resources.policy_sets.tf │ └── variables.tf ├── foundation └── docs │ ├── README.md │ ├── main.tf │ ├── template │ └── platform-module │ │ ├── terragrunt.hcl │ │ └── vuepress │ │ ├── docs │ │ ├── .vuepress │ │ │ └── config.ts │ │ ├── README.md │ │ └── concepts.md │ │ └── package.json │ ├── variables.tf │ └── versions.tf ├── gcp ├── admin │ ├── billing-account │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── main.tf │ │ ├── modules │ │ │ └── collie-billing-view │ │ │ │ ├── README.md │ │ │ │ ├── main.tf │ │ │ │ ├── outputs.tf │ │ │ │ └── variables.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf │ └── organization │ │ ├── README.md │ │ ├── documentation.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── versions.tf └── bootstrap │ ├── README.md │ ├── documentation.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── github ├── icon.png └── repository │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── provider.tf │ └── variables.tf ├── ionos └── virtual-data-center │ ├── README.md │ ├── config.tf │ ├── icon.png │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── ovh ├── bootstrap │ ├── README.md │ ├── documentation.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf └── buildingblocks │ ├── projects │ └── buildingblock │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf │ └── projects_users │ └── buildingblock │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── projects.tftest.hcl │ ├── variables.tf │ └── versions.tf ├── sap-btp ├── icon.png └── 
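subaccount │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── provider.tf │ └── variables.tf └── stackit ├── bootstrap ├── README.md ├── documentation.tf ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf └── buildingblocks └── projects └── buildingblock ├── README.md ├── main.tf ├── outputs.tf ├── projects.tftest.hcl ├── variables.tf └── versions.tf
/.gitattributes:
--------------------------------------------------------------------------------
# Force LF file endings for all text files
* text eol=lf

# Denote all files that are truly binary and should not be modified.
*.png binary
*.jpg binary
--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
name: build
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  merge_group:

# Least privilege for the default GITHUB_TOKEN: this job only checks out the
# repository and runs pre-commit, so read access to contents is all it needs.
permissions:
  contents: read

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # NOTE(security): `@main` is a mutable ref, so every run executes whatever
      # the upstream branch currently points at. Pin this (and the other
      # third-party actions below) to a release tag or, preferably, a full
      # commit SHA, and let a dependency bot bump it.
      - uses: meshcloud/setup-collie@main

      - uses: nixbuild/nix-quick-install-action@v26
        with:
          nix_on_tmpfs: true

      - uses: rrbutani/use-nix-shell-action@v1
        with:
          devShell: .#github_actions # use a special github actions shell

      - name: ensure all pre-commit hooks pass
        run: pre-commit run --all-files --show-diff-on-failure

--------------------------------------------------------------------------------
/.github/workflows/pull-request.yml:
--------------------------------------------------------------------------------
name: auto pull request

on:
  push:
    branches: [ "feature/auto-backporting" ]

# Least privilege for the default GITHUB_TOKEN: `gh pr list` needs read access
# and `gh pr create` needs write access to pull requests; nothing else is
# touched, so the token does not need the repository-default permission set.
permissions:
  contents: read
  pull-requests: write

jobs:
  pull_request:
    runs-on: ubuntu-latest
    steps:

      - uses: actions/checkout@v4

      - name: Check if PR exists
        id: check_pr
        # `gh pr list` prints one line per open PR for this head branch (and
        # nothing when there are none in a non-TTY job), so a non-zero line
        # count means a PR already exists and we skip creation.
        run: |
          existing_pr=$(gh pr list --state open --head feature/auto-backporting | wc -l)
          if [ "$existing_pr" -gt 0 ]; then
            echo "A pull request for the branch feature/auto-backporting already exists."
          else
            gh pr create --base main --head feature/auto-backporting --draft \
              --title "[latest likvid kits] update latest kits from likvid-cloudfoundation" \
              --body "The latest kits from likvid-cloudfoundation builds on the prod branch."
          fi
        env:
          GH_TOKEN: ${{ github.token }}
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.terraform
# NOTE(review): ignoring the provider lock file means every consumer resolves
# provider versions/hashes fresh. That is the usual choice for a module library,
# but root modules built from these kits should commit their own lock file.
.terraform.lock.hcl
.terragrunt-cache

.idea

# These are autogenerated based on all kits in the collie hub.
docs/modules
!docs/modules/README.md

# Ignoring folders that are autogenerated when running vuepress in the docs kit module.
kit/foundation/docs/template/node_modules
kit/foundation/docs/template/yarn.lock
kit/foundation/docs/template/docs/.vuepress/.cache
kit/foundation/docs/template/docs/.vuepress/.temp

# collie files
.collie
foundations/

# Buildingblock configuration provider
generated-provider.tf
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.81.0
    hooks:
      - id: terraform_docs
        args:
          - --args=--config=.terraform-docs.yml
      - id: terraform_fmt
      - id: terragrunt_fmt
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0 # Use the ref you want to point at
    hooks:
      - id: trailing-whitespace
        exclude: "^compliance/"

--------------------------------------------------------------------------------
/.terraform-docs.yml: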
-------------------------------------------------------------------------------- 1 | formatter: "markdown" # this is required 2 | 3 | version: "" 4 | 5 | recursive: 6 | enabled: false 7 | path: kit 8 | 9 | content: "" 10 | 11 | output: 12 | file: "README.md" 13 | mode: inject 14 | template: |- 15 | 16 | {{ .Content }} 17 | 18 | 19 | sort: 20 | enabled: true 21 | by: name 22 | 23 | sections: 24 | hide: 25 | - providers 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![collie-hub build](https://github.com/meshcloud/collie-hub/actions/workflows/build.yml/badge.svg)](https://github.com/meshcloud/collie-hub/actions/workflows/build.yml) 2 | # Collie Hub 3 | Collie Hub is the place to find ready-to-use kit modules that help you 4 | build cloud landing zones for your organization and accelerate your cloud journey with [Collie CLI](https://github.com/meshcloud/collie-cli). 5 | 6 | ![modular landing zone](./docs/assets/modular-landing-zone.png) 7 | 8 | This repository contains: 9 | 10 | - `/docs` the source code generating the [collie hub website](https://collie.cloudfoundation.org) 11 | - `/kit` a collection of reusable modules implementing common best practices for building [modular landing zones](https://cloudfoundation.meshcloud.io/maturity-model/tenant-management/modular-landing-zones.html) 12 | 13 | ## Community, Discussion, Support 14 | 15 | Collie is a 🌤️ [cloudfoundation.org community](https://cloudfoundation.org/?ref=github-collie-cli) project. Reach out to us on the [cloudfoundation.org slack](http://cloudfoundationorg.slack.com). 
16 | -------------------------------------------------------------------------------- /amplify.yml: -------------------------------------------------------------------------------- 1 | version: 1 2 | frontend: 3 | buildpath: docs 4 | phases: 5 | preBuild: 6 | commands: 7 | - cd docs 8 | - npm ci 9 | build: 10 | commands: 11 | - npm run docs:build 12 | artifacts: 13 | baseDirectory: docs/.vuepress/dist 14 | files: 15 | - '**/*' 16 | cache: 17 | paths: 18 | - docs/node_modules/**/* 19 | -------------------------------------------------------------------------------- /amplify/config.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "gcs" { 3 | bucket = "meshcloud-tf-states" 4 | prefix = "meshcloud-prod/collie-hub/amplify" 5 | } 6 | } -------------------------------------------------------------------------------- /compliance/README.md: -------------------------------------------------------------------------------- 1 | # Compliance 2 | 3 | In this section you can find a reference of the compliance frameworks that we evaluate our cloud foundation against. 4 | 5 | - Cloud Foundation Maturity Model: a description of cloud foundation capabilities 6 | 7 | ## Compliance Statements 8 | 9 | [Kit modules](/kit/) can include compliance statements to document how the module implements the controls imposed by the foundation's compliance framework. Having compliance statements documented in kit modules enables us to generate compliance documentation. 10 | -------------------------------------------------------------------------------- /compliance/cfmm/README.md: -------------------------------------------------------------------------------- 1 | # Cloud Foundation Maturity Model 2 | 3 | The meshcloud Cloud Foundation Maturity Model is a model of cloud foundation capabilities... 4 | 5 | TODO: auto-generate this folder from CFMM database? 
-------------------------------------------------------------------------------- /compliance/cfmm/cost-management/billing-to-different-legal-entities.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Billing to different legal entities 3 | summary: >- 4 | Support billing cloud workloads to different legal entities of an enterprise 5 | for compliance or organizational reasons. 6 | 7 | --- 8 | 9 | # Billing to different legal entities 10 | 11 | Support billing cloud workloads to different legal entities of an enterprise for compliance or organizational reasons. 12 | 13 | Learn more about the [Billing to different legal entities Building Block](https://cloudfoundation.org/maturity-model/cost-management/billing-to-different-legal-entities.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/budget-approval-process.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Budget Approval Process 3 | summary: Budgets are approved by controllers / people with budget responsibility 4 | 5 | --- 6 | 7 | # Budget Approval Process 8 | 9 | Budgets are approved by controllers / people with budget responsibility 10 | 11 | Learn more about the [Budget Approval Process Building Block](https://cloudfoundation.org/maturity-model/cost-management/budget-approval-process.html) on the Cloud Foundation website. 
12 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/chargeback-at-full-cost-allocation.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Chargeback at full cost allocation 3 | summary: >- 4 | Application teams are transparently charged for resource consumption in their 5 | cloud tenant as well as for any shared overhead cost incurred by the cloud 6 | foundation team for providing its services. 7 | 8 | --- 9 | 10 | # Chargeback at full cost allocation 11 | 12 | Application teams are transparently charged for resource consumption in their cloud tenant as well as for any shared overhead cost incurred by the cloud foundation team for providing its services. 13 | 14 | Learn more about the [Chargeback at full cost allocation Building Block](https://cloudfoundation.org/maturity-model/cost-management/chargeback-at-full-cost-allocation.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/chargeback-via-consumption-cost-allocation.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Chargeback via consumption cost allocation 3 | summary: >- 4 | Application teams are transparently charged for the resource consumption as it 5 | is charged from the cloud provider. 6 | 7 | --- 8 | 9 | # Chargeback via consumption cost allocation 10 | 11 | Application teams are transparently charged for the resource consumption as it is charged from the cloud provider. 12 | 13 | Learn more about the [Chargeback via consumption cost allocation Building Block](https://cloudfoundation.org/maturity-model/cost-management/chargeback-via-consumption-cost-allocation.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/consumption-based-pay-per-use-for-internal-services.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Consumption based pay-per-use for internal Services 3 | summary: >- 4 | Enable fine-grained pay-per-use options for managed services offered on the 5 | cloud foundation, e.g. pay per API request, per GB/h stored etc. 6 | 7 | --- 8 | 9 | # Consumption based pay-per-use for internal Services 10 | 11 | Enable fine-grained pay-per-use options for managed services offered on the cloud foundation, e.g. pay per API request, per GB/h stored etc. 12 | 13 | Learn more about the [Consumption based pay-per-use for internal Services Building Block](https://cloudfoundation.org/maturity-model/cost-management/consumption-based-pay-per-use-for-internal-services.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/global-cost-optimization-via-reservations.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Global Cost Optimization via Reservations 3 | summary: >- 4 | Cloud providers offer different programs offering lower pay-per-use rates in 5 | exchange for making spend or resource reservation commitments (e.g. reserved 6 | instances). Centrally plan resource demand to take advantage of cost 7 | optimization opportunities offered by cloud providers. 8 | 9 | --- 10 | 11 | # Global Cost Optimization via Reservations 12 | 13 | Cloud providers offer different programs offering lower pay-per-use rates in exchange for making spend or resource reservation commitments (e.g. reserved instances). Centrally plan resource demand to take advantage of cost optimization opportunities offered by cloud providers. 
14 | 15 | Learn more about the [Global Cost Optimization via Reservations Building Block](https://cloudfoundation.org/maturity-model/cost-management/global-cost-optimization-via-reservations.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/individual-project-cost-optimization-via-reservations.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Individual Project Cost Optimization via Reservations 3 | summary: >- 4 | Enable application teams to take advantage of cloud provider cost optimization 5 | opportunities available on individual cloud tenants like instance 6 | reservations. The chargeback process considers any resulting pre-payments and 7 | benefits out of these reservations. A system is in place to manage associated 8 | utilization risks. 9 | 10 | --- 11 | 12 | # Individual Project Cost Optimization via Reservations 13 | 14 | Enable application teams to take advantage of cloud provider cost optimization opportunities available on individual cloud tenants like instance reservations. The chargeback process considers any resulting pre-payments and benefits out of these reservations. A system is in place to manage associated utilization risks. 15 | 16 | Learn more about the [Individual Project Cost Optimization via Reservations Building Block](https://cloudfoundation.org/maturity-model/cost-management/individual-project-cost-optimization-via-reservations.html) on the Cloud Foundation website. 
17 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/monthly-cloud-project-billing-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Monthly Cloud Project Billing Report 3 | summary: >- 4 | Application teams can view a monthly billing report listing all incurred 5 | charges aggregated across all cloud platforms and cloud services making up 6 | their application. 7 | 8 | --- 9 | 10 | # Monthly Cloud Project Billing Report 11 | 12 | Application teams can view a monthly billing report listing all incurred charges aggregated across all cloud platforms and cloud services making up their application. 13 | 14 | Learn more about the [Monthly Cloud Project Billing Report Building Block](https://cloudfoundation.org/maturity-model/cost-management/monthly-cloud-project-billing-report.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/monthly-cloud-project-carbon-footprint-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Monthly Cloud Project Carbon Footprint Report 3 | summary: >- 4 | Application teams can view a monthly report listing the consumption-based 5 | carbon footprint caused by their cloud usage. This enables sustainability 6 | reporting and gives teams feedback towards achieving sustainability goals. 7 | 8 | --- 9 | 10 | # Monthly Cloud Project Carbon Footprint Report 11 | 12 | Application teams can view a monthly report listing the consumption-based carbon footprint caused by their cloud usage. This enables sustainability reporting and gives teams feedback towards achieving sustainability goals. 
13 | 14 | Learn more about the [Monthly Cloud Project Carbon Footprint Report Building Block](https://cloudfoundation.org/maturity-model/cost-management/monthly-cloud-project-carbon-footprint-report.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/monthly-cloud-tenant-billing-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Monthly cloud tenant billing report 3 | summary: >- 4 | Application teams can view a monthly cloud tenant billing report listing all 5 | incurred charges for cloud resource consumption. 6 | 7 | --- 8 | 9 | # Monthly cloud tenant billing report 10 | 11 | Application teams can view a monthly cloud tenant billing report listing all incurred charges for cloud resource consumption. 12 | 13 | Learn more about the [Monthly cloud tenant billing report Building Block](https://cloudfoundation.org/maturity-model/cost-management/monthly-cloud-tenant-billing-report.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/pay-per-use-for-internal-services.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Pay-per-Use for internal Services 3 | summary: >- 4 | Enable usage based chargeback for internal, managed IT services offered via 5 | the cloud foundation (see Landing Zone building Blocks). Application teams can 6 | book services from a single marketplace and get a single "invoice" for 7 | chargeback. 8 | 9 | --- 10 | 11 | # Pay-per-Use for internal Services 12 | 13 | Enable usage based chargeback for internal, managed IT services offered via the cloud foundation (see Landing Zone building Blocks). Application teams can book services from a single marketplace and get a single "invoice" for chargeback. 
14 | 15 | Learn more about the [Pay-per-Use for internal Services Building Block](https://cloudfoundation.org/maturity-model/cost-management/pay-per-use-for-internal-services.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/private-cloud-pay-per-use-chargeback.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Private Cloud pay-per-use chargeback 3 | summary: >- 4 | Resource consumption on multi-tenant private cloud platforms such as 5 | OpenStack, Cloud Foundry or OpenShift is billed according to a pay-per-use 6 | pricing model. 7 | 8 | --- 9 | 10 | # Private Cloud pay-per-use chargeback 11 | 12 | Resource consumption on multi-tenant private cloud platforms such as OpenStack, Cloud Foundry or OpenShift is billed according to a pay-per-use pricing model. 13 | 14 | Learn more about the [Private Cloud pay-per-use chargeback Building Block](https://cloudfoundation.org/maturity-model/cost-management/private-cloud-pay-per-use-chargeback.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/cost-management/quota-management.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Quota Management 3 | summary: >- 4 | Quotas are a simple mechanism for protecting cloud foundations and application 5 | teams against unforeseen spikes in usage/spend. 6 | 7 | --- 8 | 9 | # Quota Management 10 | 11 | Quotas are a simple mechanism for protecting cloud foundations and application teams against unforeseen spikes in usage/spend. 12 | 13 | Learn more about the [Quota Management Building Block](https://cloudfoundation.org/maturity-model/cost-management/quota-management.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/iam/federated-identity-and-authentication.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Federated Identity and Authentication 3 | summary: >- 4 | Integration of Cloud Platform IAM systems with the Enterprise IAM landscape incl. 5 | federated authentication. 6 | 7 | --- 8 | 9 | # Federated Identity and Authentication 10 | 11 | Integration of Cloud Platform IAM systems with the Enterprise IAM landscape incl. federated authentication. 12 | 13 | Learn more about the [Federated Identity and Authentication Building Block](https://cloudfoundation.org/maturity-model/iam/federated-identity-and-authentication.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/iam/identity-and-access-management-alignment.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Identity and Access Management Alignment 3 | summary: >- 4 | The cloud foundation team can make decisions about governing identities 5 | and access permissions across cloud platforms and landing zones. A process is 6 | in place to align decisions with responsible IAM stakeholders of the 7 | organization. 8 | 9 | --- 10 | 11 | # Identity and Access Management Alignment 12 | 13 | The cloud foundation team can make decisions about governing identities and access permissions across cloud platforms and landing zones. A process is in place to align decisions with responsible IAM stakeholders of the organization. 14 | 15 | Learn more about the [Identity and Access Management Alignment Building Block](https://cloudfoundation.org/maturity-model/iam/identity-and-access-management-alignment.html) on the Cloud Foundation website. 
16 | -------------------------------------------------------------------------------- /compliance/cfmm/iam/identity-lifecycle-management.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Identity Lifecycle Management 3 | summary: >- 4 | Identities are consistently governed throughout the entire lifecycle 5 | from provisioning to deprovisioning. 6 | 7 | --- 8 | 9 | # Identity Lifecycle Management 10 | 11 | Identities are consistently governed throughout the entire lifecycle from provisioning to deprovisioning. 12 | 13 | Learn more about the [Identity Lifecycle Management Building Block](https://cloudfoundation.org/maturity-model/iam/identity-lifecycle-management.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/iam/privileged-access-management.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Privileged Access Management 3 | summary: >- 4 | Implement appropriate security controls for privileged access as defined in 5 | the Authorization Concept. These must cover access to administrative cloud 6 | platform roles (e.g. Global Admins, Global Readers) and shared services (e.g. 7 | on-premise connectivity hubs). 8 | 9 | --- 10 | 11 | # Privileged Access Management 12 | 13 | Implement appropriate security controls for privileged access as defined in the Authorization Concept. These must cover access to administrative cloud platform roles (e.g. Global Admins, Global Readers) and shared services (e.g. on-premise connectivity hubs). 14 | 15 | Learn more about the [Privileged Access Management Building Block](https://cloudfoundation.org/maturity-model/iam/privileged-access-management.html) on the Cloud Foundation website. 
16 | -------------------------------------------------------------------------------- /compliance/cfmm/iam/resource-authorization-management.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Resource Authorization Management 3 | summary: >- 4 | Establish consistent guidelines and guardrails for managing authorization to 5 | cloud resources in Landing Zones. Authorization management should consider key 6 | principles like segregation of duties, need-to-know and separation of 7 | privileged and unprivileged roles. 8 | 9 | --- 10 | 11 | # Resource Authorization Management 12 | 13 | Establish consistent guidelines and guardrails for managing authorization to cloud resources in Landing Zones. Authorization management should consider key principles like segregation of duties, need-to-know and separation of privileged and unprivileged roles. 14 | 15 | Learn more about the [Resource Authorization Management Building Block](https://cloudfoundation.org/maturity-model/iam/resource-authorization-management.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/iam/service-account-management.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Service Account Management 3 | summary: >- 4 | Managed provisioning and inventory of Service Accounts including their 5 | permission sets. Enables central enforcement of compliance policies for 6 | technical users like re-certification, credential strength and credential 7 | rotation. 8 | 9 | --- 10 | 11 | # Service Account Management 12 | 13 | Managed provisioning and inventory of Service Accounts including their permission sets. Enables central enforcement of compliance policies for technical users like re-certification, credential strength and credential rotation. 
14 | 15 | Learn more about the [Service Account Management Building Block](https://cloudfoundation.org/maturity-model/iam/service-account-management.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/centralized-audit-logs.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Centralized audit logs 3 | summary: >- 4 | Audit logs from all cloud tenants (API/resource access) are centrally 5 | collected and stored. 6 | 7 | --- 8 | 9 | # Centralized audit logs 10 | 11 | Audit logs from all cloud tenants (API/resource access) are centrally collected and stored. 12 | 13 | Learn more about the [Centralized audit logs Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/centralized-audit-logs.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/centralized-workload-and-infrastructure-logs.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Centralized workload and infrastructure logs 3 | summary: >- 4 | Audit logs from cloud workloads and infrastructure (e.g. network flow logs) 5 | are centrally collected and stored. 6 | 7 | --- 8 | 9 | # Centralized workload and infrastructure logs 10 | 11 | Audit logs from cloud workloads and infrastructure (e.g. network flow logs) are centrally collected and stored. 12 | 13 | Learn more about the [Centralized workload and infrastructure logs Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/centralized-workload-and-infrastructure-logs.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/certified-isms-compliance.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Certified ISMS Compliance 3 | summary: >- 4 | Landing zones and their operation by the cloud foundation team are certified 5 | according to an information security management system like ISO 27001 or C5. 6 | 7 | --- 8 | 9 | # Certified ISMS Compliance 10 | 11 | Landing zones and their operation by the cloud foundation team are certified according to an information security management system like ISO 27001 or C5. 12 | 13 | Learn more about the [Certified ISMS Compliance Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/certified-isms-compliance.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/cloud-resource-tagging.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Cloud Resource Tagging 3 | summary: >- 4 | Cloud resources are tagged using a consistent tagging strategy to facilitate 5 | security and compliance processes for cloud workloads. 6 | 7 | --- 8 | 9 | # Cloud Resource Tagging 10 | 11 | Cloud resources are tagged using a consistent tagging strategy to facilitate security and compliance processes for cloud workloads. 12 | 13 | Learn more about the [Cloud Resource Tagging Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/cloud-resource-tagging.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/cloud-siem.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Cloud SIEM 3 | summary: >- 4 | Audit logs for cloud tenants and cloud workloads are systematically analyzed 5 | for anomalies. 6 | 7 | --- 8 | 9 | # Cloud SIEM 10 | 11 | Audit logs for cloud tenants and cloud workloads are systematically analyzed for anomalies. 12 | 13 | Learn more about the [Cloud SIEM Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/cloud-siem.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/cloud-tenant-tagging.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Cloud Tenant Tagging 3 | summary: >- 4 | Cloud tenants are tagged using a consistent tagging strategy to facilitate 5 | cloud platform operations. 6 | 7 | --- 8 | 9 | # Cloud Tenant Tagging 10 | 11 | Cloud tenants are tagged using a consistent tagging strategy to facilitate cloud platform operations. 12 | 13 | Learn more about the [Cloud Tenant Tagging Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/cloud-tenant-tagging.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/control-access-to-landing-zones.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Control Access to Landing Zones 3 | summary: >- 4 | Implement automated policies to steer application teams to appropriate cloud 5 | platforms and landing zones based on metadata about the application team. 
6 | 7 | --- 8 | 9 | # Control Access to Landing Zones 10 | 11 | Implement automated policies to steer application teams to appropriate cloud platforms and landing zones based on metadata about the application team. 12 | 13 | Learn more about the [Control Access to Landing Zones Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/control-access-to-landing-zones.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/guided-cloud-onboarding.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Guided Cloud Onboarding 3 | summary: >- 4 | Application teams are guided through the organizational (e.g. budget) and 5 | regulatory (e.g. compliance) cloud onboarding duties. 6 | 7 | --- 8 | 9 | # Guided Cloud Onboarding 10 | 11 | Application teams are guided through the organizational (e.g. budget) and regulatory (e.g. compliance) cloud onboarding duties. 12 | 13 | Learn more about the [Guided Cloud Onboarding Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/guided-cloud-onboarding.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/incident-management-process.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Incident Management Process 3 | summary: >- 4 | There's a clear owner for every cloud tenant responsible for incident 5 | management. Incidents are automatically routed to these owners. 6 | 7 | --- 8 | 9 | # Incident Management Process 10 | 11 | There's a clear owner for every cloud tenant responsible for incident management. Incidents are automatically routed to these owners. 
12 | 13 | Learn more about the [Incident Management Process Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/incident-management-process.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/multi-cloud-tagging-policy.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Multi-Cloud Tagging Policy 3 | summary: >- 4 | Define and enforce a consistent tagging of cloud tenants and resources across 5 | multiple cloud platforms. 6 | 7 | --- 8 | 9 | # Multi-Cloud Tagging Policy 10 | 11 | Define and enforce a consistent tagging of cloud tenants and resources across multiple cloud platforms. 12 | 13 | Learn more about the [Multi-Cloud Tagging Policy Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/multi-cloud-tagging-policy.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/resource-configuration-policies.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Resource Configuration Policies 3 | summary: >- 4 | Policies control the configuration of resources to enforce security and 5 | compliance standards like preventing public access to object storage buckets. 6 | 7 | --- 8 | 9 | # Resource Configuration Policies 10 | 11 | Policies control the configuration of resources to enforce security and compliance standards like preventing public access to object storage buckets. 12 | 13 | Learn more about the [Resource Configuration Policies Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/resource-configuration-policies.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/resource-configuration-scanning.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Resource Configuration Scanning 3 | summary: >- 4 | Scan cloud resource configurations against a catalog of configuration policies 5 | for potential security risks and compliance violations. 6 | 7 | --- 8 | 9 | # Resource Configuration Scanning 10 | 11 | Scan cloud resource configurations against a catalog of configuration policies for potential security risks and compliance violations. 12 | 13 | Learn more about the [Resource Configuration Scanning Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/resource-configuration-scanning.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/service-and-location-restrictions.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Service and Location Restrictions 3 | summary: >- 4 | Basic policies on cloud resources restrict access to non-compliant cloud 5 | services and cloud regions (geographic locations). 6 | 7 | --- 8 | 9 | # Service and Location Restrictions 10 | 11 | Basic policies on cloud resources restrict access to non-compliant cloud services and cloud regions (geographic locations). 12 | 13 | Learn more about the [Service and Location Restrictions Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/service-and-location-restrictions.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/shared-responsibility-model-alignment.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Shared Responsibility Model Alignment 3 | summary: >- 4 | The cloud foundation team can make decisions about the shared responsibility 5 | model clarifying responsibilities between application teams, the cloud 6 | foundation and cloud providers. A process is in place to align decisions with 7 | relevant stakeholders in the organization. 8 | 9 | --- 10 | 11 | # Shared Responsibility Model Alignment 12 | 13 | The cloud foundation team can make decisions about the shared responsibility model clarifying responsibilities between application teams, the cloud foundation and cloud providers. A process is in place to align decisions with relevant stakeholders in the organization. 14 | 15 | Learn more about the [Shared Responsibility Model Alignment Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/shared-responsibility-model-alignment.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/security-and-compliance/soc-integration.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: SOC Integration 3 | summary: >- 4 | Virtual machines are integrated into a central Security Operations Center 5 | (SOC) solution like tenable.io or Qualys. The cloud inventory of existing 6 | machines is reconciled against the SOC to ensure completeness. 7 | 8 | --- 9 | 10 | # SOC Integration 11 | 12 | Virtual machines are integrated into a central Security Operations Center (SOC) solution like tenable.io or Qualys. The cloud inventory of existing machines is reconciled against the SOC to ensure completeness. 
13 | 14 | Learn more about the [SOC Integration Building Block](https://cloudfoundation.org/maturity-model/security-and-compliance/soc-integration.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/3rd-party-paas-service-integration.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: 3rd party PaaS Service Integration 3 | summary: >- 4 | Application teams can leverage third-party PaaS providers for managed services 5 | like DBaaS, observability platforms or analytics. Teams can manage 6 | service-lifecycle and IAM in self-service and are transparently charged for 7 | all consumption cost incurred. 8 | 9 | --- 10 | 11 | # 3rd party PaaS Service Integration 12 | 13 | Application teams can leverage third-party PaaS providers for managed services like DBaaS, observability platforms or analytics. Teams can manage service-lifecycle and IAM in self-service and are transparently charged for all consumption cost incurred. 14 | 15 | Learn more about the [3rd party PaaS Service Integration Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/3rd-party-paas-service-integration.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/api-gateway-to-on-premises-apis.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: API Gateway to on-premises APIs 3 | summary: >- 4 | Provide managed API (L7) connectivity to APIs running in on-premise 5 | environments. 6 | 7 | --- 8 | 9 | # API Gateway to on-premises APIs 10 | 11 | Provide managed API (L7) connectivity to APIs running in on-premise environments. 
12 | 13 | Learn more about the [API Gateway to on-premises APIs Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/api-gateway-to-on-premises-apis.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/cloud-to-cloud-interconnects.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Cloud to Cloud interconnects 3 | summary: >- 4 | Provides managed connectivity between cloud tenants on different cloud 5 | platforms via centrally managed transit networks. 6 | 7 | --- 8 | 9 | # Cloud to Cloud interconnects 10 | 11 | Provides managed connectivity between cloud tenants on different cloud platforms via centrally managed transit networks. 12 | 13 | Learn more about the [Cloud to Cloud interconnects Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/cloud-to-cloud-interconnects.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/foundation-service-platform.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Foundation Service Platform 3 | summary: >- 4 | Offer cloud infrastructure services managed by the cloud foundation team from 5 | a self-service platform. 6 | 7 | --- 8 | 9 | # Foundation Service Platform 10 | 11 | Offer cloud infrastructure services managed by the cloud foundation team from a self-service platform. 12 | 13 | Learn more about the [Foundation Service Platform Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/foundation-service-platform.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/in-house-paas-service-integration.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: In-house PaaS Service Integration 3 | summary: >- 4 | In-house teams provide PaaS services for commonly needed infrastructure 5 | services like DBaaS, observability platforms or analytics. Teams can manage 6 | service-lifecycle and IAM in self-service and are transparently charged for 7 | all consumption cost incurred. 8 | 9 | --- 10 | 11 | # In-house PaaS Service Integration 12 | 13 | In-house teams provide PaaS services for commonly needed infrastructure services like DBaaS, observability platforms or analytics. Teams can manage service-lifecycle and IAM in self-service and are transparently charged for all consumption cost incurred. 14 | 15 | Learn more about the [In-house PaaS Service Integration Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/in-house-paas-service-integration.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/individual-service-provisioning.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Individual Service Provisioning 3 | summary: >- 4 | Cloud foundation teams can offer individual services and customizations 5 | through a standardized process. 6 | 7 | --- 8 | 9 | # Individual Service Provisioning 10 | 11 | Cloud foundation teams can offer individual services and customizations through a standardized process. 12 | 13 | Learn more about the [Individual Service Provisioning Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/individual-service-provisioning.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/internal-service-marketplace.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Internal Service Marketplace 3 | summary: "Teams offer services to other teams and make them accessible on a marketplace that is integrated with \U0001F4B5 Cost Management and \U0001F510 IAM." 4 | 5 | --- 6 | 7 | # Internal Service Marketplace 8 | 9 | Teams offer services to other teams and make them accessible on a marketplace that is integrated with 💵 Cost Management and 🔐 IAM. 10 | 11 | Learn more about the [Internal Service Marketplace Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/internal-service-marketplace.html) on the Cloud Foundation website. 12 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/kubernetes-cluster-as-a-service.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Kubernetes Cluster as a Service 3 | summary: >- 4 | Provides Kubernetes Clusters as a Service. These are deployed as workloads 5 | into the customer's cloud tenants. 6 | 7 | --- 8 | 9 | # Kubernetes Cluster as a Service 10 | 11 | Provides Kubernetes Clusters as a Service. These are deployed as workloads into the customer's cloud tenants. 12 | 13 | Learn more about the [Kubernetes Cluster as a Service Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/kubernetes-cluster-as-a-service.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-bastion-hosts.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed bastion hosts 3 | summary: >- 4 | Application teams can use a managed service to access resources on private 5 | cloud networks using managed bastion hosts or gateway services. These gateways 6 | are hardened and centrally audited. 7 | 8 | --- 9 | 10 | # Managed bastion hosts 11 | 12 | Application teams can use a managed service to access resources on private cloud networks using managed bastion hosts or gateway services. These gateways are hardened and centrally audited. 13 | 14 | Learn more about the [Managed bastion hosts Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-bastion-hosts.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-cloud-provider-support-contracts.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed Cloud Provider Support Contracts 3 | summary: >- 4 | Application teams can enroll their tenants in support contracts and/or 5 | enterprise support agreements from cloud providers. Teams can access support 6 | in self-service and are transparently charged for support fees incurred. 7 | 8 | --- 9 | 10 | # Managed Cloud Provider Support Contracts 11 | 12 | Application teams can enroll their tenants in support contracts and/or enterprise support agreements from cloud providers. Teams can access support in self-service and are transparently charged for support fees incurred. 
13 | 14 | Learn more about the [Managed Cloud Provider Support Contracts Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-cloud-provider-support-contracts.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-data-lake-access.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed Data Lake access 3 | summary: >- 4 | Application teams can get managed access to central data warehouses and data 5 | lakes to combine this data with processing and infrastructure in their own 6 | cloud tenants. 7 | 8 | --- 9 | 10 | # Managed Data Lake access 11 | 12 | Application teams can get managed access to central data warehouses and data lakes to combine this data with processing and infrastructure in their own cloud tenants. 13 | 14 | Learn more about the [Managed Data Lake access Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-data-lake-access.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-devops-toolchain.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed DevOps Toolchain 3 | summary: >- 4 | Application teams can use DevOps tools that are integrated with the cloud 5 | tenants used by the team. Any required service account or automation user 6 | credentials are automatically maintained and rotated. 7 | 8 | --- 9 | 10 | # Managed DevOps Toolchain 11 | 12 | Application teams can use DevOps tools that are integrated with the cloud tenants used by the team. Any required service account or automation user credentials are automatically maintained and rotated. 
13 | 14 | Learn more about the [Managed DevOps Toolchain Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-devops-toolchain.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-dns-services.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed DNS Services 3 | summary: >- 4 | Application teams can manage DNS Zones and Records for their cloud workloads 5 | in self-service. 6 | 7 | --- 8 | 9 | # Managed DNS Services 10 | 11 | Application teams can manage DNS Zones and Records for their cloud workloads in self-service. 12 | 13 | Learn more about the [Managed DNS Services Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-dns-services.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-internet-egress.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed Internet Egress 3 | summary: >- 4 | Application teams can connect cloud tenants to internet egress using managed 5 | infrastructure that ensures compliance and cost efficiency (network 6 | separation, proxies etc.). 7 | 8 | --- 9 | 10 | # Managed Internet Egress 11 | 12 | Application teams can connect cloud tenants to internet egress using managed infrastructure that ensures compliance and cost efficiency (network separation, proxies etc.). 13 | 14 | Learn more about the [Managed Internet Egress Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-internet-egress.html) on the Cloud Foundation website. 
15 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-key-vault.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed Key Vault 3 | summary: >- 4 | Managed key management services that allow application teams to securely store 5 | and retrieve credentials in the cloud. The key management service 6 | configuration is aligned with the organization's policies for cryptography and 7 | secret management. 8 | 9 | --- 10 | 11 | # Managed Key Vault 12 | 13 | Managed key management services that allow application teams to securely store and retrieve credentials in the cloud. The key management service configuration is aligned with the organization's policies for cryptography and secret management. 14 | 15 | Learn more about the [Managed Key Vault Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-key-vault.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/managed-ssl-certificates.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Managed SSL Certificates 3 | summary: >- 4 | Application teams can request and renew SSL certificates for their cloud 5 | workloads in self-service. 6 | 7 | --- 8 | 9 | # Managed SSL Certificates 10 | 11 | Application teams can request and renew SSL certificates for their cloud workloads in self-service. 12 | 13 | Learn more about the [Managed SSL Certificates Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/managed-ssl-certificates.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/on-premise-network-connection.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: On-Premise Network Connection 3 | summary: >- 4 | Provides managed IP (L3) connectivity to on-premises networks. This is 5 | commonly implemented using hub&spoke network architectures and a combination 6 | of VPNs or private network peerings. 7 | 8 | --- 9 | 10 | # On-Premise Network Connection 11 | 12 | Provides managed IP (L3) connectivity to on-premises networks. This is commonly implemented using hub&spoke network architectures and a combination of VPNs or private network peerings. 13 | 14 | Learn more about the [On-Premise Network Connection Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/on-premise-network-connection.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/shared-container-registry.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Shared container registry 3 | summary: A central repository provides hardened container images. 4 | 5 | --- 6 | 7 | # Shared container registry 8 | 9 | A central repository provides hardened container images. 10 | 11 | Learn more about the [Shared container registry Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/shared-container-registry.html) on the Cloud Foundation website. 12 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/shared-vm-image-repository.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Shared VM Image Repository 3 | summary: A central repository provides hardened virtual machine images. 
4 | 5 | --- 6 | 7 | # Shared VM Image Repository 8 | 9 | A central repository provides hardened virtual machine images. 10 | 11 | Learn more about the [Shared VM Image Repository Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/shared-vm-image-repository.html) on the Cloud Foundation website. 12 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/tenant-to-tenant-transit-networks.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Tenant to Tenant Transit Networks 3 | summary: >- 4 | Provides managed connectivity between cloud tenants on the same cloud platform 5 | via centrally managed transit networks. 6 | 7 | --- 8 | 9 | # Tenant to Tenant Transit Networks 10 | 11 | Provides managed connectivity between cloud tenants on the same cloud platform via centrally managed transit networks. 12 | 13 | Learn more about the [Tenant to Tenant Transit Networks Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/tenant-to-tenant-transit-networks.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/virtual-machine-service.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Virtual Machine Service 3 | summary: Provides VMs as a service for lift & shift and cloud newcomers. 4 | 5 | --- 6 | 7 | # Virtual Machine Service 8 | 9 | Provides VMs as a service for lift & shift and cloud newcomers. 10 | 11 | Learn more about the [Virtual Machine Service Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/virtual-machine-service.html) on the Cloud Foundation website. 
12 | -------------------------------------------------------------------------------- /compliance/cfmm/service-ecosystem/virtual-network-service.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Virtual Network Service 3 | summary: >- 4 | A virtual network service provides a pre-configured virtual network. It is a 5 | pre-requisite for higher-level services built on virtual networks. 6 | 7 | --- 8 | 9 | # Virtual Network Service 10 | 11 | A virtual network service provides a pre-configured virtual network. It is a pre-requisite for higher-level services built on virtual networks. 12 | 13 | Learn more about the [Virtual Network Service Building Block](https://cloudfoundation.org/maturity-model/service-ecosystem/virtual-network-service.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/cloud-native-landing-zone.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Cloud-native Landing Zone 3 | summary: >- 4 | A dedicated landing zone optimized for cloud-native workloads enables quick 5 | onboarding and efficient operations. 6 | 7 | --- 8 | 9 | # Cloud-native Landing Zone 10 | 11 | A dedicated landing zone optimized for cloud-native workloads enables quick onboarding and efficient operations. 12 | 13 | Learn more about the [Cloud-native Landing Zone Building Block](https://cloudfoundation.org/maturity-model/tenant-management/cloud-native-landing-zone.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/cloud-tenant-database.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Cloud Tenant Database 3 | summary: >- 4 | A central database provides information about cloud tenants using a unified 5 | schema. 
The database records essential metadata like the responsible owner of 6 | the tenant and a cost center for chargeback. 7 | 8 | --- 9 | 10 | # Cloud Tenant Database 11 | 12 | A central database provides information about cloud tenants using a unified schema. The database records essential metadata like the responsible owner of the tenant and a cost center for chargeback. 13 | 14 | Learn more about the [Cloud Tenant Database Building Block](https://cloudfoundation.org/maturity-model/tenant-management/cloud-tenant-database.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/container-platform-landing-zone.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Container Platform Landing Zone 3 | summary: >- 4 | A dedicated landing zone offering a developer-centric experience for building 5 | and running container-based applications on the cloud on top of a container 6 | platform. 7 | 8 | --- 9 | 10 | # Container Platform Landing Zone 11 | 12 | A dedicated landing zone offering a developer-centric experience for building and running container-based applications on the cloud on top of a container platform. 13 | 14 | Learn more about the [Container Platform Landing Zone Building Block](https://cloudfoundation.org/maturity-model/tenant-management/container-platform-landing-zone.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/data-science-landing-zone.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Data Science Landing Zone 3 | summary: >- 4 | A landing zone optimized for data science workloads like AI/ML models and 5 | self-service data analysis. 
6 | 7 | --- 8 | 9 | # Data Science Landing Zone 10 | 11 | A landing zone optimized for data science workloads like AI/ML models and self-service data analysis. 12 | 13 | Learn more about the [Data Science Landing Zone Building Block](https://cloudfoundation.org/maturity-model/tenant-management/data-science-landing-zone.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/lift-and-shift-landing-zone.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Lift & Shift Landing Zone 3 | summary: >- 4 | A dedicated landing zone optimized for lift & shift workloads enables quick 5 | onboarding and efficient operations. 6 | 7 | --- 8 | 9 | # Lift & Shift Landing Zone 10 | 11 | A dedicated landing zone optimized for lift & shift workloads enables quick onboarding and efficient operations. 12 | 13 | Learn more about the [Lift & Shift Landing Zone Building Block](https://cloudfoundation.org/maturity-model/tenant-management/lift-and-shift-landing-zone.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/link-cloud-tenants-to-cmdbeam.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Link Cloud Tenants to CMDB/EAM 3 | summary: >- 4 | Maintain a link between cloud tenants and a central CMDB/EAM repository (e.g. 5 | IT System identifier, Application Id). Linking cloud tenants to CMDB/EAM 6 | systems is a foundational capability that enables use cases like basic 7 | chargeback, systematic risk assessment and change management. 8 | 9 | --- 10 | 11 | # Link Cloud Tenants to CMDB/EAM 12 | 13 | Maintain a link between cloud tenants and a central CMDB/EAM repository (e.g. IT System identifier, Application Id). 
Linking cloud tenants to CMDB/EAM systems is a foundational capability that enables use cases like basic chargeback, systematic risk assessment and change management. 14 | 15 | Learn more about the [Link Cloud Tenants to CMDB/EAM Building Block](https://cloudfoundation.org/maturity-model/tenant-management/link-cloud-tenants-to-cmdbeam.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/modular-landing-zones.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Modular Landing Zones 3 | summary: >- 4 | Landing Zones are extendable with optional services. These services have 5 | their own lifecycle and can be reconfigured during the lifespan of a tenant. 6 | The modular design allows combining services like LEGO® blocks. 7 | 8 | --- 9 | 10 | # Modular Landing Zones 11 | 12 | Landing Zones are extendable with optional services. These services have their own lifecycle and can be reconfigured during the lifespan of a tenant. The modular design allows combining services like LEGO® blocks. 13 | 14 | Learn more about the [Modular Landing Zones Building Block](https://cloudfoundation.org/maturity-model/tenant-management/modular-landing-zones.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/multi-cloud-tenant-database-integrated-with-lifecycle-management.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Multi-cloud tenant database integrated with lifecycle management 3 | summary: >- 4 | A central database of all multi-cloud tenants initiates tenant provisioning 5 | and deprovisioning processes. The database acts as an authoritative source of 6 | tenants and ensures tenant metadata is always up to date. 
7 | 8 | --- 9 | 10 | # Multi-cloud tenant database integrated with lifecycle management 11 | 12 | A central database of all multi-cloud tenants initiates tenant provisioning and deprovisioning processes. The database acts as an authoritative source of tenants and ensures tenant metadata is always up to date. 13 | 14 | Learn more about the [Multi-cloud tenant database integrated with lifecycle management Building Block](https://cloudfoundation.org/maturity-model/tenant-management/multi-cloud-tenant-database-integrated-with-lifecycle-management.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/playground-sandbox-environments.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Playground / Sandbox Environments 3 | summary: >- 4 | Application teams can quickly provision cloud environments for experimentation 5 | and learning. Playgrounds use relaxed policies (e.g. more cloud services are 6 | allowed) but come with time- or spend-limits that are tightly controlled. 7 | Expired playgrounds are automatically deprovisioned. 8 | 9 | --- 10 | 11 | # Playground / Sandbox Environments 12 | 13 | Application teams can quickly provision cloud environments for experimentation and learning. Playgrounds use relaxed policies (e.g. more cloud services are allowed) but come with time- or spend-limits that are tightly controlled. Expired playgrounds are automatically deprovisioned. 14 | 15 | Learn more about the [Playground / Sandbox Environments Building Block](https://cloudfoundation.org/maturity-model/tenant-management/playground-sandbox-environments.html) on the Cloud Foundation website. 
16 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/resource-hierarchy.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Resource Hierarchy 3 | summary: >- 4 | Define a cloud resource hierarchy structure that facilitates tenant isolation 5 | and policy enforcement. Maintain the integrity of this hierarchy to ensure 6 | capabilities built atop of it remain effective. 7 | 8 | --- 9 | 10 | # Resource Hierarchy 11 | 12 | Define a cloud resource hierarchy structure that facilitates tenant isolation and policy enforcement. Maintain the integrity of this hierarchy to ensure capabilities built atop of it remain effective. 13 | 14 | Learn more about the [Resource Hierarchy Building Block](https://cloudfoundation.org/maturity-model/tenant-management/resource-hierarchy.html) on the Cloud Foundation website. 15 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/self-service-multi-cloud-tenant-database.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Self-Service Multi-Cloud Tenant Database 3 | summary: >- 4 | Application teams can register, update and remove tenant metadata in a central 5 | multi-cloud tenant database in self service. 6 | 7 | --- 8 | 9 | # Self-Service Multi-Cloud Tenant Database 10 | 11 | Application teams can register, update and remove tenant metadata in a central multi-cloud tenant database in self service. 12 | 13 | Learn more about the [Self-Service Multi-Cloud Tenant Database Building Block](https://cloudfoundation.org/maturity-model/tenant-management/self-service-multi-cloud-tenant-database.html) on the Cloud Foundation website. 
14 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/tenant-deprovisioning-decommissioning.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Tenant Deprovisioning / Decommissioning 3 | summary: >- 4 | Establish a process for safely decommissioning and deprovisioning cloud 5 | tenants that are no longer needed by application teams. 6 | 7 | --- 8 | 9 | # Tenant Deprovisioning / Decommissioning 10 | 11 | Establish a process for safely decommissioning and deprovisioning cloud tenants that are no longer needed by application teams. 12 | 13 | Learn more about the [Tenant Deprovisioning / Decommissioning Building Block](https://cloudfoundation.org/maturity-model/tenant-management/tenant-deprovisioning-decommissioning.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/tenant-inventory-reconciliation.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Tenant Inventory Reconciliation 3 | summary: >- 4 | The inventory of cloud tenants is automatically reconciled against the tenants 5 | actually present in the cloud platforms. This allows organizations to detect 6 | "shadow IT" or "dark matter" in the cloud. A process is in place to adopt 7 | these existing tenants into the prescribed governance model. 8 | 9 | --- 10 | 11 | # Tenant Inventory Reconciliation 12 | 13 | The inventory of cloud tenants is automatically reconciled against the tenants actually present in the cloud platforms. This allows organizations to detect "shadow IT" or "dark matter" in the cloud. A process is in place to adopt these existing tenants into the prescribed governance model. 
14 | 15 | Learn more about the [Tenant Inventory Reconciliation Building Block](https://cloudfoundation.org/maturity-model/tenant-management/tenant-inventory-reconciliation.html) on the Cloud Foundation website. 16 | -------------------------------------------------------------------------------- /compliance/cfmm/tenant-management/tenant-provisioning.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Tenant Provisioning 3 | summary: >- 4 | On-demand provisioning of primitive cloud tenants (e.g. AWS Accounts, Azure 5 | Subscriptions etc.). 6 | 7 | --- 8 | 9 | # Tenant Provisioning 10 | 11 | On-demand provisioning of primitive cloud tenants (e.g. AWS Accounts, Azure Subscriptions etc.). 12 | 13 | Learn more about the [Tenant Provisioning Building Block](https://cloudfoundation.org/maturity-model/tenant-management/tenant-provisioning.html) on the Cloud Foundation website. 14 | -------------------------------------------------------------------------------- /compliance/cfmm/update.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | deno run --allow-read --allow-write --allow-net update.ts 4 | 5 | -------------------------------------------------------------------------------- /docs/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .temp 3 | .cache 4 | dist -------------------------------------------------------------------------------- /docs/.vuepress/public/images/hero.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/.vuepress/public/images/hero.png -------------------------------------------------------------------------------- /docs/.vuepress/public/robots.txt: -------------------------------------------------------------------------------- 1 | 
User-agent: * 2 | Allow: / 3 | 4 | User-agent: ReadableBot 5 | Disallow: / 6 | -------------------------------------------------------------------------------- /docs/.vuepress/theme/plugins/plausible/client/clientAppSetup.ts: -------------------------------------------------------------------------------- 1 | import { defineClientAppSetup } from '@vuepress/client'; 2 | 3 | import { setupPlausible } from './composables/setupPlausible'; 4 | 5 | export default defineClientAppSetup(() => { 6 | setupPlausible(); 7 | }); 8 | -------------------------------------------------------------------------------- /docs/.vuepress/theme/plugins/plausible/client/composables/index.ts: -------------------------------------------------------------------------------- 1 | export * from "./setupPlausible"; 2 | export * from "./usePlausible"; 3 | -------------------------------------------------------------------------------- /docs/.vuepress/theme/plugins/plausible/client/composables/usePlausible.ts: -------------------------------------------------------------------------------- 1 | import { inject } from "vue"; 2 | import { PlausibleRef, plausibleSymbol } from "./setupPlausible"; 3 | 4 | export const usePlausible = (): PlausibleRef => { 5 | const plausible = inject(plausibleSymbol); 6 | if (!plausible) { 7 | throw new Error("usePlausible() is called without provider."); 8 | } 9 | 10 | return plausible; 11 | }; 12 | -------------------------------------------------------------------------------- /docs/.vuepress/theme/plugins/plausible/client/index.ts: -------------------------------------------------------------------------------- 1 | export * from "../shared"; 2 | export * from "./composables/usePlausible"; 3 | -------------------------------------------------------------------------------- /docs/.vuepress/theme/plugins/plausible/index.ts: -------------------------------------------------------------------------------- 1 | import { path } from "@vuepress/utils"; 2 | import type { Plugin, 
PluginObject } from "@vuepress/core"; 3 | 4 | import { PlausiblePluginOptions } from "./shared"; 5 | 6 | export const plausiblePlugin: Plugin = (options) => { 7 | const defaultOptions: Partial = { 8 | stubEventTracking: false, 9 | enableAutoPageviews: true, 10 | enableAutoOutboundTracking: false, 11 | trackerOptions: { 12 | hashMode: false, // hashMode does not make sense for vuepress' routing 13 | }, 14 | }; 15 | 16 | const pluginObj: PluginObject = { 17 | name: "vuepress-plugin-plausible", 18 | multiple: false, 19 | clientAppSetupFiles: path.resolve(__dirname, "./client/clientAppSetup.ts"), 20 | define: { 21 | __PLAUSIBLE_OPTIONS__: Object.assign({}, defaultOptions, options), 22 | }, 23 | }; 24 | 25 | return pluginObj; 26 | }; 27 | 28 | export default plausiblePlugin; 29 | -------------------------------------------------------------------------------- /docs/.vuepress/theme/plugins/plausible/shared/index.ts: -------------------------------------------------------------------------------- 1 | export * from "./types"; 2 | -------------------------------------------------------------------------------- /docs/.vuepress/theme/plugins/plausible/shared/types.ts: -------------------------------------------------------------------------------- 1 | import type { PlausibleOptions } from "plausible-tracker"; 2 | 3 | export interface PlausiblePluginOptions { 4 | enableAutoPageviews?: boolean; 5 | enableAutoOutboundTracking?: boolean; 6 | trackerOptions: PlausibleOptions; 7 | } 8 | -------------------------------------------------------------------------------- /docs/assets/modular-landing-zone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/assets/modular-landing-zone.png -------------------------------------------------------------------------------- /docs/concept/README.md: 
-------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | This section explains various fundamental concepts of building landing zones with collie. 4 | If you're looking to solve a particular problem and want to understand **how** to work with collie, please check out 5 | the [Guides](../guide/README.md) or [Tutorials](../tutorial/README.md) section instead. 6 | 7 | - [Goals of collie](goals.md) provides an overview of the motivation behind collie and the opinions shaping its core workflows 8 | - [Bootstrapping](./bootstrapping.md) explains what you need to consider when bootstrapping a platform 9 | - [Modular Landing Zones](./modular-landing-zones.md) explains what you need to consider for delivering multiple landing zones 10 | - [Compliance](./compliance.md) provides an overview of implementing compliance control frameworks in your landing zones -------------------------------------------------------------------------------- /docs/concept/modular-landing-zones.md: -------------------------------------------------------------------------------- 1 | # Modular Landing Zones 2 | 3 | Modular landing zones allow a platform team to assemble landing zones from different modules. 4 | This approach enables platform teams to provide landing zones tailored to specific categories of use cases, rather than providing a "one-size-fits-all" landing zone. 5 | 6 | You can learn more about this approach in the Cloud Foundation Maturity Model building block [Modular Landing Zones](https://cloudfoundation.meshcloud.io/maturity-model/tenant-management/modular-landing-zones.html). 7 | -------------------------------------------------------------------------------- /docs/guide/README.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | This section contains problem-oriented guides that aim to help you work with collie to build landing zones. 
4 | 5 | - [Customizing Kit Modules](./how-to-kit-module.md) gives you an overview of how to create and customize kit modules 6 | - [Documenting Kit Modules](./how-to-document.md) explains how to create and manage documentation for your landing zones 7 | - [Managing Compliance](./how-to-compliance.md) gives you an overview about managing compliance for your landing zones 8 | - [Best Practices](./best-practices.md) provides an overview of some best practices working with collie and its underlying tools like terraform and terragrunt 9 | - [FAQ](./faq.md) answers frequently asked questions about building landing zones with collie 10 | -------------------------------------------------------------------------------- /docs/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "collie-hub", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "docs:dev": "vuepress dev", 8 | "docs:build": "vuepress build" 9 | }, 10 | "author": "", 11 | "private": true, 12 | "devDependencies": { 13 | "vuepress": "^2.0.0-beta.35" 14 | }, 15 | "dependencies": { 16 | "plausible-tracker": "^0.3.4" 17 | }, 18 | "overrides": { 19 | "vite": "2.8.6" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /docs/reference/assets/collie-tenant-analyze-tags.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/reference/assets/collie-tenant-analyze-tags.png -------------------------------------------------------------------------------- /docs/reference/assets/collie-tenant-costs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/reference/assets/collie-tenant-costs.png 
-------------------------------------------------------------------------------- /docs/reference/assets/collie-tenant-iam.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/reference/assets/collie-tenant-iam.png -------------------------------------------------------------------------------- /docs/reference/assets/collie-tenant-list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/reference/assets/collie-tenant-list.png -------------------------------------------------------------------------------- /docs/reference/compliance-commands.md: -------------------------------------------------------------------------------- 1 | # Compliance Commands 2 | 3 | > Note: this section of the documentation is under construction. 4 | 5 | ## compliance tree 6 | 7 | ## compliance new 8 | 9 | ## compliance import -------------------------------------------------------------------------------- /docs/reference/foundation-commands.md: -------------------------------------------------------------------------------- 1 | # Foundation Commands 2 | 3 | > Note: this section of the documentation is under construction. 4 | 5 | ## foundation docs 6 | 7 | `collie foundation docs ` will prepare markdown documentation for your foundation from your collie repository. 8 | 9 | This command first collects documentation files from the following locations: 10 | 11 | 1. `README.md` files from platforms in your collie repository 12 | 2. `documentation_md` output from every platform module via `terragrunt output -raw` 13 | 3. documentation template from `kit/foundation/docs/template` 14 | 15 | Collie then emits the output to `foundations/*/.docs`. 
16 | 17 | ### Preview Documentation 18 | 19 | The official [foundation docs module](modules/../../../kit/foundation/docs/README.md) from collie hub sets up 20 | the static site generator [vuepress](https://v2.vuepress.vuejs.org) to generate a documentation page from this markdown page. 21 | 22 | You can pass the optional `--preview` flag to compile and launch this website locally. 23 | 24 | > `collie foundation docs --preview` depends on node.js and npm 25 | -------------------------------------------------------------------------------- /docs/reference/kit-commands.md: -------------------------------------------------------------------------------- 1 | # Kit Commands 2 | 3 | > Note: this section of the documentation is under construction. 4 | -------------------------------------------------------------------------------- /docs/tutorial/assets/collie-foundation-new-add-platform.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/tutorial/assets/collie-foundation-new-add-platform.png -------------------------------------------------------------------------------- /docs/tutorial/assets/collie-foundation-new.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/docs/tutorial/assets/collie-foundation-new.png -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "nixpkgs": { 4 | "locked": { 5 | "lastModified": 1725001927, 6 | "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=", 7 | "owner": "nixos", 8 | "repo": "nixpkgs", 9 | "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421", 10 | "type": "github" 11 | }, 12 | "original": { 13 | "owner": "nixos", 14 | 
"ref": "nixos-24.05", 15 | "repo": "nixpkgs", 16 | "type": "github" 17 | } 18 | }, 19 | "root": { 20 | "inputs": { 21 | "nixpkgs": "nixpkgs" 22 | } 23 | } 24 | }, 25 | "root": "root", 26 | "version": 7 27 | } 28 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/github-connector/backplane/variables.tf: -------------------------------------------------------------------------------- 1 | variable "tfstates_resource_manager_id" { 2 | type = string 3 | nullable = false 4 | } 5 | 6 | variable "tfstates_resource_group_name" { 7 | type = string 8 | nullable = false 9 | } 10 | 11 | variable "tfstates_storage_account_name" { 12 | type = string 13 | nullable = false 14 | } 15 | 16 | variable "tfstates_storage_container_name" { 17 | type = string 18 | nullable = false 19 | } 20 | 21 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/github-connector/backplane/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "4.4.0" 8 | } 9 | 10 | azuread = { 11 | source = "hashicorp/azuread" 12 | version = "3.1.0" 13 | } 14 | 15 | kubernetes = { 16 | source = "hashicorp/kubernetes" 17 | version = "2.35.1" 18 | } 19 | } 20 | } 21 | 22 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/github-connector/buildingblock/.gitignore: -------------------------------------------------------------------------------- 1 | config.tf 2 | terraform.tfvars 3 | likvid-bank-devops-toolchain-team.private-key.pem 4 | kubeconfig.yml 5 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/github-connector/buildingblock/repo_content/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM alpine:latest 2 | 3 | CMD ["sleep", "3600"] 4 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/github-connector/buildingblock/variables.tf: -------------------------------------------------------------------------------- 1 | variable "namespace" { 2 | description = "Associated namespace in AKS." 3 | type = string 4 | } 5 | 6 | variable "github_repo" { 7 | type = string 8 | } 9 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/github-connector/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | github = { 4 | source = "integrations/github" 5 | version = "6.5.0" 6 | } 7 | 8 | kubernetes = { 9 | source = "hashicorp/kubernetes" 10 | version = "2.35.1" 11 | } 12 | 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/postgresql/backplane/variables.tf: -------------------------------------------------------------------------------- 1 | variable "tfstates_resource_manager_id" { 2 | type = string 3 | nullable = false 4 | } 5 | 6 | variable "tfstates_resource_group_name" { 7 | type = string 8 | nullable = false 9 | } 10 | 11 | variable "tfstates_storage_account_name" { 12 | type = string 13 | nullable = false 14 | } 15 | 16 | variable "tfstates_storage_container_name" { 17 | type = string 18 | nullable = false 19 | } 20 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/postgresql/backplane/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "4.4.0" 8 | } 9 | 10 | azuread 
= { 11 | source = "hashicorp/azuread" 12 | version = "3.1.0" 13 | } 14 | 15 | kubernetes = { 16 | source = "hashicorp/kubernetes" 17 | version = "2.35.1" 18 | } 19 | } 20 | } 21 | 22 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/postgresql/buildingblock/.gitignore: -------------------------------------------------------------------------------- 1 | config.tf 2 | terraform.tfvars 3 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/postgresql/buildingblock/variables.tf: -------------------------------------------------------------------------------- 1 | variable "workspace_identifier" { 2 | type = string 3 | description = "The meshStack workspace identifier." 4 | } 5 | 6 | variable "project_identifier" { 7 | type = string 8 | description = "The meshStack project identifier." 9 | } 10 | 11 | variable "name" { 12 | type = string 13 | description = "User selected part of the name." 14 | 15 | validation { 16 | condition = length(var.name) < 16 17 | error_message = "Name must be fewer than 16 characters long." 18 | } 19 | 20 | validation { 21 | condition = length(regexall("^[0-9a-z]+$", var.name)) > 0 22 | error_message = "Name must only contain lowercase letters and numbers." 23 | } 24 | } 25 | 26 | variable "namespace" { 27 | description = "Associated namespace in AKS." 
28 | type = string 29 | } 30 | -------------------------------------------------------------------------------- /kit/aks/buildingblocks/postgresql/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "4.4.0" 8 | } 9 | 10 | random = { 11 | source = "hashicorp/random" 12 | version = "3.6.3" 13 | } 14 | 15 | kubernetes = { 16 | source = "hashicorp/kubernetes" 17 | version = "2.35.1" 18 | } 19 | } 20 | } 21 | 22 | -------------------------------------------------------------------------------- /kit/aws/admin-accounts/root/documentation.tf: -------------------------------------------------------------------------------- 1 | output "documentation_md" { 2 | value = < `${data.aws_caller_identity.current.account_id}`. 12 | 13 | Outputs the following credentials: 14 | 15 | - AWS_ACCESS_KEY_ID 16 | - AWS_SECRET_ACCESS_KEY 17 | 18 | These credentials can be used as environment variable (encrypted!) inputs when configuring the buildingblock definition. 
19 | 20 | To obtain the credentials, run the following command: 21 | 22 | `collie foundation deploy --platform aws --module buildingblocks/s3_bucket/backplane -- output credentials` 23 | 24 | EOF 25 | } 26 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/backplane/iam.tf: -------------------------------------------------------------------------------- 1 | data "aws_caller_identity" "current" {} 2 | 3 | resource "aws_iam_user" "buildingblock_s3_user" { 4 | name = "buildingblock-s3-user" 5 | } 6 | 7 | data "aws_iam_policy_document" "s3_full_access" { 8 | statement { 9 | actions = [ 10 | "s3:*", 11 | ] 12 | 13 | resources = [ 14 | "arn:aws:s3:::*", 15 | ] 16 | } 17 | } 18 | 19 | resource "aws_iam_policy" "buildingblock_s3_policy" { 20 | name = "buildingblock-s3-policy" 21 | description = "Policy for the ${aws_iam_user.buildingblock_s3_user.name} user" 22 | policy = data.aws_iam_policy_document.s3_full_access.json 23 | } 24 | 25 | resource "aws_iam_user_policy_attachment" "buildingblock_s3_user_policy_attachment" { 26 | user = aws_iam_user.buildingblock_s3_user.name 27 | policy_arn = aws_iam_policy.buildingblock_s3_policy.arn 28 | } 29 | 30 | resource "aws_iam_access_key" "buildingblock_s3_access_key" { 31 | user = aws_iam_user.buildingblock_s3_user.name 32 | } 33 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/backplane/outputs.tf: -------------------------------------------------------------------------------- 1 | output "credentials" { 2 | sensitive = true 3 | value = { 4 | AWS_ACCESS_KEY_ID = aws_iam_access_key.buildingblock_s3_access_key.id 5 | AWS_SECRET_ACCESS_KEY = aws_iam_access_key.buildingblock_s3_access_key.secret 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/backplane/versions.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = "~> 5.77.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/buildingblock/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_s3_bucket" "main" { 2 | bucket = var.bucket_name 3 | tags = { 4 | "managed-by" = "meshStack" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/buildingblock/outputs.tf: -------------------------------------------------------------------------------- 1 | output "bucket_name" { 2 | value = aws_s3_bucket.main.bucket 3 | } 4 | 5 | output "bucket_arn" { 6 | value = aws_s3_bucket.main.arn 7 | } 8 | 9 | output "bucket_uri" { 10 | value = "s3://${aws_s3_bucket.main.id}" 11 | } 12 | 13 | output "bucket_domain_name" { 14 | value = aws_s3_bucket.main.bucket_domain_name 15 | } 16 | 17 | output "bucket_regional_domain_name" { 18 | value = aws_s3_bucket.main.bucket_regional_domain_name 19 | } 20 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/buildingblock/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/buildingblock/terragrunt.tftest.hcl: -------------------------------------------------------------------------------- 1 | run "verify" { 2 | assert { 3 | condition = aws_s3_bucket.main.bucket == var.bucket_name 4 | error_message = "did not produce the correct bucket name" 5 | } 6 | 7 | assert { 8 | condition = 
aws_s3_bucket.main.tags["managed-by"] == "meshStack" 9 | error_message = "incorrect tag value for 'managed-by'" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/buildingblock/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "The AWS region" 3 | type = string 4 | default = "eu-central-1" 5 | } 6 | 7 | variable "bucket_name" { 8 | description = "The name of the S3 bucket" 9 | type = string 10 | } 11 | -------------------------------------------------------------------------------- /kit/aws/buildingblocks/s3_bucket/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = "~> 5.77.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /kit/aws/util/iam-user/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_iam_user" "user" { 2 | name = var.iam_user_name 3 | } 4 | 5 | resource "aws_iam_policy" "policy" { 6 | name = var.iam_user_name 7 | description = var.iam_policy_description 8 | policy = var.iam_policy_policy 9 | } 10 | 11 | resource "aws_iam_user_policy_attachment" "user-policy-attach" { 12 | user = aws_iam_user.user.name 13 | policy_arn = aws_iam_policy.policy.arn 14 | } 15 | 16 | // todo: this needs better handling with rotation 17 | resource "aws_iam_access_key" "key" { 18 | user = aws_iam_user.user.name 19 | } -------------------------------------------------------------------------------- /kit/aws/util/iam-user/outputs.tf: -------------------------------------------------------------------------------- 1 | output "iam_access_key_id" { 2 | value = aws_iam_access_key.key.id 3 | } 4 | 5 | output 
"iam_access_key_secret" { 6 | value = aws_iam_access_key.key.secret 7 | sensitive = true 8 | } 9 | -------------------------------------------------------------------------------- /kit/aws/util/iam-user/variables.tf: -------------------------------------------------------------------------------- 1 | variable "iam_user_name" { 2 | type = string 3 | } 4 | 5 | variable "iam_policy_description" { 6 | type = string 7 | } 8 | 9 | variable "iam_policy_policy" { 10 | type = string 11 | } 12 | 13 | -------------------------------------------------------------------------------- /kit/azure/aviatrix/documentation.tf: -------------------------------------------------------------------------------- 1 | output "documentation_md" { 2 | value = < This is currently a proof of concept and not yet in production. 8 | 9 | EOF 10 | } 11 | -------------------------------------------------------------------------------- /kit/azure/aviatrix/outputs.tf: -------------------------------------------------------------------------------- 1 | output "client_id" { 2 | value = azuread_service_principal.aviatrix_deploy.client_id 3 | } 4 | 5 | output "client_secret" { 6 | value = azuread_application_password.aviatrix_deploy.value 7 | sensitive = true 8 | } 9 | 10 | output "client_principal_id" { 11 | value = azuread_service_principal.aviatrix_deploy.id 12 | } 13 | 14 | output "aviatrix_service_principal" { 15 | value = azuread_application.aviatrix_deploy.display_name 16 | } 17 | -------------------------------------------------------------------------------- /kit/azure/aviatrix/variables.tf: -------------------------------------------------------------------------------- 1 | variable "parent_management_group" { 2 | type = string 3 | nullable = false 4 | description = "id of the tenant management group" 5 | } 6 | 7 | variable "service_principal_name" { 8 | type = string 9 | nullable = false 10 | default = "avaitrix_deploy_spn" 11 | description = "id of the tenant management group" 12 | } 13 | 14 | 
variable "allowed_user_group_id" { 15 | type = list(string) 16 | nullable = false 17 | description = "id of the authorized id which can do changes" 18 | } 19 | 20 | variable "location" { 21 | type = string 22 | description = "The Azure location used for creating policy assignments establishing this landing zone's guardrails." 23 | } 24 | -------------------------------------------------------------------------------- /kit/azure/aviatrix/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "~> 3.81.0" 8 | } 9 | 10 | azuread = { 11 | source = "hashicorp/azuread" 12 | version = "~> 2.46.0" 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /kit/azure/billing/outputs.tf: -------------------------------------------------------------------------------- 1 | output "billing_admins_azuread_group_id" { 2 | value = azuread_group.billing_admins.id 3 | } 4 | 5 | output "billing_readers_azuread_group_id" { 6 | value = azuread_group.billing_readers.id 7 | } 8 | -------------------------------------------------------------------------------- /kit/azure/billing/resources.alert.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_consumption_budget_management_group" "tenant_root_group" { 2 | name = var.budget_name 3 | management_group_id = var.scope 4 | 5 | amount = var.budget_amount 6 | time_grain = "Monthly" 7 | 8 | time_period { 9 | start_date = var.budget_time_period[0].start 10 | end_date = var.budget_time_period[0].end 11 | } 12 | 13 | notification { 14 | enabled = true 15 | threshold = 90.0 16 | operator = "EqualTo" 17 | 18 | contact_emails = var.contact_mails 19 | } 20 | 21 | notification { 22 | enabled = false 23 | threshold = 100.0 24 | operator = "GreaterThan" 25 | threshold_type = 
"Forecasted" 26 | 27 | contact_emails = var.contact_mails 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /kit/azure/billing/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "~> 3.71.0" 8 | } 9 | 10 | azuread = { 11 | source = "hashicorp/azuread" 12 | version = "~> 2.41.0" 13 | } 14 | } 15 | } 16 | 17 | -------------------------------------------------------------------------------- /kit/azure/bootstrap/outputs.tf: -------------------------------------------------------------------------------- 1 | output "platform_engineers_azuread_group_id" { 2 | value = azuread_group.platform_engineers.id 3 | } 4 | 5 | output "platform_engineers_azuread_group_displayname" { 6 | value = azuread_group.platform_engineers.display_name 7 | } 8 | 9 | output "platform_engineers_members" { 10 | value = var.platform_engineers_members[*].email 11 | } 12 | 13 | output "module_storage_account_resource_id" { 14 | value = module.terraform_state.storage_account_resource_id 15 | } 16 | 17 | output "parent_management_group" { 18 | value = data.azurerm_management_group.parent.name 19 | } 20 | 21 | output "documentation_uami_client_id" { 22 | value = length(azurerm_user_assigned_identity.docs) > 0 ? azurerm_user_assigned_identity.docs[0].client_id : null 23 | } 24 | 25 | output "validation_uami_client_id" { 26 | value = length(azurerm_user_assigned_identity.validation) > 0 ? 
azurerm_user_assigned_identity.validation[0].client_id : null 27 | } 28 | 29 | output "azurerm_key_vault" { 30 | value = azurerm_key_vault.key_vault 31 | } 32 | 33 | output "azurerm_key_vault_rg_name" { 34 | value = azurerm_resource_group.key_vault.name 35 | } 36 | -------------------------------------------------------------------------------- /kit/azure/bootstrap/resources.groups.tf: -------------------------------------------------------------------------------- 1 | data "azuread_users" "platform_engineers_members" { 2 | # unfortunately mail_nicknames attribute does not work on our AADs because we don't sync from on-premise 3 | # so we have to use user prinicpal names for lookups 4 | user_principal_names = var.platform_engineers_members[*].upn 5 | } 6 | 7 | resource "azuread_group" "platform_engineers" { 8 | display_name = var.platform_engineers_group 9 | description = "Privileged Cloud Foundation group. Members have full access to deploy cloud foundation infrastructure and landing zones." 
10 | security_enabled = true 11 | owners = [data.azuread_client_config.current.object_id] 12 | members = toset(data.azuread_users.platform_engineers_members.object_ids) 13 | } 14 | -------------------------------------------------------------------------------- /kit/azure/bootstrap/resources.key-vault.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | 3 | resource "azurerm_resource_group" "key_vault" { 4 | name = var.key_vault.resource_group_name 5 | location = var.terraform_state_storage.location 6 | } 7 | 8 | resource "azurerm_key_vault" "key_vault" { 9 | name = var.key_vault.name 10 | location = var.terraform_state_storage.location 11 | resource_group_name = azurerm_resource_group.key_vault.name 12 | tenant_id = data.azurerm_client_config.current.tenant_id 13 | sku_name = "standard" 14 | soft_delete_retention_days = 7 15 | purge_protection_enabled = true 16 | enable_rbac_authorization = true 17 | } 18 | 19 | data "azurerm_role_definition" "keyvault" { 20 | name = "Key Vault Administrator" 21 | } 22 | 23 | resource "azurerm_role_assignment" "cloudfoundation_tfdeploy" { 24 | principal_id = azuread_group.platform_engineers.id 25 | scope = azurerm_key_vault.key_vault.id 26 | role_definition_name = data.azurerm_role_definition.keyvault.name 27 | } -------------------------------------------------------------------------------- /kit/azure/bootstrap/terraform-state/outputs.tf: -------------------------------------------------------------------------------- 1 | output "container_id" { 2 | description = "Resource manager id of the blob container for storing terraform states" 3 | value = azurerm_storage_container.tfstates.resource_manager_id 4 | } 5 | 6 | output "resource_group_name" { 7 | value = azurerm_resource_group.tfstates.name 8 | } 9 | 10 | output "storage_account_resource_id" { 11 | value = azurerm_storage_account.tfstates.id 12 | } 13 | 14 | output "storage_account_name" { 15 | 
value = azurerm_storage_account.tfstates.name 16 | } 17 | 18 | output "container_name" { 19 | value = azurerm_storage_container.tfstates.name 20 | } 21 | 22 | output "location" { 23 | value = azurerm_resource_group.tfstates.location 24 | } -------------------------------------------------------------------------------- /kit/azure/bootstrap/terraform-state/variables.tf: -------------------------------------------------------------------------------- 1 | variable "location" { 2 | type = string 3 | nullable = false 4 | description = "Azure location for deploying the storage account" 5 | } 6 | 7 | variable "terraform_state_config_file_path" { 8 | type = string 9 | nullable = false 10 | description = "tfstate-config file for running the bootstrap" 11 | } 12 | 13 | variable "cloudfoundation" { 14 | type = string 15 | nullable = false 16 | description = "cloudfoundation name to infer resource group for the statefiles" 17 | } 18 | 19 | variable "resource_group_name" { 20 | type = string 21 | nullable = true 22 | description = "explicitly override default resource_group_name (useful for migrating from legacy versions of this kit module)" 23 | } 24 | -------------------------------------------------------------------------------- /kit/azure/bootstrap/terraform-state/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "3.116.0" 8 | } 9 | 10 | random = { 11 | source = "hashicorp/random" 12 | version = "3.6.0" 13 | } 14 | 15 | local = { 16 | source = "hashicorp/local" 17 | version = "2.5.1" 18 | } 19 | } 20 | } 21 | 22 | -------------------------------------------------------------------------------- /kit/azure/bootstrap/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | 
azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "3.116.0" 8 | } 9 | 10 | azuread = { 11 | source = "hashicorp/azuread" 12 | version = "2.53.1" 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/automation/documentation.tf: -------------------------------------------------------------------------------- 1 | output "documentation_md" { 2 | value = <", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy.permissions[0].actions))} | 15 | 16 | EOF 17 | description = "Markdown documentation with information about the Key Vault Building Block building block backplane" 18 | } 19 | 20 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/key-vault/backplane/outputs.tf: -------------------------------------------------------------------------------- 1 | output "role_definition_id" { 2 | value = azurerm_role_definition.buildingblock_deploy.id 3 | description = "The ID of the role definition that enables deployment of the building block to subscriptions." 4 | } 5 | 6 | output "role_definition_name" { 7 | value = azurerm_role_definition.buildingblock_deploy.name 8 | description = "The name of the role definition that enables deployment of the building block to subscriptions." 9 | } 10 | 11 | output "role_assignment_ids" { 12 | value = [for id in azurerm_role_assignment.buildingblock_deploy : id.id] 13 | description = "The IDs of the role assignments for the service principals." 14 | } 15 | 16 | output "role_assignment_principal_ids" { 17 | value = [for id in azurerm_role_assignment.buildingblock_deploy : id.principal_id] 18 | description = "The principal IDs of the service principals that have been assigned the role." 19 | } 20 | 21 | output "scope" { 22 | value = var.scope 23 | description = "The scope where the role definition and role assignments are applied." 
24 | } 25 | 26 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/key-vault/backplane/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name" { 2 | type = string 3 | nullable = false 4 | default = "key-vault" 5 | description = "name of the building block, used for naming resources" 6 | validation { 7 | condition = can(regex("^[-a-z0-9]+$", var.name)) 8 | error_message = "Only alphanumeric lowercase characters and dashes are allowed" 9 | } 10 | } 11 | 12 | variable "scope" { 13 | type = string 14 | nullable = false 15 | description = "Scope where the building block should be deployable, typically the parent of all Landing Zones." 16 | } 17 | 18 | variable "principal_ids" { 19 | type = set(string) 20 | nullable = false 21 | description = "set of principal ids that will be granted permissions to deploy the building block" 22 | } 23 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/key-vault/backplane/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "3.116.0" 8 | } 9 | azuread = { 10 | source = "hashicorp/azuread" 11 | version = "3.1.0" 12 | } 13 | } 14 | } 15 | 16 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/key-vault/buildingblock/outputs.tf: -------------------------------------------------------------------------------- 1 | output "key_vault_id" { 2 | value = azurerm_key_vault.key_vault.id 3 | } 4 | 5 | output "key_vault_name" { 6 | value = azurerm_key_vault.key_vault.name 7 | } 8 | 9 | output "key_vault_resource_group" { 10 | value = azurerm_resource_group.key_vault.name 11 | } 12 | 
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/key-vault/buildingblock/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | azurerm = { 4 | source = "hashicorp/azurerm" 5 | version = "4.18.0" 6 | } 7 | azuread = { 8 | source = "hashicorp/azuread" 9 | version = "3.1.0" 10 | } 11 | random = { 12 | source = "hashicorp/random" 13 | version = "3.6.3" 14 | } 15 | } 16 | } 17 | 18 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/key-vault/buildingblock/variables.tf: -------------------------------------------------------------------------------- 1 | variable "key_vault_name" { 2 | type = string 3 | nullable = false 4 | description = "The name of the key vault." 5 | } 6 | 7 | variable "key_vault_resource_group_name" { 8 | type = string 9 | nullable = false 10 | description = "The name of the resource group containing the key vault." 11 | } 12 | 13 | variable "location" { 14 | type = string 15 | description = "The location/region where the key vault is created." 
16 | } 17 | 18 | variable "subscription_id" { 19 | type = string 20 | } 21 | 22 | variable "users" { 23 | type = list(object( 24 | { 25 | meshIdentifier = string 26 | username = string 27 | firstName = string 28 | lastName = string 29 | email = string 30 | euid = string 31 | roles = list(string) 32 | } 33 | )) 34 | description = "Users and their roles provided by meshStack (Note that users must exist in stackit)" 35 | } 36 | 37 | variable "public_network_access_enabled" { 38 | type = bool 39 | default = false 40 | } 41 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql-database/buildingblock/main.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_postgresql_database" "example" { 2 | name = var.database_name 3 | resource_group_name = var.resource_group_name 4 | server_name = var.server_name 5 | charset = var.charset 6 | collation = var.collation 7 | 8 | lifecycle { 9 | prevent_destroy = true 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql-database/buildingblock/outputs.tf: -------------------------------------------------------------------------------- 1 | output "database_name" { 2 | description = "The name of the created PostgreSQL database" 3 | value = azurerm_postgresql_database.example.name 4 | } 5 | 6 | output "database_id" { 7 | description = "The ID of the created PostgreSQL database" 8 | value = azurerm_postgresql_database.example.id 9 | } 10 | 11 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql-database/buildingblock/variables.tf: -------------------------------------------------------------------------------- 1 | variable "subscription_id" { 2 | description = "the Azure subscription id" 3 | type = string 4 | } 5 | 6 | variable "database_name" { 7 | description = "The name of 
the PostgreSQL database" 8 | type = string 9 | } 10 | 11 | variable "resource_group_name" { 12 | description = "The name of the resource group where the database will be created" 13 | type = string 14 | } 15 | 16 | variable "server_name" { 17 | description = "The name of the PostgreSQL server" 18 | type = string 19 | } 20 | 21 | variable "charset" { 22 | description = "Character set for the database" 23 | type = string 24 | default = "UTF8" 25 | } 26 | 27 | variable "collation" { 28 | description = "Collation for the database" 29 | type = string 30 | default = "English_United States.1252" 31 | } 32 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql-database/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.5.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "4.22.0" 8 | } 9 | } 10 | } 11 | 12 | # provider "azurerm" { 13 | # features {} 14 | # } 15 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql/backplane/documentation.tf: -------------------------------------------------------------------------------- 1 | output "documentation_md" { 2 | value = <", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy.permissions[0].actions))} | 15 | 16 | EOF 17 | description = "Markdown documentation with information about the Key Vault Building Block building block backplane" 18 | } 19 | 20 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql/backplane/main.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_role_definition" "buildingblock_deploy" { 2 | name = "${var.name}-deploy" 3 | description = "Enables deployment of the ${var.name} building block to 
subscriptions" 4 | scope = var.scope 5 | permissions { 6 | actions = [ 7 | "Microsoft.DBforPostgreSQL/servers/write", 8 | "Microsoft.DBforPostgreSQL/servers/read", 9 | "Microsoft.DBforPostgreSQL/servers/delete", 10 | "Microsoft.DBforPostgreSQL/servers/firewallRules/read", 11 | "Microsoft.DBforPostgreSQL/servers/firewallRules/write", 12 | "Microsoft.DBforPostgreSQL/servers/databases/read", 13 | "Microsoft.DBforPostgreSQL/servers/databases/write" 14 | ] 15 | } 16 | } 17 | 18 | resource "azurerm_role_assignment" "buildingblock_deploy" { 19 | for_each = var.principal_ids 20 | 21 | role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id 22 | principal_id = each.value 23 | scope = var.scope 24 | } 25 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql/backplane/outputs.tf: -------------------------------------------------------------------------------- 1 | output "role_definition_id" { 2 | value = azurerm_role_definition.buildingblock_deploy.id 3 | description = "The ID of the role definition that enables deployment of the building block to subscriptions." 4 | } 5 | 6 | output "role_definition_name" { 7 | value = azurerm_role_definition.buildingblock_deploy.name 8 | description = "The name of the role definition that enables deployment of the building block to subscriptions." 9 | } 10 | 11 | output "role_assignment_ids" { 12 | value = [for id in azurerm_role_assignment.buildingblock_deploy : id.id] 13 | description = "The IDs of the role assignments for the service principals." 14 | } 15 | 16 | output "role_assignment_principal_ids" { 17 | value = [for id in azurerm_role_assignment.buildingblock_deploy : id.principal_id] 18 | description = "The principal IDs of the service principals that have been assigned the role." 19 | } 20 | 21 | output "scope" { 22 | value = var.scope 23 | description = "The scope where the role definition and role assignments are applied." 
24 | } 25 | 26 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql/backplane/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name" { 2 | type = string 3 | nullable = false 4 | default = "postgresql" 5 | } 6 | 7 | variable "scope" { 8 | type = string 9 | nullable = false 10 | description = "Scope where the building block should be deployable, typically the parent of all Landing Zones." 11 | } 12 | 13 | variable "principal_ids" { 14 | type = set(string) 15 | nullable = false 16 | description = "set of principal ids that will be granted permissions to deploy the building block" 17 | } 18 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql/backplane/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "3.116.0" 8 | } 9 | azuread = { 10 | source = "hashicorp/azuread" 11 | version = "3.1.0" 12 | } 13 | } 14 | } 15 | 16 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql/buildingblock/outputs.tf: -------------------------------------------------------------------------------- 1 | output "postgresql_server_name" { 2 | description = "The name of the PostgreSQL server" 3 | value = azurerm_postgresql_server.example.name 4 | } 5 | 6 | output "postgresql_fqdn" { 7 | description = "The fully qualified domain name of the PostgreSQL server" 8 | value = azurerm_postgresql_server.example.fqdn 9 | } 10 | 11 | output "postgresql_admin_username" { 12 | description = "The administrator username for PostgreSQL" 13 | value = azurerm_postgresql_server.example.administrator_login 14 | } 15 | 16 | output "postgresql_version" { 17 | description = "The 
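PostgreSQL version"
  value       = azurerm_postgresql_server.example.version
}

# Marked sensitive so the value is redacted in plan/apply output. `sensitive` does not encrypt
# anything: the generated password is still written in plaintext to this module's state file,
# so whatever backend holds that state has to be treated as a secret store.
output "psql_admin_password" {
  description = "The administrator password for PostgreSQL"
  value       = random_password.psql_admin_password.result
  sensitive   = true
}

output "resource_group_name" {
  description = "The name of the resource group in which the PostgreSQL database is created"
  value       = azurerm_resource_group.example.name
}
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/postgresql/buildingblock/versions.tf: --------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.22.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.7.1"
    }
  }
}

# provider "azurerm" {
#   features {}
# }
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/backplane/resources.bbtfstate.tf: --------------------------------------------------------------------------------
# Short random suffix so the globally unique storage account name does not collide.
resource "random_string" "resource_code" {
  length  = 5
  special = false
  upper   = false
}

resource "azurerm_resource_group" "tfstates" {
  name     = "starterkit-buildingblock-tfstates"
  location = var.location
}

# Holds the terraform state of deployed building blocks. State files can contain secrets in
# plaintext, so who can read or modify this account is security-relevant.
resource "azurerm_storage_account" "tfstates" {
  name                     = "tfstates${random_string.resource_code.result}"
  resource_group_name      = azurerm_resource_group.tfstates.name
  location                 = azurerm_resource_group.tfstates.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # With shared keys disabled, requests must authenticate with Microsoft Entra ID (RBAC); there is
  # no account-wide key that could leak or would need rotation.
  shared_access_key_enabled = false
  # NOTE(review): blob versioning / soft delete (recovery from a corrupted or deleted state file)
  # and a restriction of public network access are not configured here; consider adding them.
}

resource "azurerm_storage_container" "tfstates" {
  name                 = "tfstates"
  storage_account_name = azurerm_storage_account.tfstates.name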
container_access_type = "private" 25 | } 26 | 27 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/backplane/resources.github.tf: -------------------------------------------------------------------------------- 1 | resource "github_repository" "staticwebsite_template" { 2 | name = "starterkit-template-azure-static-website" 3 | is_template = true 4 | } 5 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/backplane/variables.tf: -------------------------------------------------------------------------------- 1 | variable "location" { 2 | type = string 3 | nullable = false 4 | description = "Azure location for deploying the building block terraform state storage account" 5 | } 6 | 7 | variable "scope" { 8 | type = string 9 | nullable = false 10 | description = "Scope where the building block should be deployable, typically a Sandbox Landing Zone Management Group" 11 | } 12 | 13 | # unfortunately we can't set up the app via terraform right now, so we need to manually set this up 14 | # outside of terraform an inject result as vars 15 | 16 | variable "github_app_id" { 17 | type = number 18 | description = "id of your GitHub App" 19 | } 20 | 21 | variable "github_app_installation_id" { 22 | type = number 23 | description = "id of your GitHub App installation as it appears in URLs on GitHub.com" 24 | } 25 | 26 | variable "github_org" { 27 | type = string 28 | description = "id of your GitHub organization as it appears in URLs on GitHub.com" 29 | } -------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/backplane/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "3.116.0" 8 | } 9 | 10 | azuread 
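= {
      source  = "hashicorp/azuread"
      version = "3.0.2"
    }

    github = {
      source  = "integrations/github"
      version = "5.42.0"
    }

    random = {
      source  = "hashicorp/random"
      version = "3.6.0"
    }

    time = {
      source  = "hashicorp/time"
      version = "0.11.1"
    }
  }
}

-------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/buildingblock/.gitignore: --------------------------------------------------------------------------------
# ignore local files that allow connecting the local terraform environment to this building block's backend and providers
config.tf
*.private-key.pem
terraform.tfvars

# todo: ideally this ought to be committed & locked to the runners OS (linux) but we currently don't have the process in place
# to ensure this when running from a different development environment (e.g. macOS), so we leave it out for now
# NOTE(review): without a committed lock file, provider artifacts are not checked against recorded hashes on each run;
# the exact version pins in versions.tf narrow the exposure but do not replace that integrity check.
.terraform.lock.hcl
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/buildingblock/outputs.tf: --------------------------------------------------------------------------------
output "repository_html_url" {
  value = github_repository.repository.html_url
}
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/buildingblock/variables.tf: --------------------------------------------------------------------------------
variable "repo_name" {
  type = string
  # This text was previously assigned to `default`, which made the literal string the fallback
  # repository name whenever a caller omitted repo_name. It is the description; the name is required.
  description = "name of the created repository"
}

variable "visibility" {
  type    = string
  default = "private"
}

variable "template_owner" {
  type = string
}

variable "template_repo" {
  type = string
}

variable "workspace_identifier" {
  type = string
}

variable "project_identifier" {
  type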
= string 25 | } 26 | 27 | # this variable is supposed to be used by an injected config.tf file for configuring the azurerm provider 28 | # tflint-ignore: terraform_unused_declarations 29 | variable "subscription_id" { 30 | type = string 31 | description = "the subscription id to which this building block shall be deployed" 32 | } 33 | 34 | variable "location" { 35 | type = string 36 | default = "westeurope" 37 | } 38 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/starterkit/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | github = { 6 | source = "integrations/github" 7 | version = "5.42.0" 8 | } 9 | 10 | azurerm = { 11 | source = "hashicorp/azurerm" 12 | version = "3.116.0" 13 | } 14 | 15 | azuread = { 16 | source = "hashicorp/azuread" 17 | version = "3.0.2" 18 | } 19 | 20 | random = { 21 | source = "hashicorp/random" 22 | version = "3.6.0" 23 | } 24 | } 25 | } 26 | 27 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/subscription/backplane/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name" { 2 | type = string 3 | nullable = false 4 | default = "budget-alert" 5 | description = "name of the building block, used for naming resources" 6 | validation { 7 | condition = can(regex("^[-a-z0-9]+$", var.name)) 8 | error_message = "Only alphanumeric lowercase characters and dashes are allowed" 9 | } 10 | } 11 | 12 | variable "scope" { 13 | type = string 14 | nullable = false 15 | description = "Scope where the building block should be deployable, typically the parent of all Landing Zones." 
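}

variable "principal_ids" {
  type        = set(string)
  nullable    = false
  description = "set of principal ids that will be granted permissions to deploy the building block"
}
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/subscription/backplane/versions.tf: --------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.116.0"
    }
  }
}
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/subscription/buildingblock/main.tf: --------------------------------------------------------------------------------
data "azurerm_subscription" "current" {
}

# workaround for https://github.com/hashicorp/terraform-provider-azurerm/issues/23014
# NOTE(review): the provisioner runs on create only and no triggers_replace is set, so a later
# change to var.subscription_name is not applied by this resource.
resource "terraform_data" "subscription_name" {
  provisioner "local-exec" {
    when = create
    # var.subscription_name is caller-supplied and is interpolated into a shell command line.
    # Single-quote it (escaping embedded quotes) so spaces or shell metacharacters in the display
    # name cannot break or alter the command; assumes the provisioner's default POSIX shell on the
    # Linux runners. The --id value is a GUID read from the data source.
    command = "az account subscription rename --id ${data.azurerm_subscription.current.subscription_id} --name '${replace(var.subscription_name, "'", "'\\''")}'"
  }
}


// control placement in the LZ hierarchy
// NOTE(review): var.parent_management_group is passed through as management_group_id unchanged. The
// variable's description says it is looked up dynamically from Azure, but no lookup is visible in
// this module — confirm callers pass the value in the format this attribute expects.
resource "azurerm_management_group_subscription_association" "lz" {
  management_group_id = var.parent_management_group
  subscription_id     = data.azurerm_subscription.current.id
}
-------------------------------------------------------------------------------- /kit/azure/buildingblocks/subscription/buildingblock/variables.tf: --------------------------------------------------------------------------------
variable "subscription_name" {
  type        = string
  description = "Display name for the subscription."
  nullable    = false
}

variable "parent_management_group" {
  description = "Name or GUID of the parent management group. This will be looked up dynamically from Azure."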
8 | nullable = false 9 | } 10 | -------------------------------------------------------------------------------- /kit/azure/buildingblocks/subscription/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "~> 3.116.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /kit/azure/landingzones/cloud-native/main.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_management_group" "cloudnative" { 2 | display_name = var.name 3 | parent_management_group_id = var.parent_management_group_id 4 | } 5 | 6 | resource "azurerm_management_group" "dev" { 7 | display_name = "${var.name}-dev" 8 | parent_management_group_id = azurerm_management_group.cloudnative.id 9 | 10 | lifecycle { 11 | ignore_changes = [subscription_ids] 12 | } 13 | } 14 | 15 | resource "azurerm_management_group" "prod" { 16 | display_name = "${var.name}-prod" 17 | parent_management_group_id = azurerm_management_group.cloudnative.id 18 | 19 | lifecycle { 20 | ignore_changes = [subscription_ids] 21 | } 22 | } -------------------------------------------------------------------------------- /kit/azure/landingzones/cloud-native/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/kit/azure/landingzones/cloud-native/outputs.tf -------------------------------------------------------------------------------- /kit/azure/landingzones/cloud-native/template/platform-module/terragrunt.hcl: -------------------------------------------------------------------------------- 1 | include "platform" { 2 | path = find_in_parent_folders("platform.hcl") 3 | expose = true 4 | } 5 | 6 | dependency 
"bootstrap" { 7 | config_path = "${path_relative_from_include()}/bootstrap" 8 | } 9 | 10 | dependency "organization-hierarchy" { 11 | config_path = "${path_relative_from_include()}/organization-hierarchy" 12 | } 13 | 14 | terraform { 15 | source = "${get_repo_root()}//kit/azure/landingzones/cloud-native" 16 | } 17 | 18 | generate "provider" { 19 | path = "provider.tf" 20 | if_exists = "overwrite" 21 | contents = <", g.members)} | ${g.description} |"])} 13 | EOF 14 | } 15 | -------------------------------------------------------------------------------- /kit/azure/pam/main.tf: -------------------------------------------------------------------------------- 1 | data "azuread_client_config" "current" {} 2 | 3 | data "azurerm_subscription" "current" {} 4 | 5 | # We have to do some pre-processing here in order to produce nice documentation. 6 | 7 | # fetch data about all actual PAM groups 8 | data "azuread_group" "pam_groups" { 9 | for_each = toset(var.pam_group_object_ids) 10 | 11 | object_id = each.key 12 | security_enabled = true 13 | } 14 | 15 | # fetch the actual members of those groups 16 | data "azuread_user" "pam_users" { 17 | for_each = toset(flatten([for g in data.azuread_group.pam_groups : g.members])) 18 | 19 | object_id = each.key 20 | } 21 | 22 | locals { 23 | # build map of of member object_ids to a "readable" format, e.g. 
using the mail attribute 24 | groups = [ 25 | for g in data.azuread_group.pam_groups : { 26 | display_name = g.display_name 27 | description = g.description 28 | members = [for m in g.members : data.azuread_user.pam_users[m].mail] 29 | } 30 | ] 31 | } -------------------------------------------------------------------------------- /kit/azure/pam/variables.tf: -------------------------------------------------------------------------------- 1 | variable "pam_group_object_ids" { 2 | description = "the object_ids of PAM groups used by the cloud foundation" 3 | type = list(string) 4 | } 5 | 6 | variable "pam_group_members" { 7 | description = "Optional: manage members for cloud foundation PAM groups via terraform" 8 | type = list(object({ 9 | group_object_id = string 10 | 11 | # other attributes would be possible (e.g. UPN or mail_nickname) with small changes to the terraform module 12 | members_by_mail = list(string) 13 | })) 14 | } 15 | -------------------------------------------------------------------------------- /kit/azure/pam/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "~> 3.71.0" 8 | } 9 | 10 | azuread = { 11 | source = "hashicorp/azuread" 12 | version = "~> 2.41.0" 13 | } 14 | } 15 | } 16 | 17 | -------------------------------------------------------------------------------- /kit/azure/tenants/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Azure Tenant (subscription) 3 | summary: | 4 | deploying a subscription to a landingzone 5 | compliance: 6 | - control: cfmm/cloud-native-landing-zone 7 | statement: | 8 | A dedicated landing zone optimized for cloud-native workloads enables quick 9 | onboarding and efficient operations. 
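---

# Azure Tenant
-------------------------------------------------------------------------------- /kit/azure/tenants/subscription/main.tf: --------------------------------------------------------------------------------
data "azurerm_subscription" "current" {
}

// set the subscription display name
// NOTE(review): this resource adopts the already existing subscription by id and manages its
// lifecycle from then on; confirm how a destroy of this module is expected to behave (the azurerm
// provider has a feature flag to prevent cancellation on destroy) or guard it with prevent_destroy.
resource "azurerm_subscription" "this" {
  subscription_id   = data.azurerm_subscription.current.subscription_id
  subscription_name = var.subscription_name
}

// Select the parent management group.
// We simply put in a data reference lookup here instead of using a terragrunt dependency since this is faster to
// execute (no tf state lookup to fetch the output), less complexity (less code to get the same value).
// Also tenants are arguably a different "level" of deployments separate from core infrastructure
data "azurerm_management_group" "lz" {
  display_name = var.parent_management_group
}

// control placement in the LZ hierarchy
resource "azurerm_management_group_subscription_association" "lz" {
  management_group_id = data.azurerm_management_group.lz.id
  subscription_id     = data.azurerm_subscription.current.id
}
-------------------------------------------------------------------------------- /kit/azure/tenants/subscription/outputs.tf: --------------------------------------------------------------------------------
# The misspelled output name is kept as-is: renaming it would break consumers referencing this output.
output "landingzone_managment_group" {
  value       = var.parent_management_group
  description = "The display name of the parent management group where the subscription exists"
}

# The description previously duplicated the management group text above; this output carries the
# subscription display name.
output "subscription_name" {
  value       = var.subscription_name
  description = "The display name of the subscription"
}
-------------------------------------------------------------------------------- /kit/azure/tenants/subscription/variables.tf: --------------------------------------------------------------------------------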
variable "subscription_name" { 2 | description = "Display name for the subscription." 3 | nullable = false 4 | } 5 | 6 | variable "parent_management_group" { 7 | description = "Display name of the parent management group. This will be looked up dynamically from Azure." 8 | nullable = false 9 | } 10 | -------------------------------------------------------------------------------- /kit/azure/tenants/subscription/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "~> 3.71.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /kit/azure/tenants/tenant-example-network/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Azure Tenant Example with Network 3 | summary: | 4 | Example Tenant 5 | compliance: 6 | - control: cfmm/cloud-native-landing-zone 7 | statement: | 8 | A dedicated landing zone optimized for cloud-native workloads enables quick 9 | onboarding and efficient operations. 10 | --- 11 | 12 | # Azure Tenant Example 13 | 14 | 15 | -------------------------------------------------------------------------------- /kit/azure/tenants/tenant-example/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Azure Tenant Example 3 | summary: | 4 | Example Tenant 5 | compliance: 6 | - control: cfmm/cloud-native-landing-zone 7 | statement: | 8 | A dedicated landing zone optimized for cloud-native workloads enables quick 9 | onboarding and efficient operations. 
10 | --- 11 | 12 | # Azure Tenant Example 13 | 14 | 15 | -------------------------------------------------------------------------------- /kit/azure/tenants/tenant-example/template/platform-module/documentation.tf: -------------------------------------------------------------------------------- 1 | output "documentation_md" { 2 | value = < merge(user, { login = split("@", user.email)[0] }) } 4 | ) 5 | } 6 | resource "random_password" "user_passwords" { 7 | for_each = local.processed_users 8 | length = 16 9 | special = true 10 | override_special = "!@#$%^&*()-_=+[]{}<>?/" 11 | } 12 | 13 | resource "ovh_me_identity_user" "platform_users" { 14 | for_each = local.processed_users 15 | description = "likvid ovh platform users" 16 | email = each.value.email 17 | group = "ADMIN" 18 | login = "${each.value.login}-admin" 19 | password = random_password.user_passwords[each.key].result 20 | } 21 | -------------------------------------------------------------------------------- /kit/ovh/bootstrap/outputs.tf: -------------------------------------------------------------------------------- 1 | output "user_passwords" { 2 | value = { for k, v in random_password.user_passwords : k => v.result } 3 | sensitive = true 4 | } 5 | 6 | output "platform_users" { 7 | value = { for k, v in ovh_me_identity_user.platform_users : k => v.login } 8 | } 9 | -------------------------------------------------------------------------------- /kit/ovh/bootstrap/variables.tf: -------------------------------------------------------------------------------- 1 | variable "platform_admins" { 2 | type = list(object({ 3 | email = string 4 | })) 5 | } 6 | -------------------------------------------------------------------------------- /kit/ovh/bootstrap/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | ovh = { 4 | source = "ovh/ovh" 5 | version = "1.5.0" 6 | } 7 | 8 | random = { 9 | source = "hashicorp/random" 10 | version 
= "3.6.0" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /kit/ovh/buildingblocks/projects/buildingblock/outputs.tf: -------------------------------------------------------------------------------- 1 | output "tenant_id" { 2 | value = ovh_cloud_project.cloud_project.urn 3 | } 4 | 5 | output "ovh_login_link" { 6 | value = "https://www.ovh.com/manager/#/public-cloud/pci/projects/${ovh_cloud_project.cloud_project.id}" 7 | } 8 | -------------------------------------------------------------------------------- /kit/ovh/buildingblocks/projects/buildingblock/variables.tf: -------------------------------------------------------------------------------- 1 | variable "workspace_id" { 2 | type = string 3 | description = "Projects first block in name" 4 | } 5 | 6 | variable "project_id" { 7 | type = string 8 | description = "Projects last block in name" 9 | } 10 | 11 | variable "aws_account_id" { 12 | description = "this is for the tfstates Backend. in our case AWS." 13 | type = string 14 | } 15 | 16 | variable "users" { 17 | type = list(object( 18 | { 19 | meshIdentifier = string 20 | username = string 21 | firstName = string 22 | lastName = string 23 | email = string 24 | euid = string 25 | roles = list(string) 26 | } 27 | )) 28 | description = "Users and their roles provided by meshStack (Note that users must exist in stackit)" 29 | } 30 | -------------------------------------------------------------------------------- /kit/ovh/buildingblocks/projects/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | ovh = { 4 | source = "ovh/ovh" 5 | version = "1.5.0" 6 | } 7 | aws = { 8 | source = "hashicorp/aws" 9 | version = "5.65.0" 10 | } 11 | } 12 | } 13 | 14 | 15 | 16 | provider "ovh" { 17 | endpoint = "ovh-eu" 18 | } 19 | 20 | #TODO: we are using AWS as our Terraform backend. Its up to you where your TF state will hosted. 
21 | terraform { 22 | backend "s3" { 23 | bucket = "buildingblocks-tfstates-p32kj" 24 | key = "terraform/ovh-project" 25 | region = "eu-central-1" 26 | } 27 | } 28 | 29 | provider "aws" { 30 | region = "eu-central-1" 31 | 32 | assume_role { 33 | role_arn = "arn:aws:iam::${var.aws_account_id}:role/LikvidBuildingBlockServiceRole" # Must match what's configured in automation backend 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /kit/ovh/buildingblocks/projects_users/buildingblock/outputs.tf: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /kit/ovh/buildingblocks/projects_users/buildingblock/variables.tf: -------------------------------------------------------------------------------- 1 | variable "aws_account_id" { 2 | description = "this is for the tfstates Backend. in our case AWS." 3 | type = string 4 | } 5 | 6 | variable "users" { 7 | type = list(object( 8 | { 9 | meshIdentifier = string 10 | username = string 11 | firstName = string 12 | lastName = string 13 | email = string 14 | euid = string 15 | roles = list(string) 16 | } 17 | )) 18 | description = "Users and their roles provided by meshStack (Note that users must exist in stackit)" 19 | } 20 | -------------------------------------------------------------------------------- /kit/ovh/buildingblocks/projects_users/buildingblock/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | ovh = { 4 | source = "ovh/ovh" 5 | version = "1.5.0" 6 | } 7 | aws = { 8 | source = "hashicorp/aws" 9 | version = "5.65.0" 10 | } 11 | 12 | random = { 13 | source = "hashicorp/random" 14 | version = "3.6.0" 15 | } 16 | } 17 | } 18 | 19 | provider "ovh" { 20 | endpoint = "ovh-eu" 21 | } 22 | 23 | #TODO: we are using AWS as our Terraform backend. 
Its up to you where your TF state will hosted. 24 | terraform { 25 | backend "s3" { 26 | bucket = "buildingblocks-tfstates-p32kj" 27 | key = "terraform/ovh-project-users" 28 | region = "eu-central-1" 29 | } 30 | } 31 | 32 | provider "aws" { 33 | region = "eu-central-1" 34 | 35 | assume_role { 36 | role_arn = "arn:aws:iam::${var.aws_account_id}:role/LikvidBuildingBlockServiceRole" # Must match what's configured in automation backend 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /kit/sap-btp/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/meshcloud/collie-hub/d85e5dc0a4719c07265ae794c5ac03448b657b96/kit/sap-btp/icon.png -------------------------------------------------------------------------------- /kit/sap-btp/subaccount/main.tf: -------------------------------------------------------------------------------- 1 | resource "btp_subaccount" "subaccount" { 2 | name = "sa-${var.workspace}-${var.project}" 3 | subdomain = "sd-${var.workspace}-${var.project}" 4 | region = var.region 5 | } 6 | -------------------------------------------------------------------------------- /kit/sap-btp/subaccount/outputs.tf: -------------------------------------------------------------------------------- 1 | output "btp_subaccount_id" { 2 | value = btp_subaccount.subaccount.id 3 | } 4 | 5 | output "btp_subaccount_region" { 6 | value = btp_subaccount.subaccount.region 7 | } 8 | 9 | output "btp_subaccount_name" { 10 | value = btp_subaccount.subaccount.name 11 | } 12 | -------------------------------------------------------------------------------- /kit/sap-btp/subaccount/provider.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | btp = { 4 | source = "SAP/btp" 5 | version = "0.6.0-beta2" 6 | } 7 | } 8 | } 9 | 10 | provider "btp" { 11 | globalaccount = var.globalaccount 12 | # username: 
use BTP_USERNAME environment variable 13 | # password: use BTP_PASSWORD environment variable 14 | } 15 | -------------------------------------------------------------------------------- /kit/sap-btp/subaccount/variables.tf: -------------------------------------------------------------------------------- 1 | variable "globalaccount" { 2 | type = string 3 | description = "The subdomain of the global account in which you want to manage resources." 4 | } 5 | 6 | variable "region" { 7 | type = string 8 | description = "The region of the subaccount." 9 | } 10 | 11 | variable "workspace" { 12 | type = string 13 | description = "The meshStack workspace identifier." 14 | } 15 | 16 | variable "project" { 17 | type = string 18 | description = "The meshStack project identifier." 19 | } -------------------------------------------------------------------------------- /kit/stackit/bootstrap/documentation.tf: -------------------------------------------------------------------------------- 1 | output "documentation_md" { 2 | value = <