The open source launchpad provides the base GitOps capabilities required to enable your infrastructure-as-code environment on Azure to deploy the Cloud Adoption Framework Terraform landing zones. It is a foundational set of services, from a security, governance and provisioning perspective, that takes ownership of the lifecycle management of your landing zones. Apart from the Azure running costs, the open source launchpad does not require a specific license to run. The project is supported by the open source community and you can file issues to request new features or report a defect.
The following components are deployed by the open source launchpad:
The main objectives of the launchpad are:
- Remote state management
- GitOps services to control everything through git
Please follow the manual procedure linked here before running launchpad_opensource.
To support the feature set of the open source launchpad you need:
| Access context | Required privileges |
|---|---|
| Azure Active Directory | Global admin role, needed to grant application permissions consent (see below) |
| Subscription | Owner role |
| Azure DevOps | Administrator (organization) |
The initial user requires the following Azure Active Directory roles:
- Application Administrator - Create Azure AD application and service principals, grant admin consent.
- User Administrator - Create Azure AD group, add users to group.
- Guest Inviter - Create guest users.
The CAF landing zone framework follows a hierarchy of agent pools designed to progressively reduce privileges.
Create an agent pool to host the Azure self-hosted agent created by the landing zone. This self-hosted agent is responsible for deploying the landing zones and for connecting to the private interface of the Azure services in order to deploy and configure the application using an Azure DevOps pipeline.
To access the Azure DevOps service, the Azure DevOps container running on the self-hosted agent virtual machine needs to authenticate to the Azure DevOps service using a Personal Access Token (PAT).
The PAT requires the "Read & Manage" scope on Agent Pools.
Permission requirements and details of the security credentials used are described in the following document.
The open source launchpad has been tested on:
- MSDN Subscriptions
- Enterprise Agreement
Note: if you deploy into an Azure subscription created outside an Enterprise Agreement, you will not be able to use subscription lifecycle management (creating subscriptions as code).
The open source launchpad stores all landing zone states in a geo-replicated Azure storage account. You can initialize the launchpad using the CAF rover dev container toolbox. The CAF rover is a versioned container that contains the launchpad and the rover command. When you initialize the launchpad you are asked to define an Azure region. This Azure region is the primary region used to store the remote state and any related secrets and keys.
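The following Terraform is an added example, not code from the launchpad project, showing the two halves of the remote state arrangement described above: the geo-replicated storage account the launchpad provisions, and the backend block a landing zone uses to store its state there. All resource names, the region and the container name are assumed placeholders.

```hcl
# --- Launchpad side (assumed example): the state storage account ---
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "launchpad" {
  name     = "rg-launchpad-example" # assumed name
  location = "westeurope"            # assumed primary region chosen at init
}

resource "azurerm_storage_account" "tfstate" {
  name                     = "stlaunchpadexample" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.launchpad.name
  location                 = azurerm_resource_group.launchpad.location
  account_tier             = "Standard"
  account_replication_type = "RAGRS" # geo-replicated with read access in the paired region
  min_tls_version          = "TLS1_2"

  blob_properties {
    # Keep prior versions of state files so an accidental overwrite is recoverable.
    versioning_enabled = true
  }
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate" # assumed container name
  storage_account_name  = azurerm_storage_account.tfstate.name
  container_access_type = "private"
}

# --- Landing zone side (assumed example): backend pointing at that account ---
# This block lives in a separate landing zone configuration; it is shown here
# only to illustrate the reference. No storage access key is embedded: the
# rover's logged-in session (or the agent's identity) authenticates with Azure AD,
# which requires the "Storage Blob Data Contributor" role on the container.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-launchpad-example"       # assumed
    storage_account_name = "stlaunchpadexample"         # assumed
    container_name       = "tfstate"                    # assumed
    key                  = "landingzone_example.tfstate" # one state file per landing zone
    use_azuread_auth     = true
  }
}
```

The storage account and the backend block would not normally sit in the same root module, since the launchpad has to exist before any landing zone can point its backend at it; they are shown together here only to make the relationship explicit.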
The following services are deployed:
- Storage account - stores all landing zone Terraform states
- Virtual network - isolates the traffic between the different services, such as the storage account, Key Vault and DevOps agents.
- Key Vault - HSM-backed Azure service that stores the secrets generated by the launchpad. Several access policies are defined on the Key Vault:
  - Grant access to an Azure AD group. Members of that group (DevOps engineers) can access it from the CAF rover to build or improve an existing landing zone.
  - Grant the Azure DevOps agents access to the secrets
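The Key Vault access policies listed above, written out as an added Terraform example (not the launchpad project's own code). It gives the DevOps engineers' Azure AD group read and list rights on secrets and the release agent's managed identity only the right to read a secret it is told about, and restricts network access to the agents' subnet. The group name, identity name, subnet variable and all resource names are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Tenant of the logged-in session (the rover user or the pipeline identity).
data "azurerm_client_config" "current" {}

# Assumed: the DevOps engineers' security group already exists in Azure AD.
data "azuread_group" "devops_engineers" {
  display_name = "caf-devops-engineers" # assumed group name
}

# Assumed: the subnet hosting the self-hosted agents, created elsewhere.
variable "agents_subnet_id" {
  type = string
}

resource "azurerm_resource_group" "launchpad" {
  name     = "rg-launchpad-example" # assumed
  location = "westeurope"            # assumed
}

# Identity the release agents run under; it gets no human-style group rights.
resource "azurerm_user_assigned_identity" "release_agent" {
  name                = "id-release-agent-example" # assumed
  resource_group_name = azurerm_resource_group.launchpad.name
  location            = azurerm_resource_group.launchpad.location
}

resource "azurerm_key_vault" "launchpad" {
  name                       = "kv-launchpad-example" # assumed; globally unique
  resource_group_name        = azurerm_resource_group.launchpad.name
  location                   = azurerm_resource_group.launchpad.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true # secrets cannot be permanently deleted by mistake

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [var.agents_subnet_id]
  }
}

# Policy 1: the Azure AD group of DevOps engineers, used from the CAF rover.
resource "azurerm_key_vault_access_policy" "devops_engineers" {
  key_vault_id       = azurerm_key_vault.launchpad.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azuread_group.devops_engineers.object_id
  secret_permissions = ["Get", "List"] # read-only; no Set/Delete for humans
}

# Policy 2: the release agent identity, which only reads named secrets.
resource "azurerm_key_vault_access_policy" "release_agent" {
  key_vault_id       = azurerm_key_vault.launchpad.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_user_assigned_identity.release_agent.principal_id
  secret_permissions = ["Get"]
}
```

Keeping each policy in its own azurerm_key_vault_access_policy resource, rather than inline access_policy blocks on the vault, means adding or revoking one principal's access is a one-resource change that shows up cleanly in a plan.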
The current version only supports Azure DevOps organizations. To deploy the launchpad you need to reference an Azure DevOps project. When you deploy the launchpad the following services are enabled:
- Git Repository - stores a master repository of your private launchpad, your landing zones and blueprints.
- Configuration Registry - stores the configuration settings for the landing zones across different environments
- Self hosted build agents - build artifacts and push them into repositories
- Self hosted release agents - release agent to deploy the landing zones
- Identity - Creates a set of Azure AD applications, security groups and managed service identities to enable a least-privilege GitOps environment. For example, when a DevOps engineer deploys a landing zone, the CAF rover uses the logged-in Azure session to check whether the user has access through the Key Vault access policy. If the DevOps engineer is a member of the Azure AD security group, the rover pulls the relevant secrets and runs the Terraform deployment under that Azure AD application's privileges. We use this pattern to simplify the transition to pipeline execution, which only supports Azure AD applications or MSIs.
- Subscription management (create, delete) (GitHub #6)
- Cross-tenant management through Azure Lighthouse (enterprise and managed service providers) (GitHub #7)
- Public IP address removal (GitHub #8)
- Passwordless operation to avoid password rotation (GitHub #9)
- Landing zone pipeline registration and execution (GitHub #10)
- Transparent data encryption with BYOK (GitHub #11)
- Private Link / service endpoints between services (GitHub #12)
- VPN Gateway server for point-to-site access to the launchpad environment from the CAF rover (GitHub #13)
- Azure Active Directory MFA
- Azure Active Directory Privileged Identity Management
- Bastion for troubleshooting and human investigation (GitHub #14)
Can't find your feature? File an issue to document it and start contributing by submitting a PR.
Ready to give it a go in your environment? Read the on-boarding guide.
Interested in improving the open source launchpad? Read the developer guide.