This project has been archived. All ongoing work is under this org: Microsoft Federal- Azure NoOps.
All Terraform modules that are developed using Azure NoOps are located here: registry.terraform.io/namespaces/azurenoops
"NoOps automates platform administration and broaden communication between developers, cyber, and operations to achieve mission success."
Azure NoOps Accelerator is a flexible foundation that enables US Department of Defense and other Public Sector customers to quickly develop and maintain opinionated, policy-driven, and self-service enclaves in their Azure environments.
Delivered as a collection of infrastructure as code (IaC) module templates written and maintained in Bicep and Tereform, the NoOps Accelerator is intended to empower organizations on their journey towards a continuous deployment and governance model for their cloud infrastructure.
Learn more about the NoOps movement and philosophy here - What is NoOps?.
- Designed for US Government mission customers, with a specific focus on the US Department of Defense, Military Departments and coalition partners.
- Provide reusable and composable IaC modules that hyper-automate infrastructure deployment using Microsoft best practices.
- Simplify compliance management through automated audit, reporting, and remediation.
- Deliver example Platform modules that implement SCCA controls and follow Microsoft's SACA implementation guidance.
- Support deployment to Azure Commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret clouds.
- Accelerate the US Government's use of Azure by easing the onboarding of mission workloads, spanning mission applications, data, artificial intelligence, and machine learning.
- The NoOps Accelerator cannot automate the approval for Authority to Operate (ATO) or equivalent compliance, governance and authorisation process, though it will enable Customers to collect, customize, and submit for ATO based on their departmental requirements.
- The NoOps Accelerator will not strive for 100% compliance on all deployed Azure Policies for reference implementations. Customers must review Microsoft Defender for Cloud Regulatory Compliance dashboard and apply appropriate exemptions.
Definitions of NoOps primitives.
| Primitive | Definition |
|---|---|
| AzResources | Wrap Azure Resource Providers so that they understand how to fit and work together. The most basic building blocks in NoOps. |
| Overlays | Extend AzResources with specific configurations or combine them to create more useful objects. For example, the kubernetesCluster overlay could be used to deploy a Private AKS Cluster rather than using the Microsoft.ContainerService/managedClusters AzResource to deploy a vanilla AKS cluster.Similarly, a virtualMachine overlay could be created that combines the deployment of a Microsoft.Network/networkInterfaces with a Microsoft.Compute/virtualmachine since you will rarely if ever deploy a VM without an associated NIC. |
| Platforms | Combine Overlays and AzResources to lay the networking required to support mission workloads. NoOps is provided with three SCCA-compliant hub-and-spoke landing zone platforms. The Quickstart above walks through the deployment of a SCCA-compliant hub-and-3-spoke platform. |
| Workloads | Combine Overlays and AzResources to create solutions that achieve mission and operational goals. For example, a kubernetesCluster overlay (Private AKS Cluster) could be combined with a Microsoft.ContainerRegistry AzResource to create a Dev Environment workload.Workloads can be deployed into either a new or an existing hub-peered virtual network. |
| Enclaves | Bring it all together -- combining a single Platform with one or more Workloads, mixing in Zero Trust governance and RBAC to enable the rapid, repeatable, auditable, and authorizable deployment of outcome-driven infrastructure. |
Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft's privacy policies, located at https://www.microsoft.com/trustcenter.
If you don't wish to send usage data to Microsoft, you can set the customerUsageAttribution.enabled setting to false in global/telemetry.json.
Project Bicep collects telemetry in some scenarios as part of improving the product.
While the NoOps Accelerator can be used to build all sorts of useful solutions, a simple place to start is deploying a workload platform. You can use the NoOps Accelerator to deploy SCCA-compliant landing zones based on Microsoft's SACA implementation guidance and Mission Landing Zone architecture.
These steps walk through how to use NoOps to deploy a hub and spoke architecture. At the conclusion, you will have five resource groups mapped to the following:
- Hub: SCCA-compliant networking hub (1 vnet, 1 resource group)
- Tier 0 (T0): Identity & Authorization (1 vnet, 1 resource group)
- Tier 1 (T1): Infrastructure Operations, and Logging (1 vnet, 2 resource groups)
- Tier 2 (T2): DevSecOps & Shared Services (1 vnet, 1 resource group)
To continue with the quick start you will need the following as a minimum.
- Git client
- Visual Studio Code (or alternative IDE of choice)
- Azure CLI
- Azure Bicep version 0.11.1 (030248df55) or later
A detailed and complete list of prerequisites is documented in the wiki.
Note: Don't have these? Try Azure Cloud Shell in your browser as an alternative.
-
Clone this repository and change directory to the
/src/bicep/platforms/lz-platform-scca-hub-3spokedirectorygit clone https://github.com/Azure/NoOpsAccelerator.git cd /src/bicep/platforms/lz-platform-scca-hub-3spoke -
Connect to your Azure Account and check the current context is for the subscription, tenant and environment you are deploying to and make changes where necessary.
az login az account show
-
Open the
/src/bicep/platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.jsonfile and replace the following parameters:"subscriptionId": "<<subscriptionId>>"with your SubscriptionId. Ensure all instances of this parameter are changed in this file.
Note: Multiple subscriptions may be configured (i.e., to have separate subscriptions for each 'tier' in the MLZ architecture) in the
parameters/deploy.parameters.jsonbut a single subscription is used for this quickstart. -
For the quickstart, a deployment into the current subscription can be completed using the following parameters and the
az sub create command:--name: (optional) The deployment name, which is visible in the Azure Portal under Subscription/Deployments.--location: (required) The Azure region to store the deployment metadata.--template-file: (required) The file path to thedeploy.biceptemplate.--parameters: (required for quickstart) The file path to theparameters/deploy.parameters.jsonfile
Here is an example that deploys the hub and spoke architecture into a single subscription and a chosen region of Azure Commercial:
# Replace with the Azure region you want to deploy to. location="<<your region>>" az deployment sub create \ --name deploy-noops-quickstart \ --location $location \ --template-file deploy.bicep \ --parameters @parameters/deploy.parameters.json
-
After a successful deployment, take a look at the enclaves folder for examples of complete, outcome-driven solutions built using the NoOps Accelerator. Also, be sure to take a look through our workloads and overlays folders explore how you can expand the platform you just deployed and solve your mission challenges.
-
Further example platform deployments and tutorials are available in the training folder.
Note: Don't forget to clean-up your environment by removing all of the resource groups locks and deleting the resource groups created by the deployment when you are done with this Quickstart.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
Please see the WIKI for guidance on how to support the Azure NoOps Accelerator, provide feedback or report issues.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
This project is greatly influenced by and owes a debt of gratitude to the following:
![microsoft-github-operations[bot] avatar](https://avatars.githubusercontent.com/in/41902?v=4 "microsoft-github-operations[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent