# platform-blueprints
d
FYI - New blueprint from Azure. Feedback/discussion welcome. https://github.com/Azure-Samples/aks-platform-engineering
s
Thanks for the share, good read!
p
Nice diagram! From a security/best practices POV, I’m not a fan of forking or putting a private key in the terraform directory. Accidents happen and forks last forever. https://www.linkedin.com/posts/peterwarnock_anyone-can-access-deleted-and-private-rep[…]722161926144-bgdN?utm_source=share&utm_medium=member_desktop
d
Thanks for the review and feedback @Pete Warnock! Agree this is something we want to avoid. We do have the private_ssh_deploy_key in the .gitignore file. This is also a sample repo and as mentioned in the document, when the repo is public we do not use the SSH key at all. The instructions also for creating that SSH key are only for a source-code read only access to that repo, so even if someone stole that private key they shouldn't be able to do much. Happy to receive suggestions for improvements because we want people to know how to make this work in the event they need to make the repo private for whatever the reason.
p
@David Tesar I think the code and the documentation have decent safeguards. I just think that users rush through demos and maybe even make that their starting point and don’t carefully read the instructions. In haste, they use an over-provisioned key and accidentally commit it. Without going down the rabbit hole of having a tool generate the templates in a new repo, this approach seems fine unless you want to detail the steps for them to make their own project akin to TF tutorials.
a
Now we need a blueprint with Azure DevOps Pipelines instead of GitHub actions, and Bicep instead of Terraform. 😛
d
The only terraform there is to provision the management cluster and the rest is CAPZ/ASO or crossplane. You could write a bicep file to provision the management cluster. The Azure devops is an easy switch.