Open SennaSemakula opened 3 months ago
@daxingplay @wibud would be great to get a response. I'm quite interested in the Terraform modules you have created
It depends on your scenario. If you want a standard landing zone without too many customizations, CGC would be a good choice. But if you want to control everything yourself, then use Terraform. Personally, I would recommend you use CGC as a start to get a basic and foundational layout for your landing zone, such as the multi-account environment, and then use Terraform for further customizations such as networking and security service configurations (Firewall etc.). This is because the Alibaba Cloud Landing Zone framework has 8 design areas and, from our past experience, customers usually have many more customized requirements on the networking, security and O&M parts.
Many thanks for the prompt response @daxingplay :)
Is it possible to set up with CGC first and then use Terraform modules to provision accounts and guardrails later?
Ideally we will want to have a yaml file in GitHub to define member accounts similar to:
```yaml
memberAccounts:
  - name: SharedServices
    description: The SharedServices account
    email: <shared-services>@example.com  # <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Infrastructure
  - name: Network
    description: The Network account
    email: <network>@example.com  # <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Infrastructure
```
and for folders:
```yaml
organizationUnits:
  - name: Finance
  - name: Operations
```
Also having the ability to store guardrails and apply them to accounts/folders.
The pipeline will run on GitHub and create these resources based on those yaml files. Would you say this is possible with Terraform customisation?
CGC can help you to create a basic multi-account hierarchy. You can create more member accounts (networking, operations etc.) as well as additional organization units on top of that. However, we currently don't provide any tools to parse a configuration file like the one you mentioned. You may need to parse the YAML file yourself and trigger Terraform pipelines according to the configurations you defined in that file. But this (landing zone customization) is already in our roadmap, any suggestions will be appreciated.
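One way to do the "parse the YAML yourself and trigger Terraform" step described above, as an added example that is not code from CGC, this project, or any participant in the thread: it validates a manifest in the shape proposed here and renders a tfvars JSON document. The sample manifest is constructed, and the variable names `member_accounts` and `organization_units` are assumptions for a root module you maintain.

```ruby
require 'yaml'
require 'json'
# Constructed sample in the shape proposed in this thread; the second account is deliberately broken.
SAMPLE_MANIFEST = <<~YAML
  organizationUnits:
    - name: Infrastructure
  memberAccounts:
    - name: SharedServices
      email: shared-services@example.com
      organizationalUnit: Infrastructure
    - name: Network
      email: <network>@example.com
      organizationalUnit: Networking
YAML
EMAIL_RE = /\A[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+\z/

# safe_load refuses arbitrary object tags, which matters when the file arrives via pull request.
def load_manifest(text)
  doc = YAML.safe_load(text)
  raise ArgumentError, 'manifest must be a mapping' unless doc.is_a?(Hash)
  doc
end

# Returns a list of problems; an empty list means the manifest may be handed to Terraform.
def validate_manifest(doc)
  errors = []
  ous = Array(doc['organizationUnits']).map { |ou| ou['name'] }
  accounts = Array(doc['memberAccounts'])
  names = accounts.map { |a| a['name'] }
  names.select { |n| names.count(n) > 1 }.uniq.each { |n| errors << "duplicate account name: #{n}" }
  accounts.each do |a|
    errors << "#{a['name']}: placeholder or malformed email" unless a['email'].to_s.match?(EMAIL_RE)
    ou = a['organizationalUnit']
    errors << "#{a['name']}: unknown organizationalUnit #{ou}" unless ous.include?(ou)
  end
  errors
end

# Variable names member_accounts / organization_units are hypothetical, for a root module you own.
def render_tfvars(doc)
  accounts = Array(doc['memberAccounts']).to_h do |a|
    [a['name'], { 'email' => a['email'], 'folder' => a['organizationalUnit'] }]
  end
  ous = Array(doc['organizationUnits']).map { |ou| ou['name'] }
  JSON.pretty_generate({ 'organization_units' => ous, 'member_accounts' => accounts })
end

doc = load_manifest(SAMPLE_MANIFEST)
problems = validate_manifest(doc)
puts(problems.empty? ? render_tfvars(doc) : problems) # a CI job would exit non-zero on problems
```

Running the validation as a required check on pull requests keeps leftover placeholder emails and references to undefined folders from reaching `terraform apply`.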
> But this (landing zone customization) is already in our roadmap, any suggestions will be appreciated.

That's great to hear! To confirm, you're already looking at a way people can customise landing zone configuration and build on top of CGC?
In terms of suggestions, I think look at AWS' open source solution: https://github.com/awslabs/landing-zone-accelerator-on-aws. They do things very well and there are some areas which can be improved. Essentially they allow you to customise Landing Zone configuration declaratively (using yaml) on top of their managed service Control Tower (which is very similar to CGC).
A good starting point would be defining a baseline: a declarative interface that will allow customers to achieve the following:
- Able to create accounts
- Create folders (OUs)
- Apply guardrails to folders (OUs) or accounts

From that baseline you can slowly iterate into building more features such as defining networking resources in your LZ.
Thanks for your input, it's really helpful. Will get back to you when we have a clear roadmap for Landing Zone customization on top of CGC.
Is your feature request related to a problem? Please describe.
I'm trying to figure out whether to adopt this project instead of using Cloud Governance Center. I want to provide a way to maintain my landing zone configuration on Alibaba Cloud using GitHub.

Describe the solution you'd like
Documentation on how this differs from https://www.alibabacloud.com/en/product/cloud_governance_center?_p_lc=1 or how I can use both.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Is this project recommended for production use?