aliyun / alibabacloud-landing-zone

MIT License

[Feature Request] Documentation around CGC (Cloud Governance Center) #74

Open SennaSemakula opened 4 weeks ago

SennaSemakula commented 4 weeks ago

Is your feature request related to a problem? Please describe. I'm trying to figure out whether to adopt this project instead of using Cloud Governance Center. I want to provide a way to maintain my landing zone configuration on Alibaba Cloud using Github.

Describe the solution you'd like Documentation on how this differs from https://www.alibabacloud.com/en/product/cloud_governance_center?_p_lc=1 or how I can use both.

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Additional context Is this project recommended for production use?

SennaSemakula commented 4 weeks ago

@daxingplay @wibud would be great to get a response. I'm quite interested in the terraform modules you have created

daxingplay commented 4 weeks ago

It depends on your scenario. If you want a standard landing zone without too many customizations, CGC would be a good choice. But if you want to control everything yourself, then use Terraform. Personally, I would recommend you use CGC as a start to have a basic and foundational layout for your landing zone, such as the multi-account environment, and then use Terraform for further customizations such as networking and security service configurations (Firewall etc.). Because the Alibaba Cloud Landing Zone framework has 8 design areas, from our past experience customers usually have much more customized requirements on the networking, security and O&M parts.

SennaSemakula commented 4 weeks ago

Many thanks for the prompt response @daxingplay :)

Is it possible to set up with CGC first and then use terraform modules to provision accounts and guardrails later?

Ideally we will want to have a yaml file in GitHub to define member accounts similar to:

```yaml
memberAccounts:
  - name: SharedServices
    description: The SharedServices account
    email: <shared-services>@example.com  # <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Infrastructure
  - name: Network
    description: The Network account
    email: <network>@example.com  # <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Infrastructure
```

and for folders:

```yaml
organizationUnits:
  - name: Finance
  - name: Operations
```

Also having the ability to store guardrails and apply them to accounts/folders.

The pipeline will run on github and create these resources based on those yaml files. Would you say this is possible with terraform customisation?

daxingplay commented 3 weeks ago

CGC can help you to create a basic multi-account hierarchy. You can create more member accounts (networking, operations etc.) as well as additional organization units on top of that. However, we currently don't provide any tools to parse a configuration file like the one you mentioned. You may need to parse the YAML file by yourself and trigger Terraform pipelines according to the configurations you defined in that file. But this (landing zone customization) is already in our roadmap, any suggestions will be appreciated.
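The "parse the YAML file by yourself" step suggested above, as an added example that is not part of the project or this thread: a small parser for the `memberAccounts` / `organizationUnits` layout sketched earlier in the thread, plus a pre-flight check that fails the pipeline before any Terraform run if an account still carries a placeholder email or points at an OU that is never declared. The schema, the `validate` rules and the sample document are assumptions constructed for illustration.

```python
import re
# Constructed sample in the shape discussed above (hypothetical schema).
SAMPLE = """\
memberAccounts:
  - name: SharedServices
    description: The SharedServices account
    email: shared-services@example.com
    organizationalUnit: Infrastructure
  - name: Network
    description: The Network account
    email: network@example.com
    organizationalUnit: Infrastructure
organizationUnits:
  - name: Infrastructure
  - name: Finance
  - name: Operations
"""

def parse_lz_config(text):
    """Parse the small 'section: list of maps' YAML subset used in this thread."""
    doc, section, item = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):          # top-level section header
            section = line.rstrip(":")
            doc[section] = []
        elif line.lstrip().startswith("- "):  # first key of a new list item
            item = {}
            doc[section].append(item)
            key, val = line.lstrip()[2:].split(":", 1)
            item[key.strip()] = val.strip()
        else:                                 # further keys of the current item
            key, val = line.strip().split(":", 1)
            item[key.strip()] = val.strip()
    return doc

def validate(doc):
    """Return problems to fail the pipeline on before any Terraform runs."""
    problems = []
    ous = {ou["name"] for ou in doc.get("organizationUnits", [])}
    for acct in doc.get("memberAccounts", []):
        email = acct.get("email", "")
        if "<" in email or not re.fullmatch(r"[^@\s<>]+@[^@\s]+\.[^@\s]+", email):
            problems.append(f"{acct['name']}: placeholder or invalid email {email!r}")
        if acct.get("organizationalUnit") not in ous:
            problems.append(f"{acct['name']}: unknown OU {acct.get('organizationalUnit')!r}")
    return problems
```

The returned dict can be written out as a `terraform.tfvars.json` and consumed by a `for_each` over accounts and OUs in the Terraform stage.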

SennaSemakula commented 3 weeks ago

> But this (landing zone customization) is already in our roadmap, any suggestions will be appreciated.

That's great to hear! To confirm you're already looking at a way people can customise landing zone configuration and build on top of CGC?

In terms of suggestions, I think you should look at AWS' open source solution: https://github.com/awslabs/landing-zone-accelerator-on-aws. They do things very well and there are some areas which can be improved. Essentially they allow you to customise Landing Zone configuration declaratively (using yaml) on top of their managed service Control Tower (which is very similar to CGC).

A good starting point would be defining a baseline: declarative interface that will allow customers to achieve the following:

  1. Able to create accounts
  2. Create folders (OUs)
  3. Apply guardrails to folders (OUs) or accounts

From that baseline you can slowly iterate into building more features such as defining networking resources in your LZ

daxingplay commented 2 days ago

> > But this (landing zone customization) is already in our roadmap, any suggestions will be appreciated.
>
> That's great to hear! To confirm you're already looking at a way people can customise landing zone configuration and build on top of CGC?
>
> In terms of suggestions, I think you should look at AWS' open source solution: https://github.com/awslabs/landing-zone-accelerator-on-aws. They do things very well and there are some areas which can be improved. Essentially they allow you to customise Landing Zone configuration declaratively (using yaml) on top of their managed service Control Tower (which is very similar to CGC).
>
> A good starting point would be defining a baseline: declarative interface that will allow customers to achieve the following:
>
>   1. Able to create accounts
>   2. Create folders (OUs)
>   3. Apply guardrails to folders (OUs) or accounts
>
> From that baseline you can slowly iterate into building more features such as defining networking resources in your LZ

Thanks for your input, it's really helpful. Will get back to you when we have a clear roadmap for Landing Zone customization on top of CGC.