pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

Create a higher level opinionated library ("Crosswalk for Azure") #567

Open lukehoban opened 4 years ago

lukehoban commented 4 years ago

There is a lot of potential for a library that layers on top of the nextgen Azure provider and offers higher-level conveniences on top of the core Azure building blocks.

This would have similarities to the current awsx and kubernetesx libraries, but focused on patterns that are most common in Azure, and where the current level of abstraction in the Azure APIs is sufficiently far from the common use cases.

This functionality would be hand-designed APIs on top of the auto-generated nextgen Azure provider. It may ship inside the existing provider or as a separate package or packages.

We will use this issue to collect areas where there is an opportunity to add a higher-level or more opinionated layer on top of the core nextgen Azure provider.

slaiyer commented 3 years ago

@mikhailshilkov you asked me to note "specific areas where you’d love to see the components for Azure" here. Any suggestions are welcome.

Having set up prototypes, I'm looking to use Pulumi extensively for provisioning production stacks on Azure using Python. We make use of the following resources as of now, with areas of enhancement that I have identified so far:

  1. AKS: Separate system and user node pools, RBAC, Linux profile for nodes (SSH crypto settings, etc.), ephemeral OS disks (automatically set maximum OS disk size based on VM cache size?)
  2. Kubernetes: Utility functions around image pull secrets creation, service account patching, general best practices enforcement
  3. SQL server: DB server Private Endpoint (avoid 0.0.0.0 hell), geo-replication/backups, export DB endpoint/credentials
  4. Azure Files: File share via Private Endpoint, NFS-related optimizations (root squash, etc.), geo-replication/backups, export file share endpoint/credentials

The common themes I'm looking to optimize are:

  1. Security: SOC 2, ISO 27001, network lockdown (ingress/egress whitelisting, firewalls, etc.), alerts
  2. High availability: Availability zones, active-active/federated clusters across regions
  3. Business continuation plan/disaster recovery: Geo-replicated backups, failovers
  4. Performance: SKU recommendations for various components
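As an added example (not code from this issue or from pulumi-azure-native), the kind of "best practices enforcement" check a higher-level layer could run over the SQL server resources from item 3 above: it flags public network access, the 0.0.0.0-0.0.0.0 "allow Azure services" rule and over-wide firewall ranges, and requires a private endpoint. Property names follow azure-native's sql.Server and sql.FirewallRule; the sample resources and the 256-address threshold are assumptions.

```python
import ipaddress
from typing import Iterable

# Assumption: a whitelist entry wider than a /24 is treated as "not a whitelist".
MAX_RANGE_SIZE = 256
AZURE_SERVICES_SENTINEL = ipaddress.ip_address("0.0.0.0")


def audit_sql_network_lockdown(server: dict, firewall_rules: Iterable[dict],
                               private_endpoint_ids: Iterable[str]) -> list[str]:
    """Return findings for an Azure SQL server's network posture.

    `server` and `firewall_rules` use the property names of azure-native's
    sql.Server (publicNetworkAccess) and sql.FirewallRule (startIpAddress,
    endIpAddress); `private_endpoint_ids` are the private endpoints that
    target the server. An empty list means the server is locked down.
    """
    findings: list[str] = []
    if server.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")
    for rule in firewall_rules:
        name = rule.get("name", "<unnamed>")
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        if start == end == AZURE_SERVICES_SENTINEL:
            # 0.0.0.0-0.0.0.0 is Azure's special rule admitting traffic from
            # any Azure-hosted service, including other tenants' workloads.
            findings.append(f"rule {name} allows all Azure services (0.0.0.0-0.0.0.0)")
            continue
        width = int(end) - int(start) + 1
        if width > MAX_RANGE_SIZE:
            findings.append(f"rule {name} spans {width} addresses ({start}-{end})")
    if not list(private_endpoint_ids):
        findings.append("no private endpoint targets this server")
    return findings


# Constructed samples (not real resources): an open server and a locked-down one.
OPEN_SERVER = {"name": "sql-open", "publicNetworkAccess": "Enabled"}
OPEN_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]
LOCKED_SERVER = {"name": "sql-locked", "publicNetworkAccess": "Disabled"}
LOCKED_ENDPOINTS = ["pe-sql-locked"]  # constructed private endpoint id

if __name__ == "__main__":
    for finding in audit_sql_network_lockdown(OPEN_SERVER, OPEN_RULES, []):
        print("open:", finding)
    print("locked:", audit_sql_network_lockdown(LOCKED_SERVER, [], LOCKED_ENDPOINTS))
```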