Templates Overview

Enterprise Service Hub (ESH) offers a robust templating system to streamline and secure the deployment of infrastructure resources. Templates empower users to deploy certified configurations and resources, ensuring consistency and adherence to best practices. This overview provides insights into the key aspects of ESH templates.

Key Features of ESH Templates

Git Repository Support

Templates are stored in Git repositories and versioning is provided by Git tags. This provides industry-standard traceability and accountability, which is well suited to regulated environments.

  • Major Git Repositories: ESH supports integration with major Git repository providers, including:
    • GitHub
    • GitLab
    • Bitbucket
    • Azure Repos

Templates can be developed in any of these repository providers, and ESH will download them for variable scanning and at the time of deployment. This enables seamless version control and collaboration for template development.

Template Scanning

Templates are scanned by ESH when a Git tag is downloaded using the Template Versioning UI. When ESH scans a template, it reads in all its variables and their associated types and builds an API schema specifically for that template version. This enables the ESH console to render appropriate deployment forms in which the required variables are entered. ESH makes use of all Terraform variable types and renders forms appropriate for the type. An example is shown below:

Template Variable Types
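
Variable declarations of the kind the scan reads, as an added example (not taken from ESH or its sample templates). All variable names, defaults and validation rules are assumptions chosen for a storage-bucket template.

```hcl
# variables.tf (constructed example; all names and defaults are hypothetical)
variable "bucket_name" {
  type        = string
  description = "Globally unique bucket name."

  # Validation constrains free-text input before any resource is planned.
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.bucket_name))
    error_message = "Use 3-63 lowercase letters, digits, dots or hyphens."
  }
}

variable "environment" {
  type        = string
  description = "Target environment."
  default     = "sandbox"

  validation {
    condition     = contains(["sandbox", "development", "production"], var.environment)
    error_message = "Must be sandbox, development or production."
  }
}

variable "versioning_enabled" {
  type        = bool
  description = "Keep prior object versions."
  default     = true
}

variable "retention_days" {
  type        = number
  description = "Days before noncurrent versions expire."
  default     = 90
}

variable "reader_arns" {
  type        = list(string)
  description = "IAM principals granted read access."
  default     = []
}

variable "tags" {
  type        = map(string)
  description = "Tags applied to every resource."
  default     = {}
}
```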

Terraform-Powered Templates

  • Flexible Infrastructure as Code (IaC): ESH templates are written in Terraform, providing a powerful and flexible approach to defining and provisioning infrastructure resources.

    ESH provides sample templates for you to build on. Here are a few to get you started:

    • AWS S3 Bucket - (https://github.com/Enterprise-Self-Service/template-sample-aws-s3)
    • Azure Storage Account - (https://github.com/Enterprise-Self-Service/template-sample-azure-storage-account)
    • GCP Cloud Storage Bucket - (https://github.com/Enterprise-Self-Service/template-sample-gcp-storage-bucket)

    We publish more each week so check (https://github.com/Enterprise-Self-Service/) to see the full list.

  • Template Development Environment: ESH has a Template developer role. Users with that role are able to create templates and deploy them even though they are not certified. Because uncertified templates may not be secure, it is recommended that an administrator allow these users to deploy only to development and sandbox accounts. Template developers have the freedom to deploy and test their templates in designated environments. This allows them to fine-tune configurations and ensure the templates meet desired outcomes before certifying them for production use.

Deployment Approval

Certain templates might deploy resources that should be treated with a bit more control, such as a template to deploy an AWS account. Where this is the case, turn on Deployment Approval and any deployment using the template will be queued for administrator approval.

Template Groups

Templates are added to Resource Groups so that sets of Templates can be managed in the Role-Based Access Control system as though they were a single entity. This makes it easier to manage large numbers of Template variations and which user groups have access to them.

Template Certification

Templates can only be deployed by end users if they are certified. A single version of a template can be certified, but prior versions already used in deployments are still valid and cannot be deleted since they are in use.

Template Descriptions

Not much information can be derived from a template name. So that users can choose appropriate Templates for their needs, freeform descriptions allow the developer to document what will be provisioned by the template. These descriptions are displayed in the Deployments form, thus facilitating users' choices.

Security Feedback Loop

TFSec Reports for Developers

Security is paramount. ESH integrates with TFSec to perform security scans on templates. Feedback from these scans helps template developers refine their offerings to meet security standards.

The Template developer receives instant feedback as soon as they download a new version.

TFSec Report summary for a Template version

Clicking the summary will reveal the detailed report to assist the developer in remediating the issues.

TFSec report for a template version
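
The kind of misconfiguration a static scanner such as TFSec is built to report, shown beside a hardened equivalent. This is an added example, not code from ESH or its sample templates; the bucket and resource names are hypothetical and AWS provider v4 or later resource types are assumed.

```hcl
# Constructed example; bucket and resource names are hypothetical.

# Weak: public-read ACL, no explicit encryption, no public access block.
resource "aws_s3_bucket" "weak" {
  bucket = "example-team-artifacts-weak"
}

resource "aws_s3_bucket_acl" "weak" {
  bucket = aws_s3_bucket.weak.id
  acl    = "public-read"
}

# Hardened: public access blocked, encrypted at rest with KMS, versioned.
resource "aws_s3_bucket" "hardened" {
  bucket = "example-team-artifacts"
}

resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "hardened" {
  bucket = aws_s3_bucket.hardened.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_versioning" "hardened" {
  bucket = aws_s3_bucket.hardened.id

  versioning_configuration {
    status = "Enabled"
  }
}
```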

Policy-Based Certification

  • Open Policy Agent Integration: Certified templates undergo rigorous policy checks using Open Policy Agent (OPA). ESH provides standard policies, but organizations can customize them to align with their specific needs.

  • Policy Enforcement: If a template fails policy checks, it is placed in a queue for review and approval by a security administrator. This ensures that only compliant templates are deployed.

Summary

ESH Templates are a pivotal component of the platform, promoting consistency, security, and efficiency in infrastructure provisioning. By empowering users with certified Templates and providing robust security checks, ESH ensures that end users are enabled but locked into the organization's best practices.

Explore our detailed documentation to learn more about using templates.

Learn about managing Templates here