Set up your Organization
For ESH to be deployed across the organization, the following activities are necessary:
- Setup your branding
- Set up initial admin users at various levels of authority depending on their roles. This allows the Organization Admin to delegate setup and access control to the appropriate teams
- Create Tenants to represent the teams that will be given access to ESH
- Create Targets to represent all the destinations to which users will be able to deploy resources
- Create Templates for the users to deploy
- Create Resource Groups for fine-grained access control (optional)
- Create end users and allocate them to appropriate Tenants
The setup process can be undertaken in the following order.
Set up Organization Branding
It is possible to set the logo, header background, header text color and the accent color used for buttons and other elements. See Settings for details.
Set up Organization Admin Users
Decide which team or users are going to be responsible for the organization's administrative tasks. Create the additional Organization admin users, who will then be able to assist in undertaking the tasks set out in this guide.
Create Tenants
Create all of the organization's Tenants. These would be teams such as DevOps, SRE, Cloud admin, Cyber, Database Engineering and all the non-IT function teams that need to self-serve infrastructure resources.
There may be a need to break Tenants up by geographical region, such as DevOps USA, DevOps Asia Pac etc., since Tenant admins can be granted access to manage specific Tenants. When deciding on a structure, remember that a Tenant admin can be an admin of multiple Tenants.
By default, every Tenant gets a default Resource Group, and this group has access to all the Targets and Templates created by the Tenant.
For information on setting up Tenants, refer to Tenant Setup Guide.
Set up Other Administrator User Roles
In a large organization, early onboarding of these users is useful as they are able to assist in the setup process.
Create Tenant Admins
A Tenant admin can be granted access to multiple Tenants, so give thought to the ideal structure, whether it is based on the functional responsibilities of the team or on geographic location. These users have the ability to manage:
- Users within their Tenants, and the resources those users have access to, such as Targets and Templates. Note that a Tenant admin cannot create other Tenant admins, but they can create Template Admins and Users
- Localized Templates. Templates can be created and granted to the Tenants the admin is authorized to access. You will likely want organization-managed Templates that can be allocated to Tenants, but the ability to create Templates locally within a Tenant can be advantageous because it does not rely on global teams to undertake the task
- Localized Targets. As with Templates, Targets can be managed at the Tenant level or the Organization level
Create Template Admins
Template admins create Templates and deploy them to Targets that have been allocated to them for testing purposes. It is usually a good idea to make Template administration a function of DevOps teams, or to spin off teams dedicated to providing a catalog of Self Service resources packaged as Templates.
In a multi-cloud environment, it might be appropriate to have Template admins per cloud, since they need to be experts in the cloud they are creating resources for. It is likely that in setting up the Tenants you have created appropriate Tenants for the Template admins to be granted access to.
Create Security Admins
Security admins have access to two areas of ESH specifically pertaining to security:
- Open Policy Agent policy management console. There they can review and edit policies that Templates are required to adhere to in order to be certified.
- The Template Approvals dashboard. Security admins are responsible for reviewing Templates that fail security scans when a Template developer attempts to certify them. It is common for scans not to pass policy checks. As an example, Templates need to be able to create IAM roles for the resources they deploy, but those roles should be reviewed to ensure they are not overly permissive before end users are allowed to deploy those Templates.
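As an added illustration, not ESH code and not one of its shipped OPA policies, the following Python reproduces the kind of check such a policy expresses for the IAM case above: it walks a Terraform plan for a Template and flags any Allow statement that grants a wildcard action on a wildcard resource. The plan layout and resource type names follow Terraform's JSON plan format; the plan contents themselves are constructed for the example.

```python
import json

# Constructed sample: a trimmed `terraform show -json` plan for a hypothetical Template
# that creates an IAM role plus an inline role policy. Not taken from ESH.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_iam_role.app", "type": "aws_iam_role",
         "values": {"name": "app-role", "assume_role_policy": "{}"}},
        {"address": "aws_iam_role_policy.app", "type": "aws_iam_role_policy",
         "values": {"name": "app-policy", "policy": json.dumps({
             "Version": "2012-10-17",
             "Statement": [
                 {"Effect": "Allow", "Action": ["s3:GetObject"],
                  "Resource": "arn:aws:s3:::app-bucket/*"},
                 {"Effect": "Allow", "Action": "*", "Resource": "*"},
             ]})}},
    ]}}})

# Terraform resource types whose "policy" attribute is an IAM policy document.
POLICY_TYPES = {"aws_iam_policy", "aws_iam_role_policy"}

def _as_list(v):
    # IAM allows a single string or a list for Action/Resource; normalize to a list.
    return v if isinstance(v, list) else [v]

def _walk(module):
    # Yield resources from this module and, recursively, from any child modules.
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def find_overly_permissive(plan_json: str) -> list:
    """Return one finding per Allow statement with a wildcard action on a wildcard resource."""
    plan = json.loads(plan_json)
    findings = []
    for res in _walk(plan["planned_values"]["root_module"]):
        if res["type"] not in POLICY_TYPES:
            continue
        doc = json.loads(res["values"]["policy"])
        for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            wild_action = any(a == "*" or a.endswith(":*") for a in actions)
            if wild_action and "*" in resources:
                findings.append({"address": res["address"], "statement": i,
                                 "actions": actions, "resources": resources})
    return findings

def certify(plan_json: str) -> bool:
    """Certification decision: the Template passes only when no finding remains."""
    return not find_overly_permissive(plan_json)

if __name__ == "__main__":
    for f in find_overly_permissive(SAMPLE_PLAN):
        print(f"DENY {f['address']} statement {f['statement']}: {f['actions']} on {f['resources']}")
```

Run against the sample, the scoped s3:GetObject statement passes and the `*` on `*` statement is reported, which is the kind of finding a Security admin would see on the Template Approvals dashboard.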
Create Targets
Targets are destinations for deployments, such as AWS Accounts, Azure Subscriptions etc. Depending on your organization's structure and size, setting up Targets can either be performed by a central team such as global cloud admins, or be delegated to specific Tenant administrators who create Targets for their domain of responsibility.
If appropriate, an Organization admin could create all of the organization's Targets ready for allocation to, and use by, Tenants. For information on setting up Targets, refer to the Target Setup Guide.
Create Templates
Users with the Template Admin role or greater can create Templates. Refer to the Template Developer Guide for information on developing Templates.
Create Resource Groups (optional)
Every Tenant automatically has two default Resource Groups, one for Targets and one for Templates; any Template or Target created is assigned to at least one of the pertaining Resource Groups. A User level user can be assigned to a Tenant and its default Resource Groups, or alternatively to other Resource Groups, thus reducing the resources they have access to. An example might be where you wish a user to be able to create compute instances but not databases. If database Templates were in the default Tenant Template Resource Group, the user would be able to create databases, but giving them access to a compute-only Template Resource Group instead would limit their access.
We suggest not creating additional Resource Groups on initial organization setup, but rather using this feature on an as-needed basis and building a strategy once the use case becomes clear.
Create End Users
You have now created, or have in motion, all the building blocks of your ESH organization. When you are satisfied that the steps above have been completed, it is time to create users. At that point users will be able to deploy Certified Templates to the Targets to which they have been granted access.
Summary
When you have completed the tasks above you should have a fully working ESH environment that your organization's users can use to deploy any resources for which you have created Templates. There is no limit to what you can deploy: find sample Terraform, load it into ESH and enjoy the benefits of self-service.