-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introducing Utility Modules #947
Changes from 10 commits
da2a1fa
128a7d4
3818472
be444ae
0fc4556
cbeecc9
50fde19
9930413
97576cc
789bb50
9a7af6d
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -8,7 +8,25 @@ url: /specs/shared/module-classifications/ | |
|
||
AVM defines two module classifications, **Resource Modules** and **Pattern Modules**, that can be created, published, and consumed, these are defined further in the table below: | ||
|
||
| Module Classification | Definition | Who is it for? | | ||
<!-- markdownlint-disable --> | ||
| Module Class | Definition | Who is it for? | | ||
| --------------------- | ---------- | -------------- | | ||
|**Resource Module** | Deploys a primary resource with WAF high priority/impact best practice configurations set by default, e.g., RBAC, Locks, Private Endpoints etc. (if supported). See [What does AVM mean by “WAF Aligned”?](/Azure-Verified-Modules/faq/#what-does-avm-mean-by-waf-aligned) <br><br> They MAY include related resources, e.g. VM contains disk & NIC. Focus should be on customer experience. A customer would expect that a VM module would include all required resources to provision a VM. <br><br> Furthermore, Resource Modules MUST NOT deploy external dependencies for the primary resource. E.g. a VM needs a vNet and Subnet to be deployed into, but the vNet will not be created by the VM Resource Module. <br><br> Finally, a resource can be anything such as Microsoft Defender for Cloud Pricing Plans, these are still resources in ARM and can therefore be created as a Resource Module. | People that want to craft bespoke architectures that default to WAF best practices, where appropriate, for each resource. <br><br> People that want to create pattern modules. | | ||
| **Pattern Module** | Deploys multiple resources, usually using Resource Modules. They can be any size but should help accelerate a common task/deployment/architecture. <br><br> Good candidates for pattern modules are those architectures that exist in [Azure Architecture Center](https://learn.microsoft.com/en-us/azure/architecture/), or other official documentation. <br><br> *Note:* It is feasible that pattern modules can contain other pattern modules, however, pattern modules MUST NOT contain references to non-AVM modules. | People that want to easily deploy patterns (architectures) using WAF best practices. | | ||
|**Resource Module** | Deploys a primary resource with WAF high priority/impact best practice configurations set by default, e.g., RBAC, Locks, Private Endpoints etc. (if supported). See [What does AVM mean by "WAF Aligned"?](/Azure-Verified-Modules/faq/#what-does-avm-mean-by-waf-aligned) <br><br> They MAY include related resources, e.g. VM contains disk & NIC. Focus should be on customer experience. A customer would expect that a VM module would include all required resources to provision a VM. <br><br> Furthermore, Resource Modules MUST NOT deploy external dependencies for the primary resource. E.g. a VM needs a vNet and Subnet to be deployed into, but the vNet will not be created by the VM Resource Module.<br><br> Finally, a resource can be anything such as Microsoft Defender for Cloud Pricing Plans, these are still resources in ARM and can therefore be created as a Resource Module. | People who want to craft bespoke architectures that default to WAF best practices, where appropriate, for each resource. <br><br> People who want to create pattern modules. | | ||
| **Pattern Module** | Deploys multiple resources, usually using Resource Modules. They can be any size but should help accelerate a common task/deployment/architecture. <br><br> Good candidates for pattern modules are those architectures that exist in [Azure Architecture Center](https://learn.microsoft.com/en-us/azure/architecture/), or other official documentation. <br><br> *Note:* Pattern modules can contain other pattern modules, however, pattern modules MUST NOT contain references to non-AVM modules. | People who want to easily deploy patterns (architectures) using WAF best practices. | | ||
| **Utility Module**<br>(draft,<br>see below) | Implements a function or routine that can be flexibly reused in resource or pattern modules - e.g., a function that retrieves the endpoint of an API or portal of a given environment. <br><br>It MUST NOT deploy any Azure resources other than deployment scripts. | People who want to leverage commonly used functions/routines/helpers in their module, instead of re-implementing them locally. | | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. One thing we 'could' call out regarding the deployment scripts though (unless it overcomplicating the definition) is that while the module should ONLY implement the deployment script - it should enable the user of the module to deploy it in a secure way by, for example, exposing the entire interface of the deployment script as per the AVM module (e.g., enable setting a subnet for private networking). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As discussed in the call today, details at this level will be further elaborated on at the related funtional/non-functional requirements pages. |
||
<!-- markdownlint-enable --> | ||
|
||
{{< hint title="PREVIEW" >}} | ||
|
||
ChrisSidebotham marked this conversation as resolved.
Show resolved
Hide resolved
|
||
The concept of **Utility Modules** will be introduced gradually, through some initial examples. The definition above is subject to change as additional details are worked out. | ||
|
||
The required automated tests and other workflow elements will be derived from the Pattern Modules' automation/CI environment as the concept matures. | ||
|
||
Utility modules will follow the below naming convention: | ||
|
||
- Bicep: `avm/utl/<hyphenated grouping/category name>/<hyphenated utility module name>`. Modules will be kept under the `avm/utl` folder in the BRM repository. | ||
- Terraform: `avm-utl-<utility-module-name>`. Repositories will be named after the utility module. | ||
|
||
All related documentation (functional and non-functional requirements, etc.) will also be published along the way. | ||
|
||
{{< /hint >}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know this definition has been around for a while, but I'm not sure whether we should call out RBAC & Private Endpoints as examples for 'set by default' as nothing about the 2 is actually set by default. Also, we opted that setting 'Locks' is not contributing to WAF-alignment.
Instead, I'd recommend to call out items like 'Entra ID authentication', 'Firewalls' or 'Availability Zones'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rest (including the utility definition) reads well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.