# yaml-language-server: $schema=./devcenter.schema.json
# =============================================================================
# File: devcenter.yaml
# Purpose: Dev Center Configuration for Microsoft Dev Box Accelerator
# Description: Defines the Dev Center resource, projects, catalogs, and environment types
# =============================================================================
#
# This configuration establishes a centralized developer workstation platform with
# role-specific configurations and access controls. Several of the role assignments
# below are Subscription-scoped; review them against your tenant before deploying.
#
# References:
# - Microsoft Dev Box accelerator: https://evilazaro.github.io/DevExp-DevBox/docs/configureresources/workload/
# - Dev Center documentation: https://learn.microsoft.com/en-us/azure/dev-box/overview-what-is-microsoft-dev-box
# - Azure RBAC roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
# =============================================================================
# Dev Center Core Settings
# =============================================================================
# Name of the Dev Center resource
name: 'devexp'
# Keep catalog items (tasks, image and environment definitions) synced from the attached repos
catalogItemSyncEnableStatus: 'Enabled'
# Allow Dev Box pools to use a Microsoft-hosted network instead of a customer VNet.
# NOTE(review): boxes on a hosted network are outside any corporate VNet controls (NSGs,
# firewall, private endpoints). The eShop project below creates its own VNet; if every pool
# must sit on a customer-managed network, set this to 'Disabled'.
microsoftHostedNetworkEnableStatus: 'Enabled'
# Install the Azure Monitor agent on Dev Boxes so they report logs/metrics for SecOps visibility
installAzureMonitorAgentEnableStatus: 'Enabled'
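# Identity configuration for the Dev Center resource
# The Dev Center runs under a system-assigned managed identity; no credential is stored here.
identity:
  type: 'SystemAssigned'
  # Role assignments section - defines permissions for Dev Center operation
  roleAssignments:
    # Roles granted to the Dev Center's managed identity.
    # NOTE(review): Contributor + User Access Administrator at Subscription scope is
    # functionally equivalent to Owner: the identity can create anything in the subscription
    # and grant any role, including to itself. This is the combination the deployment guide
    # calls for when the Dev Center deploys environments and assigns roles on them, but it
    # is NOT least privilege. Before deploying:
    #   - target the subscription environments actually deploy into, not a shared one;
    #   - consider an ABAC condition on the User Access Administrator assignment that
    #     restricts which roles the identity may assign;
    #   - confirm against https://learn.microsoft.com/en-us/azure/dev-box/concept-dev-box-deployment-guide#organizational-roles-and-responsibilities
    devCenter:
      - id: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
        name: 'Contributor'  # Create/manage resources in the deployment subscription
        scope: 'Subscription'
      - id: '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
        name: 'User Access Administrator'  # Assign Azure roles; needed when environments are deployed
        scope: 'Subscription'
      # Key Vault Secrets Officer is a superset of Key Vault Secrets User (read + write +
      # delete secrets), so keeping both grants nothing extra. If the identity only needs to
      # read secrets (e.g. a Git token for the private project catalogs), drop the Officer role.
      - id: '4633458b-17de-408a-b874-0445c86b69e6'
        name: 'Key Vault Secrets User'
        scope: 'ResourceGroup'
      - id: 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
        name: 'Key Vault Secrets Officer'
        scope: 'ResourceGroup'
    # Organizational role types - map Entra ID (Azure AD) groups to Azure RBAC roles
    orgRoleTypes:
      # Dev Manager role - for users who manage Dev Box deployments
      # These users can configure Dev Box definitions but typically don't use Dev Boxes
      - type: 'DevManager'
        # Object ID of the Entra ID group. Create the group in your tenant and replace this
        # value; the example value corresponds to the "Platform Engineering Team" group.
        azureADGroupId: '54fd94a1-e116-4bc8-8238-caae9d72bd12'
        azureADGroupName: 'Platform Engineering Team'
        # RBAC roles assigned to Dev Managers
        azureRBACRoles:
          # DevCenter Project Admin role allows managing project settings
          - name: 'DevCenter Project Admin'
            id: '331c37c6-af14-46d9-b9f4-e1909e1b95a0'
            scope: 'ResourceGroup'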
# Catalogs section - defines repositories containing Dev Box configurations
# These catalogs provide centralized, version-controlled configuration
# Best practice: Use Git repositories for configuration-as-code approach
catalogs:
  # Customization tasks pulled from Microsoft's public catalog.
  # NOTE(review): this tracks the 'main' branch of a repository this project does not
  # control, so task content applied to Dev Boxes can change without any review here.
  # If the loader supports it, pin a tag or commit; otherwise mirror the tasks into an
  # internal repository and point 'uri' there.
  - name: 'customTasks'
    type: gitHub
    visibility: public
    uri: 'https://github.com/microsoft/devcenter-catalog.git'
    branch: 'main'
    path: './Tasks'
# Environment Types section - defines deployment environments for applications
# Each environment type represents a different stage in the development lifecycle
# Best practice: Create environments that match your SDLC stages (dev, test, prod)
# Projects enable these by name in their own environmentTypes list (see projects below).
environmentTypes:
  # deploymentTargetId: '' (empty) means environments of this type deploy to the default
  # subscription target - presumably the subscription the Dev Center identity holds
  # Subscription-scoped roles on (confirm). Provide a target ID to isolate a stage
  # (e.g. a separate subscription for uat) from the others.
  - name: 'dev'
    deploymentTargetId: ''
  - name: 'staging'
    deploymentTargetId: ''
  - name: 'uat'
    deploymentTargetId: ''
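# Projects section - defines distinct projects within the Dev Center
# Each project has its own Dev Box configurations, catalogs, and permissions
# Best practice: Create separate projects for different teams or workstreams
projects:
  - name: 'eShop'
    description: 'eShop project.'
    # Network configuration for eShop project (a dedicated VNet created with the project)
    network:
      name: 'eShop'                               # Name of the virtual network
      create: true                                # Create the VNet as part of the deployment
      resourceGroupName: 'eShop-connectivity-RG'  # Resource group for network
      virtualNetworkType: 'Managed'               # Type of virtual network
      addressPrefixes:
        - '10.0.0.0/16'                           # Address space for VNet
      subnets:
        - name: 'eShop-subnet'                    # Subnet name
          properties:
            addressPrefix: '10.0.1.0/24'          # Subnet address range
      # NOTE(review): no NSG or route table is declared for the subnet above. If the schema
      # allows one, attach it here; otherwise make sure egress filtering is applied out of band.
      tags:
        environment: 'dev'                        # Deployment environment
        division: 'Platforms'                     # Organizational division
        team: 'DevExP'                            # Team responsible
        project: 'DevExP-DevBox'                  # Project name
        costCenter: 'IT'                          # Cost center for billing
        owner: 'Contoso'                          # Resource owner
        resources: 'Network'                      # Resource type identifier
    # Project identity configuration - controls project-level security
    identity:
      type: 'SystemAssigned'                      # Managed identity type; no credential in this file
      roleAssignments:
        # Every member of this group receives every role below. Contributor at Project scope
        # plus Key Vault Secrets Officer at ResourceGroup scope lets any engineer reconfigure
        # the project and write/delete secrets in whatever resource group that scope resolves
        # to. If engineers only consume Dev Boxes and environments, 'Dev Box User' +
        # 'Deployment Environment User' (+ Secrets User if they must read secrets) is enough;
        # keep Contributor/Officer for a smaller admin group. Key Vault Secrets User is
        # redundant alongside Secrets Officer (Officer is a superset).
        - azureADGroupId: 'b9968440-0caf-40d8-ac36-52f159730eb7'  # Entra ID group object ID
          azureADGroupName: 'eShop Engineers'                      # Entra ID group name
          azureRBACRoles:
            - name: 'Contributor'
              id: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
              scope: 'Project'
            - name: 'Dev Box User'                # Create and use Dev Boxes from the project's pools
              id: '45d50f46-0b78-4001-a660-4198cbe8cd05'
              scope: 'Project'
            - name: 'Deployment Environment User' # Create environments from the project's catalogs
              id: '18e40d4e-8d2e-438d-97e1-9528336e149c'
              scope: 'Project'
            - name: 'Key Vault Secrets User'
              id: '4633458b-17de-408a-b874-0445c86b69e6'
              scope: 'ResourceGroup'
            - name: 'Key Vault Secrets Officer'
              id: 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
              scope: 'ResourceGroup'
    # Dev Box pools - collections of Dev Boxes with specific configurations
    # Best practice: Create role-specific pools with appropriate tools and settings
    # imageDefinitionName must match a definition in the 'devboxImages' catalog below.
    pools:
      - name: 'backend-engineer'                  # Pool for backend engineers
        imageDefinitionName: 'eshop-backend-dev'  # Image definition for backend
        vmSku: 'general_i_32c128gb512ssd_v2'      # VM SKU for backend pool
      - name: 'frontend-engineer'                 # Pool for frontend engineers
        imageDefinitionName: 'eshop-frontend-dev' # Image definition for frontend
        vmSku: 'general_i_16c64gb256ssd_v2'       # VM SKU for frontend pool
    # Project-specific environment types
    # Defines which deployment environments are available to the project.
    # Names must match the Dev Center-level environmentTypes ('dev', 'staging', 'uat');
    # the UAT entry previously used upper case, which does not match the 'uat' defined above.
    environmentTypes:
      - name: 'dev'                               # Development environment
        deploymentTargetId: ''
      - name: 'staging'                           # Staging environment
        deploymentTargetId: ''
      - name: 'uat'                               # User Acceptance Testing environment
        deploymentTargetId: ''
    # Project-specific catalogs - repositories containing project configurations
    # Both are private GitHub repos, so the Dev Center must authenticate to them - presumably
    # via a token in Key Vault, which would explain the Key Vault Secrets roles above (confirm).
    # Never put that credential in this file. Both track 'main'; pin a commit/tag if supported.
    catalogs:
      - name: 'environments'
        type: 'environmentDefinition'
        sourceControl: 'gitHub'
        visibility: 'private'
        uri: 'https://github.com/Evilazaro/eShop.git'
        branch: 'main'
        path: '/.devcenter/environments'
      - name: 'devboxImages'
        type: 'imageDefinition'
        sourceControl: 'gitHub'
        visibility: 'private'
        uri: 'https://github.com/Evilazaro/eShop.git'
        branch: 'main'
        path: '/.devcenter/imageDefinitions'
    # Project-specific tags for resource governance and organization
    # Best practice: Apply consistent tags for cost allocation and ownership
    tags:
      environment: 'dev'                          # Identifies the deployment environment
      division: 'Platforms'                       # Organizational division responsible for the project
      team: 'DevExP'                              # Team responsible for implementation
      project: 'DevExP-DevBox'                    # Project name for cost allocation
      costCenter: 'IT'                            # Financial tracking designation
      owner: 'Contoso'                            # Resource ownership
      resources: 'Project'                        # Resource type identifier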
# Top-level tags applied to the Dev Center resource
# Best practice: Implement consistent tagging across all Azure resources
# for improved governance, cost management, and operational tracking
# Tags are metadata only: they do not grant or restrict access.
tags:
  environment: 'dev' # Identifies the deployment environment
  division: 'Platforms' # Organizational division responsible for the resource
  team: 'DevExP' # Team responsible for implementation
  project: 'DevExP-DevBox' # Project name for cost allocation
  costCenter: 'IT' # Financial tracking designation
  owner: 'Contoso' # Resource ownership
  resources: 'DevCenter' # Resource type identifier