Azure NoOps Accelerator is a flexible foundation that enables DOD/Public Sector customers to develop and maintain opinionated self-service infrastructure in their Azure environment. These templates are created to help organizations move to continuous deployment of infrastructure.
The Azure NoOps Accelerator Architecture is supported up to IL6 (Top Secret) for Cloud Only Applications. This flexible foundation is applicable to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) with the following characteristics:
* Cloud-based services hosting sensitive (up to IL6 (Top Secret)) information
* No direct system to system network interconnections required with data centers
This implementation is specific to DOD/Public Sector organizations.
## Goals
* Designed for US Government mission customers
* Implements SCCA controls following Microsoft's SACA implementation guidance
* Deployable in Azure commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret clouds
* Accelerate the use of Azure in DOD/Public Sector through onboarding multiple types of workloads including App Dev and Data & AI.
* Simplify compliance management through a single source of compliance, audit reporting and auto remediation.
* Deployment of DevOps frameworks & business processes to improve agility
* Written as Bicep and Terraform templates
## Non-Goals
* Automatic approval for Authority to Operate (ATO). Customers must collect evidence, customize to meet their departmental requirements and submit for Authority to Operate based on their risk profile, requirements and process.
* Compliance with all Azure Policies when the reference implementation is deployed. This is due to the shared responsibility model of the cloud, and customers can choose which Azure Policies to exclude. For example, using Azure Firewall is an Azure Policy that will be non-compliant since the majority of DOD/Public Sector customers use Network Virtual Appliances. Customers must review the Microsoft Defender for Cloud Regulatory Compliance dashboard and apply appropriate exemptions.
Azure NoOps is “not about the elimination of ops; it is about the elimination of manual handoffs and low-value, rote administration.” Think of NoOps as the next evolution of DevOps. We want the NoOps Accelerator to drive mission success with an outcome-based approach that delivers continuous value to enable the warfighter.
3. Continuous Real Time Observability, Telemetry, and Monitoring.
4. Process and Automation is Top Priority.
### DevOps Mindset
Driving the DevOps mindset will prepare your team to handle collaboration, change control and continuous deployment. Much of this is familiar to your developers but may be new to cyber and operations staff.
### Roles & Skillsets
To have success with NoOps, you will need:
* Development staff capable with modern DevOps practices and tools such as source control (Git) and Continuous Integration/Delivery (CI/CD).
* Cyber security staff to take ownership of policy-oriented development in coordination with the Development staff.
* Operations staff to define the architecture that meets the policy needs, which is then coded by the Development staff.
### Shared Responsibility Model
Even though development, cyber & operations team members have specific roles and responsibilities, it is the collaboration between these three groups that will make NoOps successful.
### Leadership Support
Policy-driven governance is a core tenet of NoOps that requires direct leadership input. Many operations organizations do not have the development staff that is necessary for NoOps success, so leadership should be aware of the potential staffing gap.
## What are we solving for with the NoOps Accelerator?
### Mission Outcome Success
An all-in-one solution that takes the best practices from the Mission Landing Zone architecture and creates a full ATO-compliant enclave.
### Security & Governance at Scale
Policy-driven guardrails using in-band and out-of-band policies ensure that deployed workloads and applications are compliant with your command’s cyber-security and compliance requirements, and therefore secure a path to driving mission outcomes. Policy-driven governance is one of the key design principles of this accelerator.
Using pre-configured templates and policy-driven resources where core systems administration tasks are fully automated allows developers to focus on driving mission outcomes.
## Architecture
See the [architecture documentation](docs/NoOpsAccelerator-Architecture.md) for a detailed walkthrough of the design.
Deployment to Azure is supported using GitHub Actions and can be adapted for other automated deployment systems like GitLab, Jenkins, etc.
The automation is built with Azure Bicep and Azure Resource Manager templates.
## Onboarding to GitHub Actions
See the following onboarding guides for setup instructions:
* GitHub Actions Setup provides guidance on considerations and recommended practices when creating and configuring your GitHub environment.
* GitHub Actions Scripts provides guidance on the scripts available to help simplify the onboarding process to Azure Landing Zones design using GitHub Actions.
* GitHub Actions provides guidance on the manual steps for onboarding to the Azure Landing Zones design using GitHub Actions.
## SCCA Compliant Hub/Spoke Design (referred to as Mission Landing Zone)
NoOps Accelerator can be used to create an SCCA Compliant Hub/Spoke Design (referred to as Mission Landing Zone) based on the [Azure Mission Landing Zone Conceptual Architecture][mlz_architecture].
The [NoOps Accelerator - SCCA Compliant Hub/Spoke Design (referred to as Mission Landing Zone)](src/bicep/platforms/lz-platform-scca-hub-3spoke/) is set up in a hub and spoke design with Logging, separated by tiers: T0 (Identity and Authorization), T1 (Infrastructure Operations), T2 (DevSecOps and Shared Services), and multiple T3s (Workloads).
Access control can be configured to allow separation of duties between all tiers.
## Bicep Modules
The [src/bicep](src/bicep) directory contains all of the modules required to deploy NoOps Accelerator components.
## Terraform Modules
> NOTE: Currently Terraform modules are not complete. We are working on the Bicep modules first, as this is native to Azure ARM.
The [src/terraform](src/terraform) directory contains all of the modules required to deploy NoOps Accelerator components.
This is still a work in progress. We wanted to concentrate on the Bicep modules first, as there is native support for them in Azure.
Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at [https://www.microsoft.com/trustcenter](https://www.microsoft.com/trustcenter).
If you don't wish to send usage data to Microsoft, you can set the `customerUsageAttribution.enabled` setting to `false` in `global/telemetry.json`.
Project Bicep [collects telemetry in some scenarios](https://github.com/Azure/bicep/blob/main/README.md#telemetry) as part of improving the product.
Please see the [Support and Feedback Guide](https://github.com/Azure/NoOpsAccelerator/blob/update-repo/SUPPORT.md). To report a security issue please see our [security guidance](https://github.com/Azure/NoOpsAccelerator/blob/update-repo/SECURITY.md).
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow