MoreIQPlatform
Architecture
DevOps Services
DEVOPS Version 1 (WIP) Last Review Date: August, 2024

Documentation Overview

covers:

DevOps Subscription

Overview

  • The More IQ DevOps subscription sub-miq-devops provides DevOps services supporting Azure DevOps projects that target workload subscriptions, such as the More Core subscriptions, in the Landing Zones management group.
  • The DevOps Subscription is the central location for self-hosted Azure DevOps agent pool infrastructure, including Scale Set Agent Pools, Managed DevOps Pools, Container Instances and Azure Kubernetes Service based agents.
  • The shared build agents have the permissions to provision into all other subscriptions and resources in the More IQ Landing Zones management group.
  • The rg-spoke resource group contains the devops-spoke-vnet VNet which is peered to the regional hub allowing resources within the subscription to communicate with other Landing Zones.
  • The following diagram shows the overall resource topology of the DevOps subscription.
    DevOps Subscription Topology

Note: No secrets are to be added into the site

Access

  • Access to this site is for members of the MoreCore team, and permitted subcontractors.
  • Access is controlled via

Dev Center

  • The use of services like Dev Box and Managed DevOps Pools requires an instance of Dev Center to organise, separate and govern resources.
  • The segmentation of Dev Center into Dev projects for each workload allows delegation of operation and support of Managed DevOps Pools to workload teams.
  • The rg-miq-devcenter resource group contains the miq-devcenter Dev Center. All Dev Projects in the subscription are in this DevCenter.
  • The rg-identity resource group contains the umi user managed identity which has the contributor role for the rg-devops resource group.
  • Each workload team is provisioned a Managed DevOps Pool and supporting resources in a templated resource group as described below.

DevOps shared pools and image galleries

  • As part of Landing Zone Vending operations, each workload team has a collection of Azure DevOps Projects and supporting Managed DevOps Pools created and delegated to them.
  • Each team's resources are provisioned into a resource group named rg-devops-(project or pool name).
  • A Dev Center Dev Project is created in the project resource group, associated with the pools subsequently provisioned for the team.
  • The Managed DevOps Pools provide a managed VMSS connected to the Azure DevOps Project.
  • A user assigned managed identity is also provisioned and assigned to the VMs of the Managed DevOps Pool, so that the identity used when a team's pipelines provision infrastructure or access Azure resources is controlled by the platform rather than by the team.
  • Service Connection mapping to the user assigned managed identity is created in the Azure DevOps Project.
  • The team will also have access to images in the shared devops compute gallery for storing images if required.
  • Azure DevOps projects can also be optionally allowed to utilise the shared linux and windows managed devops pools. In this case, no user assigned managed identity is assigned to these pools.
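An added example, not the platform's own template, of what the per-team resource group described above might contain, written in Bicep: the Dev Center Dev Project, the user assigned managed identity with Contributor scoped to the team's own resource group only, and the Managed DevOps Pool bound to both. Resource names, parameter defaults, the Azure DevOps organisation URL and the VM SKU are placeholders; the resource types and property names are those of the Microsoft.DevCenter, Microsoft.ManagedIdentity and Microsoft.DevOpsInfrastructure providers at their 2024 API versions and should be confirmed against the current schema. The sharedPool parameter shows the shared-pool variant, which attaches no identity.

```bicep
// Added example (not the platform's own template) of per-workload-team provisioning.
// All names, parameter defaults and the ADO organisation URL are placeholders.
targetScope = 'resourceGroup' // deploy into rg-devops-<project or pool name>

@description('Workload project / pool name (placeholder)')
param teamName string
param location string = resourceGroup().location
@description('Resource ID of the shared miq-devcenter Dev Center')
param devCenterId string
@description('Azure DevOps organisation URL (placeholder)')
param adoOrgUrl string = 'https://dev.azure.com/EXAMPLE-ORG'
@description('Subnet in devops-spoke-vnet that the pool agents attach to')
param agentSubnetId string
@description('true for the shared pool variant: no user assigned identity is attached')
param sharedPool bool = false

// Built-in Contributor role definition (well-known Azure id, not page specific)
var contributorRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')

// 1. Dev Project for the team, inside the shared Dev Center
resource devProject 'Microsoft.DevCenter/projects@2024-02-01' = {
  name: 'devproj-${teamName}'
  location: location
  properties: {
    devCenterId: devCenterId
  }
}

// 2. User assigned managed identity the team's pipelines run as
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (!sharedPool) {
  name: 'umi-devops-${teamName}'
  location: location
}

// 3. Least-privilege grant: Contributor on this resource group only, never the subscription
resource uamiContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!sharedPool) {
  name: guid(resourceGroup().id, 'umi-devops-${teamName}', contributorRoleId)
  scope: resourceGroup()
  properties: {
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: contributorRoleId
  }
}

// 4. Managed DevOps Pool (managed VMSS) bound to the Dev Project and the ADO project
resource pool 'Microsoft.DevOpsInfrastructure/pools@2024-10-19' = {
  name: 'mdp-${teamName}'
  location: location
  // Shared pools carry no identity; team pools carry exactly the UAMI above
  identity: sharedPool ? { type: 'None' } : {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uami.id}': {} }
  }
  properties: {
    devCenterProjectResourceId: devProject.id
    maximumConcurrency: 4
    organizationProfile: {
      kind: 'AzureDevOps'
      organizations: [ { url: adoOrgUrl, projects: [ teamName ], parallelism: 4 } ]
      permissionProfile: { kind: 'CreatorOnly' }
    }
    agentProfile: { kind: 'Stateless' } // fresh VM per job: nothing persists between pipeline runs
    fabricProfile: {
      kind: 'Vmss'
      sku: { name: 'Standard_D2ads_v5' } // placeholder SKU
      images: [ { wellKnownImageName: 'ubuntu-22.04/latest' } ]
      osProfile: { logonType: 'Service' }
      networkProfile: { subnetId: agentSubnetId } // keeps agents on the peered spoke VNet
    }
  }
}

// Client id of the pool identity; the Service Connection in the ADO project maps to it
output poolIdentityClientId string = sharedPool ? '' : uami.properties.clientId
```

Deploy it into the team's resource group with `az deployment group create --resource-group rg-devops-<team> --template-file <file>.bicep --parameters teamName=<team> devCenterId=<id> agentSubnetId=<id>`. The Service Connection that maps the Azure DevOps project to the identity is created on the Azure DevOps side and is not part of this template; the clientId output is what that connection needs.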