I'm about to create three different environments within my Azure Subscription. Dev, Test and Prod.
However, I am unsure whether it is common practice to use one Key Vault that contain secrets from all three environments or should I create three separate Key Vaults, one for each RG?
What is "Best Practice" when it comes to this?
The recommended choice is to use a vault per application per environment (development, pre-production, and production), per region. This helps you not share secrets across environments and regions. It will also reduce the threat in case of a breach.
Related
If one has multiple environments(dev/qa/prod) in different subscriptions, there might be some restrictions with Azure DevOPs pipelines. I think currently Azure DevOps cannot span multiple subscription.
Considering this, will it be a good design to say have multiple synapse workspaces(one for each environment - dev/qa/prod) for each project in the same subscription but different resource groups?
There is always more than one way to do things but I do not think one subscription is always the right answer. It brings a bit of risk that someone could accidentally 'deploy to prod', and although this could happen in any situation, having only one subscription makes this more likely. The environments should of course be properly ring-fenced with permissions, resource groups, resource locks, clearly defined release pipelines with gateways etc which will help reduce that risk.
Multiple subscriptions, or at least a dedicated prod subscription housing a single prod environment and a non-prod subscription housing dev, test, QA (and other environments) is another option. This should reduce the risk of a single subscription but introduces additional complexity.
One way to think about it then, and what is best for your organisation is to think about a grid or matrix, with axes for Risk, DevOps maturity and Complexity versus number of Azure subscriptions you have. Ask a series of questions to help decide your position on this chart. A simple example and some sample questions:
Regarding "easy life", DevOps engineers and architects do not think like this and you shouldn't either.
You should have a single Subscription and within that subscription you can have multiple resource groups like Dev/Prod/QA. Deploy and manage your resources for different environment under a corresponding resource group for easy and hustle free experience.
Check the below diagram for your reference.
For better understanding, refer Microsoft official document.
Currently, I'm storing all key/value pairs in Application Settings, but I'm not happy with this approach. What is the recommended way to store settings for dev, test, stage, and prod? I need to make sure that prod settings are not visible to developers. Is there a way to create 4 different JSON files and define access permissions on them? Or do I need to create 4 different Function apps (or subscriptions)?
Azure App Configuration is a relatively new service that sounds like it could help in terms of managing the config values centrally with more control than individual instance App Settings.
Beyond that, you could perhaps build segregation by limiting devs to pushing code only and not accessing the hosting environment (Azure portal, etc). The layer in between would be something like Azure DevOps or Github Actions that has access to Azure, while devs are limited to pushing code that triggers deployment.
Also worth reminding ourselves that devs ultimately have a lot of access by virtue of writing the code. If they want to get at runtime data, they can, somehow. If you consider the devs untrusted, you may have bigger problems. If it's just a matter of preventing mistakes, a solid devops process is the key.
Currently my company is moving all our products Azure and as part of migration we are using Azure key vault for storing secret keys. We have around 10 to 15 products and for each product we use review, integration, staging and production environment.
I don't see an option to configure secrets to different environment and products as in Vault Enterprise which we currently use. I am here to ask a best approach to configure secret keys for different products and corresponding environments in Azure key vault. So that it will easy to manage the secrets on Azure key vault.
Note: We do have around 5 to 10 keys for each environment.
We had good experiences with using dedicated KeyVaults for each environment. The main advantage of using a "KeyVault per Stage" approach is that you can have the same key name in every KeyVault. This really saves you from a lot of complexity when consuming the values later on. Also, if you decide to create a new environment or drop an existing one, you don't have to worry about affecting other environments.
We usually also extend this to also create a dedicated KeyVault per product. As such, you will have "only what you need" and it is quite transparent. If you have a lot of "shared values", you could also create "common" KeyVaults instead.
If you use Azure Pipelines, it can be very nice to link the KeyVaults to a stage in the pipeline. This also works with YAML pipelines. Again, having the same secret name in each environment helps a lot in this case, since each environment can be identical.
Sidenote: With Azure Pipelines, you could also store some secrets as "secret variables". Probably not enough for your case, but I wanted to make sure you know.
You must use variables in the pipeline that will contain values from the key vault, then, just set the variables to the related product / environment.
For more info:
https://zimmergren.net/using-azure-key-vault-secrets-from-azure-devops-pipeline/
https://stefanstranger.github.io/2019/06/26/PassingVariablesfromStagetoStage/
I would like to use a single keyvault, share among multiple teams. I want to maintain certficates, secrets and keys and use RBAC to allow users, Groups, Service Principals to insure they only have access to those Objects they have access to ?
As mentioned in the comment, you can't.
The granularity of the data tier access control is not such meticulous, the user/service principal/group either access all the secrets or not access all the secrets, the same for keys and certificates.
At this point in the features available in the product, you cannot control or deploy RBAC's at data plane for customized access to KV entities such as secrets, keys, and certificates.
You may consider creating multiple instances of vaults to deploy such a pattern. At the same time, you should also voice your opinion on the feedback portal.
I want to deploy multiple machines across various geographical regions to serve my application in a Development and Production environment; I'm coming from Google Cloud Platform where my solution would be to create 2 projects:
project-dev
project-prod
With that I have complete freedom of creating resources in any region/zone in either project/environment.
The closest thing to this I have found on Azure is Resource Groups, but those are tied to a specified region, which is not ideal for me. Is there a better way, rather than creating a resource group in EACH region I choose to deploy resources for both environments as follows:
project-dev-east-us
project-dev-west-us
project-dev-west-eu
project-dev-east-as
project-prod-east-us
project-prod-west-us
project-prod-west-eu
project-prod-east-as
Resource groups are tied to regions, but resource inside are not, so you can have resources from multiple regions in a single resource group. but resource group is like a folder on a hard drive. its just a way to logically organize things, nothing more.