nexus/knowledgebase/DevOps & SRE/01_AWS-Landing-Zone/ctp-topic-25-labs-landing-zone-overview-itom-teams.md

title: CTP Topic 25 Labs Landing Zone overview - ITOM teams
type: cloud-learning
source-type: video
category: DevOps & SRE/01_AWS-Landing-Zone
tags: AWS, Landing-Zone, Labs, ITOM, CTP
date-added: 2026-04-14
video-source: nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 25_ Labs Landing Zone overview - ITOM teams.mp4
audio-source:
status: summarized (Gemini summary)

CTP Topic 25 Labs Landing Zone overview - ITOM teams

Source: NAS /volume2/work/Public Cloud Learning Sessions/CTP _ Topic 25_ Labs Landing Zone overview - ITOM teams.mp4

Type: VIDEO | Category: 01_AWS-Landing-Zone

Status: 🟡 Awaiting Whisper transcription → Summary


Summary

Labs Landing Zone Overview

The Labs landing zone follows the Gruntwork reference architecture and AWS multi-account best practice. The whole stack is defined as infrastructure as code in Terraform, built from a shared library of common modules that teams can review and modify; nothing should be created outside Terraform or another code-based mechanism.

Key components include:

  • Shared Account: Hosts the Jenkins master for the CI/CD pipeline (Gruntwork's production-grade pipeline), the hardened AMIs, and a Docker image registry.
  • Logs Account: Secure storage for the AWS Config and CloudTrail logs of every account; access is controlled by the security team.
  • Security Account: Manages user identities and access, primarily cross-account roles into the shared accounts; most access is federated rather than through local IAM users.
  • Core Accounts:
    • Active Directory: Manages Windows instances and identity providers (all within Swimford.net).
    • DNS: Manages the AWS Swimford.net zone, allowing local domains or delegation to the wider infrastructure.
  • Network Account: Central hub for all network traffic, managed through Transit Gateway and the JetPult firewall. All internet access is routed through this account; the network team grants firewall access based on resource tags. Pulse VPN access also terminates here, providing access to the Micro Focus network.
  • Shared Service Accounts: Provide access to shared services such as monitoring (45 arc site) and Qualys.
  • Product Account: The primary working environment, built from the standard infrastructure-as-code modules. A product can have several accounts (production, staging, development). Logs are shipped to the Logs account, and a Jenkins instance manages automation within the account.
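The Logs account item above says the security team controls access to the CloudTrail and Config logs. As an added example (not the Labs team's code), here is a Terraform definition of such a central log bucket: the AWS log-delivery services may only write, a single security-team role may read, and everyone else is denied. The bucket name, account IDs and role ARN are placeholders.

```hcl
# Added example, not the Labs landing zone's own module.
# All identifiers below are assumptions for illustration.
locals {
  logs_bucket_name   = "example-org-landing-zone-logs"                       # assumption
  security_role_arn  = "arn:aws:iam::111111111111:role/security-team-audit"  # assumption
  member_account_ids = ["222222222222", "333333333333"]                      # assumption: product accounts
}

resource "aws_s3_bucket" "logs" {
  bucket = local.logs_bucket_name
}

# Versioning plus SSE so a compromised writer cannot silently overwrite history.
resource "aws_s3_bucket_versioning" "logs" {
  bucket = aws_s3_bucket.logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "logs" {
  # CloudTrail and Config check the bucket ACL before delivering.
  statement {
    sid       = "AWSLogDeliveryAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.logs.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com", "config.amazonaws.com"]
    }
  }

  # Delivery is write-only, and only into each member account's own prefix.
  statement {
    sid       = "AWSLogDeliveryWrite"
    actions   = ["s3:PutObject"]
    resources = [for id in local.member_account_ids : "${aws_s3_bucket.logs.arn}/AWSLogs/${id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com", "config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  # Explicit deny wins over any IAM allow: nobody but the security team's
  # role can read or delete log objects, including principals in this account.
  statement {
    sid       = "DenyReadExceptSecurityTeam"
    effect    = "Deny"
    actions   = ["s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion"]
    resources = ["${aws_s3_bucket.logs.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = [local.security_role_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs.json
}
```

Two caveats when adapting this: the explicit Deny also applies to the Logs account's root user, so confirm the security role exists and is assumable before applying it; and an organization trail writes under `AWSLogs/<org-id>/<account-id>/`, so the write prefix must be adjusted if the landing zone uses one.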

When deploying a product account, the key prerequisites are defining its IP address ranges and agreeing with the network team on the tags that the firewall rules will match; all access through that firewall is tag-driven. The team recommends using their Terraform modules for deploying subnets.
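To make the two prerequisites concrete, here is an added Terraform example (not the team's subnet module) of a product-account VPC: subnets are carved from the CIDR range allocated by the network team, every resource carries the agreed firewall tags, and the only route out is the shared Transit Gateway, so all traffic passes the firewall in the Network account. The CIDR, Transit Gateway ID, tag keys and values are assumptions.

```hcl
# Added example, not the Labs landing zone's own module.
variable "product_cidr" {
  description = "CIDR range allocated to this product by the network team (assumption)"
  type        = string
  default     = "10.42.0.0/20"
}

variable "transit_gateway_id" {
  description = "Transit Gateway shared from the Network account (assumption)"
  type        = string
  default     = "tgw-0123456789abcdef0"
}

locals {
  # Tag keys and values the network team keys firewall rules on (hypothetical names).
  firewall_tags = {
    Product        = "example-product"
    Environment    = "staging"
    InternetAccess = "egress-proxy"
    FirewallZone   = "labs-product"
  }
  azs = ["eu-west-1a", "eu-west-1b"]  # assumption
}

resource "aws_vpc" "product" {
  cidr_block           = var.product_cidr
  enable_dns_hostnames = true
  tags                 = merge(local.firewall_tags, { Name = "product-staging" })
}

# Derive /24s from the allocated /20 with cidrsubnet() instead of hand-picking
# addresses, so adjacent products never overlap the ranges they were given.
resource "aws_subnet" "private" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.product.id
  cidr_block        = cidrsubnet(var.product_cidr, 4, count.index)
  availability_zone = local.azs[count.index]
  tags = merge(local.firewall_tags, {
    Name = "product-private-${count.index}"
    Tier = "private"
  })
}

resource "aws_ec2_transit_gateway_vpc_attachment" "product" {
  subnet_ids         = aws_subnet.private[*].id
  transit_gateway_id = var.transit_gateway_id
  vpc_id             = aws_vpc.product.id
  tags               = local.firewall_tags
}

# No Internet Gateway and no NAT Gateway: the default route points at the
# Transit Gateway, so internet and corporate access both go through the
# central firewall and are decided by the tags above.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.product.id

  route {
    cidr_block         = "0.0.0.0/0"
    transit_gateway_id = var.transit_gateway_id
  }

  tags       = local.firewall_tags
  depends_on = [aws_ec2_transit_gateway_vpc_attachment.product]
}

resource "aws_route_table_association" "private" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}
```

The attachment still has to be accepted and routed on the Network account side, and a tag typo silently produces a VPC with no matching firewall rule, so a `terraform plan` review should check the tag values against what was agreed before the pipeline applies.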

The standard Jenkins-based pipelines watch GitHub Enterprise repositories for changes and run a Terragrunt plan or apply depending on the branch. Internet connectivity is restricted; access to specific corporate network locations must be requested from the network services team. The pipelines are continually being hardened, including pre-commit checks and Fortify scans.


Key concepts


Action items


Related videos

Paired video note link (fill in after generation)


Last updated: 2026-04-14