1402 lines
44 KiB
Markdown
1402 lines
44 KiB
Markdown
|
|
# Phoenix Operating Model
|
|||
|
|
|
|||
|
|
**Sankofa Phoenix Cloud Services — Enterprise-Grade Operating Model for Sovereign Governments**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Executive Summary
|
|||
|
|
|
|||
|
|
**Phoenix (Sankofa Cloud Services)** is a competing cloud services offering purpose-built to service **international and multi-national Sovereign Governments** and their contractors. Phoenix competes directly with Azure, AWS, and other cloud service providers while offering superior capabilities for sovereign deployments.
|
|||
|
|
|
|||
|
|
This operating model separates **commercial governance**, **technical tenancy**, and **content/devops control** while enabling clean interoperability across distributed, multi-region deployments. The model is designed to support:
|
|||
|
|
|
|||
|
|
- **International and multi-national sovereign governments** requiring multi-region landing zones
|
|||
|
|
- **Decentralized architecture** supporting distributed sovereignty
|
|||
|
|
- **Clouds for sovereignty** with regional data residency and compliance
|
|||
|
|
- **Enterprise-scale multi-tenancy** superior to Azure and AWS
|
|||
|
|
|
|||
|
|
This document is suitable for:
|
|||
|
|
- Architecture decks
|
|||
|
|
- Product specifications
|
|||
|
|
- Client-facing enterprise offering memos
|
|||
|
|
- Implementation guides
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Core Management Layers (Separation of Concerns)
|
|||
|
|
|
|||
|
|
Phoenix is structured around **five orthogonal but linked control planes**, each with its own hierarchy and access model. Planes reference each other through IDs—not shared control.
|
|||
|
|
|
|||
|
|
### The Five Control Planes
|
|||
|
|
|
|||
|
|
1. **Commercial Plane** – *Who pays*
|
|||
|
|
2. **Tenancy Plane** – *Who owns domains & identity*
|
|||
|
|
3. **Subscription Plane** – *What is provisioned*
|
|||
|
|
4. **Environment Plane** – *Where workloads run*
|
|||
|
|
5. **Content & DevOps Plane** – *What is built, governed, and deployed*
|
|||
|
|
|
|||
|
|
### Design Principles
|
|||
|
|
|
|||
|
|
- **Orthogonal Design**: Each plane operates independently
|
|||
|
|
- **ID-Based References**: Planes reference each other through IDs, not shared control
|
|||
|
|
- **Separation of Concerns**: Commercial, technical, and content concerns are separated
|
|||
|
|
- **Clean Interoperability**: Planes interoperate cleanly without tight coupling
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## I. Commercial Plane — Clients (Billing Profiles)
|
|||
|
|
|
|||
|
|
**Purpose:** Financial ownership, invoicing, entitlements, and contractual scope.
|
|||
|
|
|
|||
|
|
### Entity: Client (Billing Profile)
|
|||
|
|
|
|||
|
|
A **Client** represents a legal entity that contracts with Phoenix for cloud services. It is the financial and contractual boundary for billing and invoicing.
|
|||
|
|
|
|||
|
|
#### Attributes
|
|||
|
|
|
|||
|
|
- **Legal Entity**: Legal name, registration number, jurisdiction
|
|||
|
|
- **Contract & MSA**: Master Service Agreement, contract terms, SLAs
|
|||
|
|
- **Invoicing Configuration**: Invoice format, frequency, currency, payment terms
|
|||
|
|
- **Payment Instruments**: Credit cards, bank accounts, purchase orders
|
|||
|
|
- **Cost Centers / Departments**: Internal cost allocation structure
|
|||
|
|
- **Usage Aggregation & Chargeback**: Aggregation of usage across all tenants, chargeback to internal departments
|
|||
|
|
|
|||
|
|
#### Entity Schema
|
|||
|
|
|
|||
|
|
```graphql
|
|||
|
|
type Client {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
legalEntity: LegalEntity!
|
|||
|
|
contract: Contract
|
|||
|
|
msa: MSA
|
|||
|
|
invoicingConfig: InvoicingConfig!
|
|||
|
|
paymentInstruments: [PaymentInstrument!]!
|
|||
|
|
costCenters: [CostCenter!]!
|
|||
|
|
tenants: [Tenant!]!
|
|||
|
|
usageAggregation: UsageAggregation
|
|||
|
|
chargebackRules: [ChargebackRule!]!
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type LegalEntity {
|
|||
|
|
name: String!
|
|||
|
|
registrationNumber: String
|
|||
|
|
jurisdiction: String!
|
|||
|
|
taxId: String
|
|||
|
|
address: Address!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Contract {
|
|||
|
|
id: ID!
|
|||
|
|
client: Client!
|
|||
|
|
startDate: DateTime!
|
|||
|
|
endDate: DateTime
|
|||
|
|
terms: String!
|
|||
|
|
sla: SLA!
|
|||
|
|
status: ContractStatus!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type InvoicingConfig {
|
|||
|
|
format: InvoiceFormat!
|
|||
|
|
frequency: InvoiceFrequency!
|
|||
|
|
currency: String!
|
|||
|
|
paymentTerms: String!
|
|||
|
|
billingAddress: Address!
|
|||
|
|
emailRecipients: [String!]!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum InvoiceFormat {
|
|||
|
|
PDF
|
|||
|
|
XML
|
|||
|
|
JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum InvoiceFrequency {
|
|||
|
|
MONTHLY
|
|||
|
|
QUARTERLY
|
|||
|
|
ANNUAL
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### Key Rules
|
|||
|
|
|
|||
|
|
1. **A Client can own multiple Tenants**
|
|||
|
|
- Rationale: A single legal entity (e.g., a government agency) may operate multiple domains/identities
|
|||
|
|
- Example: A defense contractor may have separate tenants for classified and unclassified work
|
|||
|
|
- Enforcement: Database foreign key constraint (Tenant.clientId → Client.id)
|
|||
|
|
|
|||
|
|
2. **A Tenant cannot span multiple Clients**
|
|||
|
|
- Rationale: Billing and contractual boundaries must be clear
|
|||
|
|
- Example: A tenant cannot be shared between two different government agencies
|
|||
|
|
- Enforcement: Database constraint (Tenant.clientId is NOT NULL and UNIQUE per tenant)
|
|||
|
|
|
|||
|
|
3. **Billing is never tied directly to environments or repos**
|
|||
|
|
- Rationale: Billing operates at Client/Subscription level, not at operational level
|
|||
|
|
- Example: Costs are aggregated at Subscription level, not per environment or Git repository
|
|||
|
|
- Enforcement: Billing APIs only accept Client or Subscription IDs, not Environment or Content IDs
|
|||
|
|
|
|||
|
|
### Relationship to Existing Billing System
|
|||
|
|
|
|||
|
|
The existing Phoenix billing system (documented in `docs/tenants/BILLING_GUIDE.md`) currently tracks billing at the Tenant level. The new operating model introduces Client as the billing boundary:
|
|||
|
|
|
|||
|
|
- **Migration Path**: Existing tenants will be assigned to a default Client (or Clients can be created and tenants assigned)
|
|||
|
|
- **Billing Aggregation**: Client-level billing aggregates costs from all associated Tenants and Subscriptions
|
|||
|
|
- **Backward Compatibility**: Tenant-level billing queries remain available but aggregate to Client level
|
|||
|
|
|
|||
|
|
### Multi-National Client Structures
|
|||
|
|
|
|||
|
|
For international sovereign governments:
|
|||
|
|
|
|||
|
|
- **Single Client, Multiple Tenants**: One Client (the government) with multiple Tenants per nation/region
|
|||
|
|
- **Multiple Clients, Coordinated Tenants**: Separate Clients per nation with coordinated Tenant structures
|
|||
|
|
- **Federated Billing**: Cross-border billing aggregation while maintaining sovereignty
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## II. Tenancy Plane — Tenants (Domains)
|
|||
|
|
|
|||
|
|
**Purpose:** Identity, domain ownership, trust boundaries, and security isolation.
|
|||
|
|
|
|||
|
|
### Entity: Tenant
|
|||
|
|
|
|||
|
|
A **Tenant** represents an identity and domain boundary. It is the security blast-radius boundary and owns all identity, domain, and security configuration.
|
|||
|
|
|
|||
|
|
#### Attributes
|
|||
|
|
|
|||
|
|
- **Primary Domain(s)**: One or more domains owned by the tenant (e.g., `agency.gov`, `agency.sankofa.nexus`)
|
|||
|
|
- **Identity Provider**: SSO configuration (Entra, Okta, Keycloak, etc.)
|
|||
|
|
- **Global RBAC Namespace**: Root namespace for all RBAC within the tenant
|
|||
|
|
- **Data Residency / Sovereignty Flags**: Regional data residency requirements, sovereignty flags
|
|||
|
|
- **Compliance Profile**: Compliance requirements (ISO, SOC, HIPAA, government-specific standards)
|
|||
|
|
- **Multi-Region Support**: Whether tenant spans multiple regions
|
|||
|
|
- **Regional Data Residency Requirements**: Per-region data residency rules
|
|||
|
|
- **Cross-Border Governance Settings**: Governance rules for cross-border operations
|
|||
|
|
|
|||
|
|
#### Entity Schema
|
|||
|
|
|
|||
|
|
```graphql
|
|||
|
|
type Tenant {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
primaryDomains: [String!]!
|
|||
|
|
identityProvider: IdentityProvider!
|
|||
|
|
rbacNamespace: String!
|
|||
|
|
dataResidencyFlags: [DataResidencyFlag!]!
|
|||
|
|
complianceProfile: ComplianceProfile!
|
|||
|
|
client: Client!
|
|||
|
|
subscriptions: [Subscription!]!
|
|||
|
|
environments: [Environment!]!
|
|||
|
|
regions: [Region!]!
|
|||
|
|
keycloakRealmId: String
|
|||
|
|
multiRegionEnabled: Boolean!
|
|||
|
|
regionalDataResidency: [RegionalDataResidency!]!
|
|||
|
|
crossBorderGovernance: CrossBorderGovernance
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type IdentityProvider {
|
|||
|
|
type: IdentityProviderType!
|
|||
|
|
config: JSON!
|
|||
|
|
ssoEnabled: Boolean!
|
|||
|
|
mfaRequired: Boolean!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum IdentityProviderType {
|
|||
|
|
KEYCLOAK
|
|||
|
|
AZURE_AD
|
|||
|
|
OKTA
|
|||
|
|
GOOGLE_WORKSPACE
|
|||
|
|
CUSTOM_SAML
|
|||
|
|
CUSTOM_OIDC
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type ComplianceProfile {
|
|||
|
|
standards: [ComplianceStandard!]!
|
|||
|
|
certifications: [Certification!]!
|
|||
|
|
auditRequirements: [AuditRequirement!]!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum ComplianceStandard {
|
|||
|
|
ISO_27001
|
|||
|
|
ISO_27017
|
|||
|
|
ISO_27018
|
|||
|
|
SOC_2
|
|||
|
|
SOC_3
|
|||
|
|
HIPAA
|
|||
|
|
PCI_DSS
|
|||
|
|
GDPR
|
|||
|
|
CCPA
|
|||
|
|
FEDRAMP
|
|||
|
|
ITAR
|
|||
|
|
CUSTOM
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type DataResidencyFlag {
|
|||
|
|
region: Region!
|
|||
|
|
requirement: DataResidencyRequirement!
|
|||
|
|
enforcement: DataResidencyEnforcement!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum DataResidencyRequirement {
|
|||
|
|
REQUIRED
|
|||
|
|
PREFERRED
|
|||
|
|
PROHIBITED
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum DataResidencyEnforcement {
|
|||
|
|
HARD
|
|||
|
|
SOFT
|
|||
|
|
ADVISORY
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### Key Rules
|
|||
|
|
|
|||
|
|
1. **One Tenant → many Subscriptions**
|
|||
|
|
- Rationale: A tenant can have multiple service subscriptions
|
|||
|
|
- Example: A tenant may have separate subscriptions for compute, data, and AI services
|
|||
|
|
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id)
|
|||
|
|
|
|||
|
|
2. **One Tenant → many Environments**
|
|||
|
|
- Rationale: Environments are scoped to tenants for security isolation
|
|||
|
|
- Example: A tenant may have DEV, STAGING, and PROD environments
|
|||
|
|
- Enforcement: Environment belongs to Subscription, which belongs to Tenant
|
|||
|
|
|
|||
|
|
3. **Tenant is the security blast-radius boundary**
|
|||
|
|
- Rationale: Security incidents are contained within tenant boundaries
|
|||
|
|
- Example: A compromised tenant cannot access another tenant's resources
|
|||
|
|
- Enforcement: Network isolation, RBAC namespace isolation, data isolation
|
|||
|
|
|
|||
|
|
### Relationship to Existing Tenant Management
|
|||
|
|
|
|||
|
|
The existing Phoenix tenant management (documented in `docs/tenants/TENANT_MANAGEMENT.md`) aligns with this model:
|
|||
|
|
|
|||
|
|
- **Tenant Tiers**: FREE, STANDARD, ENTERPRISE, SOVEREIGN map to Subscription types
|
|||
|
|
- **Keycloak Integration**: Each tenant gets a Keycloak realm (when `KEYCLOAK_MULTI_REALM=true`)
|
|||
|
|
- **Custom Domains**: Tenant primary domains support custom domain configuration
|
|||
|
|
- **Quotas**: Tenant quotas map to Subscription quotas and limits
|
|||
|
|
|
|||
|
|
### Keycloak Realm Mapping
|
|||
|
|
|
|||
|
|
- **One Tenant = One Keycloak Realm**: Each tenant has its own Keycloak realm for complete identity isolation
|
|||
|
|
- **Realm Name**: Typically matches Tenant ID or primary domain
|
|||
|
|
- **Federated Identity**: Tenants can federate with external identity providers (Entra, Okta, etc.)
|
|||
|
|
|
|||
|
|
### Multi-National Tenant Structures
|
|||
|
|
|
|||
|
|
For international sovereign governments:
|
|||
|
|
|
|||
|
|
- **Per-Nation Tenants**: Separate tenant per nation with coordinated governance
|
|||
|
|
- **Federated Tenants**: Tenants that share identity federation but maintain isolation
|
|||
|
|
- **Cross-Border Tenants**: Tenants that span multiple nations with regional data residency
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## III. Subscription Plane — Subscriptions
|
|||
|
|
|
|||
|
|
**Purpose:** Logical containers for services, quotas, and spend.
|
|||
|
|
|
|||
|
|
### Entity: Subscription
|
|||
|
|
|
|||
|
|
A **Subscription** represents a service bundle provisioned to a tenant. It defines what services are available, quotas, limits, and cost tracking.
|
|||
|
|
|
|||
|
|
#### Attributes
|
|||
|
|
|
|||
|
|
- **Service Bundles**: Compute, data, AI, storage, networking, etc.
|
|||
|
|
- **Quotas & Limits**: Resource quotas, rate limits, capacity limits
|
|||
|
|
- **Cost Tracking**: Cost aggregation, budget tracking, spending alerts
|
|||
|
|
- **Policy Packs**: Security policies, networking policies, data access policies
|
|||
|
|
- **Feature Entitlements**: Enabled features, beta features, premium features
|
|||
|
|
- **Multi-Region Subscriptions**: Whether subscription spans multiple regions
|
|||
|
|
|
|||
|
|
#### Entity Schema
|
|||
|
|
|
|||
|
|
```graphql
|
|||
|
|
type Subscription {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
tenant: Tenant!
|
|||
|
|
client: Client!
|
|||
|
|
type: SubscriptionType!
|
|||
|
|
serviceBundles: [ServiceBundle!]!
|
|||
|
|
quotas: Quotas
|
|||
|
|
limits: Limits
|
|||
|
|
costTracking: CostTracking!
|
|||
|
|
policyPacks: [PolicyPack!]!
|
|||
|
|
featureEntitlements: [FeatureEntitlement!]!
|
|||
|
|
environments: [Environment!]!
|
|||
|
|
regions: [Region!]!
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum SubscriptionType {
|
|||
|
|
SHARED_PLATFORM
|
|||
|
|
PRODUCT
|
|||
|
|
SANDBOX
|
|||
|
|
INNOVATION
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type ServiceBundle {
|
|||
|
|
service: ServiceType!
|
|||
|
|
enabled: Boolean!
|
|||
|
|
quotas: ServiceQuotas
|
|||
|
|
limits: ServiceLimits
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum ServiceType {
|
|||
|
|
COMPUTE
|
|||
|
|
STORAGE
|
|||
|
|
NETWORKING
|
|||
|
|
DATABASE
|
|||
|
|
AI_ML
|
|||
|
|
ANALYTICS
|
|||
|
|
SECURITY
|
|||
|
|
MONITORING
|
|||
|
|
BACKUP
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Quotas {
|
|||
|
|
compute: ComputeQuotas
|
|||
|
|
storage: StorageQuotas
|
|||
|
|
network: NetworkQuotas
|
|||
|
|
custom: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type ComputeQuotas {
|
|||
|
|
vcpu: Int
|
|||
|
|
memory: Int # GB
|
|||
|
|
instances: Int
|
|||
|
|
gpu: Int
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type PolicyPack {
|
|||
|
|
name: String!
|
|||
|
|
type: PolicyPackType!
|
|||
|
|
policies: [Policy!]!
|
|||
|
|
enforcement: PolicyEnforcement!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum PolicyPackType {
|
|||
|
|
SECURITY
|
|||
|
|
NETWORKING
|
|||
|
|
DATA_ACCESS
|
|||
|
|
COMPLIANCE
|
|||
|
|
CUSTOM
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum PolicyEnforcement {
|
|||
|
|
HARD
|
|||
|
|
SOFT
|
|||
|
|
ADVISORY
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### Subscription Types
|
|||
|
|
|
|||
|
|
1. **Shared Platform Subscription**
|
|||
|
|
- Purpose: Shared infrastructure and platform services
|
|||
|
|
- Use Cases: Common platform services, shared networking, centralized monitoring
|
|||
|
|
- Characteristics: Shared resources, cost-efficient, managed by platform team
|
|||
|
|
|
|||
|
|
2. **Product Subscriptions**
|
|||
|
|
- Purpose: Dedicated resources for specific products or applications
|
|||
|
|
- Use Cases: Production workloads, customer-facing applications
|
|||
|
|
- Characteristics: Dedicated resources, higher quotas, production SLAs
|
|||
|
|
|
|||
|
|
3. **Sandbox / Innovation Subscriptions**
|
|||
|
|
- Purpose: Experimental and development environments
|
|||
|
|
- Use Cases: Proof of concepts, experimentation, learning
|
|||
|
|
- Characteristics: Lower quotas, relaxed policies, cost-optimized
|
|||
|
|
|
|||
|
|
### Key Rules
|
|||
|
|
|
|||
|
|
1. **Subscriptions live inside a Tenant**
|
|||
|
|
- Rationale: Subscriptions inherit tenant identity and security boundaries
|
|||
|
|
- Example: All subscriptions for a tenant share the same identity provider
|
|||
|
|
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id, NOT NULL)
|
|||
|
|
|
|||
|
|
2. **Subscriptions are mapped to one Client billing profile**
|
|||
|
|
- Rationale: Billing aggregation happens at Client level
|
|||
|
|
- Example: All subscription costs for a tenant roll up to the tenant's Client
|
|||
|
|
- Enforcement: Subscription.clientId → Client.id (via Tenant.clientId)
|
|||
|
|
|
|||
|
|
### Multi-Region Subscription Patterns
|
|||
|
|
|
|||
|
|
- **Regional Subscriptions**: Separate subscription per region for regional data residency
|
|||
|
|
- **Global Subscriptions**: Single subscription spanning multiple regions
|
|||
|
|
- **Hybrid Subscriptions**: Mix of regional and global services
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## IV. Environment Plane — Environments
|
|||
|
|
|
|||
|
|
**Purpose:** Operational isolation for lifecycle stages.
|
|||
|
|
|
|||
|
|
### Entity: Environment
|
|||
|
|
|
|||
|
|
An **Environment** represents a lifecycle stage where workloads run. It provides network isolation, data isolation, and deployment policies.
|
|||
|
|
|
|||
|
|
#### Attributes
|
|||
|
|
|
|||
|
|
- **Network Isolation**: Network boundaries, firewall rules, network policies
|
|||
|
|
- **Data Isolation**: Data boundaries, encryption, access controls
|
|||
|
|
- **Deployment Policies**: Deployment rules, approval workflows, promotion policies
|
|||
|
|
- **Runtime Secrets**: Secrets management, key rotation, access controls
|
|||
|
|
- **Compliance Overlays**: Compliance requirements specific to environment
|
|||
|
|
- **Regional Scope**: Region where environment is deployed
|
|||
|
|
|
|||
|
|
#### Entity Schema
|
|||
|
|
|
|||
|
|
```graphql
|
|||
|
|
type Environment {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
type: EnvironmentType!
|
|||
|
|
subscription: Subscription!
|
|||
|
|
networkIsolation: NetworkIsolation!
|
|||
|
|
dataIsolation: DataIsolation!
|
|||
|
|
deploymentPolicies: [DeploymentPolicy!]!
|
|||
|
|
runtimeSecrets: [Secret!]!
|
|||
|
|
complianceOverlays: [ComplianceOverlay!]!
|
|||
|
|
region: Region
|
|||
|
|
promotionFlow: PromotionFlow
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum EnvironmentType {
|
|||
|
|
DEV
|
|||
|
|
INT
|
|||
|
|
UAT
|
|||
|
|
STAGING
|
|||
|
|
PROD
|
|||
|
|
REGULATED
|
|||
|
|
SOVEREIGN
|
|||
|
|
AIR_GAPPED
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type NetworkIsolation {
|
|||
|
|
vpcId: String
|
|||
|
|
subnetIds: [String!]!
|
|||
|
|
firewallRules: [FirewallRule!]!
|
|||
|
|
networkPolicies: [NetworkPolicy!]!
|
|||
|
|
allowedConnections: [NetworkConnection!]!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type DataIsolation {
|
|||
|
|
encryptionAtRest: Boolean!
|
|||
|
|
encryptionInTransit: Boolean!
|
|||
|
|
accessControls: [AccessControl!]!
|
|||
|
|
dataBoundaries: [DataBoundary!]!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type DeploymentPolicy {
|
|||
|
|
name: String!
|
|||
|
|
type: DeploymentPolicyType!
|
|||
|
|
rules: [DeploymentRule!]!
|
|||
|
|
approvalRequired: Boolean!
|
|||
|
|
approvers: [String!]!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum DeploymentPolicyType {
|
|||
|
|
AUTOMATED
|
|||
|
|
MANUAL_APPROVAL
|
|||
|
|
POLICY_DRIVEN
|
|||
|
|
SCHEDULED
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type PromotionFlow {
|
|||
|
|
fromEnvironment: Environment
|
|||
|
|
toEnvironment: Environment!
|
|||
|
|
policies: [PromotionPolicy!]!
|
|||
|
|
approvalRequired: Boolean!
|
|||
|
|
automated: Boolean!
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### Environment Types
|
|||
|
|
|
|||
|
|
#### Standard Environments
|
|||
|
|
|
|||
|
|
1. **DEV** (Development)
|
|||
|
|
- Purpose: Developer workstations and development workloads
|
|||
|
|
- Characteristics: Relaxed policies, high developer access, cost-optimized
|
|||
|
|
- Access: Developers, DevOps engineers
|
|||
|
|
|
|||
|
|
2. **INT** (Integration)
|
|||
|
|
- Purpose: Integration testing and component testing
|
|||
|
|
- Characteristics: Moderate policies, limited access, test data
|
|||
|
|
- Access: QA engineers, integration testers
|
|||
|
|
|
|||
|
|
3. **UAT** (User Acceptance Testing)
|
|||
|
|
- Purpose: User acceptance testing and validation
|
|||
|
|
- Characteristics: Production-like policies, business user access, production-like data
|
|||
|
|
- Access: Business users, QA engineers
|
|||
|
|
|
|||
|
|
4. **STAGING**
|
|||
|
|
- Purpose: Pre-production validation and final testing
|
|||
|
|
- Characteristics: Production-equivalent policies, limited access, production data copies
|
|||
|
|
- Access: Release managers, senior engineers
|
|||
|
|
|
|||
|
|
5. **PROD** (Production)
|
|||
|
|
- Purpose: Production workloads serving end users
|
|||
|
|
- Characteristics: Strictest policies, minimal access, production data
|
|||
|
|
- Access: Operators, on-call engineers (read-only for most)
|
|||
|
|
|
|||
|
|
#### Specialized Environments
|
|||
|
|
|
|||
|
|
6. **REGULATED**
|
|||
|
|
- Purpose: Regulated workloads requiring specific compliance
|
|||
|
|
- Characteristics: Enhanced compliance overlays, audit logging, restricted access
|
|||
|
|
- Use Cases: Healthcare (HIPAA), Finance (PCI-DSS), Government (FedRAMP)
|
|||
|
|
|
|||
|
|
7. **SOVEREIGN**
|
|||
|
|
- Purpose: Sovereign workloads requiring data residency
|
|||
|
|
- Characteristics: Regional data residency, sovereignty flags, cross-border restrictions
|
|||
|
|
- Use Cases: Government data, national security, sovereign cloud deployments
|
|||
|
|
|
|||
|
|
8. **AIR-GAPPED**
|
|||
|
|
- Purpose: Classified workloads with no external connectivity
|
|||
|
|
- Characteristics: Complete network isolation, no internet access, physical security
|
|||
|
|
- Use Cases: Classified government systems, critical infrastructure
|
|||
|
|
|
|||
|
|
### Key Rules
|
|||
|
|
|
|||
|
|
1. **Environments belong to Subscriptions**
|
|||
|
|
- Rationale: Environments inherit subscription quotas and policies
|
|||
|
|
- Example: PROD environment uses Product Subscription quotas
|
|||
|
|
- Enforcement: Database foreign key (Environment.subscriptionId → Subscription.id, NOT NULL)
|
|||
|
|
|
|||
|
|
2. **Promotion flows are policy-driven, not manual**
|
|||
|
|
- Rationale: Automated, auditable promotion reduces human error
|
|||
|
|
- Example: Code promotion from DEV → STAGING → PROD follows defined policies
|
|||
|
|
- Enforcement: PromotionFlow policies are enforced by CI/CD pipelines
|
|||
|
|
|
|||
|
|
3. **PROD access is always the most restricted**
|
|||
|
|
- Rationale: Production environments require highest security
|
|||
|
|
- Example: PROD requires MFA, approval workflows, and audit logging
|
|||
|
|
- Enforcement: RBAC policies enforce stricter access controls for PROD environments
|
|||
|
|
|
|||
|
|
### Multi-Region Environment Patterns
|
|||
|
|
|
|||
|
|
- **Regional Environments**: Separate environment per region for data residency
|
|||
|
|
- **Global Environments**: Single environment spanning multiple regions
|
|||
|
|
- **Hybrid Environments**: Mix of regional and global components
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## V. Content & DevOps Plane (Separate but Integrated)
|
|||
|
|
|
|||
|
|
**Purpose:** What is built, governed, and deployed—separate from billing and tenancy.
|
|||
|
|
|
|||
|
|
This plane is intentionally **not** embedded into billing or tenancy. It operates independently but integrates with the other planes through IDs.
|
|||
|
|
|
|||
|
|
### A. Enterprise Content Management Hierarchy
|
|||
|
|
|
|||
|
|
#### Entity Model
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
Enterprise
|
|||
|
|
└── Portfolio
|
|||
|
|
└── Product / Program
|
|||
|
|
└── Application / Service
|
|||
|
|
└── Component / Module
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
#### Entity Schema
|
|||
|
|
|
|||
|
|
```graphql
|
|||
|
|
type Enterprise {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
portfolios: [Portfolio!]!
|
|||
|
|
ownership: Ownership!
|
|||
|
|
governance: Governance!
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Portfolio {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
enterprise: Enterprise!
|
|||
|
|
products: [Product!]!
|
|||
|
|
ownership: Ownership!
|
|||
|
|
governance: Governance!
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Product {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
portfolio: Portfolio!
|
|||
|
|
applications: [Application!]!
|
|||
|
|
ownership: Ownership!
|
|||
|
|
governance: Governance!
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Application {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
product: Product!
|
|||
|
|
components: [Component!]!
|
|||
|
|
gitRepos: [GitRepo!]!
|
|||
|
|
ownership: Ownership!
|
|||
|
|
governance: Governance!
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Component {
|
|||
|
|
id: ID!
|
|||
|
|
name: String!
|
|||
|
|
application: Application!
|
|||
|
|
contentType: ContentType!
|
|||
|
|
content: Content!
|
|||
|
|
ownership: Ownership!
|
|||
|
|
governance: Governance!
|
|||
|
|
version: String!
|
|||
|
|
lineage: [LineageEntry!]!
|
|||
|
|
createdAt: DateTime!
|
|||
|
|
updatedAt: DateTime!
|
|||
|
|
metadata: JSON
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
enum ContentType {
|
|||
|
|
SOURCE_CODE
|
|||
|
|
IAC
|
|||
|
|
PIPELINE
|
|||
|
|
CONFIG_TEMPLATE
|
|||
|
|
DOCUMENTATION
|
|||
|
|
DATA_SCHEMA
|
|||
|
|
AI_MODEL
|
|||
|
|
PROMPT
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Ownership {
|
|||
|
|
owner: String!
|
|||
|
|
team: String
|
|||
|
|
department: String
|
|||
|
|
contact: String
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type Governance {
|
|||
|
|
approvalWorkflows: [ApprovalWorkflow!]!
|
|||
|
|
complianceTags: [ComplianceTag!]!
|
|||
|
|
accessControls: [AccessControl!]!
|
|||
|
|
retentionPolicies: [RetentionPolicy!]!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type ApprovalWorkflow {
|
|||
|
|
name: String!
|
|||
|
|
steps: [ApprovalStep!]!
|
|||
|
|
required: Boolean!
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
type ApprovalStep {
|
|||
|
|
approver: String!
|
|||
|
|
role: String!
|
|||
|
|
timeout: Int
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
#### Content Types
|
|||
|
|
|
|||
|
|
1. **Source Code**: Application source code, libraries, dependencies
|
|||
|
|
2. **IaC (Infrastructure as Code)**: Terraform, Pulumi, Bicep, CloudFormation
|
|||
|
|
3. **Pipelines**: CI/CD pipeline definitions, workflow configurations
|
|||
|
|
4. **Configuration Templates**: Environment configs, deployment templates
|
|||
|
|
5. **Documentation**: Technical docs, runbooks, architecture diagrams
|
|||
|
|
6. **Data Schemas**: Database schemas, data models, API schemas
|
|||
|
|
7. **AI Models / Prompts**: ML models, AI prompts, training data
|
|||
|
|
|
|||
|
|
#### Governance
|
|||
|
|
|
|||
|
|
- **Ownership at Each Level**: Clear ownership from Enterprise to Component
|
|||
|
|
- **Approval Workflows**: Required approvals for changes at each level
|
|||
|
|
- **Compliance Tagging**: Compliance tags for regulatory requirements
|
|||
|
|
- **Versioning & Lineage**: Complete version history and lineage tracking
|
|||
|
|
|
|||
|
|
### B. Git & DevOps Integration Model
|
|||
|
|
|
|||
|
|
#### Git Structure
|
|||
|
|
|
|||
|
|
**Enterprise Git Organization**:
|
|||
|
|
- Repositories mapped to **Product / Service** level
|
|||
|
|
- Branch strategy enforced by policy
|
|||
|
|
- Protected branches for regulated environments
|
|||
|
|
- Multi-region Git repository patterns
|
|||
|
|
|
|||
|
|
**Repository Mapping**:
|
|||
|
|
```
|
|||
|
|
Enterprise Git Org
|
|||
|
|
├── portfolio-1/
|
|||
|
|
│ ├── product-a/
|
|||
|
|
│ │ ├── application-1/ (repo)
|
|||
|
|
│ │ └── application-2/ (repo)
|
|||
|
|
│ └── product-b/
|
|||
|
|
│ └── application-3/ (repo)
|
|||
|
|
└── portfolio-2/
|
|||
|
|
└── product-c/
|
|||
|
|
└── application-4/ (repo)
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
**Branch Strategy**:
|
|||
|
|
- **main/master**: Production-ready code
|
|||
|
|
- **develop**: Integration branch
|
|||
|
|
- **feature/***: Feature branches
|
|||
|
|
- **release/***: Release branches
|
|||
|
|
- **hotfix/***: Production hotfixes
|
|||
|
|
|
|||
|
|
**Protected Branches**:
|
|||
|
|
- **PROD environments**: Require approval, no direct pushes
|
|||
|
|
- **REGULATED environments**: Additional compliance checks
|
|||
|
|
- **SOVEREIGN environments**: Regional approval requirements
|
|||
|
|
|
|||
|
|
#### CI/CD Integration
|
|||
|
|
|
|||
|
|
**Environment-Aware Pipelines**:
|
|||
|
|
- Pipelines detect target environment from branch or configuration
|
|||
|
|
- Environment-specific policies are applied automatically
|
|||
|
|
- Deployment requires explicit environment selection
|
|||
|
|
|
|||
|
|
**Deployment Requirements**:
|
|||
|
|
1. **Subscription Authorization**: Pipeline verifies subscription has required services
|
|||
|
|
2. **Environment Approval**: Automated or manual approval based on environment type
|
|||
|
|
3. **Policy Validation**: Security, compliance, and governance policies are validated
|
|||
|
|
|
|||
|
|
**GitOps for Infrastructure**:
|
|||
|
|
- Infrastructure changes via Git commits
|
|||
|
|
- ArgoCD syncs Git state to infrastructure
|
|||
|
|
- Crossplane provisions infrastructure resources
|
|||
|
|
- Integration with existing ArgoCD infrastructure (see `gitops/README.md`)
|
|||
|
|
|
|||
|
|
#### Promotion Flow
|
|||
|
|
|
|||
|
|
**Standard Promotion Flow**:
|
|||
|
|
```
|
|||
|
|
Code Commit
|
|||
|
|
↓
|
|||
|
|
CI (Test, Scan, Build)
|
|||
|
|
↓
|
|||
|
|
Artifact Registry
|
|||
|
|
↓
|
|||
|
|
Environment Promotion (Policy-Driven)
|
|||
|
|
↓
|
|||
|
|
Subscription Deployment
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
**Policy-Driven Promotion**:
|
|||
|
|
- **Automated**: DEV → INT → UAT (automated if tests pass)
|
|||
|
|
- **Approval Required**: UAT → STAGING (requires approval)
|
|||
|
|
- **Strict Approval**: STAGING → PROD (requires multiple approvals, compliance checks)
|
|||
|
|
|
|||
|
|
**Critical Principle**:
|
|||
|
|
> **Git never directly deploys to PROD without environment + subscription authorization.**
|
|||
|
|
|
|||
|
|
**Enforcement**:
|
|||
|
|
- CI/CD pipelines check environment type
|
|||
|
|
- PROD deployments require:
|
|||
|
|
- Subscription authorization
|
|||
|
|
- Environment approval workflow
|
|||
|
|
- Policy validation (security, compliance)
|
|||
|
|
- Audit logging
|
|||
|
|
|
|||
|
|
**Multi-Region Promotion**:
|
|||
|
|
- Regional promotion flows for data residency
|
|||
|
|
- Cross-region promotion with governance approval
|
|||
|
|
- Sovereign promotion with regional compliance checks
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## VI. Hierarchical Access Model (RBAC)
|
|||
|
|
|
|||
|
|
### Access Roles by Plane
|
|||
|
|
|
|||
|
|
#### 1. Commercial Access
|
|||
|
|
|
|||
|
|
- **Finance Admin**: Full access to Client billing, invoicing, payment instruments
|
|||
|
|
- **Billing Viewer**: Read-only access to billing and cost data
|
|||
|
|
- **Cost Center Owner**: Access to specific cost center data and chargeback
|
|||
|
|
|
|||
|
|
#### 2. Tenant Access
|
|||
|
|
|
|||
|
|
- **Tenant Owner**: Full control over tenant, identity, domains, subscriptions
|
|||
|
|
- **Security Admin**: Security configuration, compliance, audit access
|
|||
|
|
- **Identity Admin**: Identity provider configuration, user management
|
|||
|
|
- **Compliance Officer**: Compliance configuration, audit, reporting
|
|||
|
|
|
|||
|
|
#### 3. Subscription Access
|
|||
|
|
|
|||
|
|
- **Subscription Owner**: Full control over subscription, quotas, policies
|
|||
|
|
- **Platform Admin**: Platform services administration
|
|||
|
|
- **Service Operator**: Service-specific operations
|
|||
|
|
- **Read-only Auditor**: Read-only access for auditing
|
|||
|
|
|
|||
|
|
#### 4. Environment Access
|
|||
|
|
|
|||
|
|
- **Environment Owner**: Full control over environment configuration
|
|||
|
|
- **Release Manager**: Promotion approval, release management
|
|||
|
|
- **Operator**: Runtime operations, monitoring, troubleshooting
|
|||
|
|
- **Observer**: Read-only access for monitoring
|
|||
|
|
|
|||
|
|
#### 5. Content & DevOps Access
|
|||
|
|
|
|||
|
|
- **Enterprise Architect**: Enterprise-level architecture decisions
|
|||
|
|
- **Portfolio Lead**: Portfolio-level governance and decisions
|
|||
|
|
- **Product Owner**: Product-level decisions and priorities
|
|||
|
|
- **Dev Lead**: Development team leadership
|
|||
|
|
- **Contributor**: Code contribution, development
|
|||
|
|
- **Reviewer**: Code review, approval
|
|||
|
|
- **Release Approver**: Release approval for production
|
|||
|
|
|
|||
|
|
### Cross-Plane Access
|
|||
|
|
|
|||
|
|
**Default Rule**: **No role crosses planes by default.**
|
|||
|
|
|
|||
|
|
**Explicit Delegation Required**:
|
|||
|
|
- Cross-plane access must be explicitly granted
|
|||
|
|
- Delegation is audited and logged
|
|||
|
|
- Delegation can be time-limited or permanent
|
|||
|
|
|
|||
|
|
**Delegation Mechanisms**:
|
|||
|
|
- **Role Delegation**: Grant role from one plane to user in another plane
|
|||
|
|
- **Temporary Access**: Time-limited cross-plane access
|
|||
|
|
- **Escalation**: Emergency escalation procedures
|
|||
|
|
|
|||
|
|
### Multi-Region RBAC
|
|||
|
|
|
|||
|
|
- **Regional Roles**: Roles scoped to specific regions
|
|||
|
|
- **Cross-Region Roles**: Roles that span multiple regions (requires approval)
|
|||
|
|
- **Federated RBAC**: RBAC across federated tenants
|
|||
|
|
|
|||
|
|
### Integration with Keycloak
|
|||
|
|
|
|||
|
|
- **Keycloak Roles**: Phoenix roles map to Keycloak roles
|
|||
|
|
- **Realm-Level Roles**: Tenant-specific roles in Keycloak realm
|
|||
|
|
- **Federated Roles**: Roles from federated identity providers
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## VII. Key Rules and Constraints
|
|||
|
|
|
|||
|
|
### Commercial Plane Rules
|
|||
|
|
|
|||
|
|
1. **A Client can own multiple Tenants**
|
|||
|
|
- Rationale: Single legal entity may operate multiple domains/identities
|
|||
|
|
- Enforcement: Database foreign key (Tenant.clientId → Client.id)
|
|||
|
|
|
|||
|
|
2. **A Tenant cannot span multiple Clients**
|
|||
|
|
- Rationale: Billing and contractual boundaries must be clear
|
|||
|
|
- Enforcement: Database constraint (Tenant.clientId is NOT NULL and UNIQUE per tenant)
|
|||
|
|
|
|||
|
|
3. **Billing is never tied directly to environments or repos**
|
|||
|
|
- Rationale: Billing operates at Client/Subscription level
|
|||
|
|
- Enforcement: Billing APIs only accept Client or Subscription IDs
|
|||
|
|
|
|||
|
|
### Tenancy Plane Rules
|
|||
|
|
|
|||
|
|
4. **One Tenant → many Subscriptions**
|
|||
|
|
- Rationale: Tenant can have multiple service subscriptions
|
|||
|
|
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id)
|
|||
|
|
|
|||
|
|
5. **One Tenant → many Environments**
|
|||
|
|
- Rationale: Environments are scoped to tenants for security
|
|||
|
|
- Enforcement: Environment belongs to Subscription, which belongs to Tenant
|
|||
|
|
|
|||
|
|
6. **Tenant is the security blast-radius boundary**
|
|||
|
|
- Rationale: Security incidents contained within tenant
|
|||
|
|
- Enforcement: Network isolation, RBAC namespace isolation, data isolation
|
|||
|
|
|
|||
|
|
### Subscription Plane Rules
|
|||
|
|
|
|||
|
|
7. **Subscriptions live inside a Tenant**
|
|||
|
|
- Rationale: Subscriptions inherit tenant identity and security
|
|||
|
|
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id, NOT NULL)
|
|||
|
|
|
|||
|
|
8. **Subscriptions are mapped to one Client billing profile**
|
|||
|
|
- Rationale: Billing aggregation at Client level
|
|||
|
|
- Enforcement: Subscription.clientId → Client.id (via Tenant.clientId)
|
|||
|
|
|
|||
|
|
### Environment Plane Rules
|
|||
|
|
|
|||
|
|
9. **Environments belong to Subscriptions**
|
|||
|
|
- Rationale: Environments inherit subscription quotas and policies
|
|||
|
|
- Enforcement: Database foreign key (Environment.subscriptionId → Subscription.id, NOT NULL)
|
|||
|
|
|
|||
|
|
10. **Promotion flows are policy-driven, not manual**
|
|||
|
|
- Rationale: Automated, auditable promotion reduces error
|
|||
|
|
- Enforcement: PromotionFlow policies enforced by CI/CD pipelines
|
|||
|
|
|
|||
|
|
11. **PROD access is always the most restricted**
|
|||
|
|
- Rationale: Production requires highest security
|
|||
|
|
- Enforcement: RBAC policies enforce stricter access for PROD
|
|||
|
|
|
|||
|
|
### Content & DevOps Plane Rules
|
|||
|
|
|
|||
|
|
12. **Git never directly deploys to PROD without environment + subscription authorization**
|
|||
|
|
- Rationale: Production deployments require explicit authorization
|
|||
|
|
- Enforcement: CI/CD pipelines check environment type and require approvals
|
|||
|
|
|
|||
|
|
13. **Content hierarchy ownership is required at each level**
|
|||
|
|
- Rationale: Clear ownership enables governance
|
|||
|
|
- Enforcement: Ownership fields are required in entity schemas
|
|||
|
|
|
|||
|
|
### Cross-Plane Rules
|
|||
|
|
|
|||
|
|
14. **No role crosses planes by default**
|
|||
|
|
- Rationale: Separation of concerns requires explicit cross-plane access
|
|||
|
|
- Enforcement: RBAC system enforces plane boundaries
|
|||
|
|
|
|||
|
|
15. **Cross-plane access requires explicit delegation**
|
|||
|
|
- Rationale: Auditability and security require explicit delegation
|
|||
|
|
- Enforcement: Delegation must be recorded and audited
|
|||
|
|
|
|||
|
|
### Violation Handling
|
|||
|
|
|
|||
|
|
- **Prevention**: Database constraints prevent invalid relationships
|
|||
|
|
- **Detection**: Audit logs detect policy violations
|
|||
|
|
- **Response**: Automated alerts and manual review for violations
|
|||
|
|
- **Remediation**: Automated remediation where possible, manual intervention required for critical violations
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## VIII. Multi-Region and Multi-National Capabilities
|
|||
|
|
|
|||
|
|
### Sovereign Cloud Deployments
|
|||
|
|
|
|||
|
|
**Per-Region/Nation Sovereign Clouds**:
|
|||
|
|
- Each region/nation can have its own sovereign cloud deployment
|
|||
|
|
- Complete data residency and sovereignty per region
|
|||
|
|
- Regional compliance and governance
|
|||
|
|
|
|||
|
|
### Cross-Region Governance
|
|||
|
|
|
|||
|
|
**Federated Governance**:
|
|||
|
|
- Governance policies can span multiple regions
|
|||
|
|
- Cross-region coordination for multi-national operations
|
|||
|
|
- Regional autonomy with coordinated governance
|
|||
|
|
|
|||
|
|
### Multi-National Tenant Structures
|
|||
|
|
|
|||
|
|
**Per-Nation Tenants**:
|
|||
|
|
- Separate tenant per nation with coordinated governance
|
|||
|
|
- Federated identity across nations
|
|||
|
|
- Cross-border data sharing with governance
|
|||
|
|
|
|||
|
|
### Regional Data Residency
|
|||
|
|
|
|||
|
|
**Data Residency Enforcement**:
|
|||
|
|
- Hard enforcement: Data cannot leave region
|
|||
|
|
- Soft enforcement: Data preferred in region, warnings if outside
|
|||
|
|
- Advisory: Recommendations for data placement
|
|||
|
|
|
|||
|
|
### Landing Zone Patterns
|
|||
|
|
|
|||
|
|
**Regional Landing Zones**:
|
|||
|
|
- Landing zone per region for sovereign deployments
|
|||
|
|
- Cross-region connectivity for coordination
|
|||
|
|
- Regional compliance per landing zone
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## IX. Decentralized Architecture
|
|||
|
|
|
|||
|
|
### How Decentralization Enables Sovereignty
|
|||
|
|
|
|||
|
|
**Distributed Control**:
|
|||
|
|
- Control planes can be deployed per region
|
|||
|
|
- Regional autonomy with coordinated governance
|
|||
|
|
- No single point of control
|
|||
|
|
|
|||
|
|
**Sovereignty Benefits**:
|
|||
|
|
- Complete control over regional infrastructure
|
|||
|
|
- Data sovereignty per region
|
|||
|
|
- Regulatory compliance per region
|
|||
|
|
|
|||
|
|
### Distributed Control Planes
|
|||
|
|
|
|||
|
|
**Regional Control Planes**:
|
|||
|
|
- Each region can have its own control plane deployment
|
|||
|
|
- Coordinated but not centralized
|
|||
|
|
- Eventual consistency across regions
|
|||
|
|
|
|||
|
|
### Cross-Region Coordination
|
|||
|
|
|
|||
|
|
**Coordination Mechanisms**:
|
|||
|
|
- Event-driven coordination
|
|||
|
|
- API-based coordination
|
|||
|
|
- Governance-based coordination
|
|||
|
|
|
|||
|
|
**Conflict Resolution**:
|
|||
|
|
- Regional autonomy with escalation
|
|||
|
|
- Governance policies for conflict resolution
|
|||
|
|
- Audit trails for coordination decisions
|
|||
|
|
|
|||
|
|
### Federated Identity and Governance
|
|||
|
|
|
|||
|
|
**Federated Identity**:
|
|||
|
|
- Identity federation across regions
|
|||
|
|
- SSO across regions with regional control
|
|||
|
|
- Multi-national identity coordination
|
|||
|
|
|
|||
|
|
**Federated Governance**:
|
|||
|
|
- Governance policies can be federated
|
|||
|
|
- Regional governance with coordination
|
|||
|
|
- Cross-border governance patterns
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## X. Integration with Existing Infrastructure
|
|||
|
|
|
|||
|
|
### Entity Mapping to Existing Systems
|
|||
|
|
|
|||
|
|
#### Proxmox Infrastructure
|
|||
|
|
|
|||
|
|
**Mapping**:
|
|||
|
|
- **Region** → Proxmox Site
|
|||
|
|
- **Cluster** → Proxmox Cluster
|
|||
|
|
- **Node** → Proxmox Node
|
|||
|
|
- **VM** → Proxmox VM
|
|||
|
|
|
|||
|
|
**Integration**:
|
|||
|
|
- Environments map to Proxmox resource pools
|
|||
|
|
- Subscriptions map to Proxmox quotas
|
|||
|
|
- Tenants map to Proxmox access controls
|
|||
|
|
|
|||
|
|
#### Kubernetes Clusters
|
|||
|
|
|
|||
|
|
**Mapping**:
|
|||
|
|
- **Environment** → Kubernetes Namespace
|
|||
|
|
- **Subscription** → Kubernetes ResourceQuota
|
|||
|
|
- **Tenant** → Kubernetes RBAC namespace
|
|||
|
|
|
|||
|
|
**Integration**:
|
|||
|
|
- Environments deploy to Kubernetes namespaces
|
|||
|
|
- Subscriptions enforce Kubernetes resource quotas
|
|||
|
|
- Tenants enforce Kubernetes RBAC boundaries
|
|||
|
|
|
|||
|
|
#### Cloudflare Tunnels and Zero Trust
|
|||
|
|
|
|||
|
|
**Mapping**:
|
|||
|
|
- **Tenant** → Cloudflare Access Policy
|
|||
|
|
- **Environment** → Cloudflare Tunnel Configuration
|
|||
|
|
- **Region** → Cloudflare Tunnel Endpoint
|
|||
|
|
|
|||
|
|
**Integration**:
|
|||
|
|
- Tenant identity maps to Cloudflare Access policies
|
|||
|
|
- Environments use Cloudflare tunnels for connectivity
|
|||
|
|
- Regions map to Cloudflare tunnel endpoints
|
|||
|
|
|
|||
|
|
#### Keycloak Realms
|
|||
|
|
|
|||
|
|
**Mapping**:
|
|||
|
|
- **Tenant** → Keycloak Realm (1:1)
|
|||
|
|
- **Identity Provider** → Keycloak Identity Provider
|
|||
|
|
- **RBAC Roles** → Keycloak Roles
|
|||
|
|
|
|||
|
|
**Integration**:
|
|||
|
|
- Each tenant gets a Keycloak realm
|
|||
|
|
- Tenant identity provider maps to Keycloak identity provider
|
|||
|
|
- Phoenix RBAC roles map to Keycloak roles
|
|||
|
|
|
|||
|
|
#### ArgoCD Applications
|
|||
|
|
|
|||
|
|
**Mapping**:
|
|||
|
|
- **Application** → ArgoCD Application
|
|||
|
|
- **Environment** → ArgoCD Target Environment
|
|||
|
|
- **Subscription** → ArgoCD Resource Quota
|
|||
|
|
|
|||
|
|
**Integration**:
|
|||
|
|
- Applications deploy via ArgoCD
|
|||
|
|
- Environments map to ArgoCD target environments
|
|||
|
|
- Subscriptions enforce ArgoCD resource quotas
|
|||
|
|
|
|||
|
|
#### Crossplane Resources
|
|||
|
|
|
|||
|
|
**Mapping**:
|
|||
|
|
- **Subscription** → Crossplane Composite Resource
|
|||
|
|
- **Environment** → Crossplane Claim
|
|||
|
|
- **Infrastructure** → Crossplane Managed Resources
|
|||
|
|
|
|||
|
|
**Integration**:
|
|||
|
|
- Subscriptions provision infrastructure via Crossplane
|
|||
|
|
- Environments create Crossplane claims
|
|||
|
|
- Infrastructure resources managed by Crossplane
|
|||
|
|
|
|||
|
|
#### Monitoring and Observability
|
|||
|
|
|
|||
|
|
**Mapping**:
|
|||
|
|
- **Tenant** → Monitoring Namespace
|
|||
|
|
- **Environment** → Monitoring Labels
|
|||
|
|
- **Subscription** → Cost Metrics
|
|||
|
|
|
|||
|
|
**Integration**:
|
|||
|
|
- Monitoring scoped by tenant and environment
|
|||
|
|
- Cost metrics aggregated by subscription
|
|||
|
|
- Alerts configured per environment
|
|||
|
|
|
|||
|
|
### Resource Model Mapping
|
|||
|
|
|
|||
|
|
**Existing Model** (from `docs/architecture/data-model.md`):
|
|||
|
|
```
|
|||
|
|
Region → Site → Cluster → Node → VM/Pod/Service
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
**Operating Model Mapping**:
|
|||
|
|
- **Region**: Maps to Phoenix Region (with Tenant/Subscription context)
|
|||
|
|
- **Site**: Maps to Landing Zone or Environment
|
|||
|
|
- **Cluster**: Maps to Subscription service bundle
|
|||
|
|
- **Node**: Maps to Environment resources
|
|||
|
|
- **VM/Pod/Service**: Maps to Environment workloads
|
|||
|
|
|
|||
|
|
### API Integration Points
|
|||
|
|
|
|||
|
|
**Control Plane APIs**:
|
|||
|
|
- Commercial Plane API: Client and billing operations
|
|||
|
|
- Tenancy Plane API: Tenant and identity operations
|
|||
|
|
- Subscription Plane API: Subscription and quota operations
|
|||
|
|
- Environment Plane API: Environment and deployment operations
|
|||
|
|
- Content & DevOps Plane API: Content and Git operations
|
|||
|
|
|
|||
|
|
**Integration APIs**:
|
|||
|
|
- Proxmox API integration
|
|||
|
|
- Kubernetes API integration
|
|||
|
|
- Cloudflare API integration
|
|||
|
|
- Keycloak API integration
|
|||
|
|
- ArgoCD API integration
|
|||
|
|
- Crossplane API integration
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## XI. Use Cases for Sovereign Governments
|
|||
|
|
|
|||
|
|
### Use Case 1: Multi-National Defense Contractor
|
|||
|
|
|
|||
|
|
**Scenario**: Defense contractor with classified and unclassified workloads across multiple nations.
|
|||
|
|
|
|||
|
|
**Entity Mapping**:
|
|||
|
|
- **Client**: Defense contractor (single Client)
|
|||
|
|
- **Tenants**:
|
|||
|
|
- Tenant 1: Classified workloads (US)
|
|||
|
|
- Tenant 2: Unclassified workloads (US)
|
|||
|
|
- Tenant 3: Classified workloads (EU)
|
|||
|
|
- Tenant 4: Unclassified workloads (EU)
|
|||
|
|
- **Subscriptions**:
|
|||
|
|
- Classified Subscription (AIR-GAPPED environments)
|
|||
|
|
- Unclassified Subscription (REGULATED environments)
|
|||
|
|
- **Environments**:
|
|||
|
|
- AIR-GAPPED PROD (classified)
|
|||
|
|
- REGULATED PROD (unclassified)
|
|||
|
|
- **Landing Zones**: Separate landing zones per nation
|
|||
|
|
|
|||
|
|
**Compliance**: ITAR, FedRAMP, regional data residency
|
|||
|
|
|
|||
|
|
### Use Case 2: International Healthcare Agency
|
|||
|
|
|
|||
|
|
**Scenario**: Healthcare agency operating across multiple countries with HIPAA requirements.
|
|||
|
|
|
|||
|
|
**Entity Mapping**:
|
|||
|
|
- **Client**: Healthcare agency (single Client)
|
|||
|
|
- **Tenants**:
|
|||
|
|
- Tenant per country (for data residency)
|
|||
|
|
- **Subscriptions**:
|
|||
|
|
- Healthcare Subscription (HIPAA-compliant)
|
|||
|
|
- **Environments**:
|
|||
|
|
- REGULATED PROD (HIPAA)
|
|||
|
|
- REGULATED STAGING (HIPAA)
|
|||
|
|
- **Landing Zones**: Per-country landing zones
|
|||
|
|
|
|||
|
|
**Compliance**: HIPAA, GDPR, regional healthcare regulations
|
|||
|
|
|
|||
|
|
### Use Case 3: Cross-Border Financial Regulator
|
|||
|
|
|
|||
|
|
**Scenario**: Financial regulator coordinating across multiple nations.
|
|||
|
|
|
|||
|
|
**Entity Mapping**:
|
|||
|
|
- **Clients**: One Client per nation (coordinated)
|
|||
|
|
- **Tenants**:
|
|||
|
|
- Tenant per nation (federated)
|
|||
|
|
- **Subscriptions**:
|
|||
|
|
- Regulatory Subscription (cross-border)
|
|||
|
|
- **Environments**:
|
|||
|
|
- REGULATED PROD (financial regulations)
|
|||
|
|
- **Landing Zones**: Per-nation landing zones with cross-border connectivity
|
|||
|
|
|
|||
|
|
**Compliance**: Financial regulations per nation, cross-border coordination
|
|||
|
|
|
|||
|
|
### Use Case 4: Multi-Region Public Sector Agency
|
|||
|
|
|
|||
|
|
**Scenario**: Public sector agency with operations across multiple regions.
|
|||
|
|
|
|||
|
|
**Entity Mapping**:
|
|||
|
|
- **Client**: Public sector agency (single Client)
|
|||
|
|
- **Tenants**:
|
|||
|
|
- Tenant per region (for regional autonomy)
|
|||
|
|
- **Subscriptions**:
|
|||
|
|
- Public Sector Subscription
|
|||
|
|
- **Environments**:
|
|||
|
|
- PROD (public services)
|
|||
|
|
- STAGING (pre-production)
|
|||
|
|
- **Landing Zones**: Per-region landing zones
|
|||
|
|
|
|||
|
|
**Compliance**: Government regulations, regional data residency
|
|||
|
|
|
|||
|
|
### Use Case 5: Air-Gapped Deployment Per Nation
|
|||
|
|
|
|||
|
|
**Scenario**: Classified government system with complete isolation per nation.
|
|||
|
|
|
|||
|
|
**Entity Mapping**:
|
|||
|
|
- **Client**: Government (one per nation)
|
|||
|
|
- **Tenants**:
|
|||
|
|
- Single tenant per nation (complete isolation)
|
|||
|
|
- **Subscriptions**:
|
|||
|
|
- Classified Subscription
|
|||
|
|
- **Environments**:
|
|||
|
|
- AIR-GAPPED PROD (no external connectivity)
|
|||
|
|
- **Landing Zones**: Air-gapped landing zone per nation
|
|||
|
|
|
|||
|
|
**Compliance**: Classified systems, national security regulations
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## XII. Glossary
|
|||
|
|
|
|||
|
|
### Core Entities
|
|||
|
|
|
|||
|
|
- **Client (Billing Profile)**: Legal entity that contracts with Phoenix for cloud services. Financial and contractual boundary.
|
|||
|
|
- **Tenant**: Identity and domain boundary. Security blast-radius. Owns identity, domain, and security configuration.
|
|||
|
|
- **Subscription**: Logical container for services, quotas, and spend. Defines what services are available.
|
|||
|
|
- **Environment**: Lifecycle stage where workloads run. Provides network isolation, data isolation, and deployment policies.
|
|||
|
|
- **Landing Zone**: Regional deployment pattern for sovereign cloud deployments.
|
|||
|
|
|
|||
|
|
### Control Planes
|
|||
|
|
|
|||
|
|
- **Commercial Plane**: Financial ownership, invoicing, entitlements, contractual scope.
|
|||
|
|
- **Tenancy Plane**: Identity, domain ownership, trust boundaries, security isolation.
|
|||
|
|
- **Subscription Plane**: Logical containers for services, quotas, and spend.
|
|||
|
|
- **Environment Plane**: Operational isolation for lifecycle stages.
|
|||
|
|
- **Content & DevOps Plane**: What is built, governed, and deployed.
|
|||
|
|
|
|||
|
|
### Environment Types
|
|||
|
|
|
|||
|
|
- **DEV**: Development environment
|
|||
|
|
- **INT**: Integration testing environment
|
|||
|
|
- **UAT**: User acceptance testing environment
|
|||
|
|
- **STAGING**: Pre-production validation environment
|
|||
|
|
- **PROD**: Production environment
|
|||
|
|
- **REGULATED**: Regulated workloads requiring specific compliance
|
|||
|
|
- **SOVEREIGN**: Sovereign workloads requiring data residency
|
|||
|
|
- **AIR-GAPPED**: Classified workloads with no external connectivity
|
|||
|
|
|
|||
|
|
### Subscription Types
|
|||
|
|
|
|||
|
|
- **Shared Platform Subscription**: Shared infrastructure and platform services
|
|||
|
|
- **Product Subscription**: Dedicated resources for specific products
|
|||
|
|
- **Sandbox Subscription**: Experimental and development environments
|
|||
|
|
- **Innovation Subscription**: Innovation and learning environments
|
|||
|
|
|
|||
|
|
### Multi-Region Terminology
|
|||
|
|
|
|||
|
|
- **Sovereign Cloud**: Cloud deployment with complete regional control and data residency
|
|||
|
|
- **Landing Zone**: Regional deployment pattern for sovereign deployments
|
|||
|
|
- **Cross-Region Governance**: Governance policies spanning multiple regions
|
|||
|
|
- **Regional Data Residency**: Requirement that data remains in specific region
|
|||
|
|
- **Federated Identity**: Identity federation across regions or tenants
|
|||
|
|
|
|||
|
|
### Decentralized Architecture Terminology
|
|||
|
|
|
|||
|
|
- **Distributed Control Plane**: Control plane deployed per region
|
|||
|
|
- **Federated Governance**: Governance policies federated across regions
|
|||
|
|
- **Eventual Consistency**: Data consistency achieved over time across regions
|
|||
|
|
- **Regional Autonomy**: Regional control with coordinated governance
|
|||
|
|
|
|||
|
|
### Comparison to Azure/AWS
|
|||
|
|
|
|||
|
|
- **Azure AD Tenant** → **Phoenix Tenant**
|
|||
|
|
- **Azure Subscription** → **Phoenix Subscription**
|
|||
|
|
- **Azure Resource Group** → **Phoenix Environment**
|
|||
|
|
- **AWS Organization** → **Phoenix Client/Tenant**
|
|||
|
|
- **AWS Account** → **Phoenix Subscription**
|
|||
|
|
- **AWS Region** → **Phoenix Region/Landing Zone**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## XIII. Why This Works for Phoenix / Sankofa
|
|||
|
|
|
|||
|
|
This operating model provides:
|
|||
|
|
|
|||
|
|
1. **Enterprise-Scale Client Separation**: Support for large multi-tenant deployments
|
|||
|
|
2. **Strong Security & Sovereignty Boundaries**: Tenant as security blast-radius, regional sovereignty
|
|||
|
|
3. **Clean DevOps Velocity**: Content & DevOps separate from billing/tenancy
|
|||
|
|
4. **Clear Monetization and Cost Attribution**: Client-level billing with subscription aggregation
|
|||
|
|
5. **Regulator-Friendly Audit Trails**: Complete governance and compliance logging
|
|||
|
|
6. **Future Readiness**: Sovereign, regulated, and AI workloads supported
|
|||
|
|
7. **Multi-Region Native**: Designed for international/multi-national sovereign governments
|
|||
|
|
8. **Decentralized Architecture**: Supports distributed governance and sovereignty
|
|||
|
|
|
|||
|
|
### Alignment with Industry Standards
|
|||
|
|
|
|||
|
|
- **Azure / AWS / GCP Mental Models**: Familiar concepts with Phoenix enhancements
|
|||
|
|
- **Regulated Banking & Public-Sector Frameworks**: Compliance-ready architecture
|
|||
|
|
- **Multi-Tenant SaaS at Scale**: Enterprise-grade multi-tenancy
|
|||
|
|
- **Sovereign Cloud Requirements**: Regional sovereignty and data residency
|
|||
|
|
|
|||
|
|
### Competitive Advantages
|
|||
|
|
|
|||
|
|
- **Superior Multi-Tenancy**: Better than Azure with finer-grained control
|
|||
|
|
- **Superior Billing**: Per-second granularity vs Azure's hourly
|
|||
|
|
- **Sovereign Identity**: Keycloak-based, no Azure dependencies
|
|||
|
|
- **Multi-Region Native**: Built for international/multi-national deployments
|
|||
|
|
- **Decentralized Architecture**: Supports distributed sovereignty
|
|||
|
|
- **Landing Zone Patterns**: Sovereign cloud deployments per region
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## References
|
|||
|
|
|
|||
|
|
### Related Phoenix Documentation
|
|||
|
|
|
|||
|
|
- **[Architecture Diagrams](./OPERATING_MODEL_DIAGRAMS.md)** - Visual diagrams of the operating model
|
|||
|
|
- **[Cloud Provider Mapping](./CLOUD_PROVIDER_MAPPING.md)** - Azure/AWS mapping and competitive analysis
|
|||
|
|
- **[MVP Control Plane](./MVP_CONTROL_PLANE.md)** - Minimum viable product specification
|
|||
|
|
- **[Multi-Region Landing Zones](./MULTI_REGION_LANDING_ZONES.md)** - Landing zone patterns and deployment
|
|||
|
|
- **[Migration Guide](./MIGRATION_GUIDE.md)** - Migration from existing systems and cloud providers
|
|||
|
|
- **[Product Specification](./PRODUCT_SPEC.md)** - Client-facing product specification
|
|||
|
|
|
|||
|
|
### Existing Documentation (Tenant-Based Model)
|
|||
|
|
|
|||
|
|
> **Note**: The following documents describe the current tenant-based model. See [Migration Guide](./MIGRATION_GUIDE.md) for migration to the new operating model.
|
|||
|
|
|
|||
|
|
- **[Tenant Management](../tenants/TENANT_MANAGEMENT.md)** - Current multi-tenant operations guide
|
|||
|
|
- **[Billing Guide](../tenants/BILLING_GUIDE.md)** - Current billing and cost management
|
|||
|
|
- **[Identity Setup](../tenants/IDENTITY_SETUP.md)** - Current Keycloak configuration
|
|||
|
|
|
|||
|
|
### Architecture Documentation
|
|||
|
|
|
|||
|
|
- **[Data Model](../architecture/data-model.md)** - GraphQL schema and data model
|
|||
|
|
- **[GitOps Infrastructure](../../gitops/README.md)** - GitOps infrastructure
|
|||
|
|
- **[Architecture Diagrams](../architecture/README.md)** - System architecture diagrams
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**Last Updated**: 2025-01-09
|
|||
|
|
**Version**: 1.0
|
|||
|
|
**Status**: Comprehensive Operating Model Documentation
|
|||
|
|
|