Skip to content

Commit a9ea863

Browse files
authored
Merge pull request #9 from sharath-satish-msft/docs/public-repo-cleanup
docs: revise terminology, slim public docs, relocate CPDM-specific content
2 parents 48de2be + 257a54e commit a9ea863

10 files changed

Lines changed: 256 additions & 833 deletions

CHANGELOG.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
### Changed
11+
- Reworded public docs to refer to "data consumers" instead of "customers" to better describe the intended audience of this public repository.
12+
- Slimmed `docs/architecture.md` and `docs/faq.md` to keep only generic starter-kit guidance; removed deeper operator-specific content that lives in the internal platform repo.
13+
- Trimmed `docs/consumer-ingestion-guide.md` to focus on the manifest, index-file, and checkpointing contracts; removed references to internal platform pipeline names.
14+
15+
### Added
16+
- `docs/extending-the-starter-kit.md` covering target-database substitution patterns (Fabric, SQL, Snowflake), extracted from the previous ingestion guide.
17+
18+
### Removed
19+
- `docs/implementation-checklist.md` (internal operator checklist; relocated to the internal platform repo).
20+
1021
### Added
1122
- Initial open-source release setup
1223
- Microsoft OSS-compliant repository structure

CONTRIBUTING.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -64,14 +64,14 @@ See [.github/PULL_REQUEST_TEMPLATE.md](.github/PULL_REQUEST_TEMPLATE.md) for our
6464

6565
❌ Microsoft internal code or proprietary assets
6666
❌ Secrets, credentials, or sensitive configuration
67-
❌ Tenant-specific or customer-identifying information
67+
❌ Tenant-specific or identifying information
6868
❌ Code designed for Microsoft internal environments
6969
❌ Changes requiring Microsoft internal dependencies
7070

7171
## Important Notes
7272

7373
- **No SLA or Production Support**: This is a community project, not a Microsoft service. Contributions and responses are provided on a best-effort basis.
74-
- **Reference Architecture**: This is a starter kit and reference implementation. Production deployments require customer validation and additional controls.
74+
- **Reference Architecture**: This is a starter kit and reference implementation. Production deployments require additional validation and controls by the deploying organization.
7575
- **Your Responsibility**: When you deploy resources, you are responsible for their security, compliance, and operational management.
7676

7777
## Licensing

README.md

Lines changed: 10 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,16 +1,15 @@
11
# CDM Starter Kit
22

3-
A customer-focused Azure infrastructure starter kit for deploying CDM Starter Kit utility resources using Bicep and Azure CreateUIDefinition.
3+
An Azure infrastructure starter kit for deploying CDM Starter Kit utility resources using Bicep and Azure CreateUIDefinition.
44

55
## What This Repository Is
66

7-
This repository provides **infrastructure-as-code templates and deployment automation** for customers who want to establish foundational CDM Starter Kit capabilities in their Azure environments. It is **not** a Microsoft service, does not deploy into Microsoft tenants, and contains no first-party production code or secrets.
7+
This repository provides **infrastructure-as-code templates and deployment automation** for data consumers who want to establish foundational CDM Starter Kit capabilities in their own Azure environments. It is **not** a Microsoft service, does not deploy into Microsoft tenants, and contains no first-party production code or secrets.
88

99
## Who This Is For
1010

11-
- Azure customers and partners
12-
- Organizations establishing CDM Starter Kit practices
13-
- Teams needing structured infrastructure foundations for data analytics and cost optimization
11+
- Data consumers establishing CDM Starter Kit practices in their own Azure subscriptions
12+
- Teams needing a structured infrastructure foundation for data analytics workloads
1413

1514
## What It Deploys
1615

@@ -25,27 +24,27 @@ This starter kit provisions the following infrastructure components:
2524

2625
### Important Usage Constraints
2726

28-
This starter kit is designed for **customer-owned Azure subscriptions only**:
27+
This starter kit is designed for **consumer-owned Azure subscriptions only**:
2928

3029
- ✅ Deploy into your own Azure subscriptions
3130
- ✅ Verify subscription quotas, target-region service availability, and selected SKUs before deployment
32-
-**Do not** deploy into Microsoft internal or production tenants
3331
- ❌ This repository **does not contain secrets, API keys, certificates, or tenant-specific credentials**
3432
-**Never** add secrets, connection strings, or subscription IDs to this repository
3533

3634
### Implementation Details
3735

3836
- **Infrastructure-as-Code**: Uses Azure Bicep for declarative, version-controlled infrastructure
3937
- **UI-Driven Deployment**: Includes Azure CreateUIDefinition forms for guided Azure Portal deployments
40-
- **Customer-Owned Identity**: All RBAC and access is configured by and for the deploying customer
38+
- **Consumer-Owned Identity**: All RBAC and access is configured by and for the deploying organization
4139
- **No Microsoft Runtime**: Does not provision Microsoft-managed services or long-running cloud infrastructure on our behalf
4240

4341
## Getting Started
4442

4543
1. Review [CONTRIBUTING.md](./CONTRIBUTING.md) for contribution guidelines
4644
2. See [docs/architecture.md](./docs/architecture.md) for infrastructure overview
4745
3. Check [docs/faq.md](./docs/faq.md) for common questions
48-
4. Report security concerns privately via [SECURITY.md](./SECURITY.md)
46+
4. See [docs/extending-the-starter-kit.md](./docs/extending-the-starter-kit.md) for guidance on enhancing the kit
47+
5. Report security concerns privately via [SECURITY.md](./SECURITY.md)
4948

5049
## Code of Conduct
5150

@@ -58,7 +57,7 @@ This project is licensed under the [MIT License](./LICENSE).
5857
## Security & Transparency
5958

6059
- **Secret Scanning**: This repository has Secret Scanning enabled to prevent accidental credential commits
61-
- **No Hardcoded Credentials**: All examples use parameterized deployment with customer-supplied values
60+
- **No Hardcoded Credentials**: All examples use parameterized deployment with consumer-supplied values
6261
- **Vulnerable Dependency Scanning**: Automated scanning is configured via Dependabot
6362

6463
For security concerns, see [SECURITY.md](./SECURITY.md).
@@ -71,4 +70,4 @@ For security concerns, see [SECURITY.md](./SECURITY.md).
7170

7271
---
7372

74-
**Not a Microsoft service.** Customer-deployed reference architecture for CDM Starter Kit infrastructure on Azure. Deploy and use at your own discretion.
73+
**Not a Microsoft service.** Consumer-deployed reference architecture for CDM Starter Kit infrastructure on Azure. Deploy and use at your own discretion.

SECURITY.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ We will acknowledge receipt of your report and work to assess and address the vu
3030

3131
-**No secrets, API keys, or connection strings**
3232
-**No credentials, certificate files, or private keys**
33-
-**No Microsoft tenant IDs or customer subscription IDs**
33+
-**No tenant IDs or subscription IDs**
3434
-**No service principal credentials or managed identities**
3535
-**No hardcoded authentication tokens or SAS keys**
3636

@@ -45,7 +45,7 @@ We will acknowledge receipt of your report and work to assess and address the vu
4545

4646
This is a **reference architecture / starter kit**, not a production service.
4747

48-
**Customers are responsible for:**
48+
**Data consumers are responsible for:**
4949
- ✅ Deploying into their own Azure subscriptions
5050
- ✅ Configuring appropriate RBAC and access controls
5151
- ✅ Implementing network security policies for their environments
@@ -54,10 +54,10 @@ This is a **reference architecture / starter kit**, not a production service.
5454
- ✅ Maintaining compliance with their own organizational policies
5555

5656
**This repository is not responsible for:**
57-
-Customer execution environments or Azure tenants
58-
-Customer-supplied credentials or secrets
57+
-Consumer execution environments or Azure tenants
58+
-Consumer-supplied credentials or secrets
5959
- ❌ Ongoing operational security of deployed infrastructure
60-
- ❌ Compliance with customer-specific security policies
60+
- ❌ Compliance with consumer-specific security policies
6161

6262
## Dependency Management
6363

SUPPORT.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
## Scope
44

5-
CDM Starter Kit is an open-source infrastructure starter kit for Azure customers and partners. This repository is **not** a Microsoft service and does not include SLA-backed production support.
5+
CDM Starter Kit is an open-source infrastructure starter kit for data consumers running workloads in their own Azure subscriptions. This repository is **not** a Microsoft service and does not include SLA-backed production support.
66

77
## How to Get Help
88

@@ -39,14 +39,14 @@ Follow `SECURITY.md` and report privately to the security contact listed there.
3939

4040
## What Is Out of Scope
4141

42-
- Customer-specific production operations
42+
- Consumer-specific production operations
4343
- Tenant-specific deployment customization requests
4444
- Emergency/on-call support
4545
- Requests requiring internal Microsoft systems
4646

4747
## Responsible Use
4848

49-
- Deploy only to customer-owned Azure subscriptions
49+
- Deploy only to Azure subscriptions you own
5050
- Do not commit secrets, credentials, tenant IDs, or subscription IDs
5151
- Validate changes with Bicep linting and PR checks before merge
5252

docs/architecture.md

Lines changed: 37 additions & 122 deletions
Original file line numberDiff line numberDiff line change
@@ -2,94 +2,55 @@
22

33
## High-Level Design
44

5-
This starter kit provides Infrastructure-as-Code templates to deploy a foundational CDM Starter Kit infrastructure stack on Azure. It is designed as a **customer-deployed reference architecture** on customer-owned Azure subscriptions.
5+
This starter kit provides Infrastructure-as-Code templates to deploy a foundational analytics stack on Azure. It is a **consumer-deployed reference architecture** intended to run in the data consumer's own Azure subscription.
66

77
## Core Principles
88

9-
### 1. Infrastructure-as-Code (Bicep)
9+
### Infrastructure-as-Code (Bicep)
1010

1111
All infrastructure is declared using Azure Bicep:
1212

13-
- **Version-controlled** - All configurations tracked in Git
14-
- **Repeatable** - Consistent, idempotent deployments
15-
- **Parameterized** - Customer-supplied values at deployment time
16-
- **Modular** - Components organized for reusability and maintainability
13+
- Version-controlled, repeatable, idempotent deployments
14+
- Parameterized so values are supplied at deploy time
15+
- Modular components for reuse and maintainability
1716

18-
### 2. Customer-Owned Identity & Access
17+
### Consumer-Owned Identity & Access
1918

20-
- **RBAC-First**: Role-based access control is the foundation
21-
- **No Service Accounts**: Customers manage all identities
22-
- **Least Privilege**: RBAC scaffolding supports principled access assignment
23-
- **Customer-Controlled**: All access decisions made by deploying organization
19+
- RBAC-first access model
20+
- All identities and role assignments are managed by the deploying organization
21+
- Least-privilege role mappings are surfaced as parameters, not embedded
2422

25-
### 3. No Microsoft-Managed Runtime
23+
### No Microsoft-Managed Runtime
2624

27-
This architecture does NOT provision:
25+
This architecture does **not** provision:
2826

29-
- Microsoft-hosted services on behalf of the customer
30-
- First-party production infrastructure
31-
- Long-running Microsoft managed processes
32-
- Internal authentication or tenant-scoped components
27+
- Microsoft-hosted services on the consumer's behalf
28+
- First-party production infrastructure
29+
- Long-running Microsoft-managed processes
30+
- Internal authentication or tenant-scoped components
3331

34-
Instead, it deploys **standard Azure customer-owned resources** that the organization operates directly.
32+
It deploys **standard Azure resources** that the data consumer operates directly.
3533

3634
## Infrastructure Components
3735

38-
### 1. Azure Storage
36+
| Component | Purpose |
37+
| --- | --- |
38+
| Azure Storage | Foundation data storage layer |
39+
| Azure Data Explorer (Kusto/ADX) | Analytics and telemetry ingestion |
40+
| Azure Synapse Analytics | Data warehousing and processing |
41+
| RBAC scaffolding | Parameterized role assignments for users and service principals |
3942

40-
**Purpose**: Foundation data storage layer
41-
42-
- Supports data lakes, backups, and artifact repositories
43-
- RBAC configured by customer for multi-user access
44-
- Diagnostic data and logs stored securely
45-
- Network access restricted via SAS/RBAC policies
46-
47-
**Customer Responsibility**: Configure lifecycle policies, network security, data retention
48-
49-
### 2. Azure Data Explorer (Kusto/ADX)
50-
51-
**Purpose**: High-performance analytics and telemetry ingestion
52-
53-
- Time-series data analysis and exploration
54-
- Real-time dashboard and alerting capabilities
55-
- Data aggregation
56-
- Query-based insights and reporting
57-
58-
**Customer Responsibility**: Query optimization, data retention policies, cluster sizing
59-
60-
### 3. Azure Synapse Analytics
61-
62-
**Purpose**: Data warehousing, ELT/ETL, and advanced analytics
63-
64-
- Structured data warehouse for BI and reporting
65-
- SQL and Spark pools for processing
66-
- Integration with Power BI for visualization
67-
- Cost and resource optimization analysis
68-
69-
**Customer Responsibility**: Workload tuning, compute scaling, metadata management
70-
71-
### 4. RBAC Scaffolding
72-
73-
**Purpose**: Principled access control foundation
74-
75-
- Role assignments for service principals and users
76-
- Audit-ready access management
77-
78-
**Customer Responsibility**: Assigning actual users/services, ongoing access reviews
43+
Configuration of lifecycle, network security, retention, scaling, and ongoing access reviews is the responsibility of the deploying organization.
7944

8045
## Deployment Flow
8146

8247
### Option 1: Azure Portal (CreateUIDefinition)
8348

84-
1. Customer opens **Create** → Search "CDM Starter Kit"
85-
2. Guided form captures:
86-
- Subscription and resource group
87-
- Resource naming conventions
88-
- Compliance/regulatory tags
89-
3. One-click deployment
90-
4. Resources created in customer's subscription
49+
1. Open **Create** in the Azure Portal and search for "CDM Starter Kit".
50+
2. The guided form captures subscription, resource group, naming conventions, and tags.
51+
3. Submit to deploy resources into your own subscription.
9152

92-
### Option 2: Infrastructure-as-Code (Bicep CLI)
53+
### Option 2: Bicep CLI
9354

9455
```bash
9556
az deployment group create \
@@ -102,63 +63,17 @@ Both paths produce identical resource configurations.
10263

10364
## Security Boundaries
10465

105-
### What Is Secure
106-
107-
✅ Customer controls all identities (AAD users, service principals)
108-
✅ Customer controls RBAC and permissions
109-
✅ Data is encrypted at rest and in transit (Azure defaults)
110-
✅ Audit logs are captured and retained
111-
✅ Network access is configurable via NSGs
112-
113-
### What Requires Customer Hardening
114-
115-
⚠️ Network security policies (firewalls, private endpoints, NSGs)
116-
⚠️ Identity federation and conditional access policies
117-
⚠️ Data retention and compliance scoping
118-
⚠️ Backup and disaster recovery strategies
119-
⚠️ Monitoring and alerting configuration
120-
121-
### What Is NOT Secured
122-
123-
❌ This architecture does not include:
124-
- Multi-tenant isolation (customer-owned resources only)
125-
- Advanced threat detection (customer enablement required)
126-
- Compliance automation (customer responsibility)
127-
- Secrets/credentials management (customer's Azure Key Vault)
128-
129-
## Operational Responsibility Model
130-
131-
| Component | Deployed | Managed | Secured |
132-
|-----------|----------|---------|---------|
133-
| Azure Storage | Starter Kit | Customer | Customer |
134-
| Data Explorer | Starter Kit | Customer | Customer |
135-
| Synapse | Starter Kit | Customer | Customer |
136-
| RBAC Foundation | Starter Kit | Customer | Customer |
137-
| VNets / NSGs | Starter Kit | Customer | Customer |
138-
| Credentials | Customer | Customer | Customer |
139-
| Access Reviews | - | Customer | Customer |
140-
| Monitoring/Alerting | Starter Kit | Customer | Customer |
141-
142-
**Summary**: This kit provides the **infrastructure template**. Customers are responsible for **deployment configuration, operational management, and security hardening**.
143-
144-
## Scaling & Customization
145-
146-
The starter kit is designed for easy customization:
147-
148-
- **SKU Flexibility**: Bicep parameters support resource sizing
149-
- **Regional Deployment**: Works across Azure regions
150-
- **Tagging Strategy**: Customer-defined tag schemas (TBD)
151-
- **Module Reusability**: Components can be extended or replaced
152-
- **Integration**: Designed to connect with existing Azure infrastructure
66+
What the template provides out of the box:
15367

154-
## Compliance & Governance
68+
- Encryption at rest and in transit (Azure defaults)
69+
- Audit-log capture on supported resources
70+
- Configurable network access via NSGs and resource firewalls
15571

156-
- **Audit Logging**: All deployments and access logged to Activity Log
157-
- **Blueprint Support**: Can be packaged as Azure Blueprint
158-
- **Policy-Compatible**: Works with Azure Policy for governance
159-
- **Tagging**: Supports cost allocation and compliance tagging (TBD)
160-
- **Documentation**: Clear parameter descriptions for compliance review
72+
What you need to harden yourself:
16173

162-
---
74+
- Network policies (private endpoints, firewall rules, NSG tuning)
75+
- Identity assignments (AAD users, groups, service principals)
76+
- Data retention, lifecycle, and backup policies
77+
- Workload-specific compliance controls
16378

164-
**Key Takeaway**: This is a **reference architecture starter kit**, not a production service. Customers deploy, operate, and secure the infrastructure. Microsoft provides the template and examples.
79+
See [extending-the-starter-kit.md](./extending-the-starter-kit.md) for patterns to adapt the kit to other target databases or runtimes.

0 commit comments

Comments
 (0)