Identity Infrastructure Management

The Identity Infrastructure team manages the top-level, organization-level configuration of our AWS and GCP cloud provider environments in collaboration with the Infrastructure Security team. We handle all AWS and GCP access requests and maintain HackyStack, the application that powers the GitLab Sandbox Cloud. Each team that deploys infrastructure resources is responsible for managing its own workloads using industry best practices inside the castle walls created by Security.

Overview

All cloud infrastructure holding RED data is managed by the Infrastructure department. All demo/dev/test/sandbox/staging/production infrastructure for ORANGE/YELLOW/GREEN data is created by the Identity team through our self-service portal or through issue templates.

Every team member can self-service create an AWS account and GCP project using the Sandbox Cloud for their own experimentation. This is your personal sandbox and is not shared with others.

We provision AWS accounts and GCP projects for each service/workload that more than one user has access to.

We believe in “one account/project per workload” to limit the security blast radius and to keep cost attribution clean. Do not deploy different functional applications into the same AWS account or GCP project just because it has your team’s name on it; use the issue template to request a new AWS account or GCP project instead.

Identity Site Reliability Engineering

Since the Identity team manages our administrative access control plane with our BLACK accounts, we refer to this as the Black Ops Kingdom, which includes the services listed below.

For security reasons, any service with a *.gitlab.black subdomain uses an internal IP address that is reachable only over the VPN (BLACK account users) or by service accounts whose addresses have been added to the firewall ACL.

  • (Future) ctl.gitlab.systems - Our instance of the accessctl-ui self-service portal for team members (end users), reachable without VPN using Okta and Okta Verify device trust. For security reasons, the self-service portal is limited to read-only functionality and creating requests; it has no administrative capabilities.
  • (Internal IP) ctl.gitlab.black - Our internal instance of the accessctl-api API for administrative operations, used from the CLI with a valid API token while connected to the VPN.
  • (Internal IP) gitops.gitlab.black - Self-managed GitLab instance with accessctl-ci policies, manifests, changelogs, cloud infrastructure organization-level configuration, and Identity configuration pipelines. This instance is hardened for least privilege and is only accessible by designated Security team members.
  • (Future) gitops.gitlab.systems - Terraform environments for Services Cloud (powered by HackyStack)
  • gitops.gitlabsandbox.cloud - Terraform environments for Sandbox Cloud (powered by HackyStack)
  • gitlabsandbox.cloud - Our instance of HackyStack that provides self-service access to AWS and GCP for team members.
  • (Future) vault.gitlab.black - HashiCorp Vault instance
  • (Future) teleport.gitlab.black - Teleport Bastion instance

Identity SaaS Vendor Services

  • Okta Tenant: gitlab.okta.com
  • Google Workspace Org: gitlab.com
  • Google Workspace Org: gitlab.black
  • Google Workspace Org: Dedicated Dev
  • Google Workspace Org: Dedicated Prod
  • Google Workspace Org: gitlabservices.cloud
  • Google Workspace Org: gitlabsandbox.cloud
  • NordLayer VPN: VPN (managed by IT Security)

Identity Self Hosted Vendor Services

  • ops.gitlab.black: Self-Managed GitLab Instance (Top-Level Control Plane IaC; Identity GitOps State Management Repos)
  • Teleport: Bastion Cluster
  • HashiCorp Vault: Secrets Manager

Self Service Custom App Infrastructure

  • HackyStack: Infrastructure Management (Sandbox and Services Orgs)
  • Identity Platform: Access Control (accessctl), RBAC Policy Management, App/Group/User Provisioning
  • Training Lab Manager: Product training hands-on labs, User and Group Provisioning

Cloud Provider Organization Management

The Identity Infrastructure team manages the top-level, organization-level configuration of our AWS and GCP cloud provider environments in collaboration with the Infrastructure Security team.

Each team that deploys infrastructure resources is responsible for managing its own workloads and DevOps operations using industry best practices. In other words, the Security team provides the scaffolding for your castle (Terraform templates) and the hardened castle walls, while your team is responsible for anything you build inside those walls.

AWS Organizations

  • AWS EDP Billing
  • AWS Organization: Black Ops
    • Account per Workload
  • AWS Organization: Dedicated Dev x3675
    • Account per User
  • AWS Organization: Dedicated Prd x0475
    • Control Plane Accounts
    • Account per Tenant Env
  • AWS Organization: Dedicated PubSec Prd x9885
    • Control Plane Accounts
    • Account per Tenant Env
  • AWS Organization: Sandbox x3027
    • Account per User
  • AWS Organization: Services x6953
    • Account per Workload
  • (Multiple) AWS Organizations: Off-the-grid workloads

GCP Organizations

Current State

Planned migrations: migrate services-realm to a new org in FY25; migrate sandbox-realm to a new org in FY25.

  • GCP Billing Account
  • GCP Organization: Dedicated Dev
  • GCP Organization: Dedicated Prd
  • GCP Organization: gitlab.com (SaaS) - Exists Today
    • Cloud Realms Projects - Managed by HackyStack - Exists Today
    • Legacy Group Projects - Deprecate in FY25
    • Infrastructure Folder - gitlab.com (SaaS) Workloads - Exists Today
  • GCP Organization: gitlabservices.cloud
  • GCP Organization: gitlabsandbox.cloud

Future State

  • GCP Billing Account
  • GCP Organization: Dedicated Dev
  • GCP Organization: Dedicated Prd
  • GCP Organization: SaaS Stg/Prd (gitlab.com) - Managed by config-mgmt
  • GCP Organization: Services (gitlab.systems) - Managed by infractl
  • GCP Organization: Sandbox (gitlabsandbox.cloud) - Managed by HackyStack

Shared Responsibilities

We use a shared responsibility model for cloud providers.

Identity Infrastructure Team

Responsible for defining our kingdoms, castles, castle walls, and naming conventions. Focuses on the BLACK administrative control plane and on the provisioning and automation of ORANGE, YELLOW, and GREEN data infrastructure.

  • Top-level AWS and GCP organization-level management, billing, IAM/RBAC
  • Admin account administration and architecture
  • Audit-related service accounts
  • Infrastructure standards naming schema
  • AWS Account creation
  • GCP Project creation
  • Azure sandbox user management
  • Defining Identity Roles and Identity Groups
    • Managing AWS Identity Center Groups and Permission Sets
    • Managing Google Groups and User Memberships (using Identity Roles)
  • Services Cloud Architecture and Automation (production-esque environments)
  • Sandbox Cloud Architecture and Automation (dev/test environments)
  • Tech debt reduction of legacy AWS accounts

Infrastructure Security Team

Responsible for security of all RED data infrastructure and cloud provider best practice configuration policies across all AWS and GCP organizations.

  • Top-level AWS and GCP security policies
  • Resource and workload configuration audit and risk remediation
  • Least privilege and role-based access control assignments for GCP Projects, Roles, and Resources in RED data organizations
  • Zero-touch optimization for change and configuration management
  • Just-in-time access controls for resources not already managed by Identity team
  • All security related to infrastructure with RED data
  • GCP Infrastructure (SaaS Production) Folder and Projects
  • Tech Debt Reduction of legacy GCP projects

See the team’s handbook page to learn more.

Infrastructure SaaS Platforms Team

Responsible for product hosting, reliability, and scalability of customer-facing applications and services related to the GitLab product.

  • GCP Infrastructure (SaaS Production) Folder and Projects
  • Runway Infrastructure for Development Teams

See the team’s handbook page to learn more.

Services Cloud

Each team that deploys infrastructure resources is responsible for managing their own infrastructure workloads and DevOps operations using industry best practices.

In other words, the Security team provides the scaffolding for your castle and provides hardened castle walls, while your team is responsible for anything you build inside the castle walls.

Sandbox Cloud Users (Engineers)

Each user is responsible for creating and destroying their own workloads.

See the Sandbox Cloud handbook page to learn more.

Last modified October 29, 2024: Fix broken links (455376ee)