Recommendations and Best Practices
This topic provides recommendations and best practices for using Codebeamer AI in a customer-hosted deployment.
Terraform Repo
Store infrastructure-as-code (IaC) Terraform configurations in an internal version-controlled repository.
• Control and traceability: All IaC changes are versioned, reviewable, and auditable, and are easier to roll back.
• Consistency and recovery: Environments can be recreated reliably, reducing configuration drift.
• Secure automation: Continuous integration and deployment pipelines can validate and deploy IaC using policy checks.
Container registry and Helm repository
• Import the AI service Docker image into an internal enterprise container registry, such as Azure Container Registry (ACR) or another OCI-compatible registry.
• Store and version Helm charts in an internal Helm or OCI repository. Align chart versions and image tags with the released version for consistent and repeatable deployments.
Deployment Identity and Access
Separate identities per deployment component
Use separate identities for infrastructure provisioning, policy management, and service deployment.
◦ Infrastructure—Use a dedicated infrastructure service principal scoped only to the subscription used by Terraform.
◦ Azure Policy—Create a separate policy service principal.
◦ Service Deployment (Helm and Docker)—Use an Azure AD (Entra ID) group.
▪ Add all users who need AKS access to this group.
▪ Pass the group identifier as an input to Terraform.
It is recommended to prefer service principals for automated workflows and AAD users/groups for interactive operations.
Environment And Terraform State Isolation
To keep environments secure and maintainable, use separate containers (resource groups, storage accounts, and blob containers) per environment and per purpose wherever applicable.
• Use separate resource groups per environment to store Terraform state files, for example:
◦ Development: ptc-cbai-dev-store-rg
◦ Staging: ptc-cbai-test-store-rg
◦ Prod: ptc-cbai-prod-store-rg
• Storage accounts in the resource group: use separate storage accounts for Terraform state and flow logs across environments.
◦ One storage account for Terraform state, for example devtfstate, tsttfstate, prodtfstate.
◦ One storage account for VNet flow logs, for example devflowlogs, tstflowlogs, prodflowlogs.
• Blob containers in the Terraform state account
◦ Store infrastructure and policy state in different containers, for example:
▪ infra-tfstate - Infrastructure Terraform state
▪ policy-tfstate - Azure Policy Terraform state
• Keep RBAC and naming conventions consistent across development, test, and production environments.
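The layout above maps directly onto Terraform's azurerm backend. The following is an added example, not code from the Codebeamer AI module or its documentation: the root module declares an empty (partial) backend, and each environment and each purpose gets its own backend-config file that points at the resource group, storage account, and blob container named in the recommendations. The file paths and the state key names are assumptions; the resource group, storage account, and container names are the ones from this page.

```hcl
# main.tf (root module, shared by all environments): partial backend configuration.
# The storage location is deliberately left empty here so that the same code can be
# initialised against dev, staging or prod state without editing the module.
terraform {
  required_version = ">= 1.5"
  backend "azurerm" {}
}

# ---------------------------------------------------------------------------
# infra/backend.dev.hcl (file path is an assumption)
# Infrastructure state for the development environment.
# resource_group_name  = "ptc-cbai-dev-store-rg"
# storage_account_name = "devtfstate"
# container_name       = "infra-tfstate"
# key                  = "infra.tfstate"       # assumed key name
# use_azuread_auth     = true                  # authenticate with Entra ID RBAC, not the storage account key
#
# policy/backend.dev.hcl (file path is an assumption)
# Azure Policy state lives in its own container of the same account, so the
# infrastructure and policy identities only need access to their own container.
# resource_group_name  = "ptc-cbai-dev-store-rg"
# storage_account_name = "devtfstate"
# container_name       = "policy-tfstate"
# key                  = "policy.tfstate"      # assumed key name
# use_azuread_auth     = true
#
# Staging and production use their own copies of these files with
# ptc-cbai-test-store-rg / tsttfstate and ptc-cbai-prod-store-rg / prodtfstate.
# ---------------------------------------------------------------------------

# Initialise the infrastructure stack against development state, then the policy stack:
#   terraform -chdir=infra  init -backend-config=backend.dev.hcl
#   terraform -chdir=policy init -backend-config=backend.dev.hcl
```

With `use_azuread_auth = true`, the identity running Terraform needs the Storage Blob Data Contributor role on the state container (or account); granting the infrastructure service principal that role on `infra-tfstate` and the policy service principal on `policy-tfstate` keeps the two state files isolated from each other even though they share a storage account.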
AKS Host Encryption
• aks_host_encryption_enabled enables host-level encryption for AKS node VMs.
• When enabled, Azure encrypts the node's temporary disks, the OS disk cache, and the data flowing between the VM and its host.
• This improves security and supports compliance for regulated workloads.
• When disabled, managed disks are still encrypted at rest by default; only host-level encryption is affected.
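The two AKS-level recommendations on this page, passing the Entra ID group identifier into Terraform (Deployment Identity and Access) and enabling host encryption on the node VMs (AKS Host Encryption), land in the same resource. The following is an added example written for this page, not the Codebeamer AI module's own code. Attribute names follow the azurerm provider 4.x schema (on 3.x the node pool attribute is `enable_host_encryption` and the Entra ID block additionally needs `managed = true`); the cluster name, resource group, region, VM size and variable names are assumptions, and only `aks_host_encryption_enabled` comes from the page.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

# Object ID of the Entra ID group created for Helm/Docker service deployment.
# It is passed in as an input, never hard-coded, so the same module serves every environment.
variable "aks_admin_group_object_id" {
  description = "Object ID of the Entra ID group whose members get AKS cluster-admin access."
  type        = string
}

# Page's own setting; true enables host-based encryption on the node VMs.
variable "aks_host_encryption_enabled" {
  description = "Enable encryption at host for AKS node VMs."
  type        = bool
  default     = true
}

resource "azurerm_resource_group" "cbai" {
  name     = "ptc-cbai-dev-rg"   # constructed name, not from the page
  location = "westeurope"
}

resource "azurerm_kubernetes_cluster" "cbai" {
  name                = "cbai-aks"   # constructed name
  location            = azurerm_resource_group.cbai.location
  resource_group_name = azurerm_resource_group.cbai.name
  dns_prefix          = "cbai"

  default_node_pool {
    name       = "system"
    vm_size    = "Standard_D4s_v5"   # must be a size that supports encryption at host
    node_count = 3
    # Host-based encryption can only be set when the node pool is created;
    # changing it later forces a replacement of the pool.
    host_encryption_enabled = var.aks_host_encryption_enabled
  }

  identity {
    type = "SystemAssigned"
  }

  # Kubernetes authentication and authorisation through Entra ID: only members of the
  # deployment group are cluster admins, and Azure RBAC governs Kubernetes permissions.
  azure_active_directory_role_based_access_control {
    admin_group_object_ids = [var.aks_admin_group_object_id]
    azure_rbac_enabled     = true
  }

  # Disable the static, non-audited admin kubeconfig so the Entra ID group is the only
  # interactive admin path, which is what the recommendation above relies on.
  local_account_disabled = true
}
```

Two practical checks before applying this: the subscription must have the `Microsoft.Compute/EncryptionAtHost` feature registered, or the node pool creation fails, and the chosen VM size must support encryption at host. After deployment, the node pool's `enableEncryptionAtHost` property (as returned by `az aks nodepool show`) should read `true`; if a pool was created with the setting off, a new pool has to be added rather than the existing one edited.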