Hosting

DevZero supports two different hosting models, providing ultimate flexibility to enterprises.

Fully Hosted

DevZero can be consumed as a full SaaS offering, where DevZero hosts and manages the remote virtual development environments.

Self Hosted

For enterprises that want more observability and control over the virtual machines that host developer environments, DevZero supports a self-hosted model. In this model, our services are granted a limited set of permissions in your cloud account, which we use to launch and manage the lifecycle of the virtual machines.

Contact us to get the relevant Terraform, CloudFormation, etc. scripts that hand entitlements to the DevZero management plane. The entitlements depend on whether standalone dev environments, K8s, or serverless stacks are being used.


Terraform

This script connects your account to the DevZero management plane. Some sections are marked optional; they are recommended, and omitting them will affect the setup and the general user experience. Please speak with your DevZero contact to understand the full impact on your company's DevZero experience.

# AWS provider used for every resource below. IAM roles and instance
# profiles are global, so the region mainly selects the API endpoint;
# NOTE(review): confirm it matches the region where DevZero launches VMs.
provider "aws" {
  region = "us-east-1"
}

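# Shared external ID used in the trust policy of devzero_role. It is the
# confused-deputy guard for the cross-account assume: a caller must present
# this value in sts:ExternalId or the AssumeRole call is denied.
variable "external_id" {
  description = <<-EOF
    The External ID provided by DevZero ensures that only DevZero can assume this role.

    DevZero's sales/customer support team will provide this.
  EOF

  type = string

  # Not a secret in the AWS sense, but redacting it from plan/apply output
  # keeps it out of CI logs and shared terminals.
  sensitive = true

  # An empty external ID would make the sts:ExternalId condition in the
  # trust policy match the empty string rather than fail loudly here.
  validation {
    condition     = length(trimspace(var.external_id)) > 0
    error_message = "external_id must be a non-empty string; obtain it from your DevZero contact."
  }
}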

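# The customer's own AWS account ID. It is interpolated into the ARN that
# the DevZero-CheckPermissions inline policy is scoped to, so a typo here
# would silently scope that policy to a role in a different account.
variable "customer_account_id" {
  description = "The AWS account ID for the customer account"
  type        = string

  # AWS account IDs are exactly 12 digits; reject anything else before it
  # reaches the ARN interpolation.
  validation {
    condition     = can(regex("^[0-9]{12}$", var.customer_account_id))
    error_message = "customer_account_id must be a 12-digit AWS account ID."
  }
}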

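# Cross-account role that DevZero's management plane assumes in this
# account. Trust is limited to one DevZero principal (guarded by the
# external ID) and to EventBridge in this account.
resource "aws_iam_role" "devzero_role" {
  name        = "devzero-access-role"
  path        = "/"
  description = "IAM role with DevZero required access"

  # Trust policy: who may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # The DevZero service account that will invoke APIs in your cloud.
        # The sts:ExternalId condition is the confused-deputy guard: the
        # caller must present the identifier DevZero issued to you.
        Effect = "Allow"
        Principal = {
          AWS = [
            "arn:aws:iam::749882936473:role/ProvisionerServiceAccountRole"
          ]
        }
        Action = [
          "sts:AssumeRole"
        ]
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.external_id
          }
        }
      },
      {
        # EventBridge assumes this role for the state-transition
        # notifications that AmazonEventBridgeFullAccess (below) sets up.
        # The aws:SourceAccount condition restricts that to EventBridge
        # acting on behalf of this account, so a rule defined in another
        # account cannot use the shared service principal to assume it.
        Effect = "Allow"
        Principal = {
          Service = "events.amazonaws.com"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = var.customer_account_id
          }
        }
      }
    ]
  })

  tags = {
    Name = "DevZero Access Role"
  }

  # NOTE(review): managed_policy_arns and inline_policy are deprecated in
  # recent AWS provider releases in favor of aws_iam_role_policy_attachment
  # and aws_iam_role_policy. They are kept so this block stays a drop-in
  # replacement for the published script; plan the migration separately.
  managed_policy_arns = [
    # EC2 Full Access lets DevZero manage the full lifecycle of
    # instances (starting, stopping, hibernating, etc). DevZero will
    # only ever interact with resources that are tagged by the
    # DevZero management plane.
    # NOTE(review): that tag restriction is a behavioural promise, not a
    # policy constraint - as written the role may act on every EC2/VPC
    # resource in the account. A tag-based condition would make it
    # enforceable; confirm the tag key with DevZero before adding one.
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",

    # (optional) DevZero creates a full networking stack by default.
    # If you have a stack already, please talk to us to connect relevant
    # ARNs so DevZero's management plane can reuse existing resources.
    "arn:aws:iam::aws:policy/AmazonVPCFullAccess",

    # Required to notify DevZero's management plane about state transitions
    # in AWS resources. We use this for automated hibernation from a
    # cost control standpoint, as well as for improved user experience.
    "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess",

    # (optional) AWS imposes various hard service quota limits. This lets
    # DevZero foresee potential impacts to user experience and request
    # quota increases as and when necessary. Admins will be notified.
    "arn:aws:iam::aws:policy/ServiceQuotasFullAccess"
  ]

  # NOTE(review): launching instances with devzero-provisioner-instance-profile
  # requires iam:PassRole on devzero-instance-role, which none of the
  # policies here grant; confirm with DevZero whether the customer is
  # expected to add it (scoped to that single role ARN).

  inline_policy {
    name = "DevZero-CheckPermissions"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetPolicy"
          ]
          # Allows DevZero to check which permissions were granted. The ARN
          # is built from customer_account_id because a resource cannot
          # reference its own arn attribute; the name must match `name` above.
          Resource = "arn:aws:iam::${var.customer_account_id}:role/devzero-access-role"
        }
      ]
    })
  }

  inline_policy {
    name = "DevZero-CostExplorer"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            # (optional) Cost Explorer needs to be enabled manually by going
            # to the AWS user console. This powers the cost explorer
            # section of DevZero's admin panel. All of these are read-only
            # permissions to enable optimal cost management and reduce
            # variability of cloud spend.
            # You also need to activate "templateID" tag in User-defined
            # cost allocation tags. You can do that in the AWS
            # Billing Console: https://console.aws.amazon.com/billing/
            "ce:Get*",
            "ce:List*",
            "ce:Describe*"
          ]
          Resource = "*"
        }
      ]
    })
  }
}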

# A role and instance profile that the provisioner attaches to instances so they can read secrets from AWS Secrets Manager.
# Instance role for the development VMs. It is only assumable by the EC2
# service (see assume_role_policy below), i.e. by instances that carry the
# matching instance profile.
resource "aws_iam_role" "devzero_provisioner_role" {
  name = "devzero-instance-role"
  path = "/"
  description = "IAM role with DevZero required access"

  # Read-only Secrets Manager access for the instance.
  # NOTE(review): Resource = "*" means every dev VM can read every secret
  # in this account, not just the ones the provisioner assigns to it.
  # Scoping this to the secrets DevZero manages (by ARN prefix or tag) is
  # recommended - confirm the naming/tagging scheme with DevZero first.
  inline_policy {
    name = "DevZero-Provisioner-SecretsManager"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecretVersionIds"
          ]
          Resource = "*"
        }
      ]
    })
  }

  # Trust policy: only the EC2 service may assume this role, which is what
  # lets an instance profile hand the role to a running instance.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action = [
          "sts:AssumeRole"
        ]
      }
    ]
  })
}

# Instance profile wrapping devzero_provisioner_role; the provisioner
# attaches it to instances, which then inherit the role's Secrets Manager
# read permissions.
resource "aws_iam_instance_profile" "devzero_provisioner_instance_profile" {
  role = aws_iam_role.devzero_provisioner_role.name
  path = "/"
  name = "devzero-provisioner-instance-profile"
}

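# ARN of the cross-account role. Hand this value to DevZero so the
# management plane knows which role to assume in this account.
output "role_arn" {
  description = "ARN of the role DevZero's management plane assumes in this account."
  value       = aws_iam_role.devzero_role.arn
}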
