Extend Pulumi module for dual-target deployment (Azure + ITL ControlPlane) #11

@nielsweistra

Ticket ID: CP-SDK-011

Extend Pulumi module for dual-target deployment (Azure + ITL ControlPlane)

Background

The SDK already contains src/itl_controlplane_sdk/pulumi/ with a basic Pulumi integration. During architecture discussions it was established that policy resources and landing zones should be deployable to two targets simultaneously:

  • Azure — via Azure Policy API (ARM)
  • ITL ControlPlane — via the ITL Resource Provider API

A single Pulumi component should accept a targets parameter and route deployments accordingly, without the caller needing to know about the underlying APIs.

Files

  • src/itl_controlplane_sdk/pulumi/components.py — dual-target component base
  • src/itl_controlplane_sdk/pulumi/targets.py — Azure and ITL target implementations

Interface

from itl_controlplane_sdk.pulumi import ITLLandingZone, DefenderInitiative

# Deploy to both Azure and ITL ControlPlane simultaneously
landing_zone = ITLLandingZone("payments",
    subscription_id = "00000000-0000-0000-0000-000000000000",
    environment     = "production",
    owner           = "team@itlusions.com",
    budget          = 2000,
    region          = "westeurope",

    # Target selection
    azure_enabled   = True,   # -> Azure Policy API
    itl_enabled     = True,   # -> ITL ControlPlane API

    # Optional workloads
    aks_enabled     = True,
    flux_repo       = "https://github.com/ITlusions/itl-helm-charts",
)

# Or deploy individual components
defender = DefenderInitiative("defender",
    plans   = ["VirtualMachines", "Containers", "KeyVaults"],
    effect  = "DeployIfNotExists",
    targets = ["azure", "itl"],
)

Target routing

ITLLandingZone / DefenderInitiative
         |
    +---------+
    |         |
    v         v
 Azure      ITL ControlPlane
 Policy     Resource Provider
 API        API
(ARM JSON)  (ITL JSON)

What ITL ControlPlane adds over Azure

Capability Azure ITL ControlPlane
Resource governance
Subscription vending
Cross-tenant policies
Talos on-prem policies
Unified compliance report

Components to implement

import pulumi


class ITLPulumiComponent(pulumi.ComponentResource):
    """Base class for all ITL dual-target Pulumi components."""

    def __init__(self, name, azure_enabled=True, itl_enabled=True, opts=None):
        # A ComponentResource must register itself with the engine before any
        # child resource is created, otherwise children cannot be parented to it.
        # The type token below is a placeholder; the final token is part of the implementation.
        super().__init__("itl:pulumi:ITLPulumiComponent", name, None, opts)
        self._azure_enabled = azure_enabled
        self._itl_enabled   = itl_enabled

    def _deploy_to_azure(self, resource_dict: dict): ...
    def _deploy_to_itl(self, resource_dict: dict): ...


class DefenderInitiative(ITLPulumiComponent):
    """Deploy Defender for Cloud initiative to Azure and/or ITL ControlPlane."""
    ...

class ITLLandingZone(ITLPulumiComponent):
    """Full landing zone: governance, security, observability, networking."""
    ...

class AKSCluster(ITLPulumiComponent):
    """AKS cluster with Flux, Defender, logging pre-configured."""
    ...

Acceptance Criteria

  • ITLLandingZone deploys to Azure when azure_enabled=True
  • ITLLandingZone calls ITL ControlPlane API when itl_enabled=True
  • Both targets can be active simultaneously without conflict
  • DefenderInitiative wraps itl_policy_builder.templates.defender — no logic duplication
  • AKSCluster accepts flux_repo and applies correct platform profile
  • Unit tests mock both target APIs independently
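The target routing sketched above, and the acceptance criterion that unit tests can mock both target APIs independently, can be covered by one piece of routing logic. The following is an added illustration written for this ticket, not code from the SDK: the `DeployTarget` protocol, `RecordingTarget` test double, `resolve_targets`, `DualTargetRouter` and `deploy_defender_initiative` names are assumptions for illustration, and the `pulumi.ComponentResource` base is deliberately left out so the routing can run and be tested without a Pulumi engine. It normalises both spellings of target selection used in the Interface section (`targets=[...]` and the `azure_enabled` / `itl_enabled` flags), rejects unknown target names instead of silently skipping them, and returns per-target results so a test can assert on each side separately.

```python
"""Dual-target routing for Azure Policy API and ITL ControlPlane Resource Provider API.

Constructed example for ticket CP-SDK-011. The names DeployTarget, RecordingTarget,
resolve_targets, DualTargetRouter and deploy_defender_initiative are assumptions for
illustration, not the SDK's own API. The real component would subclass
pulumi.ComponentResource; that base is omitted so this runs without a Pulumi engine.
"""
from __future__ import annotations

from typing import Protocol

VALID_TARGETS = ("azure", "itl")


class DeployTarget(Protocol):
    """Interface a target backend exposes; each backend renders its own JSON shape."""

    name: str

    def deploy(self, resource: dict) -> dict: ...


class RecordingTarget:
    """Test double: records every resource dict it receives instead of calling a real API."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.deployed: list[dict] = []

    def deploy(self, resource: dict) -> dict:
        self.deployed.append(dict(resource))
        return {"target": self.name, "id": f"{self.name}/{resource['name']}", "status": "created"}


def resolve_targets(targets: list[str] | None = None,
                    azure_enabled: bool | None = None,
                    itl_enabled: bool | None = None) -> list[str]:
    """Collapse both target-selection styles into an ordered, de-duplicated list.

    DefenderInitiative passes targets=["azure", "itl"]; ITLLandingZone passes the
    azure_enabled / itl_enabled flags. Unknown names raise instead of being skipped,
    because a typo would otherwise leave a policy undeployed on one side unnoticed.
    """
    if targets is None:
        targets = []
        if azure_enabled:
            targets.append("azure")
        if itl_enabled:
            targets.append("itl")
    unknown = [t for t in targets if t not in VALID_TARGETS]
    if unknown:
        raise ValueError(f"unknown deployment target(s): {unknown}; valid: {list(VALID_TARGETS)}")
    ordered = [t for t in VALID_TARGETS if t in targets]
    if not ordered:
        raise ValueError("no deployment target enabled; set targets or azure_enabled/itl_enabled")
    return ordered


class DualTargetRouter:
    """Routes one target-neutral resource definition to every enabled backend."""

    def __init__(self, backends: dict[str, DeployTarget], targets: list[str]) -> None:
        missing = [t for t in targets if t not in backends]
        if missing:
            raise ValueError(f"no backend registered for target(s): {missing}")
        self._backends = backends
        self._targets = targets

    def deploy(self, resource: dict) -> dict[str, dict]:
        """Deploy to each target in turn; results are keyed by target name."""
        return {t: self._backends[t].deploy(resource) for t in self._targets}


def deploy_defender_initiative(plans: list[str], effect: str,
                               targets: list[str] | None = None,
                               backends: dict[str, DeployTarget] | None = None) -> dict[str, dict]:
    """Mirror the DefenderInitiative call from the Interface section using the router."""
    selected = resolve_targets(targets=targets)
    if backends is None:
        # Default to recording doubles so the function is safe to exercise offline.
        backends = {t: RecordingTarget(t) for t in selected}
    # Target-neutral definition; rendering to ARM JSON or ITL JSON is each backend's job.
    resource = {"name": "defender", "kind": "policy_initiative", "plans": list(plans), "effect": effect}
    return DualTargetRouter(backends, selected).deploy(resource)


if __name__ == "__main__":
    azure, itl = RecordingTarget("azure"), RecordingTarget("itl")
    results = deploy_defender_initiative(
        plans=["VirtualMachines", "Containers", "KeyVaults"],
        effect="DeployIfNotExists",
        targets=["azure", "itl"],
        backends={"azure": azure, "itl": itl},
    )
    for target, result in results.items():
        print(target, result["status"], result["id"])
```

Passing two separate `RecordingTarget` instances is what lets a test assert that each side received exactly one deployment, which is the independent-mocking criterion above; the real `AzureTarget` and `ITLTarget` implementations in targets.py would be swapped in behind the same `deploy(resource)` shape.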
