Hosted SDK
Unique can and does host SDK developed modules for clients in certain scenarios. Learn here how this hosting works and looks.
The Software Development Kit (SDK) page describes the SDK itself.
- 1 Availability
- 2 Consulting
- 3 Cost
- 4 High-Level Architecture
- 4.1 GitHub
- 4.1.1 Actions
- 4.2 Azure
- 4.2.1 Container Apps
- 4.2.2 Cost-aspect
- 5 Security
- 5.1 Code only
- 5.2 Encrypted environments
- 5.3 Least privilege
- 5.4 PIM-protected
- 5.5 Six-eye principle
- 5.6 Private endpoints
- 6 Conclusion
Unique deploys modules developed by its own developers, collaborators or partners as Azure Container Apps (https://azure.microsoft.com/en-us/products/container-apps; ACA in the following).
Availability
Hosted SDKs are only available for:
- Co-Development Partners
- Single-Tenant Clients
Other clients and deployment models must conclude a separate contract or upsell to cover the additional consumption cost.
Consulting
Unique offers advice at a premium to clients who want to host the SDK themselves.
Cost
The consumption cost of the deployed modules is directly billed towards the Single Tenant consumption contract.
High-Level Architecture
In Software Development Kit (SDK) you can read about a generic deployment.
Unique deploys the hosted versions as described in the diagram below.
GitHub
Each separate hosting has its own GitHub repository in which several deployment environments each target a different environment (an environment is most often assigned to one Unique tenant).
Typical environment names are next (Unique's PaaS), test or ctlq, and certainly prod.
Actions
All deployments happen through an audited deploy action. The action (by default after approval from a second pair of eyes) builds the image, pushes it to the client's own registry and initiates a deployment to a specific app.
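As an added illustration, and not Unique's actual workflow, the following GitHub Actions workflow shows the shape of such an audited deploy action: the job references a protected GitHub environment, so the run pauses until the configured reviewers approve; it then logs in to Azure with the dedicated service principal via OIDC, builds and pushes the image to the client's registry and updates exactly one Container App. The variable names (ACR_NAME, CONTAINER_APP_NAME, RESOURCE_GROUP, AZURE_*), the image name sdk-module and the listed role actions are assumptions made for this example.

```yaml
# Illustrative deploy workflow (constructed example, not Unique's own file).
# Assumptions: one GitHub environment per target (next/test/prod) with
# "required reviewers" enabled, and an Azure service principal that is
# federated to this repository via OIDC, so no client secret is stored.
name: deploy

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Target environment (maps 1:1 to a Container App)
        required: true
        type: choice
        options: [next, test, prod]

permissions:
  contents: read
  id-token: write   # required to request the OIDC token used by azure/login

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Referencing a protected environment pauses the job until the
    # configured reviewers approve: the "second pair of eyes" above.
    environment: ${{ inputs.environment }}
    env:
      # Environment-scoped variables give each target its own registry and app.
      IMAGE: ${{ vars.ACR_NAME }}.azurecr.io/sdk-module:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      # The service principal should carry a custom role limited to roughly
      # Microsoft.ContainerRegistry/registries/push/write,
      # Microsoft.ContainerRegistry/registries/pull/read,
      # Microsoft.App/containerApps/read and Microsoft.App/containerApps/write
      # (assumed minimal set; the page names no concrete actions).
      - name: Log in to Azure (OIDC, no long-lived secret)
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Build and push the image to the client's own registry
        run: |
          az acr login --name "${{ vars.ACR_NAME }}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"

      - name: Roll out the image to this environment's Container App
        run: |
          az containerapp update \
            --name "${{ vars.CONTAINER_APP_NAME }}" \
            --resource-group "${{ vars.RESOURCE_GROUP }}" \
            --image "$IMAGE"
```

Because the environment name is an input, one workflow serves next, test and prod, each with its own approval rule, variables and Container App; the approval, the commit SHA in the image tag and the OIDC login together give the audit trail the section describes.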
Azure
Each hosted SDK deployment has its own Azure Container Registry and a dedicated Service Principal for these deployments, which uses a custom role that grants exactly the permissions needed to push a Docker image and update an app.
Container Apps
Each environment from GitHub maps to one deployed Container App. You can learn more below in the Security section about the measures taken to keep them secure.
Cost-aspect
Unique keeps the Container Apps idle rather than scaled to zero (which means they react faster), which comes at a premium (Microsoft Docs). Since only active CPU cycles really impact cost, this is a valid trade-off for a responsive SDK experience.
Note that the Azure costs are passed through 1:1 to the client's agreed contract; refer to Cost.
Dedicated plans are available for specific use cases upon request and are again billed directly to the client's Unique contract. The same applies to GPU use cases.
Security
The ACA apps run in isolation in specific resource groups within customer-specific subscriptions (the same subscriptions that are used for the Single Tenants themselves). This allows clean access regulation via PIM as well as a transparent cost overview and billing.
Code only
For the whole setup described above, only automation and infrastructure as code are used. All changes to these environments are thus automatically four-eye guarded as well, and every change is meticulously audited. This also applies to all environment and branch protection settings.
Encrypted environments
Unique leverages age keys and sops to let developers pass environment settings and variables securely to the apps/environments without knowing any Azure credentials themselves.
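The following `.sops.yaml` is an added example of how such a setup can look; it is constructed for this page, not Unique's file, and the age recipients are placeholders. Every secrets file under `env/<environment>/` is encrypted for the recipients of that environment, so developers can edit non-production settings while production values stay readable only by the pipeline key.

```yaml
# .sops.yaml (constructed example, not Unique's configuration).
# sops matches the path of the file being encrypted against the rules in
# order and uses the recipients of the first rule that matches. The age
# public keys below are obviously fake placeholders, not real recipients.
creation_rules:
  # prod: only the deploy pipeline's key can decrypt. Developers commit
  # encrypted values they themselves cannot read back.
  - path_regex: ^env/prod/.*\.enc\.(env|yaml)$
    age: >-
      age1PLACEHOLDER_PROD_PIPELINE_KEY

  # next / test / ctlq: the pipeline key plus the developers' keys, so the
  # team can edit and review settings locally without any Azure credential.
  - path_regex: ^env/(next|test|ctlq)/.*\.enc\.(env|yaml)$
    age: >-
      age1PLACEHOLDER_PIPELINE_KEY,
      age1PLACEHOLDER_DEV_ALICE,
      age1PLACEHOLDER_DEV_BOB
```

A developer generates a key pair once with `age-keygen -o key.txt`, publishes the public half to the team, and encrypts a settings file with `sops --encrypt --in-place env/test/app.enc.env`; sops picks the recipients from the matching rule, so no Azure secret is ever involved on the developer side. In the deploy action the private key of the pipeline recipient is held as a GitHub environment secret and exposed to sops via `SOPS_AGE_KEY`, which sops reads by default, so only an approved run of that environment can decrypt and inject the values into the Container App.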
Least privilege
Least-privilege automation principles are applied per tenant so that the automation can update only the application in the environment in question.
PIM-protected
All resources used for hosted SDK deployments are PIM-protected within Azure, applying the same strong access concept as for the whole tenants, including the app logs. This also includes Azure-hosted, tamper-safe activity and audit logs.
Six-eye principle
Not only code that gets merged into the protected branch but also deployments are subject to the four-eye principle, which means at least two times four eyes are needed to upgrade one application. Most clients cannot provide enough developers to include three humans in this process, but it would technically be available. Currently, the same human that approves the code can also approve a deployment.
Private endpoints
Unique does not leverage private endpoints for this use case. The SDK empowers developers to develop their own modules for FinanceGPT, and the nature of this is to allow code to be hosted anywhere, bringing maximum flexibility and agility to development while adopting or even making the AI wave. Using private endpoints for modules complicates matters for clients and their developers with no significant security enhancement:
- The apps are stateless; they have no persistence.
- No data can be extracted from them, as they receive their input via the webhook payload.
- They have no network connectivity to other resources that would present an increased attack surface.
- Each runs in its own VNet, disconnected from any other resources, which renders it de facto useless without the input value an attacker cannot provide.
- The apps use a secure secret authentication method with signed payloads; see Software Development Kit (SDK).
Conclusion
With this lean approach Unique empowers clients to develop for more than one tenant model and more than one tenant from one central repository, even mixing PaaS and Single Tenant (and potentially also Customer Managed Tenant).
Author: @Dominik Meyer
© 2024 Unique AG. All rights reserved.