Using the 3-letter Server VM Code
The codes are used in Active Directory: a GPO applied to the Windows servers grants an OPS group membership in the local Administrators group on each VM. Using an OPS group instead of individual users means only the group needs to be present on the server, and the server audit is generated with that OPS group on it.
Previously the team added users to a server manually. The 3-letter code is now used for security management. At the end of a build, a server audit runs and calls out who can access the server; the OPS group has to be in that audit because it is on the paperwork. The quality folks never look at the document, but it is still part of our environment.
Currently the ServiceNow (SNOW) report of a server build is automated. A change request is created, and when a user goes to approve the build, the audit shows the OPS group assigned to the server in SNOW.
We have been using the following codes:
azr - Azure
gcp - Google
sea - Bothell
The next three letters identify where the server is hosted. When there is a problem with the server, the three-letter code can be used to find the business application. Following the naming convention also keeps names short enough that we do not run into a character limit.
This is simply for finding out who owns the server.
Domain
If the VM is domain joined, we follow the process.
Who owns the process
Infrastructure team under Bryan Davis.
What happens when there is no 3-letter code
The audit process runs, and the IaaS team assigns a 3-letter code, which places the server in the right OU and applies the OPS group to the server.
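The two steps described above (placing a server in the OU for its code so the linked GPO grants the OPS group local admin, then auditing that the OPS group is actually in local Administrators) can be scripted. The following PowerShell is an added example and not part of these notes or the infrastructure team's tooling. It assumes, purely for illustration, that the 3-letter code is the first three letters of the computer name, that each code has its own OU under OU=Servers,DC=corp,DC=example, that the OPS group is named OPS-<CODE>-LocalAdmins in the CORP domain, and that PowerShell remoting and the ActiveDirectory module are available; none of those names come from the page.

```powershell
# Added example, not the infrastructure team's code. All OU paths, group
# names and the "first three letters" rule are hypothetical assumptions.

function Get-ServerCode {
    # Extract the 3-letter code (assumed to be the leading letters of the name).
    param([Parameter(Mandatory)][string]$ComputerName)
    if ($ComputerName -notmatch '^(?<code>[A-Za-z]{3})') {
        throw "No 3-letter code found on '$ComputerName'; IaaS must assign one before placement."
    }
    return $Matches['code'].ToLower()
}

function Get-TargetOU {
    # Assumed OU layout: one sub-OU per code under OU=Servers.
    param([Parameter(Mandatory)][string]$Code)
    return "OU=$($Code.ToUpper()),OU=Servers,DC=corp,DC=example"
}

function Get-OpsGroupName {
    # Assumed naming scheme for the OPS group that the GPO makes local admin.
    param([Parameter(Mandatory)][string]$Code)
    return "OPS-$($Code.ToUpper())-LocalAdmins"
}

function Set-ServerPlacement {
    # Move the computer object into the OU for its code so the linked GPO applies.
    param([Parameter(Mandatory)][string]$ComputerName)
    $code = Get-ServerCode -ComputerName $ComputerName
    $ou   = Get-TargetOU -Code $code
    $computer = Get-ADComputer -Identity $ComputerName
    if ($computer.DistinguishedName -notlike "*,$ou") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ou
    }
    return $ou
}

function Test-LocalAdminAudit {
    # Audit step: confirm the expected OPS group is in local Administrators and
    # report any member that is not on the allow-list (the point of using a
    # group instead of individual users is that nothing else should be there).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Domain = 'CORP'
    )
    $code     = Get-ServerCode -ComputerName $ComputerName
    $expected = "$Domain\$(Get-OpsGroupName -Code $code)"

    # Get-LocalGroupMember returns names prefixed with the domain or host, e.g. CORP\OPS-AZR-LocalAdmins.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }

    $allowed = @($expected, "$Domain\Domain Admins", "$ComputerName\Administrator")
    return [pscustomobject]@{
        Computer        = $ComputerName
        Code            = $code
        ExpectedGroup   = $expected
        OpsGroupPresent = ($members -contains $expected)
        Unexpected      = @($members | Where-Object { $_ -notin $allowed })
    }
}

# Usage (names are hypothetical):
#   Set-ServerPlacement  -ComputerName 'azrweb01'
#   Test-LocalAdminAudit -ComputerName 'azrweb01' | Format-List
# An audit passes when OpsGroupPresent is $true and Unexpected is empty.
```

The GPO that actually grants the membership is not shown; on a Windows domain that is normally a Restricted Groups policy (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups) linked to the per-code OU. The audit function only checks the outcome on the server, which is the evidence the change-request approval in SNOW needs.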
Decision from GDCT
Everything follows the infrastructure team's defined process for joining VMs to the domain. This process, as described by the infrastructure team, fits into the SNOW workflow for VMs and the audit of GxP-related environments. Anyone who wants to follow a process outside this one will need to design and implement it with the network and infrastructure teams.
Caveat: ephemeral systems should not be domain joined; they should run Linux and be managed entirely in code. These are disposable VMs and will likely be implemented as containers.
Issues
Who owns VMs and networking in the cloud?