IDP Pattern: One ESC environment per team
Description
This pattern involves creating a dedicated Pulumi ESC (Environments, Secrets, and Configuration) environment for each team in your organization. Each team manages their own environment containing team-specific configuration, secrets, and variables across all their services.
When to use this pattern
- Team autonomy: When teams need full control over their configuration and secrets
- Organizational alignment: When infrastructure boundaries should match team boundaries
- Shared team resources: When teams share configuration across multiple services
- Simplified access control: When you want team-based permissions rather than service-based
- Cross-service coordination: When teams need to coordinate configuration across their services
When NOT to use this pattern
- Service isolation requirements: When different services within a team need strict isolation
- Compliance boundaries: When services have different compliance or security requirements
- Multi-team services: When services span multiple teams
- Fine-grained permissions: When you need service-level access control
- Large team sizes: When teams are too large to effectively manage shared configuration
How to use this pattern
This pattern leverages Pulumi ESC’s composition capabilities to allow teams to manage their own configuration while still enabling cross-team collaboration when needed.
Example
Consider two teams: backend and frontend, each managing multiple services:
```yaml
# environments/backend-team.yaml
values:
  team: "backend"
  services:
    api:
      port: 8080
      replicas: 3
    worker:
      concurrency: 10
      timeout: 30
  shared:
    database:
      host: "backend-db.example.com"
    secrets:
      # A bare string is stored as plaintext; wrap real secrets in fn::secret
      # so ESC encrypts the value at rest and masks it in output.
      dbPassword: "backend-db-secret"
```

```yaml
# environments/frontend-team.yaml
values:
  team: "frontend"
  services:
    web:
      port: 3000
      replicas: 2
    cdn:
      provider: "cloudflare"
  shared:
    apiEndpoint: "https://api.example.com"
```
Teams can compose with shared organizational environments:
```yaml
# pulumi.yaml for backend team's API service
name: backend-api
runtime: nodejs
environment:
  - org-shared
  - backend-team
```
This allows teams to maintain autonomy while accessing shared organizational resources.
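The following added example (not from the Pulumi documentation) audits what that composition produces: which `org-shared` values the team environment silently overrides, and which secret-looking keys hold bare strings rather than `fn::secret`. It models composition as an ordered deep merge where later environments win, a simplification of ESC's import behaviour. The contents of `org-shared`, the `SECRET_HINTS` list, and the function names are assumptions.

```python
# Added example. Environments appear as already-parsed dicts (constructed data);
# org-shared's contents are an assumption, the page does not show them.
ORG_SHARED = {"values": {
    "shared": {"database": {"host": "org-db.example.com", "tls": True}},
}}
BACKEND_TEAM = {"values": {
    "team": "backend",
    "shared": {
        "database": {"host": "backend-db.example.com"},
        "secrets": {"dbPassword": "backend-db-secret"},
    },
}}
SECRET_HINTS = ("password", "secret", "token", "apikey")  # hypothetical heuristic


def merge(base, overlay, path="", overrides=None):
    """Deep-merge overlay onto base (later wins); record replaced leaf paths."""
    overrides = [] if overrides is None else overrides
    out = dict(base)
    for key, val in overlay.items():
        here = f"{path}.{key}" if path else key
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key], _ = merge(out[key], val, here, overrides)
        else:
            if key in out and out[key] != val:
                overrides.append(here)  # an earlier environment's value is replaced
            out[key] = val
    return out, overrides


def plaintext_secrets(node, path=""):
    """Paths whose key name looks sensitive but whose value is a bare string."""
    found = []
    for key, val in node.items():
        here = f"{path}.{key}" if path else key
        if isinstance(val, dict):
            if "fn::secret" not in val:  # values wrapped in fn::secret are fine
                found += plaintext_secrets(val, here)
        elif isinstance(val, str) and any(h in key.lower() for h in SECRET_HINTS):
            found.append(here)
    return found


def audit(layers):
    """Compose layers in listed order; return (merged, overrides, plaintext)."""
    merged, overrides = {}, []
    for layer in layers:
        merged, overrides = merge(merged, layer["values"], "", overrides)
    return merged, overrides, plaintext_secrets(merged)
```

Run in review or CI against the environments a stack lists, the override report shows where a team environment shadows an organization-wide setting, which is the main thing to watch once teams own their configuration.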
Related patterns
- IDP Pattern: One ESC environment per service - Alternative service-focused approach
- IDP Pattern: One ESC environment per lifecycle stage - Complementary staging approach
- IDP Pattern: Composable environments - For sharing configuration across teams