Azure Infrastructure - HOLE Foundation

Overview

HOLE Foundation uses Azure primarily as the enterprise authentication and SSO backbone via Entra ID (Azure AD).

Terraform Workspace: azure-hole-general-services-prod Organization: theholetruth Location: /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/production/ Subscription: de602062-dafa-4c8b-91b7-98a75bcd7cff Tenant: HOLE Foundation (holefoundation.org)

Resources: ~10 (minimal, cloud-native approach)

---

Infrastructure Managed

Resource Groups

hole-entra-domain-services:

• Location: East US
• Purpose: SSO infrastructure container
• Tags: Critical=true, ManagedBy=Terraform
• Status: ✅ Imported into Terraform

File: terraform/production/main.tf

Entra ID (Azure AD)

Primary Function: Enterprise single sign-on for all HOLE Foundation services

22 SSO Integrations Powered:

1. Cloudflare (4 applications)

   • Cloudflare IDP (primary dashboard SSO)
   • Cloudflare SCIM (user provisioning)
   • theholetruth.org MCP OAuth
   • Additional Cloudflare app

2. GitHub Enterprise

   • Organization SSO: The-HOLE-Foundation
   • Enterprise account access

3. AWS IAM Identity Center

   • AWS console single sign-on
   • Multi-account management
   • Role assumption

4. Google Cloud / G Suite (2 connectors)

   • Google Workspace (email, docs)
   • Google Cloud Platform console

5. Terraform Cloud

   • Organization access: theholetruth
   • Workspace management

6. Development & Productivity (5 apps)

   • Notion (knowledge base)
   • Perplexity AI (AI search)
   • Clerk (authentication service)
   • [2 more]

7. Additional Services (11 apps)

   • Various internal dashboards
   • Third-party integrations
   • Development tools

Total: 22 active SSO integrations

Network Infrastructure (Disabled)

The following resources are NOT deployed (cloud-native approach, not needed):

• Virtual Network (aadds-vnet)
• Network Security Group (aadds-nsg)
• Managed Identity
• Private DNS zones (3x)

Reason: HOLE Foundation uses cloud-native Azure AD (Entra ID), not on-premises domain services. The 22 SSO integrations work perfectly without this infrastructure.

Cost Savings: ~$50-100/month by not deploying unnecessary infrastructure

---

Making Azure Changes

Standard Workflow

When user asks to modify Azure infrastructure:

1. Navigate to workspace:

cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/production

2. Authenticate (if needed):

az login
az account set --subscription "de602062-dafa-4c8b-91b7-98a75bcd7cff"

3. Edit Terraform files:

• main.tf - Resource definitions
• Add/modify Azure resources

4. Plan and apply:

terraform plan
terraform apply

No wrapper script needed - Azure uses Azure CLI authentication (no token in dotenvx)

---

Common Azure Operations

Add Resource to Resource Group

resource "azurerm_<resource_type>" "my_resource" {
  name                = "my-resource"
  location            = azurerm_resource_group.hole_entra_domain_services.location
  resource_group_name = azurerm_resource_group.hole_entra_domain_services.name

  tags = {
    Environment = "Production"
    ManagedBy   = "Terraform"
    Critical    = "true"
  }
}

Manage SSO Integration (Manual)

Note: Entra ID SSO integrations are typically configured via Azure Portal, not Terraform (many don't have Terraform resources yet).

Workflow:

1. Configure SSO app in Azure Portal
2. Document in Terraform comments
3. Future: Use AzureAD Terraform provider for automation

---

Critical Safety Rules

⚠️ SSO Impact Warning

ANY changes to Azure Entra ID can break access to all 22 services!

Before ANY Azure change:

1. ✅ Understand what will be affected
2. ✅ Have backup access method
3. ✅ Test in non-production first
4. ✅ Verify SSO after changes

After Azure changes, TEST these critical services:

• Cloudflare dashboard access
• GitHub organization access
• AWS console access
• Google Workspace access
• Terraform Cloud access

Resources to NEVER Delete

❌ NEVER delete hole-entra-domain-services resource group ❌ NEVER delete Entra ID tenant ❌ NEVER modify Entra ID without testing plan

Deletion Impact: Would break authentication for all 22 services!

---

SSO Integration Testing

After any Azure Entra ID changes, verify these integrations work:

Tier 1 (Critical - Test Immediately):

1. Cloudflare Dashboard - https://dash.cloudflare.com
2. GitHub Enterprise - https://github.com/orgs/The-HOLE-Foundation
3. AWS Console - https://console.aws.amazon.com
4. Terraform Cloud - https://app.terraform.io

Tier 2 (Important - Test Within 24h): 5. Google Workspace - https://workspace.google.com 6. Google Cloud Platform - https://console.cloud.google.com 7. Notion - https://notion.so 8. Perplexity AI - https://perplexity.ai

Tier 3 (Test When Needed): 9-22. Other integrated services

---

When to Use Azure vs Other Providers

Use Azure For

✅ Enterprise SSO configuration ✅ User authentication (via Entra ID) ✅ Access control across all services ✅ Identity management ✅ Group-based permissions

Use Cloudflare For

✅ Web hosting, DNS, CDN ✅ Application-level access control (Zero Trust)

Use AWS For

✅ AI services, compute, storage

NEVER Use Azure For

❌ Web hosting (use Cloudflare) ❌ DNS management (use Cloudflare) ❌ Object storage (use Cloudflare R2 or AWS S3) ❌ Serverless compute (use Cloudflare Workers or AWS Lambda)

Azure's role: Authentication backbone, not application infrastructure

---

Azure Cost Optimization

Current Costs

• Entra ID: Included (Free tier sufficient)
• Resource group: Free
• Total: ~$0/month for authentication infrastructure

Previous Waste Eliminated

✅ Deleted unused Entra Domain Services ($100/month) ✅ Removed unnecessary networking ($20/month) ✅ Kept only cloud-native Entra ID (free)

Savings: ~$120/month by optimizing to cloud-native

---

Integration with Cloudflare

Cloudflare Access + Azure Entra ID

Cloudflare Zero Trust Access applications use Azure Entra ID for authentication:

Cloudflare Side (terraform/cloudflare/foundation/):

resource "cloudflare_access_application" "my_app" {
  # ...
  # Identity provider references Azure
}

Azure Side (terraform/production/):

• Entra ID app registrations
• User assignments
• Group memberships

Testing: After changes to either side, verify SSO login works

---

Multi-Cloud Scenarios

Scenario 1: Add New SSO Service

User: "Add SSO for NewService.com"

Steps:

1. Configure in Azure Portal (Entra ID → Enterprise Applications)
2. Document in Terraform comments (or use AzureAD provider)
3. Test SSO login
4. No Cloudflare changes needed (unless using Access)

Scenario 2: Modify User Access

User: "Give team member access to AWS"

Steps:

1. Add user to appropriate Azure AD group
2. Group is mapped to AWS IAM Identity Center
3. User can now access AWS console via SSO
4. No Terraform changes (unless creating new groups)

---

Important Files

Terraform Configuration:

• terraform/production/main.tf - Resource definitions
• terraform/production/outputs.tf - Outputs
• terraform/production/backend.tf - Terraform Cloud config

Documentation:

• MULTI_SUBSCRIPTION_SUMMARY.md - Azure subscription overview
• SSO_INVENTORY.md - Complete SSO integration list
• README.md - Workspace documentation

---

Quick Reference

Subscription: de602062-dafa-4c8b-91b7-98a75bcd7cff Tenant: HOLE Foundation (holefoundation.org) Workspace: azure-hole-general-services-prod Location: terraform/production/ Resources: ~10 (minimal, optimized) SSO Integrations: 22 services Monthly Cost: ~$0 (free tier)

Authentication: Azure CLI (no token in dotenvx)

Critical: This infrastructure powers authentication for ALL services - handle with extreme care!

---

Version History

• 1.0.0 (2026-01-09) - Initial Azure skill
  • Resource group imported
  • SSO infrastructure documented
  • 22 integrations inventoried
  • Cloud-native optimization complete