
Z1 — SaaS Startup Reference Platform

Asset: Z1  |  Workstream: [GTM][B]  |  Ownership: [SO→CO]  |  Owner: Sagar  |  Status: drafted  |  Instantiates: Z0 (all 5 artifacts)

The default blueprint for the core ICP: the lean, SOC 2-oriented baseline that a Series A to pre-IPO B2B SaaS company on Azure + GitHub gets. It is almost entirely shipped 🟦 modules, which makes it the most deployable Z today.


1. Module bill-of-materials

Every line is a real claude.md §4 asset. Status: 🟦 code-complete / 🟩 shipped / roadmap.

Layer | Asset(s) | Role | Status
Identity (client) | B2 client-bootstrap | Federated OIDC SP — zero long-lived creds; the CI/CD identity | 🟦
Subscription baseline | B3 (wraps F1) | Mgmt Group, Azure Policy initiative, Defender plans, central LAW, group RBAC, MCSB | 🟦
State backend | B4 (wraps F6) | Per-env Terraform state SA, AAD-only, Blob-RBAC | 🟦
Network | F2 network-hub | Hub-spoke, private DNS, NSG flow logs, optional Firewall | 🟦
Key management | F5 key-vault | Premium KV, RBAC + purge protection + private endpoint | 🟦
Registry | F4 acr | Premium ACR, private endpoint, AAD-only, signed-image ready | 🟦
Compute | F3 aks-secure | Private AKS, Workload Identity, AAD-RBAC, Azure CNI Overlay | 🟦
K8s policy | D4 kyverno bundle | 5 ClusterPolicies — no latest tag, signed images, no privileged, netpol | 🟦
GitOps platform | F8 gitops bundle | ArgoCD app-of-apps + cert-manager + ESO + Kyverno + ingress | 🟦
PIM (Azure roles) | B5 pim-azure-resources | JIT Owner/Contributor/UAA — tier-0 approval, tier-1 4h | 🟦
IAM (directory) | H1, H2, H3 | AAD baseline, Conditional Access (MFA), PIM templates | 🟦
IAM hygiene | H5, H7 | SP credential rotation, break-glass + sign-in alert | 🟦
CI/CD | C1, C2, C3 | TF plan/apply + OPA gate; build/sign/scan; AKS deploy | 🟦
Quality gates | D1, D2, D3, C4, R1 | pre-commit + PR-blocking + OPA bundle + branching + PR template | 🟩/🟦
Evidence floor | E0 | Compliance snapshot per deploy | roadmap (M2b)

Pinning: "current main" until F11 (module versioning, M3); after that, each line pins a semver tag via ?ref= in its module source. Shipped subset: everything except E0 is 🟦 today.
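A check for the pinning rule above, added here as an example and not part of the Z1 library: it scans a Terraform root for git-sourced module lines and reports any that do not carry a semver ?ref=. The library URL, module paths and the `v` tag prefix in the sample are assumptions.

```python
import re
from typing import Dict, List

# Matches a Terraform `source = "..."` attribute (assumes one per line).
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)
# The Z1 pinning rule: the source must end in ?ref=<semver tag>; the "v" prefix is optional here.
SEMVER_REF_RE = re.compile(r'[?&]ref=v?\d+\.\d+\.\d+$')


def check_pins(tf_text: str) -> Dict[str, List[str]]:
    """Classify every git-sourced module in a Terraform file as pinned or unpinned."""
    result: Dict[str, List[str]] = {"pinned": [], "unpinned": []}
    for src in SOURCE_RE.findall(tf_text):
        if src.startswith(("./", "../")):
            continue  # local path modules ship with the root; nothing to pin
        if SEMVER_REF_RE.search(src):
            result["pinned"].append(src)
        else:
            result["unpinned"].append(src)  # floating branch or no ref at all
    return result


# Constructed sample root module; the library URL and module paths are hypothetical.
SAMPLE_TF = '''
module "network_hub" {
  source = "git::https://github.com/example-org/platform-library.git//modules/F2-network-hub?ref=v1.4.0"
}
module "key_vault" {
  source = "git::https://github.com/example-org/platform-library.git//modules/F5-key-vault?ref=main"
}
module "acr" {
  source = "git::https://github.com/example-org/platform-library.git//modules/F4-acr"
}
module "local_helper" {
  source = "./modules/helper"
}
'''

if __name__ == "__main__":
    report = check_pins(SAMPLE_TF)
    for src in report["unpinned"]:
        print("UNPINNED:", src)
    raise SystemExit(1 if report["unpinned"] else 0)
```

Wire it into the C1 plan stage so an unpinned module fails the PR before `terraform plan` runs.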

2. Architecture diagram

d2 form lands with V2 (M2b). Topology sketch + prose until then.

                    GitHub (source + Actions)
                          │ OIDC (B2 — no secrets)
        ┌───────────────────────────────────────────┐
        │            Client Azure Subscription        │
        │  Mgmt Group · Azure Policy · Defender (B3)   │
        │                                             │
        │   Hub vNet (F2) ── peering ── Spoke vNet     │
        │      │                          │           │
        │   [Firewall?]            ┌──────┴───────┐    │
        │                          │ Private AKS  │    │
        │   Private Endpoints  ────┤ (F3) +Kyverno│    │
        │      ├── ACR (F4)        │ (D4) +ArgoCD │    │
        │      ├── Key Vault (F5)  │ (F8) +ESO    │    │
        │      └── State SA (B4)   └──────────────┘    │
        │                                             │
        │   Identity: H1/H2/H3 (MFA/CA/PIM) ·          │
        │             H5 (rotation) · H7 (break-glass) │
        │             B5 (Azure-role PIM)              │
        │   Logging → central Log Analytics (B3)       │
        └───────────────────────────────────────────┘
              CI/CD: C1 (plan/apply+OPA) → C2 (build/sign/scan) → C3 (AKS deploy)
              Evidence: E0 snapshot per deploy (roadmap M2b)

Topology in prose: one client subscription, hardened by B3. A hub-spoke network (F2); the workload spoke hosts a private AKS cluster (F3) with the Kyverno policy floor (D4) and the GitOps platform layer (F8). ACR (F4), Key Vault (F5), and the Terraform state account (B4) are reached only via private endpoints. All human and workload identity flows through MFA/Conditional Access/PIM (H1–H3), SP secrets rotate (H5), break-glass sign-ins are alerted (H7), and Azure-resource roles are JIT via PIM (B5). CI/CD authenticates via federated OIDC (B2), so there are no long-lived cloud credentials anywhere.

3. Compliance mapping (SOC 2-oriented)

Primary target: SOC 2 (Security). Strong CIS Azure + ISO 27001 Annex A overlap. See the full Y7 matrix; Z1-relevant rows:

Control area | Covered by | Framework refs
Logical access / MFA / least-priv | H1–H3, B2, B5 | SOC2 CC6.1/CC6.6 · ISO A.5.15/A.8.5 · CIS 1.1
Network boundary | F2, F5 (PE), F4 (PE) | SOC2 CC6.6 · CIS 3.7/8.5
Cryptography / KV | F5 | ISO A.8.24 · CIS 8.2
Change management | C1–C4, D1–D3, R1 | SOC2 CC8.1 · ISO A.8.9/A.8.28
Monitoring / Defender | B3, F1 | SOC2 CC7.2 · ISO A.8.16 · CIS 2.1
Image integrity | C2, D4, F4 | SOC2 CC7.1
Credential hygiene | H5, B2 | CIS 1.21
Evidence | E0 (roadmap M2b) | SOC2 CC4/CC7.2

Process controls (governance, HR, physical) are out of platform scope — see Y7 §6. Audit-ready, not certified.

4. Cost estimate (illustrative — Azure list, single region, sandbox-scale)

⚠️ Illustrative monthly Azure cost; finalize per client region + scale. Pairs with U1 budget.

Component | Driver | Illustrative $/mo ⚠️
Private AKS (F3) | system + small user pool, 3 AZ | $[300–600]
Azure Firewall (F2, optional) | Standard tier (skip to cut cost) | $[~950] if enabled
Defender for Cloud plans (B3) | per-resource Standard | $[100–400]
Log Analytics ingestion (B3) | volume-dependent | $[50–300]
ACR Premium (F4) | fixed | $[~50]
Key Vault Premium (F5) | low txn | $[~5–20]
Private endpoints + state SA | per-PE + storage | $[30–80]
Indicative total (no Firewall) | | $[~600–1,500]/mo

Biggest levers: AKS node sizing, Firewall on/off, Defender plan selection, LAW retention. SnowOps tunes these to the client's CFO-approved cap (U1).

5. Deploy guide (order of operations)

Each step has a real runbook under docs/runbooks/test/.

  1. B2 — provision the OIDC SP (the apply identity). → B2.md
  2. B3 — subscription baseline (MG, Policy, Defender, LAW, RBAC). → B3.md
  3. B4 — per-env state backend + Blob RBAC. → B4.md
  4. F2 — hub-spoke network + private DNS. → F2.md
  5. F5 — Key Vault (needs F2 PE subnet + DNS). → F5.md
  6. F4 — ACR (needs F2 PE + DNS). → F4.md
  7. F3 — private AKS (needs F2 spoke, F4 registry, F5 KV, D4 policy floor). → F3.md
  8. D4 — Kyverno policies (offline-validated; applied to the cluster). → D4.md
  9. F8 — GitOps app-of-apps (ArgoCD/ESO/cert-manager; reuses D4 rules). → F8.md
  10. H1 → H2 → H3 — AAD baseline → Conditional Access → PIM. → H1/H2/H3.md
  11. H7 — break-glass group + sign-in alert (produces the group H2/B3/B5 consume). → H7.md
  12. B5 — Azure-resource PIM (needs the H7/B3 break-glass Owner). → B5.md
  13. H5 — SP rotation workflow (scheduled). → H5.md
  14. C1 → C2 → C3 — wire the CI/CD pipelines into the client repo. → C1/C2/C3.md
  15. D1–D3, C4, R1 — quality gates onto the repo. → D1/D2/D3/C4/R1.md
  16. E0 (M2b) — evidence snapshot on deploy.
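A post-deploy check for the B2 contract that steps 1 and 13 rely on (federated OIDC only, no long-lived secrets), added here as an example and not a Z1 runbook. It takes the JSON that `az ad app credential list` and `az ad app federated-credential list` return for the apply SP; the sample below is constructed, the field names are assumed from the Graph API federatedIdentityCredential / passwordCredential schema, and the repo name is hypothetical.

```python
from datetime import datetime, timezone

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AAD_AUDIENCE = "api://AzureADTokenExchange"


def _still_valid(cred, now):
    end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
    return end > now


def check_oidc_sp(password_creds, key_creds, federated_creds, repo, now=None):
    """Return a list of findings for one app registration; an empty list means compliant."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # B2 rule: the apply identity carries no secret or certificate that is still valid.
    live = [c for c in password_creds + key_creds if _still_valid(c, now)]
    if live:
        findings.append(f"{len(live)} long-lived secret/cert credential(s) still valid")
    gh = [f for f in federated_creds if f.get("issuer") == GITHUB_ISSUER]
    if not gh:
        findings.append("no federated credential for the GitHub OIDC issuer")
    for f in gh:
        sub = f.get("subject", "")
        # Subject must name this repo and bind to a branch or environment, not any PR.
        if not sub.startswith(f"repo:{repo}:"):
            findings.append(f"{f['name']}: subject bound to another repo ({sub})")
        elif not (":ref:refs/heads/" in sub or ":environment:" in sub):
            findings.append(f"{f['name']}: subject not pinned to a branch or environment ({sub})")
        if AAD_AUDIENCE not in f.get("audiences", []):
            findings.append(f"{f['name']}: audience is not {AAD_AUDIENCE}")
    return findings


# Constructed sample: one expired and one still-valid client secret, one correct federated cred.
SAMPLE_PASSWORDS = [
    {"displayName": "legacy-ci", "keyId": "aaaa-1111", "endDateTime": "2099-01-01T00:00:00Z"},
    {"displayName": "old", "keyId": "bbbb-2222", "endDateTime": "2020-01-01T00:00:00Z"},
]
SAMPLE_FEDERATED = [
    {"name": "gh-main", "issuer": GITHUB_ISSUER,
     "subject": "repo:example-org/client-infra:ref:refs/heads/main",
     "audiences": [AAD_AUDIENCE]},
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

if __name__ == "__main__":
    for line in check_oidc_sp(SAMPLE_PASSWORDS, [], SAMPLE_FEDERATED, "example-org/client-infra", NOW):
        print("FINDING:", line)
```

Run it from the H5 rotation workflow as well, so a secret re-added to the SP by hand is caught on the next schedule.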

DoD (Z1)

  • Every referenced asset exists in §4 and composes (BOM validates against the library). (Met — all 🟦 except E0 flagged roadmap.)
  • Diagram renders. (Sketch + prose present; d2 with V2.)
  • SOC 2 coverage mapping (Y7) attached. (Met — §3.)

Sign-off

  • Reviewer: _  |  Date: _  |  Result: PASS / FAIL