Azure Developer Platform
The Azure counterpart to the AWS platform, built on a deliberately different toolchain to prove the paved-road pattern is not cloud or tool specific.
/01 Problem
A paved-road platform is only convincing if it generalizes. Building one on AWS proves it works once; rebuilding the same developer experience on Azure with a different GitOps and identity stack proves the pattern, not the tooling.
/02 Approach
- Flux reconciles the platform from Git via GitRepository, Kustomization, and HelmRelease objects; on this build that takes the place of the app-of-apps model used on AWS.
- Crossplane with an Azure provider, authenticated through Azure Workload Identity, exposes a self-service StorageAccount API as a Crossplane claim type.
- A claim provisions a real storage account that is hardened by default: TLS 1.2 as the minimum version, HTTPS-only traffic, anonymous public blob access disabled, and infrastructure (double) encryption at rest. The claim schema does not expose those settings, so a developer cannot relax them, and no client secret exists anywhere in the path.
- Kyverno enforces an owning-team label on claims at admission time, the same governance intent as the AWS build.
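The four pieces above, as one added example rather than the project's own manifests: an XRD that defines the StorageAccount claim, a Composition whose base carries the hardening, a Kyverno policy that rejects unlabelled claims, and the claim a developer actually submits. The group `platform.example.org`, the namespace, the label key, the resource group and the account name are placeholders; the managed-resource field names follow the Upbound provider-azure `storage.azure.upbound.io` Account kind as I know it, but spellings such as `enableHttpsTrafficOnly` have changed across provider versions, so check them against the installed CRD. The Composition assumes Crossplane in Pipeline mode with `function-patch-and-transform` installed.

```yaml
# XRD: the self-service API a developer sees as kind: StorageAccount (hypothetical group)
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xstorageaccounts.platform.example.org
spec:
  group: platform.example.org
  names: {kind: XStorageAccount, plural: xstorageaccounts}
  claimNames: {kind: StorageAccount, plural: storageaccounts}
  versions:
  - name: v1alpha1
    served: true
    referenceable: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: [accountName, resourceGroup]
            properties:
              accountName: {type: string, pattern: '^[a-z0-9]{3,24}$'}  # Azure naming rule
              resourceGroup: {type: string}
              location: {type: string, default: westeurope}
---
# Composition: the hardening lives in the base, not in the claim schema, so a claim cannot relax it
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: azure.xstorageaccounts.platform.example.org
spec:
  compositeTypeRef: {apiVersion: platform.example.org/v1alpha1, kind: XStorageAccount}
  mode: Pipeline
  pipeline:
  - step: patch-and-transform
    functionRef: {name: function-patch-and-transform}
    input:
      apiVersion: pt.fn.crossplane.io/v1beta1
      kind: Resources
      resources:
      - name: account
        base:
          apiVersion: storage.azure.upbound.io/v1beta1
          kind: Account
          spec:
            forProvider:
              accountTier: Standard
              accountReplicationType: LRS
              minTlsVersion: TLS1_2                # assumed field spelling; check the installed CRD
              enableHttpsTrafficOnly: true
              allowNestedItemsToBePublic: false    # no anonymous blob or container access
              infrastructureEncryptionEnabled: true
        patches:
        # Storage account names cannot contain the hyphens in Crossplane-generated names, so set the external name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.accountName
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - type: FromCompositeFieldPath
          fromFieldPath: spec.resourceGroup
          toFieldPath: spec.forProvider.resourceGroupName
        - type: FromCompositeFieldPath
          fromFieldPath: spec.location
          toFieldPath: spec.forProvider.location
        # Claim labels are copied to the composite, so the owning team also lands on the Azure tags
        - type: FromCompositeFieldPath
          fromFieldPath: metadata.labels[platform.example.org/team]
          toFieldPath: spec.forProvider.tags.team
---
# Kyverno: a claim with no owning-team label is rejected at admission, before Crossplane sees it
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-owning-team
spec:
  validationFailureAction: Enforce
  rules:
  - name: storageaccount-claims-need-team
    match:
      any:
      - resources:
          kinds: [platform.example.org/v1alpha1/StorageAccount]
    validate:
      message: "StorageAccount claims must carry the platform.example.org/team label"
      pattern:
        metadata:
          labels:
            platform.example.org/team: "?*"
---
# What a developer submits: one claim, no credentials, no security settings to get wrong
apiVersion: platform.example.org/v1alpha1
kind: StorageAccount
metadata:
  name: payments-artifacts
  namespace: team-payments
  labels:
    platform.example.org/team: payments
spec:
  accountName: paymentsartifacts01   # placeholder; must be globally unique
  resourceGroup: rg-platform-dev
```

The check worth running after a claim reconciles is `kubectl get account.storage.azure.upbound.io -o yaml` and reading back `status.atProvider`: the four hardening fields should be present there regardless of what the claim said, and a claim submitted without the team label should never produce an Account at all because Kyverno stops it first.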
/03 Architecture
AKS with the OIDC issuer and workload identity enabled, plus a user-assigned managed identity carrying a federated credential that trusts the Crossplane provider's Kubernetes service account, is provisioned in Terraform with an Azure Storage state backend.
Azure Workload Identity takes the role IRSA plays on AWS: the provider pod's projected service account token is exchanged for an Entra ID access token, so there is no long-lived secret in the cluster to leak or rotate. That substitution is what makes the pattern portable.
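The cluster-side half of that bridge, as an added example and not the project's own manifests: a DeploymentRuntimeConfig that gives the provider pod the Workload Identity label and a fixed service account name, the Provider that uses it, and a ProviderConfig that reads the projected OIDC token file instead of a Secret. The GUIDs and the package version are placeholders; the `OIDCTokenFile` credential source is the form the Upbound provider-azure documents for Workload Identity and should be verified against the installed ProviderConfig CRD.

```yaml
# DeploymentRuntimeConfig: Workload Identity label on the pod, predictable service account name
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: azure-workload-identity
spec:
  serviceAccountTemplate:
    metadata:
      name: provider-azure-storage   # the federated credential's subject references this exact name
      annotations:
        azure.workload.identity/client-id: 00000000-0000-0000-0000-000000000000   # placeholder UAMI client ID
  deploymentTemplate:
    spec:
      selector: {}
      template:
        metadata:
          labels:
            azure.workload.identity/use: "true"   # mutating webhook projects the token and AZURE_* env vars
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-azure-storage
spec:
  package: xpkg.upbound.io/upbound/provider-azure-storage:v1.0.0   # placeholder version
  runtimeConfigRef:
    name: azure-workload-identity
---
# ProviderConfig: credentials come from the projected OIDC token file, never from a Secret
apiVersion: azure.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: OIDCTokenFile
  clientID: 00000000-0000-0000-0000-000000000000        # placeholder, same UAMI as above
  tenantID: 11111111-1111-1111-1111-111111111111        # placeholder
  subscriptionID: 22222222-2222-2222-2222-222222222222  # placeholder
```

The Terraform side has to agree with this byte for byte: the federated credential's issuer is the AKS cluster's OIDC issuer URL, its subject is `system:serviceaccount:crossplane-system:provider-azure-storage`, and its audience is `api://AzureADTokenExchange`. Leaving the service account name to Crossplane's generated default is the usual way this breaks, because the hash suffix changes and the subject no longer matches. A quick confirmation that no secret is in play is `kubectl get secret -n crossplane-system` showing nothing the provider depends on, while `kubectl get providerconfig default` still reports the provider as healthy.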
/04 Outcome
Same developer experience as the AWS platform (one claim, one hardened resource, no secrets) delivered on an entirely different toolchain.
Verified end to end against real Azure, then torn down clean.