|
| 1 | +# Organizations - best practices |
| 2 | + |
| 3 | +December 9, 2024 |
| 4 | + |
| 5 | +--- |
| 6 | + |
| 7 | +Coder [Organizations](../../admin/users/organizations.md) allow administrators |
| 8 | +finer control over groups, templates, workspaces, and provisioners within their |
| 9 | +Coder deployment. |
| 10 | + |
| 11 | +Organizations allow multiple platform teams to offer templates and |
| 12 | +infrastructure to their users instead of having them entirely managed in a |
| 13 | +centralized fashion. |
| 14 | + |
| 15 | +Each organization can have its own unique admin and users can belong to multiple |
| 16 | +organizations, but every organization must have separate templates, |
| 17 | +provisioners, groups, and workspaces. |
| 18 | + |
| 19 | +On this best practice page, we cover some of the ways you can use Organizations |
| 20 | +to make it easier to manage your groups smoothly. |
| 21 | + |
| 22 | +## How Coder organizations work |
| 23 | + |
| 24 | +Organizations are the hierarchical parent for templates, groups, and |
| 25 | +provisioners. Every new organization must have separate templates, provisioners, |
| 26 | +and groups. |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | +Users can belong to multiple organizations while templates and provisioners |
| 31 | +cannot. |
| 32 | + |
| 33 | +## When to use organizations |
| 34 | + |
| 35 | +Organizations increase the maintenance overhead of a Coder deployment, so we |
| 36 | +recommend that you only use them when necessary. |
| 37 | + |
| 38 | +Use organizations when a separate group of users needs to manage their own |
| 39 | +templates and underlying infrastructure. If a group of users already has a |
| 40 | +separate, functional platform team willing to write templates or manage |
| 41 | +clusters, organizations may be a good fit. |
| 42 | + |
| 43 | +### Organization use case examples |
| 44 | + |
| 45 | +Here are a few examples for a fictional organization called MegaCo. It is |
| 46 | +deployed with Coder and has 1000 users in production. Today, MegaCo has a single |
| 47 | +(default) organization and a central platform team but is evaluating whether to |
| 48 | +use organizations for several use cases. |
| 49 | + |
| 50 | +| **Use Case** | **Description** | **Good fit for organizations?** | |
| 51 | +| ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | |
| 52 | +| Mergers and acquisitions | Raptix, a 180-person startup recently acquired by MegaCo, has an independent cloud account, platform team, and Terraform modules and pipelines for deploying their code. They want to use Coder. | ✅ Organizations | |
| 53 | +| Independent cloud-native teams that manage their namespaces, images, and/or clusters | MegaCo has six teams responsible for their own dev, staging, and production Kubernetes clusters and frequently deploy & test their work with `kubectl` and `helm`.</br></br>They wish to hook up Coder to their cluster so they can write and manage IDE templates for connecting to the cluster with their IDE | ✅ Organizations | |
| 54 | +| Java monolith | MegaCo has identified that anyone developing the Java monolith is best served with a VM instead of a container/cloud-native environment.</br></br>However, the Java team is supported by MegaCo's central platform team. | ❌ Use instead:</br>A separate template and/or groups | |
| 55 | +| Off-shore contractors | MegaCo employs off-shore contractors but has not onboarded them onto Coder due to privacy concerns, data sovereignty rules, and latency considerations.</br></br>They considered a minimal, localized second deployment of Coder, but decided against it due to maintenance overhead. | ✅ Organizations + Workspace Proxies | |
| 56 | +| Dev teams | Dev teams often need to bring their requirements for dev environments, such as specific repositories and tools | ❌ Use instead:</br>Parameters, dev containers, and/or groups | |
| 57 | +| ML Platform Team & ML Developers | MegaCo's data platform team maintains a homegrown "MLBox" product for data environments with a GPU, Jupyter, etc.</br></br>This team is interested in migrating to Coder for improved cost-saving and auditing of environments, but they need to hook up their own cluster and cloud accounts. They also want their templates only to be accessible to a specific set of users. | ✅ Organizations | |
| 58 | +| Supporting developers in various regions | MegaCo's central platform team supports developers connecting from the East Coast, the West Coast, and Australia. These developers are working on the same projects but need low-latency access to their environments. | ❌ Use instead:</br>Provisioners and workspace proxies to support multiple regions on a single template | |
| 59 | + |
| 60 | +## How to migrate to organizations |
| 61 | + |
| 62 | +Since templates and workspaces cannot be moved nor can they belong to multiple |
| 63 | +organizations, we recommend that you deprecate your template |
| 64 | +[through the API](../../reference/api/templates.md#update-template-metadata-by-id) |
| 65 | +or [through the Coder CLI](../../reference/cli/templates_edit.md#--deprecated). |
| 66 | +When a template is deprecated, the admin prevents new workspaces from being |
| 67 | +created and developers are notified with a deprecation message which can link to |
| 68 | +an external wiki page on migration instructions. |
| 69 | + |
| 70 | +Users can use a file transfer tool such as |
| 71 | +[rsync](https://linux.die.net/man/1/rsync) to migrate their files from one |
| 72 | +workspace to another. |
| 73 | + |
| 74 | +## Provisioner Isolation and Zero Trust |
| 75 | + |
| 76 | +In the organizations model, provisioners run in a separate |
| 77 | +cluster/infrastructure and have an isolated key to authenticate back with Coder. |
| 78 | +The provisioners have access to separate cloud resources that the control plane |
| 79 | +cannot access. Instead, the control plane sends simple "provisioner jobs" to the |
| 80 | +provisioner and the provisioner is responsible for executing the Terraform. |
| 81 | + |
| 82 | +There are planned improvements to the troubleshooting provisioners process. |
| 83 | +Follow these GitHub issues for more details: |
| 84 | + |
| 85 | +- [coder/coder#15048](https://github.com/coder/coder/issues/15048) |
| 86 | +- [coder/coder#15087](https://github.com/coder/coder/issues/15087) |
| 87 | +- [coder/coder#15192](https://github.com/coder/coder/issues/15192) |
| 88 | + |
| 89 | +## Identity Provider (SSO) Sync |
| 90 | + |
| 91 | +While the Coder UI or API can be used to assign specific users to organizations, |
| 92 | +this is discouraged. Instead, we recommend syncing the state from your identity |
| 93 | +provider such as Okta. A single claim from the identity provider (like |
| 94 | +`memberOf`) can be used to sync site-wide roles, organizations, groups, and |
| 95 | +organization roles. |
| 96 | + |
| 97 | +### Planned enhancements |
| 98 | + |
| 99 | +Site-wide role sync is managed via server flags. We plan on changing this to |
| 100 | +runtime configuration so Coder does not need a re-deploy: |
| 101 | + |
| 102 | +- Issue [coder/internal#86](https://github.com/coder/internal/issues/86) |
| 103 | + |
| 104 | +Make all sync configurable via the dashboard UI: |
| 105 | + |
| 106 | +- [coder/coder#15290](https://github.com/coder/coder/issues/15290) |
| 107 | + |
| 108 | +Regex filters and mapping can be configured to ensure the proper resources are |
| 109 | +allocated in Coder. Learn more about [IDP sync](../../admin/users/idp-sync.md). |
| 110 | + |
| 111 | +## Custom Roles |
| 112 | + |
| 113 | +Custom roles are organization-scoped and can be used to limit access controls |
| 114 | +within an organization. Custom roles can be applied to the default organization. |
| 115 | + |
| 116 | +Some examples of custom roles that can be created: |
| 117 | + |
| 118 | +**Provisioner Admin** |
| 119 | + |
| 120 | +- The user can deploy provisioners but not manage templates. This may be useful |
| 121 | + if automation is used to create and update templates in the organization. |
| 122 | + |
| 123 | +**Template Editor** |
| 124 | + |
| 125 | +- Inverse of provisioner admin: User can manage templates but not deploy |
| 126 | + provisioners. This may be useful if the provisioner and template are deployed |
| 127 | + via automation and users are allowed to edit them. |
| 128 | + |
| 129 | +**Template Pusher** |
| 130 | + |
| 131 | +- A system account that can push new templates from a git repo but cannot manage |
| 132 | + users or delete templates. |
| 133 | + |
| 134 | +We’re interested in identifying new use cases for custom roles. Please |
| 135 | +[create a GitHub issue](https://github.com/coder/internal/issues/new?title=request%28orgs%29%3A+request+title+here&labels=["customer-feedback"]&body=please+enter+your+request+here) |
| 136 | +with your suggestion or request. |
| 137 | + |
| 138 | +## Managing Organizations at Scale |
| 139 | + |
| 140 | +Using ClickOps to onboard new organizations, set quotas, and SSO sync can be |
| 141 | +cumbersome, especially if you want to "seed" organizations with provisioners and |
| 142 | +starter templates. |
| 143 | + |
| 144 | +Support for managing Organizations via the coderd Terrafom provider is planned |
| 145 | +so that this can be done declaratively and bulk updates to things like templates |
| 146 | +and quotas can be performed easily: |
| 147 | + |
| 148 | +- Issue |
| 149 | + [coder/terraform-provider-coderd#39](https://github.com/coder/terraform-provider-coderd/issues/39) |
0 commit comments