Variables and naming standard¶
Consistent naming across all HCS projects makes resources, secrets, and code predictable and searchable. This document is the authoritative reference — when in doubt, check here.
Azure resource naming¶
Pattern¶
| Component | Description | Example values |
|---|---|---|
| type | Resource type prefix (see table below) | kv, rg, vm |
| org | Short org identifier | hcs, tp (TierPoint), ccb (Country Cloud Boy) |
| env | Environment | dev, stg, prd |
| region | Azure region short name | eus (East US), wus (West US), neu (North Europe) |
| instance | Two-digit zero-padded number | 01, 02 |
Examples:
- kv-hcs-prd-eus-01 — Key Vault, HCS org, production, East US, first instance
- rg-hcs-platform-prd-eus-01 — Resource group with optional descriptive segment
- st-hcs-artifacts-prd-eus-01 — Storage account (no hyphens in storage account names — use sthcsartifactsprdeus01)
Storage accounts, Key Vault names, and some other resources have character restrictions. Strip hyphens and shorten where required, but keep the naming intent intact.
Resource type prefixes¶
| Prefix | Resource type |
|---|---|
kv |
Key Vault |
rg |
Resource Group |
vm |
Virtual Machine |
st |
Storage Account |
vnet |
Virtual Network |
nsg |
Network Security Group |
pip |
Public IP Address |
mi |
Managed Identity (user-assigned) |
app |
App Service |
func |
Function App |
acr |
Container Registry |
apim |
API Management |
sql |
Azure SQL Server |
cosmos |
Cosmos DB account |
aks |
AKS cluster |
la |
Log Analytics workspace |
ai |
Application Insights |
sb |
Service Bus |
evh |
Event Hub |
cdn |
CDN profile |
ag |
Application Gateway |
lb |
Load Balancer |
Environment identifiers¶
| Identifier | Use for |
|---|---|
dev |
Development and experimentation |
stg |
Staging, pre-production, UAT |
prd |
Production |
Key Vault secret naming¶
- Format:
lowercase-kebab-case - Be descriptive — the name should tell you what the secret is without a lookup
- Examples:
hcs-github-org-pat,anthropic-api-key,spn-hcs-ado-pipelines-prd-secret - Avoid abbreviations unless they are universally understood (e.g.,
pat,api)
ADO variable group naming¶
- Format:
<project>-<env>-secrets - All lowercase-kebab-case
- Examples:
platform-prd-secrets,ranger-dev-secrets,scout-prd-secrets
GitHub repo naming¶
- Format:
lowercase-kebab-case - Prefix with project family for related repos:
azurelocal-ranger,azurelocal-surveyor - No dots in repo names (they cause issues with some tools)
- Examples:
platform-engineering,azure-scout,hcs-bicep-modules
ADO project naming¶
- Format: Title Case with spaces
- Examples:
Platform Engineering,Azure Local Cloud,TierPoint Automation
PowerShell naming¶
| Element | Convention | Example |
|---|---|---|
| Parameters | $PascalCase |
$VaultName, $SubscriptionId, $DryRun |
| Local variables | $camelCase |
$secretValue, $resourceGroup, $accountName |
| Functions | Verb-Noun with approved verbs |
Get-HCSSecretName, Set-HCSEnvironment |
| Script files | Verb-Noun.ps1 |
Load-HCSEnvironment.ps1, New-HCSRepo.ps1 |
| Constants / config | $PascalCase |
$VaultName = 'kv-hcs-vault-01' |
Required Azure tags¶
Every Azure resource created by HCS must have these tags. Resources without required tags will be flagged in cost and governance reviews.
| Tag | Description | Example |
|---|---|---|
Owner |
Email of the person or team responsible | kris@hybridsolutions.cloud |
Project |
Short project name | platform-engineering |
Environment |
One of: dev, stg, prd | prd |
CostCenter |
Billing identifier | hcs-internal, tierpoint-consulting |
ManagedBy |
How the resource was provisioned | manual, bicep, terraform, ado-pipeline |
Apply tags at resource group level where possible; resources inherit from the group. Override at resource level only when it differs.
az tag update `
--resource-id <resource-id> `
--operation merge `
--tags Owner=kris@hybridsolutions.cloud Project=platform-engineering Environment=prd CostCenter=hcs-internal ManagedBy=manual
Subscription and tenant IDs¶
Subscription ID and Tenant ID are not secrets — they are identifiers. However, they should not be hardcoded in scripts or committed to repos. Load them from environment variables or Key Vault:
AZURE_SUBSCRIPTION_ID— loaded byscripts/Load-HCSEnvironment.ps1AZURE_TENANT_ID— add to Key Vault and Load-HCSEnvironment.ps1 if needed
Config YAML naming¶
Config files use snake_case for all keys, at every nesting level. Never use camelCase or PascalCase in YAML.
# Correct
identity:
accounts:
local_admin_username: hcs-local-admin
local_admin_password: keyvault://kv-hcs-vault-01/account-local-admin-password
active_directory:
domain_name: corp.hybridsolutions.cloud
ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
compute:
azure_local:
cluster_name: hcs-cluster-01
dns_servers:
- 10.0.0.10
- 10.0.0.11
# Wrong — never do this
identity:
accounts:
localAdminUsername: hcs-local-admin # camelCase — prohibited
LocalAdminPassword: ... # PascalCase — prohibited
keyvault:// URI scheme¶
Config YAML files reference Key Vault secrets using the keyvault:// URI scheme. This keeps config files shareable (no actual secrets) while giving scripts a clear signal to resolve the value at runtime.
Examples:
identity:
accounts:
local_admin_password: keyvault://kv-hcs-vault-01/account-local-admin-password
lcm_password: keyvault://kv-hcs-vault-01/account-lcm-password
domain_join_password: keyvault://kv-hcs-vault-01/account-domain-join-password
Scripts resolve these at runtime using Resolve-KeyVaultRef. See scripting standard for the function implementation.
The <vault-name> in the URI should always be kv-hcs-vault-01 unless the project has its own isolated vault documented in docs/identity/overview.md.
Config file bootstrap policy¶
Every repo that uses a config/variables.yml file must also ship a config/variables.example.yml that is committed to the repo. The example file contains all keys with placeholder or safe default values — never real secrets or environment-specific values.
Scripts that require a config file must implement the bootstrap policy: if variables.yml is missing and variables.example.yml exists, copy the example file automatically and prompt the user to fill in their values before re-running.
# config/variables.example.yml
# Copy this file to variables.yml and fill in your environment values.
# variables.yml is gitignored — never commit it.
identity:
accounts:
local_admin_username: hcs-local-admin
local_admin_password: keyvault://kv-hcs-vault-01/account-local-admin-password
compute:
azure_local:
cluster_name: REPLACE-WITH-YOUR-CLUSTER-NAME
dns_servers:
- REPLACE-WITH-DNS-SERVER-1
- REPLACE-WITH-DNS-SERVER-2
The .gitignore for every infrastructure repo must include: