Fair cost allocation in a shared Platform (as a Service)
by David Sterz, Mindcurv
The public cloud mimics the actual organization, departments, teams,products.
Dedicated cloud accounts for teams that are mapped 1:1 to an organisational units
Shared cloud accounts form their own organisational unit(s)
1 Platform Team provides a shared platform and services
20+ Product Teams have dedicated cloud resources, some are shared between them
Business: Provide accurate cloud costs per product to be consumed as part of a Unit Metric Aggregation
Finance: 80%-100% direct cost allocation to cost center codes from public cloud spent across Foundation- and Product Teams
Engineering: Cost ownership through full transparency and enablement to optimize themself towards business KPIs
A central Platform Team is the enabler for the Product Teams to develop value faster and compliant by providing shared platform services as a product (VCS, Container Registry, CI/CD) on a shared deployment target (Kubernetes) along with shared operational services (Dashboarding, Log-management, Metrics, and Tracing + APM, etc.)
The shared platform services are a mix of cloud resources, Kubernetes Deployments and as a 3rd Party SAAS that are consumed by most product teams.
The cloud resources that are needed by the product teams are provisioned by the central platform team into the product teams accounts which frees up the product teams from the heavy lifting and the operational responsibilities so they can focus more on their application development.
While organisational units and the account per team setup gives a good baseline for cost transparency there are various shared costs almost everywhere.
Product Team Accounts
Most costs can be allocated directly to the product team on product level. Higher granularity down to application and sub-service level is achieved through tagging and labeling.
A small percentage of costs occur in every product team account which is part of the platform teams tooling that provide observability, security and compliance services as part of the platform services.
Monitoring Agent per Account as part of shared observability costs
Thread Detection introduced by a central security team
Compliance checks against policies and best practices
Platform Team Accounts
As the platform for the product teams is shared most of the resources in the platform account is shared.
DNS with many records split in nonproduction and production
Secret Management via kubernetes integration with cloud providers secret service