Revise configuration guide best practices and examples

msftadam · web-flow · commit da5e12af065a · 2026-03-09T17:46:41.000-04:00
Updated the date and revised best practices for configuration groups, including recommendations for one-CGS and three-CGS approaches. Added guidelines for designing configuration resources and examples of CGS and CGV payloads.
diff --git a/articles/operator-service-manager/configuration-guide.md b/articles/operator-service-manager/configuration-guide.md
@@ -3,15 +3,86 @@ title: Configuration Group Best Practices for Azure Operator Service Manager
 description: Learn about best practices for configuration groups when you're using Azure Operator Service Manager.
 author: msftadam
 ms.author: adamdor
-ms.date: 06/24/2025
+ms.date: 03/09/2026
 ms.topic: best-practice
 ms.service: azure-operator-service-manager
 ---
 
-# Azure Operator Service Manager best practices for configuration groups
+# Best practices for configuration groups
 
 This article provides Azure Operator Service Manager guidelines to optimize the design of configuration group schemas (CGSs) and the operation of configuration group values (CGVs). Network function (NF) vendors, telco operators, and their partners should keep these practices in mind when onboarding and deploying NFs.
 
+## Configuring group resource approach
+
+Consider the following meta-schema guidelines when you're designing configuration resources:
+
+* First, choose which parameters to expose to the operator.
+  * A rule of thumb is to expose parameters backed by direct operation, such as a helm value.
+  * Surpress parameters backed by another agent, such as `cloudinit` `userdata`.
+* Sort the parameters into site-specific, instance-specific and decurity-specific sets. 
+  * Ensure that parameters don't overlap between CGS resources.
+* Define required versus optional parameters.
+* For optional parameters, define a reasonable default value.
+
+## One-CGS approach
+
+The original recommendation was to use only a single CGS for the entire NF. This approach consolidated site-specific, instance-specific, and security-specific parameters into a single set of configuration group resources. This approach avoided multiple resource sets, except for rare cases where a service had multiple components. Many partners successfully onboarded services using this approach, and it remains supported. However, this approach does not obscure secrets. All configuration values will be stored in resources as plain-text.
+
+## Three-CGS approach
+
+We now recommend that you use at least three CGSs for the entire NF, by organizing parameters into these sets of configuration resource groups:
+
+* Instance-specific parameters**: Examples include timeouts and debug levels.
+  * Uses CGS without secrets
+* Security-specific parameters**: Examples include passwords and certificates. With security-specific parameters, you use Azure Key Vault to store secure values.
+  * Uses CGS without secrets
+* Site-specific parameters**: Examples include IP addresses and unique names.
+  * Uses CGS with secrets
+ 
+## CGS without secrets
+
+This example shows a sample CGS payload defining `abc`, `xyz`, and `qwe` as exposed parameters. Two of the parameters have default values and one is required.
+
+```json
+{ 
+  "type": "object", 
+  "properties": {
+    "abc": { 
+      "type": "integer", 
+      "default": 30
+    }, 
+    "xyz": { 
+      "type": "integer", 
+      "default": 40
+    },
+    "qwe": {
+      "type": "integer"
+    }
+   }
+   "required": "qwe"
+}
+```
+
+## CGV without secrets
+
+This example shows a corresponding CGV input which an operator uses with the prior CGS:
+
+```json
+{
+"qwe": 20
+}
+```
+
+This example shows the resulting CGV resource that Azure Operator Service Manager generates:
+
+```json
+{
+"abc": 30,
+"xyz": 40,
+"qwe": 20
+}
+```
+
 ## Overview of JSON Schema
 
 JSON Schema is an Internet Engineering Task Force (IETF) standard that provides a format for what JSON data is required for an application and how to interact with it. Applying such standards for a JSON document helps you enforce consistency and data validity across JSON data.
@@ -85,73 +156,3 @@ The following rules are applied when you're validating a default value. Consider
 * Where a property value doesn't exist in the input CGV, it's evaluated for a default, along with any children.
 * Where a property value is the `object` type, and neither it nor its key exists in the input CGV, no defaults for the object are evaluated.
 
-## CGS considerations
-
-Over time, the recommended approach to best design CGSs changed.
-
-### One-CGS approach
-
-The original recommendation was to use only a single CGS for the entire NF. This approach consolidated site-specific, instance-specific, and security-specific parameters into a single set of configuration group objects. This approach avoided multiple object sets, except for rare cases where a service had multiple components. Many partners successfully onboarded services by using this approach, and it remains supported.
-
-### Three-CGS approach
-
-We now recommend that you use at least three CGSs for the entire NF, by organizing parameters into these sets of configuration groups:
-
-* **Site-specific parameters**: Examples include IP addresses and unique names.
-* **Instance-specific parameters**: Examples include timeouts and debug levels.
-* **Security-specific parameters**: Examples include passwords and certificates. With security-specific parameters, you use Azure Key Vault to store secure values.
-
-### Designing three-CGS object sets
-
-Consider the following meta-schema guidelines when you're designing three-CGS objects:
-
-* Choose which parameters to expose.
-  
-  A rule of thumb is to expose those parameters by using a direct operation, such as a compute tier or Helm value. Use this approach as opposed to a parameter that another agent acts on, such as `cloudinit` user data.
-* Sort the parameters into site-specific, instance-specific, and security-specific sets.
-* Define required versus optional parameters. For optional parameters, define a reasonable default value.
-* Ensure that parameters don't overlap between CGS objects.
-
-This example shows a sample CGS payload:
-
-```json
-{ 
-  "type": "object", 
-  "properties": {
-    "abc": { 
-      "type": "integer", 
-      "default": 30
-    }, 
-    "xyz": { 
-      "type": "integer", 
-      "default": 40
-    },
-    "qwe": {
-      "type": "integer"
-    }
-   }
-   "required": "qwe"
-}
-```
-
-This example shows a corresponding CGV payload that the operator passes:
-
-```json
-{
-"qwe": 20
-}
-```
-
-This example shows the resulting CGV payload that Azure Operator Service Manager generates:
-
-```json
-{
-"abc": 30,
-"xyz": 40,
-"qwe": 20
-}
-```
-
-## CGV considerations
-
-Before you submit the CGV resource creation, you can validate that the schema and values of the underlying YAML or JSON file match what the corresponding CGS expects. To accomplish that validation, one option is to use the YAML extension for Visual Studio Code.
