
Copy and Paste Deployments to GitOps

Jemma Hussein Allen

June 05, 2024

Transcript

  1. Jemma Hussein Allen

    ‣ Software Engineering (BSc), Advanced Information Systems (PgCert)
    ‣ Early career - Web developer + all-rounder (eTitle, Sony, Ben & Jerry’s, Tate & Lyle, Glenlivet)
    ‣ Enterprise companies – "DevOps Engineer" -> Senior Engineer -> Tech Lead -> Infrastructure Architect -> Tech Lead
    ‣ Support centralised platform and teams
  2. Keeping up with Tech

    ‣ Tech conferences
    ‣ Blogs / Social Media
    ‣ Knowledge sharing / Hackathons
  3. Tech Radars

    ‣ Darren Smith – Thoughtworks
    ‣ Techniques, tools, platforms, and languages and frameworks
    ‣ Four rings: Adopt, Trial, Assess, Hold
  4. Tech Radars

    ‣ Custom tech radars
    ‣ Helps set technical tooling direction
    ‣ Easy integration & automation
    ‣ Zalando: https://github.com/zalando/tech-radar
    ‣ Backstage: https://github.com/backstage/backstage/tree/master/plugins/tech-radar
  5. InnerSource

    ‣ Tim O’Reilly (O’Reilly Media)
    ‣ Open source software development practices within an organisation
    ‣ Sharing reusable components and effort within a company
  6. CI / CD

    ‣ Continuous Integration (CI)
    ‣ Continuous Delivery (CD)
    ‣ Continuous Deployment (CD)
    ‣ AWS: https://aws.amazon.com/devops/continuous-integration
  7. GitOps

    ‣ Alexis Richardson (Weaveworks CEO)
    ‣ A set of principles for operating and managing software systems
    ‣ Declarative
    ‣ Versioned and Immutable
    ‣ Automatic Pulls
    ‣ Continuous Reconciliation
  8. GitOps with Terraform Cloud

    ‣ HashiCorp’s SaaS solution for Terraform
    ‣ Terraform Cloud <-> GitHub
    ‣ Terraform Cloud <-> AWS
    ‣ Terraform Cloud agents
  9. Terraform Cloud <-> GitHub auth

    resource "tfe_oauth_client" "this" {
      name             = "my-github-oauth-client"
      organization     = "test-org"
      api_url          = "https://api.github.com"
      http_url         = "https://github.com"
      # GitHub personal access token: pass it in as a sensitive variable rather than
      # committing a literal to the repository.
      oauth_token      = "my-vcs-provider-token"
      service_provider = "github"
    }

    https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/oauth_client
  10. Terraform Cloud workspace configuration

    resource "tfe_workspace" "terraform-automation" {
      name         = "terraform-automation"
      # Assumes a tfe_organization "test-org" resource that the slides do not show.
      organization = tfe_organization.test-org.name
      # Continuous Deployment: a merge to main is applied without a manual approval step.
      auto_apply   = true

      vcs_repo {
        branch         = "main"
        identifier     = "test/terraform-automation"
        oauth_token_id = tfe_oauth_client.this.oauth_token_id
      }
    }

    https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/workspace
  11. Terraform Cloud <-> AWS IdP

    # tfc_hostname (e.g. app.terraform.io) and tfc_aws_audience (default
    # aws.workload.identity) are input variables that must be declared alongside this.
    data "tls_certificate" "tfc_certificate" {
      url = "https://${var.tfc_hostname}"
    }

    resource "aws_iam_openid_connect_provider" "tfc_provider" {
      url             = data.tls_certificate.tfc_certificate.url
      client_id_list  = [var.tfc_aws_audience]
      thumbprint_list = [data.tls_certificate.tfc_certificate.certificates[0].sha1_fingerprint]
    }
  12. Terraform Cloud <-> AWS role

    resource "aws_iam_role" "tfc_role" {
      name = "terraform-automation"

      assume_role_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Sid    = "TerraformCloudAccess"
            Effect = "Allow"
            Action = "sts:AssumeRoleWithWebIdentity"
            Principal = {
              Federated = aws_iam_openid_connect_provider.tfc_provider.arn
            }
            Condition = {
              StringLike = {
                "app.terraform.io:aud" = ["aws.workload.identity"]
                # The audience value is shared by every Terraform Cloud customer, so on
                # its own it lets any workspace in any organisation assume this role.
                # Pin the role to this organisation and workspace via the sub claim.
                "app.terraform.io:sub" = ["organization:test-org:project:*:workspace:terraform-automation:run_phase:*"]
              }
            }
          },
        ]
      })
    }
  13. Terraform Cloud <-> AWS permissions

    resource "aws_iam_policy" "tfc_policy" {
      name = "terraform-automation"

      # Demo scope: every S3 action on every bucket in the account. For least
      # privilege, restrict Resource to the demo bucket's ARN and Action to the
      # operations the plan actually performs.
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action   = ["s3:*", "s3-object-lambda:*"]
            Effect   = "Allow"
            Resource = "*"
          },
        ]
      })
    }

    resource "aws_iam_role_policy_attachment" "tfc_policy_attachment" {
      role       = aws_iam_role.tfc_role.name
      policy_arn = aws_iam_policy.tfc_policy.arn
    }
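The security-relevant detail of the trust policy above is the Condition block: IAM only hands out credentials when every condition key matches a claim in the Terraform Cloud run token. The following is an added example, not code from the deck, that models that evaluation in Python for the StringEquals and StringLike operators and runs it against two constructed claim sets: a run from the deck's own test-org/terraform-automation workspace and a run from an unrelated organisation. The account ID, the second organisation name and the claim values are constructed; the sub claim layout (organization:…:project:…:workspace:…:run_phase:…) is the one HashiCorp documents for Terraform Cloud dynamic credentials.

```python
"""Model of how IAM evaluates a role trust policy's Condition block against
OIDC token claims for sts:AssumeRoleWithWebIdentity.

Covers the subset Terraform Cloud dynamic credentials rely on: StringEquals and
StringLike (where '*' matches any run of characters and '?' exactly one),
every condition key must be satisfied, and any one of the values listed for a
key may match. Claim names use the IAM form "<provider-host>:<claim>".
"""
import re

TFC_HOST = "app.terraform.io"


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM StringLike pattern into a case-sensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def match_value(operator: str, pattern: str, value: str) -> bool:
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        return _glob_to_regex(pattern).fullmatch(value) is not None
    raise ValueError(f"unsupported condition operator: {operator}")


def statement_allows(statement: dict, claims: dict) -> bool:
    """True when the statement is an Allow and every Condition key matches."""
    if statement.get("Effect") != "Allow":
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, allowed in keys.items():
            patterns = allowed if isinstance(allowed, list) else [allowed]
            claim = claims.get(key)
            # An absent claim never satisfies a positive string operator.
            if claim is None or not any(match_value(operator, p, claim) for p in patterns):
                return False
    return True


def policy_allows(trust_policy: dict, claims: dict) -> bool:
    return any(statement_allows(s, claims) for s in trust_policy["Statement"])


def trust_policy(restrict_sub: bool) -> dict:
    """Trust policy in the shape of the deck's aws_iam_role, with or without the
    sub condition that pins the role to one organisation and workspace.
    The account ID is a constructed placeholder."""
    condition = {f"{TFC_HOST}:aud": ["aws.workload.identity"]}
    if restrict_sub:
        condition[f"{TFC_HOST}:sub"] = [
            "organization:test-org:project:*:workspace:terraform-automation:run_phase:*"
        ]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TerraformCloudAccess",
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{TFC_HOST}"},
            "Condition": {"StringLike": condition},
        }],
    }


AUD_ONLY = trust_policy(restrict_sub=False)    # only the audience is checked
AUD_AND_SUB = trust_policy(restrict_sub=True)  # audience plus organisation/workspace

# Constructed claim sets, in the form IAM exposes claims from a TFC run token.
OWN_WORKSPACE = {
    f"{TFC_HOST}:aud": "aws.workload.identity",
    f"{TFC_HOST}:sub": "organization:test-org:project:Default Project:workspace:terraform-automation:run_phase:plan",
}
OTHER_ORG = {
    f"{TFC_HOST}:aud": "aws.workload.identity",
    f"{TFC_HOST}:sub": "organization:someone-else:project:Default Project:workspace:any:run_phase:apply",
}

if __name__ == "__main__":
    for name, policy in (("aud only", AUD_ONLY), ("aud + sub", AUD_AND_SUB)):
        print(f"{name:10} own workspace: {policy_allows(policy, OWN_WORKSPACE)}"
              f"  other org: {policy_allows(policy, OTHER_ORG)}")
```

With the audience-only condition both claim sets are accepted, because every Terraform Cloud customer's tokens carry the same aud value and come from the same federated provider; adding the sub pattern is what rejects the run from the other organisation while still admitting every run phase of the intended workspace.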
  14. variables.tf

    variable "demo-bucket-name" {
      type        = string
      description = "Bucket name"
    }

    variable "environment" {
      type        = string
      description = "Environment name"
    }

    variable "bucket_config" {
      type        = map(string)
      description = "Bucket configuration"
    }
  15. terraform.tfvars

    demo-bucket-name = "very-random-name-terraform-automation-bucket"
    environment      = "demo"
    bucket_config = {
      "acl"              = "private"
      "object_ownership" = "BucketOwnerPreferred"
      "versioning"       = "Enabled"
    }
  16. S3 bucket resources

    resource "aws_s3_bucket" "this" {
      bucket = var.demo-bucket-name

      tags = {
        Name        = var.demo-bucket-name
        Environment = var.environment
      }
    }

    resource "aws_s3_bucket_ownership_controls" "this" {
      bucket = aws_s3_bucket.this.id

      rule {
        object_ownership = var.bucket_config.object_ownership
      }
    }

    resource "aws_s3_bucket_acl" "this" {
      # The ACL can only be set once ownership controls permit ACLs.
      depends_on = [aws_s3_bucket_ownership_controls.this]
      bucket     = aws_s3_bucket.this.id
      acl        = var.bucket_config.acl
    }

    # Consumes the "versioning" entry that terraform.tfvars sets in bucket_config.
    resource "aws_s3_bucket_versioning" "this" {
      bucket = aws_s3_bucket.this.id

      versioning_configuration {
        status = var.bucket_config.versioning
      }
    }
  17. Why automate?

    ‣ Easy to scale
    ‣ Easy to standardise across lots of resources
    ‣ Good deployment visibility
    ‣ Team work on the same repo
    ‣ Terraform import for existing resources
    ‣ Drift detection
  18. Other Solutions

    ‣ AWS, GCP, Azure
    ‣ Terraform Cloud, GitHub Actions, GoCD, TeamCity, Harness etc.
    ‣ GitHub, GitLab, Bitbucket
  19. Automation Learnings

    ‣ Continuous Delivery or Continuous Deployment?
    ‣ Same deployment strategy for everything?
    ‣ GitHub <-> Terraform Cloud <-> AWS example
  20. General learnings

    ‣ Runbooks for all production services
    ‣ Multiple levels of support
    ‣ Design monitoring and alerting during development
    ‣ Good on-call and incident management tooling
    ‣ Grafana – status history: https://grafana.com/docs/grafana/latest/panels-visualizations/visualizations/status-history/
    ‣ Opsgenie – on-call schedules: https://support.atlassian.com/opsgenie/docs/build-an-on-call-schedule/
  21. (Blameless) Incident post-mortem

    ‣ What happened to Jo?
    ‣ Incident postmortem
    ‣ Outcome:
      ‣ Least privilege access
      ‣ Regular backup/restore testing
  22. Least privilege principle

    ‣ Cyber security best practice
    ‣ Only give users the minimum privileges required to perform a task
    ‣ Protects the business
    ‣ Protects the employee
  23. Psychological Safety

    ‣ The belief you won't be punished for speaking up with ideas, questions, concerns, or mistakes (Amy Edmondson, The Fearless Organization)
    ‣ One component of high performing teams (Google’s Project Aristotle)
    ‣ How to measure?
  24. Psychological Safety

    ‣ If you make a mistake on this team, it is often held against you.
    ‣ Members of this team can bring up problems and tough issues.
    ‣ People on this team sometimes reject others for being different.
    ‣ It is safe to take a risk in this team.
    ‣ It is difficult to ask other members of this team for help.
    ‣ Working with members of this team my unique skills and talents are valued and utilized.
    ‣ No one on this team would deliberately act in a way that undermines my efforts.

    The Fearless Organization - https://fearlessorganizationscan.com/engage/free-personal-psychological-safety-survey
  25. Psychological Safety

    ‣ How did this help Jo?
    ‣ Jo admitted the mistake
    ‣ Jo participated in the incident post-mortem
  26. Technology evolves quickly

    ‣ Tech radars
    ‣ Thoughtworks – Technology Radar: https://www.thoughtworks.com/insights/blog/birth-technology-radar
    ‣ Zalando: https://github.com/zalando/tech-radar
    ‣ Backstage: https://github.com/backstage/backstage/tree/master/plugins/tech-radar
    ‣ InnerSource
    ‣ GitHub overview: https://resources.github.com/innersource/what-is-innersource
  27. Automate, automate, automate

    ‣ CI / CD
    ‣ AWS: https://aws.amazon.com/devops/continuous-integration/
    ‣ Tailor to your specific use-case
    ‣ GitOps advantages
    ‣ GitHub <-> Terraform <-> AWS demo
    ‣ Terraform Cloud provider: https://registry.terraform.io/providers/hashicorp/tfe/latest/docs
    ‣ GitHub/Terraform Cloud auth: https://developer.hashicorp.com/terraform/cloud-docs/vcs/github
    ‣ AWS/Terraform Cloud auth: https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/aws-configuration
  28. Clear responsibilities

    ‣ Delivery and site reliability solutions
    ‣ Equal Experts Playbook: https://you-build-it-you-run-it.playbook.ee/
    ‣ Importance of runbooks
    ‣ Implement monitoring and alerting during development
    ‣ Grafana: https://grafana.com/docs/grafana/latest/panels-visualizations/visualizations/status-history/
    ‣ Opsgenie: https://support.atlassian.com/opsgenie/docs/build-an-on-call-schedule/
  29. Psychological Safety

    ‣ Blameless incident post-mortems
    ‣ Psychological safety questionnaire
    ‣ The Fearless Organization Scan: https://fearlessorganizationscan.com/engage/free-personal-psychological-safety-survey