
Scaling Infrastructure as Code to Improve Delivery & Maintain Security

We started practicing infrastructure as code for public cloud resources and have extended its use to on-premise infrastructure. With open source tools, we can start our journey and automate some of our configuration. As we grow, however, we run into problems of configuration conflicts, growing infrastructure dependencies, rising public cloud expenses, and auditing of our changes. How can we proactively address questions around security, audit, collaboration, and cost for our infrastructure? In this talk, we investigate the answers to questions around collaboration, dependency management, security, auditing, and cost by scaling our hybrid infrastructure as code.


Rosemary Wang

April 21, 2020



  1. Scaling Infrastructure as Code to Improve Delivery & Maintain Security

    April 21, 2020 | #CTOAVC Copyright © 2019 HashiCorp
  2. “Above the Line” / “Below the Line”

  3. The Transition to Hybrid IT

    Traditional Datacenter (“Static”) → Modern Datacenter (“Dynamic”)
    Dedicated Infrastructure + Private Cloud + AWS + Azure + GCP + ...
    Systems of Record / Systems of Engagement
  4. “Above the Line” / “Below the Line”

  5. Rosemary Wang, Developer Advocate at HashiCorp (@joatmon08, joatmon08, linkedin.com/in/rosemarywang)

  6. Infrastructure as Code?

  7. Scaling Infrastructure as Code?

  8. Deliver Quickly: Continuous Integration/Delivery/Deployment, Automated Testing

    Develop Consistently: Development Model, Code/Dependency Management
    Deploy Securely: Security as Code, Policy as Code

  9. Deliver Quickly: Continuous Integration/Delivery/Deployment & Automated Testing

  10. Choose Your Continuous * Journey

    Integration: 1. Change staging. 2. Run tests. 3. Review change. 4. Approve review. 5. Change production. 6. Run tests.
    Delivery: 1. Change staging. 2. Run tests. 3. Review change. 4. If approved, push to production. 5. Run tests.
    Deployment: 1. Change staging. 2. Run tests. 3. If tests pass, push to production. 4. Run tests.
  11. Choose Your Continuous * Journey

    Integration: Deliver When Possible
    Delivery: Deliver on Schedule
    Deployment: Always Deliver
    From Integration toward Deployment: Larger Blast Radius → Smaller Blast Radius; Challenging Rollback → Well-Defined Rollback; Low Rate of Change → High Rate of Change
  12. Automated Testing (test pyramid, top to bottom): Manual, End to End, Integration, Contract, Unit


  14. Develop Consistently: Development Model & Code/Dependency Management

  15. Development Model

    Trunk-Based Development: Deploy to Staging before Production, or Deploy to Production and Rollback on Failure
    Feature Branching: Staging Infrastructure per Branch, or Staging Infrastructure dedicated to Branches
  16. Development Model

    Trunk-Based Development: Dynamic Infrastructure, Minimal Provisioning Time, Immutable Infrastructure, Higher Rate of Change, Knowledge of Automated Testing
    Feature Branching: Static Infrastructure, Longer Provisioning Cycle, Critical Infrastructure, Lower Rate of Change, Knowledge of Git
  17. Code Management: Identify Bounded Contexts & Modularize

    ▪ Blast radius
    ▪ Rate of change
    ▪ Scope of responsibility
    ▪ Ease of management
  18. Dependency Management: Sharing Standard Configuration

    ▪ Version configurations
    ▪ Maintain schema for inputs and outputs
    ▪ Distribute for self-service
    ▪ Develop common architecture
  19. Mono- vs. Multi-Repository

    Monorepo: reference locally
    Multi-repository: reference remotely

    CODE EDITOR
      # Remote module reference from a private registry, pinned to a version
      module "vaulthelm" {
        source  = "app.terraform.io/hashicorp-team-demo/vaulthelm/google"
        version = "0.9.0"
      }
  20. Deploy Securely: Security as Code, Policy as Code

  21. Known knowns: Testing
    Known unknowns: Monitoring
    Unknown knowns: Siloed Knowledge
    Unknown unknowns: Observability
  22. Evolutionary Architecture: support scale in organization and systems (thoughtworks.com/books/building-evolutionary-architectures)

  23. Security or Policy as Code

    CODE EDITOR
      import "tfplan/v2" as tfplan

      # Every database firewall rule must define both ends of its IP range.
      # database_firewall_rules is a filtered collection defined earlier in
      # the policy (not shown on the slide).
      database_only_has_non_permissive_firewall_rules = rule {
        all database_firewall_rules as firewall_rule {
          firewall_rule.values.start_ip_address is not "" and
          firewall_rule.values.end_ip_address is not ""
        }
      }

      # Every resource that exposes a tags field must actually set it.
      # resources_with_tag_field is likewise defined earlier in the policy.
      resources_with_tag_field_have_defined_tags = rule {
        all resources_with_tag_field as resource {
          resource.values.tags is not null
        }
      }
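The slide's two Sentinel rules, re-expressed as an added Python gate over the JSON that `terraform show -json tfplan` emits (example code added here, not from the talk or from HashiCorp). The `azurerm_mssql_firewall_rule` type and the sample plan are assumptions, since the slide does not show how `database_firewall_rules` and `resources_with_tag_field` are filtered.

```python
"""Added example, not from the slides: the two Sentinel rules on slide 23 re-expressed
in Python over `terraform show -json tfplan` output, for CI jobs without Sentinel.
The resource type name and the sample plan are constructed assumptions."""

# Assumed type of the database firewall rule resource (the slide does not name it).
DATABASE_FIREWALL_TYPES = {"azurerm_mssql_firewall_rule"}

def iter_resources(module):
    """Yield every planned resource in a module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def database_only_has_non_permissive_firewall_rules(plan):
    """Mirror of the Sentinel rule: start and end IP must both be non-empty."""
    violations = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res["type"] in DATABASE_FIREWALL_TYPES:
            vals = res.get("values", {})
            if not vals.get("start_ip_address") or not vals.get("end_ip_address"):
                violations.append(res["address"])
    return violations

def resources_with_tag_field_have_defined_tags(plan):
    """Mirror of the Sentinel rule: a resource exposing `tags` must not leave it null."""
    violations = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        vals = res.get("values", {})
        if "tags" in vals and vals["tags"] is None:
            violations.append(res["address"])
    return violations

def evaluate(plan):
    """Run every rule; the plan passes only when no rule reports a violation."""
    results = {
        "database_only_has_non_permissive_firewall_rules": database_only_has_non_permissive_firewall_rules(plan),
        "resources_with_tag_field_have_defined_tags": resources_with_tag_field_have_defined_tags(plan),
    }
    return all(not v for v in results.values()), results

# Constructed sample plan, trimmed to the fields the rules read; module.db holds the violation.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "azurerm_mssql_firewall_rule.office", "type": "azurerm_mssql_firewall_rule",
         "values": {"start_ip_address": "203.0.113.10", "end_ip_address": "203.0.113.20"}},
        {"address": "azurerm_resource_group.app", "type": "azurerm_resource_group",
         "values": {"name": "rg-app", "tags": None}}],
    "child_modules": [{"address": "module.db", "resources": [
        {"address": "module.db.azurerm_mssql_firewall_rule.open", "type": "azurerm_mssql_firewall_rule",
         "values": {"start_ip_address": "10.0.0.1", "end_ip_address": ""}}]}]}}}
```

In a pipeline, load the real plan with `json.load` and fail the step when `evaluate` returns `False`, so a non-compliant plan never reaches `terraform apply`.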
  25. Infrastructure as Code enables self-service engagement with a system

  26. Scaling Infrastructure as Code means normalizing patterns across an organization

  27. Resources

    Cloud Operating Model: hashicorp.com/cloud-operating-model
    Terraform Cloud: app.terraform.io/signup/account
    Learn Terraform Cloud: learn.hashicorp.com/terraform/cloud-gettingstarted/tfc_overview
    TDD for Infrastructure: hashicorp.com/resources/test-driven-development-tdd-for-infrastructure
    Structuring Terraform Configuration for Production: hashicorp.com/blog/structuring-hashicorp-terraform-configuration-for-production
    Evolving Your Infrastructure with Terraform: hashicorp.com/resources/evolving-infrastructure-terraform-opencredo
  28. Rosemary Wang, Developer Advocate at HashiCorp (@joatmon08, joatmon08, linkedin.com/in/rosemarywang)

    Thank you!