Upgrade to Pro — share decks privately, control downloads, hide ads and more …

If you can, doesn’t mean you should - lessons l...

Avatar for Natalie Godec Natalie Godec
October 21, 2022
Technology
0
190

If you can, doesn’t mean you should - lessons learned terraforming clouds

Video: https://www.youtube.com/watch?v=S79nEFZN7xA

We all love automation; the fewer steps needed to get something deployed - the better. Even if it means abstraction layer on top of abstraction layer - we all love our abstraction layers. Terraform, modules, wrappers and orchestration tools allow for an increasingly more sophisticated code - but where do you draw the line?
In this talk, we explore the boundaries of infrastructure as code and look for the balance between abstraction and maintainability.

Avatar for Natalie Godec

Natalie Godec

October 21, 2022
Tweet

Other Decks in Technology

See All in Technology
AIに視覚を与えモバイルアプリケーション開発をより円滑に行う
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
1
780
Kiro のクレジットを使い切る!
Avatar for otanikohei otanikohei2023
0
110
生成AIの利用とセキュリティ /gen-ai-and-security
Avatar for Masayoshi Mizutani mizutani
0
940
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
72k
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.8k
LLM活用の壁を超える:リクルートR&Dの戦略と打ち手
Avatar for Recruit recruitengineers
PRO
1
220
ブラックボックス観測に基づくAI支援のプロトコルのリバースエンジニアリングと再現 ~AIを用いたリバースエンジニアリング~ @ SECCON 14 電脳会議 / Reverse Engineering and Reproduction of an AI-Assisted Protocol Based on Black-Box Observation @ SECCON 14 DENNO-KAIGI
Avatar for chibiegg chibiegg
0
140
どこで打鍵するのが良い? IaCの実行基盤選定について
Avatar for NRI Netcom nrinetcom
PRO
2
160
AIエンジニア Devin と歩む、自律型運用プロセスの構築
Avatar for a2-ito a2ito
0
660
20260305_【白金鉱業】分析者が地理情報を武器にするための軽量なアドホック分析環境
Avatar for Yuya Kaneta yucho147
0
120
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
7k
生成AI活用によるPRレビュー改善の歩み
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
5
2k

Featured

See All Featured
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
Avatar for Kenny Baas-Schwegler baasie
0
240
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
16k
Fireside Chat
Avatar for paigeccino paigeccino
42
3.8k
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.3k
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
1
1.4k
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
220
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
10k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
31
5.8k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
0
120
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
What’s in a name? Adding method to the madness
Avatar for The Alliance productmarketing
PRO
24
4k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
26k

Transcript

  1. If you can, doesn’t mean you should Natalie Godec Staff

    Cloud Engineer Babylon terraform apply --target

  2. Who am I? • Natalie Godec • Cloud/Platform/DevOps/Systems Engineer •

    Interested in Infra, Data and Security • Also photographer • Socials: @ouvessvit

  3. Automation & Abstraction Are Awesome Where do you draw the

    line? twitter: ouvessvit

  4. Here? storage_bucket_access = merge( merge([ for user, access in var.access

    : { for bucket in access.buckets_ro : "${replace(user, ".", "_")}_${bucket}" => { member = "${user}@domain.com" bucket = bucket roles = ["storage.objectViewer"] } } ]...) ) twitter: ouvessvit

  5. Here? storage_bucket_access = merge( merge([ for user, access in var.access

    : { for bucket in access.buckets_ro : "${replace(user, ".", "_")}_${bucket}" => { member = "${user}@domain.com" bucket = bucket roles = ["storage.objectViewer"] } } ]...) ) twitter: ouvessvit

  6. Or here? $ terraform state list | wc -l 2051

    twitter: ouvessvit

  7. Terraform is a configuration language: You describe the desired end

    state of your infra twitter: ouvessvit

  8. • Dependency loops • State drifts • Inconsistency • Security

    holes • “Off the road” implementations Risks: twitter: ouvessvit

  9. Overly complex configurations • kitchen sink in one module •

    attempts at abstracting every use-case • transformations and conditions everywhere twitter: ouvessvit

  10. Procedural flows • local execs • VPC peering (╯°o°)╯︵ ┻━┻

    • K8s on cloud: EKS, GKE, AKS twitter: ouvessvit

  11. All-in-one states • all DBs in one state • all

    IAM roles and policies together • targeted deployments •`_´• twitter: ouvessvit

  12. Define a single point of deployment twitter: ouvessvit

  13. Single points of deployment All the infrastructure needed for a

    service Group of resources used by a single team Standalone, complex infrastructure twitter: ouvessvit

  14. All the infrastructure needed for a service Client profiles: -

    RDS instance - RDS parameter group - Security group - Security group rules - Cloudwatch logs - Cloudwatch alarms - SNS topic for alarms - IAM roles + policies - KMS key twitter: ouvessvit

  15. All the infrastructure needed for a service Client profiles: -

    RDS instance - RDS parameter group - Security group - Security group rules - Cloudwatch logs - Cloudwatch alarms - SNS topic for alarms - IAM roles + policies - KMS key Group of resources used by a single team GCP project for AI team: - The project :) - Network, DNS - Cloud Armour rules - Bigquery datasets - Storage buckets - IAM roles - Cloud Run - Vertex AI twitter: ouvessvit

  16. All the infrastructure needed for a service Client profiles: -

    RDS instance - RDS parameter group - Security group - Security group rules - Cloudwatch logs - Cloudwatch alarms - SNS topic for alarms - IAM roles + policies - KMS key Group of resources used by a single team GCP project for AI team: - The project :) - Network, DNS - Cloud Armour rules - Bigquery datasets - Storage buckets - IAM roles - Cloud Run - Vertex AI Standalone, complex infrastructure module Opensearch cluster: - The cluster (d’oh) - Security group - Security group rules - Cloudwatch logs - Cloudwatch alarms - SNS topic for alarms - IAM roles + policies - KMS key - Lambda for Opensearch config twitter: ouvessvit

  17. Characteristics of components in a single point of deployment •

    change together • evolve together • no conflicts or dependency issues • can be tested and deployed together • independent from the rest of the infrastructure twitter: ouvessvit

  18. Design patterns, guidelines and guardrails twitter: ouvessvit

  19. Design patterns Easy to use, understandable, consistent modules as building

    blocks Clearly documented and communicated standards, integrated in CI/CD Checkov, Terraform Compliance, GCP Org Policies, AWS Config, Azure Policy Guardlines Guardrails twitter: ouvessvit

  20. twitter: ouvessvit CICD integration lvl 1: format and validation

  21. twitter: ouvessvit CICD integration lvl 2: Checkov

  22. twitter: ouvessvit CICD integration lvl 3: Terraform Compliance

  23. twitter: ouvessvit CICD integration lvl 999: Infracost

  24. twitter: ouvessvit

  25. ✧゚Remember KISS ✧゚Always ask “Why?” ✧゚Understandability * credits to Anton

    Babenko twitter: ouvessvit

  26. Thank you twitter: ouvessvit