Lessons from building an Internal . . . Platform

on-call CRITICAL VULN PAGES ALERT #423: Critical Exploit in Flarelang v1.5.1 and lower detected. now

on-call disrupts

on-call mission

on-call identify every on-call engineer of every service we run publicly mission

affected teams and codebases 100% Platform Team Mapping the impact

affected teams and codebases 95% Platform Team Mapping the impact

affected teams and codebases 63% 32% Platform Team Mapping the impact

find a way to reach the 63% mission

Principal Site Reliability Engineer, Internal Platform and Services he / him @martinb3 Martin Smith

find who is running the latest release of Nomad mission

Senior Developer Advocate, Infrastructure & Orchestration he / him @ksatirli Kerim Satirli

func main() { services := []string{"service-1", "service-2", "service-n"} for _, service := range services { } } // identify affected `services` internal_platform.go Collecting the data

affected teams and codebases Platform Team 63% 32% Mapping the impact

Collectors GitHub Incidents Datadog team health service health product health monitors dashboards errors / traces static collectors teams heuristics groupings Platform Team repo contents api data event driven Collecting the data

Rendering the data

Rendering the data

02 Why we are building it

GitHub static Datadog Incidents monitors dashboards errors and traces team health service health product health teams codebases Slack channels repo metadata full source code deploy health Classifying the data

GitHub static Datadog Incidents logging best practices service attribution passing SLOs synthetic monitors team attribution escalation policy silenced incidents incident volume known teams Go versions SDK versions partitions code owners PR templates branch protection secret scanning Classifying the data

problems lots of data = lots of

lots of data = lots of use cases

"A collection of tools, services, and infrastructure components that help developers manage the entire application lifecycle." " "

Attribute Ensure Detect Standardize Are there errors? Has it been deployed recently? Has it been scanned for vulnerabilities? Is it on a recent version? Is it using our standard monitoring? Does it lose alerts? Does it have SLOs, and are they being met? Does it have synthetic monitoring? Are there wake-up monitors? What team owns this? Where is this in GitHub, Slack or PagerDuty? Where are the dashboards? Mapping the problems

How far behind is my service on Go or internal SDKs? How do I enable DR for my service? Engineering Does this service have SLOs and how is it tracking against those SLOs? Is the owner team on-call for this service? SREs Is code scanning enabled on this repository? Is this service subject to PCI controls? Governance Mapping the personas

open and opinionated everyone can submit data everyone can check data one-stop data vending data is ephemeral schemas as safeguards common helpers Mapping the guardrails

What developers need to know and have access to for their job and services. Engineering wants a Developer Platform What leaders need to be aware of related to customer experience and priorization. SRE wants a Reliability Platform What security and systems engineering teams need to understand how operators are supporting their services. Governance wants an Intelligence Platform Mapping the requirements

loose data team health service health product health monitors dashboard errors / traces teams heuristics groupings api data events repo contents structured data product and service teams scenarios and checks service stacks generic assets insights campaigns quality score custom checks . . . profit? better service health

Our definition of "service" is strongly tied to how we operate.

Data Integration Remediation Community Inability to tag Change over time Outreach Making truth consistency of data new tags or data types discovery of data Freshness Critical path Exporting Result Scoring freshness of data volume and scaling structure tradeoffs Problems we solve

03 Looking forward

Automation Reliability Targeting Understanding What PCI-covered repos have a Dependabot warning? What are we doing internally when we run our products? Company-wide SRE use cases — workflows and tiering * Feeding data to AI applications could much it much easier to operate services Future direction

Are we able to handle unexpected situations within our SLO budget?

Does a more complete set of data equate to higher service quality?

Does the company care if a dependency is flaky across many services?

Platform(s) Internal Developer Platform What developers need to know and have access to for their job and services. Reliability Data Platform What leaders need to know to improve our customer experience and feature set. Service Intelligence Platform What Governance need to know to influence on how operators run their services.

clearly define how we run services at HashiCorp goal

Thank you speakerdeck.com/ksatirli