Slide 1

Slide 1 text

Integrating Infrastructure as Code into a Continuous Delivery Pipeline Considerations, Best Practices & Patterns Adarsh Shah & Matt Kuritz Contino - Enterprise DevOps and Cloud Transformation Consultancy @ShahAdarsh & @_kuritz Deck: http://bit.ly/IaC-CD

Slide 2

Slide 2 text

Who are we? Adarsh Shah, Principal Consultant (@ShahAdarsh); Matt Kuritz, Senior Consultant (@_kuritz)

Slide 3

Slide 3 text

@ShahAdarsh @_kuritz Infrastructure as Code Infrastructure as Code (IaC) is the approach that takes proven coding techniques used by software systems and extends them to infrastructure.

Slide 4

Slide 4 text

Challenges without IaC
• Configuration issues
• Repeatability
• Human error
• Time to complete

Slide 5

Slide 5 text

Continuous Delivery Continuous Delivery is the ability to get changes of all types—including new features, configuration changes, bug fixes and experiments—into production, or into the hands of users, safely and quickly in a sustainable way. - Jez Humble

Slide 6

Slide 6 text

Continuous Delivery (diagram)

Slide 7

Slide 7 text

Considerations & best practices when integrating IaC into a CD pipeline

Slide 8

Slide 8 text

Source Control

Slide 9

Slide 9 text

Source Control
• Everything in source control
• Code accessibility
• Modularize
• Collaboration!!
• Code/test as documentation

Slide 10

Slide 10 text

Source Control (diagram)

Slide 11

Slide 11 text

Infra as Code testing: Test Pyramid (bottom to top)
• Static Analysis: terraform validate, TFLint, puppet parser validate
• Unit: bats, chefspec
• Smoke w/ dummy app: Selenium
• Integration: inspec, goss
Brittleness, cost, maintenance and duration all increase toward the top of the pyramid.

Slide 12

Slide 12 text

Security Patterns
• CIS benchmark automation
• Building hardening policies
• Static scanning

Slide 13

Slide 13 text

Security Considerations
• Dynamic scanning
• Secrets management
• Artifact signing & verification

Slide 14

Slide 14 text

Compliance
• Finance, Healthcare & other regulated industries
• SOX, HIPAA, PCI DSS, and PII handling requirements
• Compliance as Code: code instead of paperwork
• Chef InSpec, HashiCorp Sentinel (Policy as Code)

Slide 15

Slide 15 text

Compliance as Code using HashiCorp Sentinel. Example policy: ensure that modification of critical data can only be performed by authorized sysops with valid MFA.
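The static-analysis stage of the test pyramid, the static scanning on the Security Patterns slide, the secrets-management point, and the Sentinel MFA policy above all reduce to the same mechanism: read the Terraform plan before `terraform apply` and fail the pipeline on a policy violation. The following is an added example, not the presenters' code and not Sentinel: a small policy-as-code gate in Python over the JSON that `terraform show -json` emits. The plan fragment, the bucket name `payments-ledger` used as "critical data", and the resource addresses are constructed for the example.

```python
"""Policy-as-code gate run over `terraform show -json plan.tfplan` output.

Added example for this deck (not the presenters' code): it stands in for the
static-analysis, static-scanning and Sentinel stages on the surrounding slides.
"""
import json
import re

# Assumption: these are the buckets the slide calls "critical data".
CRITICAL_BUCKET_ARNS = ("arn:aws:s3:::payments-ledger",)
# IAM actions that modify S3 data, or wildcards that would cover them.
MUTATING_ACTION = re.compile(r"^(s3:(Put|Delete)\w*|s3:\*|\*)$")
# Attribute names that should never carry a literal value in a plan.
SECRET_ATTR = re.compile(r"password|secret|token|private_key", re.IGNORECASE)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _after(res):
    # `after` is None for resources being destroyed.
    return res["change"].get("after") or {}


def check_open_ssh(res):
    """Flag security-group ingress that exposes port 22 to the whole internet."""
    findings = []
    for rule in _after(res).get("ingress") or []:
        world = "0.0.0.0/0" in (rule.get("cidr_blocks") or [])
        if world and rule["from_port"] <= 22 <= rule["to_port"]:
            findings.append(f"{res['address']}: port 22 open to 0.0.0.0/0")
    return findings


def check_mfa_for_critical_data(res):
    """Allow statements that can modify critical buckets must require MFA."""
    findings = []
    doc = json.loads(_after(res).get("policy") or "{}")
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        critical = any(r == "*" or r == a or r.startswith(a + "/")
                       for r in resources for a in CRITICAL_BUCKET_ARNS)
        mutates = any(MUTATING_ACTION.match(a) for a in _as_list(st.get("Action", [])))
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if critical and mutates and str(mfa).lower() != "true":
            findings.append(f"{res['address']}: modifies critical data without "
                            "aws:MultiFactorAuthPresent condition")
    return findings


def check_hardcoded_secrets(res):
    """A literal password/token in the plan means it is committed in code."""
    return [f"{res['address']}: attribute '{k}' carries a literal secret"
            for k, v in _after(res).items()
            if SECRET_ATTR.search(k) and isinstance(v, str) and v]


def evaluate_plan(plan):
    """Return every policy violation in the plan; an empty list means 'apply'."""
    findings = []
    for res in plan.get("resource_changes", []):
        if res["type"] == "aws_security_group":
            findings += check_open_ssh(res)
        if res["type"] in ("aws_iam_policy", "aws_iam_role_policy"):
            findings += check_mfa_for_critical_data(res)
        findings += check_hardcoded_secrets(res)
    return findings


def _policy(statement):
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed plan fragment in the `terraform show -json` shape, not a real plan.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_iam_policy.ledger_writer_no_mfa", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"policy": _policy(
         {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
          "Resource": "arn:aws:s3:::payments-ledger/*"})}}},
    {"address": "aws_iam_policy.ledger_writer", "type": "aws_iam_policy",
     "change": {"actions": ["update"], "after": {"policy": _policy(
         {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
          "Resource": "arn:aws:s3:::payments-ledger/*",
          "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}})}}},
    {"address": "aws_db_instance.ledger", "type": "aws_db_instance",
     "change": {"actions": ["create"], "after": {"engine": "postgres", "password": "hunter2"}}},
    {"address": "aws_db_instance.old", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    violations = evaluate_plan(SAMPLE_PLAN)
    for v in violations:
        print("FAIL", v)
    raise SystemExit(1 if violations else 0)
```

Run against the constructed plan it blocks three changes (the world-open bastion, the MFA-less writer policy and the literal database password) and lets the MFA-conditioned policy and the destroy through. In a real pipeline the plan would come from `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan`, and the secret check is a name heuristic only: the durable fix is to source the password from a secrets manager so no literal ever reaches the plan.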

Slide 16

Slide 16 text

Patterns for Provisioning
• Immutable VMs
• Containerized Services
• Base Image & App Pull

Slide 17

Slide 17 text

Immutable VMs
• Infra Module: multitier app w/ cache cluster
• Loosely coupled
• App image consumed by the infrastructure module

Slide 18

Slide 18 text

Immutable VMs (pipeline diagram; labels recovered from the slide)
• Application track: Continuous Integration (Unit Tests, Static Analysis, Security), App Tests, Int. Tests, AMI publish
• Infrastructure track: pull the application AMI, Testing & Validation in Ephemeral Environments (Security, Int. Tests, Compliance), Publish & Deploy

Slide 19

Slide 19 text

Containerized Services
• Infra Module: container management system
• Fully decoupled from apps
• Apps are deployed with the container management system's own tools

Slide 20

Slide 20 text

Containerized Services (pipeline diagram; labels recovered from the slide)
• Application track: Continuous Integration (Unit Tests, Static Analysis), App Tests, Scan, Sign, push to ECR, Publish & Deploy (image pulled from ECR)
• Infrastructure track: Testing & Validation in an Ephemeral Environment (Security, Compliance, Int. Tests)

Slide 21

Slide 21 text

Base Image & App Pull
• Infra Module: app servers
• VMs pull the app on deploy, or on app update
• Anti-pattern: allowing long-lived VMs (they drift from the tested base image)

Slide 22

Slide 22 text

Base Image & App Pull (pipeline diagram; labels recovered from the slide)
• Application track: Continuous Integration (Unit Tests, Static Analysis), Security, App Tests, Publish & Deploy
• Infrastructure track: pull the base AMI, Testing & Validation in Ephemeral Environments (Security, Int. Tests, Compliance); VMs pull the application on deploy
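In all three patterns the infrastructure pipeline's "pull" step consumes an artifact (AMI or container image) that the application pipeline published after its Security, Compliance and Int. Tests gates, and the Security Considerations slide asks for that artifact to be signed and verified. The following is an added example, not the presenters' code: a promotion gate that refuses to deploy unless the artifact is referenced by an immutable identifier, the bytes pulled match the recorded digest, every required gate is recorded as passed, and the publish manifest has not been altered since it was signed. HMAC-SHA256 with a key shared between the CI publisher and the deploy stage stands in for the public-key signature (cosign, GPG) a real pipeline would use; the manifest layout, gate names, registry name and key are assumptions for the example.

```python
"""Promotion gate for the infrastructure pipeline's "pull" step.

Added example (not the presenters' code). Before an AMI or container image
published by the application pipeline is deployed, check that it is
referenced immutably, that its bytes match the recorded digest, that the
required gates passed, and that the manifest is unchanged since signing.
"""
import hashlib
import hmac
import json
import re

# Gate names assumed for the example; they mirror the stages on the slides.
REQUIRED_GATES = ("unit_tests", "static_analysis", "security", "app_tests", "int_tests")
IMMUTABLE_AMI = re.compile(r"^ami-[0-9a-f]{8,17}$")
IMMUTABLE_IMAGE = re.compile(r"^[^@]+@sha256:[0-9a-f]{64}$")


def canonical(manifest):
    """Deterministic bytes so publisher and deployer authenticate the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    # HMAC-SHA256 with a key shared by the CI publisher and the deploy stage.
    # Stand-in for a public-key signature (cosign, GPG); the checks in
    # promote() do not change when a different scheme is swapped in.
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, tag, key):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def is_immutable_ref(ref):
    """Reject mutable references such as `repo:latest` or an AMI name filter."""
    return bool(IMMUTABLE_AMI.match(ref) or IMMUTABLE_IMAGE.match(ref))


def promote(manifest, tag, artifact_bytes, key):
    """Return (ok, reasons); ok is True only when every check passes."""
    reasons = []
    if not verify_manifest(manifest, tag, key):
        reasons.append("manifest signature does not verify")
    if not is_immutable_ref(manifest.get("ref", "")):
        reasons.append(f"artifact reference is not immutable: {manifest.get('ref')!r}")
    actual = "sha256:" + hashlib.sha256(artifact_bytes).hexdigest()
    if actual != manifest.get("digest"):
        reasons.append("pulled bytes do not match recorded digest")
    missing = [g for g in REQUIRED_GATES if manifest.get("gates", {}).get(g) != "pass"]
    if missing:
        reasons.append("gates not passed: " + ", ".join(missing))
    return (not reasons, reasons)


# --- constructed demo data: no real registry, AMI or key ---
DEMO_KEY = b"ci-shared-key-for-demo-only"
DEMO_IMAGE = b"pretend these bytes are the container image"  # constructed
DEMO_DIGEST = "sha256:" + hashlib.sha256(DEMO_IMAGE).hexdigest()

GOOD_MANIFEST = {
    "ref": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments@" + DEMO_DIGEST,
    "digest": DEMO_DIGEST,
    "gates": {g: "pass" for g in REQUIRED_GATES},
}
GOOD_TAG = sign_manifest(GOOD_MANIFEST, DEMO_KEY)


def demo_results():
    """Run the gate over the good manifest and three ways it can go wrong."""
    tampered = dict(GOOD_MANIFEST, gates=dict(GOOD_MANIFEST["gates"], security="fail"))
    mutable = dict(GOOD_MANIFEST, ref="123456789012.dkr.ecr.us-east-1.amazonaws.com/payments:latest")
    return {
        "good": promote(GOOD_MANIFEST, GOOD_TAG, DEMO_IMAGE, DEMO_KEY),
        # Gate result edited after signing: signature mismatch and a failed gate.
        "tampered_gates": promote(tampered, GOOD_TAG, DEMO_IMAGE, DEMO_KEY),
        # Publisher signed a manifest that points at a mutable tag.
        "mutable_ref": promote(mutable, sign_manifest(mutable, DEMO_KEY), DEMO_IMAGE, DEMO_KEY),
        # Registry (or someone on the path) served different bytes.
        "wrong_bytes": promote(GOOD_MANIFEST, GOOD_TAG, DEMO_IMAGE + b"x", DEMO_KEY),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in demo_results().items():
        print(f"{name}: {'PROMOTE' if ok else 'BLOCK'} {reasons}")
```

The immutable-reference check is what makes the "Anti-pattern: long-lived VMs" and `:latest` problems visible in the pipeline rather than in production: a manifest that names `payments:latest` or an AMI name filter can resolve to different bytes on every deploy, so the gate refuses it even when its signature is valid.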

Slide 23

Slide 23 text

People & Process
• Enables teams to interact
• Infra, Security, Compliance, QA and other teams work together
• Improvement in processes
• Faster feedback

Slide 24

Slide 24 text

Inspection (diagram: Infra, Compliance, Security, Production)

Slide 25

Slide 25 text

Building Quality In (diagram: Infra, Compliance, Security, Production)

Slide 26

Slide 26 text

Summary
• Infrastructure as Code
• Continuous Delivery
• Considerations & best practices when integrating IaC into CD: Source Control, Testing, Security, Compliance
• Patterns for Provisioning
• Build and Deploy pipelines
• People & Process

Slide 27

Slide 27 text

Questions Adarsh Shah & Matt Kuritz Contino - Enterprise DevOps and Cloud Transformation Consultancy @ShahAdarsh & @_kuritz Deck: http://bit.ly/IaC-CD