
ADDO - Integrating Infrastructure as Code into a Continuous Delivery Pipeline

Adarsh Shah
November 06, 2019


Infrastructure as Code (IaC) is the approach that takes proven coding techniques used by software systems and extends them to infrastructure. It is one of the key DevOps practices that enables teams to deliver infrastructure rapidly, reliably and at scale, and thereby also software running on that infrastructure.

The primary goal of Continuous Delivery (CD) is to ensure that the software can be reliably released at any time, and integrating IaC into the CD pipeline helps further that goal.

Adarsh Shah has helped organizations from various domains adopt IaC & CD. In this presentation, he will talk about benefits & challenges of integrating Infrastructure as Code into a Continuous Delivery pipeline, best practices/patterns to be used & any other aspects to consider.


Transcript

  1. Integrating Infrastructure as Code into a Continuous Delivery Pipeline: Considerations & Best Practices. Adarsh Shah, Technology Leader, Coach, Hands-on Architect, Independent Consultant. @shahadarsh, shahadarsh.com

  2. We are going to cover:
     • Infrastructure as Code
     • Continuous Delivery
     • Considerations & best practices when integrating IaC to CD:
       • Source Control
       • Testing
       • Security
       • Compliance
       • Patterns for Provisioning
       • Build and Deploy pipelines
       • GitOps
       • People & Process

  3. Infrastructure as Code: Infrastructure as Code (IaC) is the approach that takes proven coding techniques used by software systems and extends them to infrastructure.

  4. Challenges without IaC:
     • Configuration Drift
     • Snowflake Servers
     • Human Error
     • Time to Complete

  5. Continuous Delivery: "Continuous Delivery is the ability to get changes of all types—including new features, configuration changes, bug fixes and experiments—into production, or into the hands of users, safely and quickly in a sustainable way." - Jez Humble

  6. Continuous Delivery (diagram)

  7. Considerations & Best Practices

  8. Source Control

  9. Source Control:
     • Everything in source control
     • Code accessibility
     • Modularize
     • Version the Modules
     • Collaboration!!
     • Code/test as documentation

  10. Infra as Code testing (Infra as Code Test Pyramid), test levels and tools:
     • Static Analysis: terraform validate, TFLint, puppet parser validate
     • Unit: bats, chefspec
     • Integration: inspec, goss
     • Smoke: w/ dummy app, Selenium
     Labels along the side of the pyramid: Brittle, Cost, Maintenance, Duration.

  11. Security Patterns:
     • CIS benchmark automation
     • Building hardening policies
     • Static scanning

  12. Security Considerations:
     • Dynamic scanning
     • Secrets management
     • Artifact signing & verification

  13. Compliance:
     • Finance, Healthcare & other industries
     • SOX, PII, HIPAA, PCI, GDPR
     • Compliance as Code - Code instead of Paperwork
     • Chef InSpec, HashiCorp Sentinel (Policy as Code)

  14. Compliance as Code using HashiCorp Sentinel: ensure that modification of critical data can only be performed by authorized sysops with valid MFA.

  15. Patterns for Provisioning:
     • Immutable VMs
     • Containerized Services
     • Base Image & App Pull

  16. Immutable VMs:
     • Infra Module - Multitier App
     • Loosely Coupled
     • App Image consumed by Infrastructure Module

  17. Immutable VMs (pipeline diagram with Infrastructure and Application tracks). Stages: Continuous Integration (Unit Tests, Static Analysis, Security), Testing & Validation in Ephemeral Environments (Int. Tests, App Tests, Security, Compliance), Publish & Deploy of the AMI; the infrastructure side pulls the published AMI.

  18. Containerized Services:
     • Infra Module - Container Management System
     • Fully Decoupled from Apps
     • Apps are deployed with Container Management System specific tools

  19. Containerized Services (pipeline diagram with Infrastructure and Application tracks). Stages: Continuous Integration (Unit Tests, Static Analysis), Scan, Sign, publish to ECR, Testing & Validation in an Ephemeral Environment (App Tests, Int. Tests, Security, Compliance), Publish & Deploy (images pulled from ECR).

  20. Base Image & App Pull:
     • Infra Module - App Servers
     • VMs pull app on deploy, or app update
     • Anti-Pattern: Allowing Long-Lived VMs

  21. Base Image & App Pull (pipeline diagram with Infrastructure and Application tracks). Stages: Continuous Integration (Unit Tests, Static Analysis, Security), Testing & Validation in Ephemeral Environments (Int. Tests, App Tests, Security, Compliance), Publish & Deploy of the base AMI; VMs pull the base AMI and then pull the application.

  22. GitOps:
     • Source Control as a System of Record
     • Operations by Pull Request
     • Repeatable, Predictable, Auditable & Accessible

  23. GitOps Workflow: Create Pull Request triggers Static Analysis, Terraform Plan, Int Tests, Compliance and Security checks; Approve Pull Request triggers Terraform Apply.
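As an added example (not the speaker's code, and a Python stand-in rather than Sentinel itself), here is the slide 14 policy implemented as the Compliance step that sits between Terraform Plan and Approve Pull Request in the GitOps workflow above: it reads the JSON form of a Terraform plan (`terraform show -json planfile`) and blocks changes to critical resource types unless the run context says the requester is an authorized sysop who passed MFA. CRITICAL_TYPES, AUTHORIZED_SYSOPS and the run-context fields `principal` and `mfa_authenticated` are assumptions, and the sample plan is constructed.

```python
import json

# Assumed policy inputs (constructed for this example, not from the talk).
CRITICAL_TYPES = {"aws_db_instance", "aws_s3_bucket", "aws_kms_key"}
AUTHORIZED_SYSOPS = {"alice", "bob"}
MUTATING_ACTIONS = {"create", "update", "delete"}  # "no-op"/"read" change nothing

def critical_changes(plan: dict) -> list:
    """Resource changes from `terraform show -json` that mutate a critical type."""
    return [
        rc for rc in plan.get("resource_changes", [])
        if rc["type"] in CRITICAL_TYPES
        and MUTATING_ACTIONS & set(rc["change"]["actions"])
    ]

def evaluate(plan: dict, run_context: dict) -> list:
    """Return violations (empty list = pass). run_context is assumed to be
    supplied by the pipeline: who opened the run and whether they passed MFA."""
    changes = critical_changes(plan)
    if not changes:
        return []                       # nothing critical is touched
    principal = run_context.get("principal")
    reasons = []
    if principal not in AUTHORIZED_SYSOPS:
        reasons.append(f"{principal!r} is not an authorized sysop")
    if not run_context.get("mfa_authenticated", False):
        reasons.append(f"{principal!r} has no valid MFA for this run")
    return [
        f"{rc['address']}: {'/'.join(rc['change']['actions'])} blocked ({r})"
        for rc in changes for r in reasons
    ]

# Constructed sample plan in the shape of `terraform show -json planfile`.
SAMPLE_PLAN = json.loads("""{
  "format_version": "0.1",
  "resource_changes": [
    {"address": "aws_db_instance.orders", "type": "aws_db_instance",
     "change": {"actions": ["update"]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"]}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["delete", "create"]}}
  ]
}""")

if __name__ == "__main__":  # sample run: one violation, MFA missing
    print(evaluate(SAMPLE_PLAN, {"principal": "alice", "mfa_authenticated": False}))
```

A non-empty result is what the pipeline should turn into a failed Compliance check so the pull request cannot be approved.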
  24. People & Process:
     • Enables teams to interact
     • Infra, Security, Compliance, QA etc. teams work together
     • Improvement in processes
     • Faster feedback

  25. Inspection (diagram): Infra, Compliance, Security, Production

  26. Building Quality In (diagram): Infra, Compliance, Security, Production

  27. Summary:
     • Infrastructure as Code
     • Continuous Delivery
     • Considerations & best practices when integrating IaC to CD:
       • Source Control
       • Testing
       • Security
       • Compliance
       • Patterns for Provisioning
       • Build and Deploy pipelines
       • GitOps
       • People & Process

  28. Questions on Slack #2019addo-ci-cd. Adarsh Shah, Technology Leader, Coach, Hands-on Architect, Independent Consultant. @shahadarsh, shahadarsh.com