HashiTalks.pdf

susumutomita

May 28, 2024

Transcript

  1. DENSO's cloud approach: Challenges in cloud and IaC for Japanese manufacturing

    Susumu Tomita, Naomichi Shimazu
    2024/5/22
    © DENSO CORPORATION All Rights Reserved.
  2. Agenda

    1. Introduction
    2. Terraform Implementation Journey
    3. Our Standard Terraform Modules
    4. Enhancing Security Standards
  3. Self Introduction

    Susumu Tomita
    Department: CCoE Section, Digital Innovation Department, Cloud Services R&D Division
    Role: Software Engineer
    About: I joined DENSO in 2018. My current role involves software development for web services and working within the CCoE. I focus on creating software solutions that support our cloud services.

    Naomichi Shimazu
    Department: CCoE Section, Digital Innovation Department, Cloud Services R&D Division
    Role: Software Engineer
    About: I joined DENSO in 2017. Architectural design and construction of web services. Outside of work, I enjoy making and eating sushi!
  4. About DENSO: Embracing Cloud Technology

    • Tech Changes:
      o DENSO is a leader in changing car technology. Cars now make more use of computer technology, for Software-Defined Vehicles, connected cars and so on.
    • Need for New Skills:
      o Many embedded software engineers work at DENSO, but we need to expand our capabilities further.
      o For example, cloud and web technologies.
    • What We Do:
      o Design and implement next-generation cars: safer, easy to use, and integrated with cloud and new technologies.

    Denmaru
  5. Cloud Services R&D Division

    • Division Launch:
      o Our department was established in 2017 to enhance our capabilities in cloud technologies.
    • Diverse Team Composition:
      o Our team includes not only software engineers but also business developers, combining technical and commercial expertise.
    • Collaborative Approach:
      o Our business and development teams work together closely, using a 'trial and error' method to rapidly develop and refine software products.
    • Growth Strategy:
      o We start our projects small and scale them up gradually based on success and learning.
  6. Technology stacks

    • AWS
      • As the backbone of our cloud infrastructure, AWS provides us with the flexibility and scalability necessary for our demanding applications.
    • Terraform
      • We use Terraform extensively for infrastructure as code, which allows us to manage our cloud resources efficiently and reliably.
    • Ruby on Rails
      • While Ruby on Rails is our primary development framework, we are open to integrating other technologies as needed.
    • GitHub
      • For continuous integration and deployment, we use GitHub Actions to automate our software delivery process.
  7. Why did we choose Terraform?

    • Multi-Platform Support
      • Supports AWS and other major cloud platforms.
      • Flexibility to adapt to future changes in cloud strategy.
    • Easy to Find Solutions and Best Practices
      • De facto standard for IaC.
      • Lots of information and case studies available.
    • User-Friendly Documentation
      • Official documentation is easy to navigate.
      • Easy to find how to write the resources you need.
  8. Benefits of Terraform

    • Simplified Infrastructure Management
      • Single command to automatically build entire infrastructure.
      • Removes the risk of human errors and simplifies the process.
    • Reliable and Consistent Setups
      • Thanks to idempotence, setups are reliable and consistent every time.
    • Improved Documentation
      • Automation eliminates the need for separate documentation.
      • Code shows how everything is built and configured.
  9. Challenges with Commercial Products

    • Need for Multiple Environments
      • Environments are required for development, testing, production, performance measurement, and penetration testing.
    • Code Limitations
      • Code was not designed to handle multiple environments. Specifically:
        • Hardcoded Values
        • Directory Structure Issues
  10. Why These Problems Occurred

    • Copying and Pasting Code
    • Partial Changes and Additions
    • Skill Disparity Among Teams
    • Lack of Uniformity in Coding Standards

    [Diagram: Projects A, B, C and D, labelled with Problem A and Problem B]
  11. Standard Terraform Modules

    Given the challenges and inconsistencies across projects, there was a clear need to standardize Terraform usage.

    • All developers can follow best practices for Terraform.
    • The Cloud Services division's products share a similar AWS architecture, so standard modules avoid implementing it from scratch each time.
  12. Detailed Design of Terraform Modules

    • Variable Customization
      o Only essential components can be changed.
    • Hardcoded Settings
      o Critical configurations are hardcoded.
    • Modular Design
      o Services are split into separate modules.
      o Related AWS services, like S3 and CloudWatch for Elastic Beanstalk, are defined in the same module.
    • Easy Updates with Git Submodule
      o Pull the latest code to update modules.
  13. How We Promote Standard Terraform Modules

    • Sample Programs
      o Prepared sample programs to help developers understand the modules.
    • Pair Programming
      o Module designers pair programmed with developers to implement the modules together.
    • InnerSource on GitHub
      o Module code is openly shared on the internal GitHub.
      o Developers can refer to the source code, propose improvements via issues, and submit pull requests.
  14. How We Maintain the Modules

    • Testing and Quality Assurance
      o Maintainers write test code using the `terraform test` command (supported from v1.6).
      o TFLint
      o Static code scanning with Prisma Cloud (CSPM).
    • Keeping Up with AWS
      o Maintainers ensure modules follow the latest AWS specifications.

    [Diagram: Issue / Pull Request exchange between developers ("Please add this option.") and the maintainer ("OK! I add the feature.")]
  15. Impact of Using the Modules

    • Rapid Environment Setup
      o AWS environments can be created in less than a day.
    • Easy Application Deployment
      o Elastic Beanstalk is used for PaaS, making application deployment simple.
      o Easy integration with CI/CD pipelines for each product.
    • Focus on Application Development
      o Developers can focus on application development as modules keep up with the latest AWS specifications.
  16. Promoting Terraform Modules and Discovering Security Issues

    • Promotion of Terraform Modules
      o Encouraged use by teams outside the Cloud Services Development Department.
    • Early AWS Usage Challenges
      o Many struggled with the initial stages of using AWS.
      o Lack of a security baseline for AWS usage.
    • Existing Guidelines
      o Only covered web security, not comprehensive IT services.
    • Security Risks
      o Potential security incidents due to inadequate guidelines.
    • Security Department Challenges
      o Lacked experience with IT services and AWS.
  17. Creating AWS Security Guidelines

    • Development of Security Guidelines
      o Created AWS security guidelines to establish a security baseline.
    • Well-Architected Framework
      o Guidelines based on AWS Well-Architected Framework.
    • Best Practices
      o Following the guidelines ensures best practices for AWS usage.
  18. Integrating Security Guidelines into Terraform Modules

    • Security-Compliant Modules
      o Updated Terraform modules to reflect the security guidelines.
    • Consistent and Secure Environments
      o Terraform modules now create environments that comply with internal regulations.
  19. Examples

    • IMDSv2 Compliance
      o Added WAF rules to prevent SSRF attacks.

    AWSManagedRulesCommonRuleSet
  20. Examples

    • Log Retention
      o Ensured log retention period is at least 180 days through module validation.
  21. Benefits of Security-Compliant Modules

    • Reduced Security Risks
      o Consistent application of security practices.
    • Enhanced Reputation
      o Minimized risks to the company's reputation.
    • Improved Module Evolution
      o Security guidelines inform module updates and enhancements.
  22. Summary

    • Introduction to DENSO's Cloud Journey
      o Overview of challenges and solutions in cloud and IaC implementation.
    • Standardizing Terraform Modules
      o Ensured best practices and avoided redundant efforts.
    • Enhancing Security Standards
      o Addressed the lack of security guidelines and created AWS security guidelines.
    • Integrating Security into Terraform Modules
      o Updated modules to comply with security guidelines.
    • Benefits of Security-Compliant Modules
      o Reduced risks and improved module evolution.
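
The log-retention rule on slide 20 (at least 180 days, enforced through module validation) combined with the `terraform test` practice on slide 14, as an added example that is not DENSO's module code. The variable, resource and file names are hypothetical, the default of 365 is an assumption, and `mock_provider` assumes Terraform v1.7 or later.

```hcl
# variables.tf (added example; variable and resource names are hypothetical)
variable "log_group_name" {
  type        = string
  description = "CloudWatch Logs group name, set by the consuming project."
}

variable "log_retention_days" {
  type        = number
  default     = 365 # assumed default, not taken from the slides
  description = "Log retention in days; the security baseline is at least 180."

  validation {
    # CloudWatch Logs accepts only fixed retention values, so list those >= 180.
    # 0 (never expire) is left out here as a policy assumption.
    condition = contains(
      [180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653],
      var.log_retention_days
    )
    error_message = "log_retention_days must be a CloudWatch-supported value of at least 180."
  }
}

# main.tf
resource "aws_cloudwatch_log_group" "app" {
  name              = var.log_group_name
  retention_in_days = var.log_retention_days
}

# tests/retention.tftest.hcl (run with `terraform test`)
mock_provider "aws" {} # no AWS credentials needed; requires Terraform v1.7+

variables {
  log_group_name = "/example/app" # constructed sample value
}

run "rejects_retention_below_baseline" {
  command = plan
  variables {
    log_retention_days = 90
  }
  expect_failures = [var.log_retention_days] # the validation must reject 90
}

run "default_meets_baseline" {
  command = plan
  assert {
    condition     = aws_cloudwatch_log_group.app.retention_in_days >= 180
    error_message = "Default retention fell below the 180-day baseline."
  }
}
```

Because the check lives in the module's variable, a project that passes a shorter retention fails at `terraform plan` rather than after deployment.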