
IaC :: Lessons Learned from Dev to Ops


My talk from DevOpsCon Berlin 2019 about the lessons I've learned from agile software development that can be applied to infrastructure as code including Terraform unit testing and CloudFormation linting.


  1. IaC :: Lessons Learned from Dev to Ops. Emma Button, @growerofawesome
  2. Trust me, I'm a Developer
  3. Agility: Simplicity, Technical Excellence, Quality, Purpose & Shared Ownership
  4. Simplicity: Code Re-Use
  5. Simplicity: Code Re-Use. Public Libraries, Open Source Communities
  6. Simplicity: where to find reusable code
     • CloudFormation: Sample Templates https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/sample-templates-services-us-west-2.html; AWS Labs https://github.com/awslabs/aws-cloudformation-templates; Code Snippets https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/CHAP_TemplateQuickRef.html
     • Terraform: Module Registry https://registry.terraform.io/
     • Chef: Chef Supermarket https://supermarket.chef.io/
     • Ansible: Module Library https://docs.ansible.com/ansible/latest/modules/list_of_all_modules.html#all-modules
     • Puppet: Puppet Forge https://forge.puppet.com/
  7. Quality: Unit Testing
  8. Quality: Terraform test pipeline
     1. Fetch Terraform code from Git repo
     2. Lint Terraform code
     3. Terraform apply in test env
     4. Install Ruby gems
     5. Run InSpec tests & server validations
     6. Terraform destroy test env
     7. Report results (pass or fail); on pass, continue the pipeline
  9. Quality: file layout for Kitchen-Terraform; a simple InSpec test using RSpec syntax
  10. Quality: Kitchen-Terraform test results
  11. Quality: InSpec controls

```ruby
# Fails if a MySQL password has been placed in the environment of the
# system under test (the slide's regex, line-anchored; Ruby's ^ matches
# at every line start, so one MYSQL_PWD line anywhere in `env` is enough).
control 'mysql-password-management' do
  title 'Do not store your MySQL password in your ENV'
  desc 'Storing credentials in your ENV may easily expose them to an attacker. Prevent this at all costs.'
  describe command('env') do
    its('stdout') { should_not match(/^MYSQL_PWD=/) }
  end
end

# The slide reads service(apache.service), which is not valid Ruby; the unit
# name must be a string. 'apache2' is the Debian/Ubuntu name for the service.
control 'apache-running' do
  title 'Apache2 should be configured and running'
  describe service('apache2') do
    it { should be_enabled }
    it { should be_running }
  end
end
```
  12. Quality: Unit Testing, Static Code Analysis
  13. Quality: static analysis tools: cfn-lint, cfn-nag, tflint, foodcritic, cookstyle, Ansible Lint, puppet-lint
  14. Quality: Unit Testing, Static Code Analysis, Peer Review / Pair Programming
  15. Quality: Unit Testing, Static Code Analysis, Peer Review / Pair Programming, Acceptance Criteria
  16. Quality: Independent, Negotiable, Valuable, Estimable, Small, Testable
  17. Quality: acceptance criteria example
     Given I apply the | CV_2019_Web | route table
     When I send | HTTP | traffic from my third-party load test harness
     Then I expect the load test harness to | FAIL |
     And I expect an entry in the | TRAFFIC | log file to indicate that the traffic was | DENIED |
  18. Quality: Unit Testing, Static Code Analysis, Peer Review / Pair Programming, Acceptance Criteria
  19. Excellence: Logical Separation
  20. Excellence: layers to separate: Web server, EC2, application, logging; Database (RDS) + object storage (S3); IAM users, groups, roles, permissions; VPCs, subnets, internet gateways, VPNs, NATs
  21. Excellence: Logical Separation; Parameter Injection & Dependency Management
  22. Excellence: parameter injection with Parameters and Conditions (template excerpt; the slide elides the rest with "...")

```json
{
  "Parameters": {
    "EnvType": {
      "Description": "Environment type.",
      "Default": "test",
      "Type": "String",
      "AllowedValues": ["prod", "dev"],
      "ConstraintDescription": "must specify prod or dev"
    }
  },
  "Conditions": {
    "CreateProdResources": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]},
    "CreateDevResources": {"Fn::Equals": [{"Ref": "EnvType"}, "dev"]}
  },
  "Resources": {
    "EC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
        "InstanceType": {
          "Fn::If": [
            "CreateProdResources",
            "c1.xlarge",
            {"Fn::If": ["CreateDevResources", "m1.large", "m1.small"]}
          ]
        }
      }
    }
  }
}
```
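To make the slide-22 mechanism concrete, here is an added example (not from the talk) that evaluates the template's own Ref, Fn::Equals and Fn::If by hand for each EnvType, and runs the kind of parameter check a linter performs first: the effective value of every parameter must be one of its AllowedValues. The template constant is a constructed excerpt of the slide (the ImageId mapping is left out because Fn::FindInMap is not evaluated here); the function names are mine.

```ruby
require 'json'

# Constructed excerpt of the slide-22 template: Parameters, Conditions and the
# nested Fn::If that picks the instance type.
CONDITIONAL_TEMPLATE = JSON.parse(<<~'CFN')
  {
    "Parameters": {
      "EnvType": {
        "Description": "Environment type.",
        "Default": "test",
        "Type": "String",
        "AllowedValues": ["prod", "dev"],
        "ConstraintDescription": "must specify prod or dev"
      }
    },
    "Conditions": {
      "CreateProdResources": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]},
      "CreateDevResources":  {"Fn::Equals": [{"Ref": "EnvType"}, "dev"]}
    },
    "Resources": {
      "EC2Instance": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
          "InstanceType": {
            "Fn::If": ["CreateProdResources", "c1.xlarge",
                       {"Fn::If": ["CreateDevResources", "m1.large", "m1.small"]}]
          }
        }
      }
    }
  }
CFN

# Parameter validation: every effective value (supplied, else Default) must sit
# inside AllowedValues. Returns one message per violation.
def validate_parameters(template, supplied = {})
  template.fetch('Parameters', {}).each_with_object([]) do |(name, spec), problems|
    value   = supplied.fetch(name, spec['Default'])
    allowed = spec['AllowedValues']
    next if allowed.nil? || allowed.include?(value)
    problems << "#{name}=#{value.inspect} is not in AllowedValues #{allowed.inspect}"
  end
end

# Walks a template node, resolving the intrinsic functions used on the slide
# and leaving every other value untouched.
def evaluate(node, template, params)
  case node
  when Array then node.map { |n| evaluate(n, template, params) }
  when Hash
    key = node.keys.first
    if node.size == 1 && (key == 'Ref' || key.start_with?('Fn::'))
      intrinsic(key, node[key], template, params)
    else
      node.transform_values { |v| evaluate(v, template, params) }
    end
  else node
  end
end

def intrinsic(fn, arg, template, params)
  case fn
  when 'Ref'        then params.fetch(arg) { raise KeyError, "unresolved Ref #{arg}" }
  when 'Fn::Equals'
    left, right = evaluate(arg, template, params)
    left == right
  when 'Fn::If'
    cond_name, if_true, if_false = arg
    condition = template.fetch('Conditions').fetch(cond_name)
    evaluate(evaluate(condition, template, params) ? if_true : if_false, template, params)
  else
    raise NotImplementedError, "#{fn} is outside this example's subset"
  end
end

# Resolves one property of one resource, with supplied parameters overriding Defaults.
def resolve_property(template, logical_id, property, supplied = {})
  defaults = template.fetch('Parameters', {}).transform_values { |spec| spec['Default'] }
  node = template.dig('Resources', logical_id, 'Properties', property)
  evaluate(node, template, defaults.merge(supplied))
end

if __FILE__ == $PROGRAM_NAME
  %w[prod dev test].each do |env|
    type = resolve_property(CONDITIONAL_TEMPLATE, 'EC2Instance', 'InstanceType', 'EnvType' => env)
    puts "EnvType=#{env}: InstanceType=#{type}"
  end
  puts validate_parameters(CONDITIONAL_TEMPLATE)
end
```

Run as a script it prints c1.xlarge, m1.large and m1.small for prod, dev and test, then one validation message: with no override the excerpt's Default of "test" is not among its AllowedValues, so CloudFormation would reject the stack unless EnvType is supplied explicitly. That is exactly the class of defect a linter catches before any apply.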
  23. Excellence: cross-stack dependency management with Export / Fn::ImportValue

DBLayer.yml:

```yaml
Outputs:
  DatabaseARN:
    Value: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DBTable}
    Description: ARN of the Dynamo Database Table
    Export:
      Name: !Sub "${AWS::StackName}-DatabaseARN"
```

AppLayer.yml:

```yaml
Policies:
  - PolicyName: V568AppPolicy
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query', 'dynamodb:Scan', 'dynamodb:UpdateItem']
          Resource:
            Fn::ImportValue: !Sub ${DBStackName}-DatabaseARN
```
  24. Excellence: intra-stack dependency management with DependsOn

```json
{
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]}
      },
      "DependsOn": "myDB"
    },
    "myDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.m5.large",
        "Engine": "MySQL",
        "EngineVersion": "8.0",
        "MasterUsername": "AUserNameGoesHere",
        "MasterUserPassword": "ASecretPasswordGoesHere"
      }
    }
  }
}
```
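Slide 13 lists cfn-lint and cfn-nag, and slide 24 shows a template those tools would comment on: the RDS master password is a string literal, and the DependsOn is only correct as long as "myDB" really is a logical id in the same template. The following added example (mine, not from the talk or from either tool) is a small static check in the spirit of cfn-nag over a constructed copy of the slide-24 template, beside a constructed hardened variant that passes the password through a NoEcho parameter. The SECRET_PROPERTIES list and all function names are assumptions for this example; a real rule set is far wider.

```ruby
require 'json'

# Constructed copy of slide 24: an EC2 instance that DependsOn an RDS instance
# whose master password is a string literal.
DB_TEMPLATE = JSON.parse(<<~'CFN')
  {
    "Resources": {
      "Ec2Instance": {
        "Type": "AWS::EC2::Instance",
        "Properties": {"ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]}},
        "DependsOn": "myDB"
      },
      "myDB": {
        "Type": "AWS::RDS::DBInstance",
        "Properties": {
          "AllocatedStorage": "5",
          "DBInstanceClass": "db.m5.large",
          "Engine": "MySQL",
          "EngineVersion": "8.0",
          "MasterUsername": "AUserNameGoesHere",
          "MasterUserPassword": "ASecretPasswordGoesHere"
        }
      }
    }
  }
CFN

# Constructed hardened variant: the password is injected through a NoEcho
# parameter, so it never appears in the template or in stack output.
HARDENED_TEMPLATE = JSON.parse(<<~'CFN')
  {
    "Parameters": {
      "DBPassword": {"Type": "String", "NoEcho": true}
    },
    "Resources": {
      "myDB": {
        "Type": "AWS::RDS::DBInstance",
        "Properties": {
          "Engine": "MySQL",
          "MasterUsername": "AUserNameGoesHere",
          "MasterUserPassword": {"Ref": "DBPassword"}
        }
      }
    }
  }
CFN

# Credential-bearing properties per resource type (assumed, deliberately short).
SECRET_PROPERTIES = {
  'AWS::RDS::DBInstance' => %w[MasterUserPassword],
  'AWS::RDS::DBCluster'  => %w[MasterUserPassword]
}.freeze

# Returns a reason string when a credential value is unsafe, nil when it is
# acceptable: a dynamic reference ("{{resolve:secretsmanager:...}}" or
# "{{resolve:ssm-secure:...}}") or a Ref to a parameter marked NoEcho.
def secret_problem(template, value)
  case value
  when String
    'is a plaintext literal' unless value.start_with?('{{resolve:')
  when Hash
    return nil unless value.key?('Ref')
    param = template.dig('Parameters', value['Ref'])
    'Refs a parameter that is not NoEcho' unless param && param['NoEcho'] == true
  end
end

# One finding per problem, formatted "LogicalId: message".
def lint_template(template)
  resources = template.fetch('Resources', {})
  resources.each_with_object([]) do |(logical_id, res), findings|
    (SECRET_PROPERTIES[res['Type']] || []).each do |prop|
      problem = secret_problem(template, res.dig('Properties', prop))
      findings << "#{logical_id}: #{prop} #{problem}" if problem
    end
    # DependsOn may be a string or a list; every entry must name a resource here.
    Array(res['DependsOn']).each do |dep|
      next if resources.key?(dep)
      findings << "#{logical_id}: DependsOn '#{dep}' names no resource in this template"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts lint_template(DB_TEMPLATE)
  puts "hardened: #{lint_template(HARDENED_TEMPLATE).inspect}"
end
```

Running the script reports one finding for the slide-24 copy (myDB: MasterUserPassword is a plaintext literal) and none for the hardened variant; a dangling DependsOn (for example a typo in the logical id) is reported the same way, which is the check that keeps the slide's "Ec2Instance waits for myDB" promise honest as templates are refactored.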
  25. Excellence: Logical Separation; Design Review (People over Process & Tools); Parameter Injection & Dependency Management
  26. Purpose: Shared Ownership; Product Owner; Comb-Shaped People; Live the team
  27. Purpose: General-Specialist, Specialist, DevOps Engineer
  28. Purpose: Shared Ownership; Product Owner; Comb-Shaped People; Live the team
  29. @growerofawesome
