FROM DEVOPS TO
(AKA SYSOPS)
A CONCRETE CASE FOR MODELLING THE INFRASTRUCTURE WORKFLOW
MARC.SAETTEL@CYKLODEV.COM
FROM CODE TO INFRASTRUCTURE
…
WITH MASTERY AND STYLE
SUMMARY
Concepts
Benefits
Tools
Model
Use case
Conclusion
Q&A
CONCEPTS
What is it?
The idea
PDCA extended
Test IT … Really test it
Be lazy
CONCEPTS > WHAT IS IT?
TDI = Test Driven Architecture
TDI implies IAC (Infrastructure As Code)
SysOps like DevOps and SecOps != a norm or a set of tools
(.*)Ops == culture, way of doing
DevOps is built on top of SysOps (not against it)
SecOps is built on top of DevOps
CONCEPTS > THE IDEA
Originally coming from DevOps.
Easily extendable to SysOps as they
are already involved.
Requires multiple skills.
CONCEPTS > PDCA EXTENDED
The cycle extends Deming’s wheel.
Requires an IaaS/PaaS provider and
some DevOps tools.
Be prepared to build over and over …
CONCEPTS > TEST IT … REALLY TEST IT !
SysOps (like DevOps) is not only system/software deployment and
writing code. That’s the easy part.
You can only succeed if you write accurate tests (even for cases that will
never appear). Murphy is watching you.
CONCEPTS > BE LAZY
Every sysadmin has to be lazy, but in a smart way.
If you know that you will do a task twice:
find a way to automate it!
BENEFITS
Avoid PEBKAC
Feel confident
Customer’s trust
Raise coworkers’ skills
Reduce conflicts
BENEFITS > AVOID PEBKAC
Humans will always make mistakes; you can’t fight this.
The TDI workflow will detect them before they
are applied in the production environment.
BENEFITS > FEEL CONFIDENT
One of the biggest benefits is that you deliver what you have tested.
And you’re sure it’s working, so:
• No debug in production
• No hazardous action
• No fear
• No pain
BENEFITS > CUSTOMER’S TRUST
Across multiple builds you can prove to your customer that:
• You’re transparent - especially for failed builds
• You correct existing issues … Things work from/since
• You can prove (with tests) that an issue will always be detected in the next
builds
BENEFITS > RAISE COWORKERS’ SKILLS
With SysOps/DevOps, your colleagues can be confident in producing their code and
not focus on the « Where, How, When do I deploy my new version ».
They build code and tests properly with nothing else on their mind.
They learn new tools and are involved in a global flow.
You can also add a ChatOps channel to let everyone communicate (with project news/builds).
BENEFITS > REDUCE CONFLICTS
Generate as many test cases as you can.
Generate as many metrics as you can.
Turn complaints into requests.
Use agility (scrum) for short cycles and look forward & behind.
Don’t argue about who is responsible for failures, but learn from them.
TOOLS
The Memory
The Maker
The Sandbox(s)
The Truce teller
The breaker
TOOLS > THE MEMORY
My preference goes to Git because it’s:
• Self hosted (respect project’s privacy)
• Distributed
• Decentralized
• Full of hooks
You can also choose another solution (Subversion, Mercurial, …)
TOOLS > THE MAKER
My preference goes to Ansible because it’s:
• Self hosted (respect project’s privacy)
• Agent-less
• Based on ssh
• Not limited (CLI)
You can also choose another solution (CFEngine, Puppet, Chef, …)
TOOLS > THE SANDBOX(S)
To deploy your infrastructure you will need some IaaS/PaaS providers and you
have to think about why you need at least twice (depending on your needs):
• Deep system interactions: IaaS
• Soft/None system interactions: PaaS
Also pick a provider that offers custom image functionality (for project’s privacy)
TOOLS > THE SANDBOX (IAAS)
My preference goes to Scaleway because it’s:
• Shipped with an http API
• My former provider (Iliad)
I also wrote a command interface to handle
server management and make it scriptable.
You can also choose another solution (DigitalOcean, Amazon, Docker, …).
TOOLS > THE SANDBOX (PAAS)
My preference goes to Docker because it’s:
• Easy to install/use
• Easy to deploy complex stack (docker-compose)
• Shipped with DockerHub to store your own images
• Self hosted image possible (respect project’s privacy)
• The rising star
You can also choose another solution (DigitalOcean, Amazon, …).
TOOLS > THE TRUCE TELLER
My preference goes to Jenkins because it’s:
• Self hosted (respect project’s privacy)
• Deployed by Ansible
• Driven by http & git hooks
You can also choose another solution (Travis-CI, BuildBot, …)
TOOLS > THE BREAKER
My preference goes to OpenVAS because it’s:
• Self hosted (respect project’s privacy)
• Open source
• Updated frequently (0day -30 days)
• Driven by CLI/API
You can also choose another solution (Metasploit, Nessus, …)
MODEL
Big picture
Automate everything
Link everything
Notify everything
Endpoint
MODEL > BIG PICTURE
[Diagram: big-picture workflow; surviving labels: DEV, PPE]
MODEL > AUTOMATE EVERYTHING
SysOps
Deployment: System, Platform
DevOps
Delivery: Application on top of IaaS/PaaS
Tests
Execution: against Sys&App
SecOps
Execution: against Sys&App
MODEL > LINK EVERYTHING
Use Git’s hook capabilities.
Use the Ansible return summary (Ok, Changed, Failed).
Use the API to create/destroy IaaS/PaaS instances.
Use Jenkins jobs to trigger the next steps.
Use the CLI power of OpenVAS.
Use the (almighty) return code 0 of each successful action.
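A sketch of the linking described above, added here as an example and not taken from the talk: a gate that parses the Ansible summary and a runner that stops at the first non-zero return code. The stage names, host names and recap samples are constructed for illustration.

```shell
#!/bin/sh
# Constructed PLAY RECAP samples; host names are made up.
RECAP_OK='PLAY RECAP ****************
web01 : ok=12 changed=3 unreachable=0 failed=0
db01  : ok=9  changed=0 unreachable=0 failed=0'
RECAP_BAD='PLAY RECAP ****************
web01 : ok=12 changed=3 unreachable=0 failed=0
db01  : ok=4  changed=1 unreachable=0 failed=2'

# recap_gate: read Ansible output on stdin. Exit 0 only if a recap was
# seen and every host reports failed=0 and unreachable=0.
recap_gate() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && /ok=/ {
            hosts++
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if ((kv[1] == "failed" || kv[1] == "unreachable") && kv[2] + 0 > 0)
                    bad++
            }
        }
        END { if (hosts > 0 && bad == 0) exit 0; exit 1 }
    '
}

# Stand-in stages (hypothetical names). A real job would pipe the
# ansible-playbook output into recap_gate instead of the samples.
stage_deploy_ok()  { printf '%s\n' "$RECAP_OK"  | recap_gate; }
stage_deploy_bad() { printf '%s\n' "$RECAP_BAD" | recap_gate; }
stage_tests()      { return 0; }

# run_stages: call each stage in order and stop at the first non-zero
# return code, so tests and scans never run against a broken deploy.
LAST_STAGE=''
run_stages() {
    for stage in "$@"; do
        LAST_STAGE=$stage
        "$stage" || return $?
    done
}

run_stages stage_deploy_bad stage_tests || echo "stopped at $LAST_STAGE"
```

An empty or missing recap also fails the gate, so a playbook run that never reached its summary cannot pass as a success.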
MODEL > NOTIFY EVERYTHING
Not only the build initiator (aka the committer: Sys || Dev || Sec)
Not only failed steps, but literally everything
Forward state to ELK and build statistics
Push results to the ChatOps
Make a dashboard
MODEL > ENDPOINT
The last step (Git) must be used only by the workflow.
You will never commit directly to it.
Choose whether your last step goes to PreProduction or Production depending
on your internal process.
USE CASE
GIT
LEMP
APP
TESTS
SECURITY
DEPLOY
CONCLUSION
Use TDI to save time !
Use TDI to deploy quickly !
Use TDI to secure your code !
Use TDI to secure your infrastructure !
Use TDI to make your deployment time the DR time !!!
Q&A
THANKS TO THE AUDIENCE

A model of Test Driven Infrastructure
