My talk from DevOpsCon Berlin 2019 about the lessons I've learned from agile software development that can be applied to infrastructure as code including Terraform unit testing and CloudFormation linting.

1. IaC :: Lessons Learned
from Dev to Ops
Emma Button @growerofawesome

2. Trust me,
I’m a Developer

3. @growerofawesome
Agility Simplicity
Technical Excellence
Quality
Purpose & Shared Ownership

4. Code Re-UseSimplicity
@growerofawesome

5. Code Re-UseSimplicity
@growerofawesome
Public Libraries
Open Source
Communities

6. • Cloudformation
Sample Templates
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/sample-templates-services-us-west-2.html
AWS Labs
https://github.com/awslabs/aws-cloudformation-templates
Code Snippets
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/CHAP_TemplateQuickRef.html
• Terraform
Module Registry
https://registry.terraform.io/
• Chef
Chef Supermarket
https://supermarket.chef.io/
• Ansible
Module Library
https://docs.ansible.com/ansible/latest/modules/list_of_all_modules.html#all-modules
• Puppet
Puppet Forge
https://forge.puppet.com/
Simplicity
@growerofawesome

7. @growerofawesome
Quality Unit Testing

8. @growerofawesome
Quality Fetch
Terraform
Code from Git
repo
Lint Terraform
Code
Terraform
Apply in test
env
Install ruby
gems
Run Inspec
tests &
Server
Validations
Terraform
Destroy test
env
Report
Results
fail
pass
Continue
pipeline

9. @growerofawesome
Quality File layout for
Kitchen Terraform
Simple Inspec
test using
Rspec syntax

10. @growerofawesome
Quality
Kitchen Terraform
Test results

11. @growerofawesome
Quality
Inspec controls
control 'mysql-password-management’ do
title 'Do not store your MySQL password in your ENV’
desc ‘
Storing credentials in your ENV may easily exposes
them to an attacker. Prevent this at all costs.
‘
describe command('env') do
its('stdout') { should_not match /^MYSQL_PWD=/ }
end
end
control 'apache-running’ do
title 'Apache2 should be configured and running’
describe service(apache.service) do
it { should be_enabled }
it { should be_running }
end
end

12. @growerofawesome
Quality Unit Testing
Static Code Analysis

13. Quality
@growerofawesome
cfn-lint
cfn-nag
tflint
foodcritic
cookstyle
Ansible Lint
puppet-lint

14. @growerofawesome
Quality Unit Testing
Static Code Analysis
Peer Review / Pair Programming

15. @growerofawesome
Quality Unit Testing
Static Code Analysis
Peer Review / Pair Programming
Acceptance Criteria

16. @growerofawesome
Quality Independent
Negotiable
Valuable
Estimable
Small
Testable

17. @growerofawesome
Quality Given I apply the |CV_2019_Web |route table
When I send | HTTP | traffic from my third-party
load test harness
Then I expect The load test harness to | FAIL |
And I expect an entry in the | TRAFFIC | log file
to indicate that the traffic was | DENIED |

18. @growerofawesome
Quality Unit Testing
Static Code Analysis
Peer Review / Pair Programming
Acceptance Criteria

19. @growerofawesome
Excellence Logical Separation

20. @growerofawesome
Excellence
Web Server, EC2, Application, Logging
Database (RDS) + Object Storage (S3)
IAM users, groups, roles, permissions
VPCs, Subnets, internet gateways, VPNs, NATs

21. @growerofawesome
Excellence Logical Separation
Parameter Injection & Dependency Management

22. @growerofawesome
Excellence
...
"Parameters" : {
"EnvType" : {
"Description" : "Environment type.",
"Default" : "test",
"Type" : "String",
"AllowedValues" : ["prod", "dev"],
"ConstraintDescription" : "must specify prod or dev"
}
},
"Conditions" : {
"CreateProdResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "prod"]},
"CreateDevResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "dev"]}
},
"Resources" : {
"EC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"InstanceType" : { "Fn::If" : [
"CreateProdResources",
"c1.xlarge",
{"Fn::If" : [
"CreateDevResources",
"m1.large",
"m1.small"
]}
]}
}
},
...

23. @growerofawesome
Excellence Outputs:
DatabaseARN:
Value: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DBTable}
Description: ARN of the Dynamo Database Table
Export: Name: !Sub "${AWS::StackName}- DatabaseARN"
AppLayer.yml
DBLayer.yml
Policies:
- PolicyName: V568AppPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action: ['dynamodb:GetItem’,
'dynamodb:PutItem’,
'dynamodb:Query’,
'dynamodb:Scan’,
'dynamodb:UpdateItem’,
]
Resource:
Fn::ImportValue: !Sub ${DBStackName}-DatabaseARN

24. @growerofawesome
Excellence "Resources" : {
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"AMI"
]
}
},
"DependsOn" : "myDB"
},
"myDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m5.large",
"Engine" : "MySQL",
"EngineVersion" : “8.0",
"MasterUsername" : “AUserNameGoesHere",
"MasterUserPassword" : “ASecretPasswordGoesHere"
}
}
}
}

25. @growerofawesome
Excellence Logical Separation
Design Review – People over Process & Tools
Parameter Injection & Dependency Management

26. @growerofawesome
Purpose Shared
Ownership
Product Owner Comb-Shaped
People
Live the team

27. @growerofawesome
Purpose
General-
Specialist
Specialist DevOps
Engineer

28. @growerofawesome
Purpose Shared
Ownership
Product Owner Comb-Shaped
People
Live the team

29. @growerofawesome