This document discusses integrating infrastructure as code (IaC) into a continuous delivery pipeline. It outlines considerations and best practices, including: using source control for all infrastructure code; implementing different types of testing (e.g. unit, integration, security); ensuring security and compliance; using patterns like immutable infrastructure and containerization; and focusing on people and processes to enable collaboration between teams.
Integrating Infrastructure as Code into Continuous Delivery
1. Integrating Infrastructure as Code into a Continuous Delivery Pipeline
Considerations, Best Practices & Patterns
Adarsh Shah & Matt Kuritz
Contino - Enterprise DevOps and Cloud Transformation Consultancy
@ShahAdarsh & @_kuritz
Deck: http://bit.ly/IaC-CD
2. Who are we?
Adarsh Shah, Principal Consultant (@ShahAdarsh)
Matt Kuritz, Senior Consultant (@_kuritz)
3. Infrastructure as Code
Infrastructure as Code (IaC) is the approach that takes proven coding techniques used by software systems and extends them to infrastructure.
5. Continuous Delivery
Continuous Delivery is the ability to get changes of all types—including new features, configuration changes, bug fixes and experiments—into production, or into the hands of users, safely and quickly in a sustainable way.
- Jez Humble
9. Source Control
• Everything in source control
• Code accessibility
• Modules provide a well-defined interface
• Collaboration!!
• Code/test as documentation
14. Compliance
• Finance, Healthcare & other industries
• SOX, HIPAA, PCI DSS, PII handling
• Compliance as Code - Code instead of Paperwork
• Chef InSpec, HashiCorp Sentinel (Policy as Code)
15. Compliance as Code using HashiCorp Sentinel
Ensure that modification of critical data can only be performed by authorized sysops with valid MFA
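An added example, not from the deck and not HashiCorp's Sentinel code: the same rule written as a Python gate that a CD pipeline stage runs between `terraform plan` and `terraform apply`, over the JSON that `terraform show -json tfplan` emits. It fails the stage if any IAM policy in the plan allows modification of the critical data store without a Bool `aws:MultiFactorAuthPresent` condition. The plan JSON is a constructed, trimmed sample; the bucket ARN and policy names are assumptions. The "authorized sysops" half of the rule (which principals the policy may be attached to) is not modeled here.

```python
"""Compliance-as-code gate for a CD pipeline (added illustration).

Not code from the deck or from HashiCorp: a Python stand-in for the Sentinel
rule "modification of critical data only with valid MFA", run as a stage
between `terraform plan` and `terraform apply` over `terraform show -json`
output. SAMPLE_PLAN is a constructed, trimmed plan; CRITICAL_DATA and the
policy names are assumptions for the example.
"""
import json

CRITICAL_DATA = "arn:aws:s3:::finance-ledger"          # assumption: the critical data store
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:*"}
MFA_KEY = "aws:MultiFactorAuthPresent"                 # IAM condition key for an MFA session


def _policy(statements):
    """Build an IAM policy document string for the constructed sample plan."""
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


def _change(address, policy_doc):
    """One resource_changes entry in the shape `terraform show -json` emits."""
    return {"address": address, "type": "aws_iam_policy",
            "change": {"actions": ["create"], "after": {"policy": policy_doc}}}


# Constructed sample: four IAM policies in one plan.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _change("aws_iam_policy.ops_write_mfa", _policy([{       # compliant: MFA enforced
        "Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
        "Resource": CRITICAL_DATA + "/*",
        "Condition": {"Bool": {MFA_KEY: "true"}}}])),
    _change("aws_iam_policy.ops_write_nomfa", _policy([{     # violation: no MFA condition
        "Effect": "Allow", "Action": "s3:PutObject",
        "Resource": [CRITICAL_DATA + "/*"]}])),
    _change("aws_iam_policy.ops_write_ifexists", _policy([{  # violation: see _requires_mfa
        "Effect": "Allow", "Action": "s3:*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {MFA_KEY: "true"}}}])),
    _change("aws_iam_policy.readonly", _policy([{            # compliant: no modification
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "*"}])),
]})


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _modifies_critical_data(stmt):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    writes = any(a == "*" or a in WRITE_ACTIONS for a in actions)
    touches = any(r == "*" or r == CRITICAL_DATA or r.startswith(CRITICAL_DATA + "/")
                  for r in resources)
    return writes and touches


def _requires_mfa(stmt):
    """Only the Bool operator counts. aws:MultiFactorAuthPresent is absent for
    requests signed with long-term access keys, and BoolIfExists evaluates a
    missing key as true, so an Allow guarded by BoolIfExists still admits
    non-MFA access-key traffic."""
    cond = stmt.get("Condition", {})
    return str(cond.get("Bool", {}).get(MFA_KEY, "")).lower() == "true"


def violations(plan_json):
    """One message per Allow statement that lets a principal modify the critical
    data without MFA; an empty list means the plan passes the policy."""
    found = []
    for change in json.loads(plan_json).get("resource_changes", []):
        if change.get("type") != "aws_iam_policy":
            continue
        after = change["change"].get("after")
        if not after:                     # policy being destroyed: nothing to check
            continue
        doc = json.loads(after["policy"])
        for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
            if (stmt.get("Effect") == "Allow" and _modifies_critical_data(stmt)
                    and not _requires_mfa(stmt)):
                found.append(f"{change['address']} statement {index}: "
                             f"modifies {CRITICAL_DATA} without MFA")
    return found


if __name__ == "__main__":
    problems = violations(SAMPLE_PLAN)
    for problem in problems:
        print("FAIL:", problem)
    raise SystemExit(1 if problems else 0)   # non-zero exit blocks the apply stage
```

The check runs before apply, so the plan never reaches production unless it satisfies the rule; that is the "code instead of paperwork" point of the previous slide. The BoolIfExists case is the caveat worth keeping in a real policy: a condition that looks like an MFA requirement can still admit access-key requests, and only a plan-time check catches it before the policy is live.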
19. Containerized Services
• Infra module - the container management system
• Fully decoupled from apps
• Apps are deployed with the container management system's own tools
23. People & Process
• Enables teams to interact
• Infra, Security, Compliance, QA and other teams work together
• Improvement in processes
• Faster feedback
26. Summary
• Infrastructure as Code
• Continuous Delivery
• Considerations & best practices when integrating IaC into CD
  • Source Control
  • Testing
  • Security
  • Compliance
  • Patterns for Provisioning
  • Build and Deploy pipelines
  • People & Process
27. Questions
Adarsh Shah & Matt Kuritz
Editor's Notes
Contino enables enterprises to accelerate innovation through the adoption of DevOps and cloud-native computing
[TODO] Time factor,
Multiple, under-utilized servers
Server that's different from all others
Config changes constantly - drift can creep in over time
Configuration issues
Repeatability
Time to complete
Reproducibility / human error
Server Sprawl
Snowflake Servers
Configuration Drift
Jez Humble and Dave Farley wrote the book on it
idea is to get our changes to users quickly, and safely, at a steady pace
each ‘widget’ represents a commit
We have a number of processes that must be run for a piece to be confirmed as finished and working
What are the proven coding techniques used by software systems?
What are the best practices when using IaC & CD
Things to consider & best practices when integrating IaC to CD pipeline
Doesn’t mean skip TF plan
[TODO] This actually is a consideration, but do we want it
Provisioning/Config mgmt code, test code, CI/CD job definitions, utility scripts etc.
Instead of having out of date documentation using code/test as documentation
- Serves as a point for collaboration and knowledge sharing
Read access and the ability to open PRs for everyone
Modules for Infrastructure vs Implementation
Declarative definitions/scripts etc
Declarative approach - Desired state
Unit tests as needed.
[TODO] Time consuming, Faster feedback, People/Process
Shift security left