DT5 Continuous Delivery Thursday, November 8th, 2018 11:30 AM
Integrating Infrastructure as Code into a Continuous Delivery Pipeline
Presented by:
Adarsh Shah Contino
Brought to you by:
350 Corporate Way, Suite 400, Orange Park, FL 32073 · 888-268-8770 · 904-278-0524 · [email protected] · http://www.starwest.techwell.com/
Adarsh Shah Adarsh Shah is a principal consultant at Contino, a global leader in DevOps and cloud enablement. Prior to Contino, he was at ThoughtWorks, where he led various engineering teams. With thirteen years of engineering and DevOps experience, Adarsh has a keen interest in building systems that add business value, and he is passionate about helping clients achieve continuous delivery by improving all three aspects of DevOps: people, process, and technology. These days, Adarsh is excited about working with distributed systems architecture and cloud technologies.
Integrating Infrastructure as Code into a Continuous Delivery Pipeline
Considerations, Best Practices & Patterns
Adarsh Shah, Technical Principal & Cloud Native Practice Lead
Contino · @ShahAdarsh
Deck: http://bit.ly/IaC-CD
Who am I?
Adarsh Shah, Technical Principal & Cloud Native Practice Lead
@ShahAdarsh
@ShahAdarsh
Infrastructure as Code
Infrastructure as Code (IaC) is the approach that takes proven coding techniques used by software systems and extends them to infrastructure.
Challenges without IaC
• Configuration issues
• Repeatability
• Human error
• Time to complete
Continuous Delivery
Continuous Delivery is the ability to get changes of all types, including new features, configuration changes, bug fixes and experiments, into production, or into the hands of users, safely and quickly in a sustainable way.
- Jez Humble
Continuous Delivery
@_kuritz
Considerations & best practices
Source Control
Source Control
• Everything in source control
• Code accessibility
• Modularize
• Collaboration!!
• Code/test as documentation
Infra as Code testing
Infra as Code Test Pyramid (figure; layers and the example tools named on the slide):
• Static Analysis: terraform validate, TFLint, puppet parser validate
• Unit: bats, chefspec
• Smoke: with a dummy app; Selenium
• Integration: inspec, goss
The side of the pyramid is labelled Brittle, Cost, Maintenance and Duration.
Security Patterns
• CIS benchmark automation
• Building hardening policies
• Static scanning
Security Considerations
• Dynamic scanning
• Secrets management
• Artifact signing & verification
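The "artifact signing & verification" consideration is the one that stops a deploy stage from shipping something other than what the build stage produced. The following Python is an added example, not code from the deck or from Contino: the build stage publishes a manifest that pins the artifact's SHA-256 digest and signs it, and the deploy stage refuses the artifact unless both the signature and the pinned digest check out. The key handling is a labelled simplification: an HMAC with a key shared by build and deploy stands in for the asymmetric signature a real pipeline would use (so that deployers hold only a public key); `PIPELINE_KEY`, the function names and the sample artifact are all constructed for illustration.

```python
"""Artifact signing & verification gate (added example; not from the deck).

The build stage publishes an artifact together with a signed manifest that
pins the artifact's SHA-256 digest; the deploy stage refuses anything whose
signature or digest does not check out. Simplification: an HMAC with a key
shared by build and deploy stands in for an asymmetric signature. Names and
inputs below are constructed for illustration.
"""
import hashlib
import hmac
import json

PIPELINE_KEY = b"constructed-demo-key-do-not-use"   # constructed placeholder


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def publish(artifact: bytes, name: str, key: bytes = PIPELINE_KEY):
    """Build stage: return (manifest_bytes, signature_hex) for an artifact."""
    manifest = {"name": name, "sha256": hashlib.sha256(artifact).hexdigest()}
    body = _canonical(manifest)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_before_deploy(artifact: bytes, manifest_body: bytes,
                         signature: str, key: bytes = PIPELINE_KEY) -> bool:
    """Deploy stage: accept only if the manifest signature is valid AND the
    artifact's digest equals the digest pinned in that manifest."""
    expected = hmac.new(key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False                      # manifest tampered or wrong signer
    try:
        pinned = json.loads(manifest_body)["sha256"]
    except (ValueError, KeyError, TypeError):
        return False                      # malformed manifest is a failure, not a pass
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(pinned, actual)   # artifact swapped after signing?


if __name__ == "__main__":
    image = b"constructed artifact bytes v1"   # constructed sample artifact
    body, sig = publish(image, "app-image")
    print("good artifact:", verify_before_deploy(image, body, sig))
    print("swapped artifact:", verify_before_deploy(b"tampered", body, sig))
```

The order of the two checks matters: the signature is verified over the manifest bytes before those bytes are parsed, so an unsigned or altered manifest is never trusted to tell the deployer which digest to expect.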
Compliance
• Finance, healthcare & other industries
• SOX, PII, HIPAA, PCI
• Compliance as Code: code instead of paperwork
• Chef InSpec, HashiCorp Sentinel (Policy as Code)
Compliance as Code using HashiCorp Sentinel
Example policy: ensure that modification of critical data can only be performed by authorized sysops with valid MFA.
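Sentinel itself runs inside Terraform Enterprise/Cloud, so here is the same idea as a plain pipeline stage that a practitioner can run anywhere. The Python below is an added example, not code from the deck, from Contino or from HashiCorp, and it is not Sentinel: it reads the JSON that `terraform show -json plan.out` emits (the `resource_changes[].type`, `.change.actions` and `.change.after` fields) and fails the gate when a planned resource breaks a rule. It also serves as the "static scanning" pattern from the Security Patterns slide and the bottom layer of the test pyramid, since it runs before anything is provisioned. The two rules, the sample plans and the function names are constructed for illustration.

```python
"""Policy-as-code gate over a Terraform plan (added example; not from the deck
and not Sentinel). Reads the JSON shape of `terraform show -json plan.out`
and fails when a planned resource violates a rule. Rules, sample plans and
names are constructed for illustration.
"""
import json

ADMIN_PORTS = {22, 3389}              # SSH and RDP (constructed policy choice)
WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def _open_to_world(rule: dict) -> bool:
    """True if an ingress rule exposes an admin port, or all traffic, to any address."""
    cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
    if not any(c in WORLD_CIDRS for c in cidrs):
        return False
    if rule.get("protocol") == "-1":     # "-1" means all protocols and ports
        return True
    lo, hi = rule.get("from_port"), rule.get("to_port")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def rule_no_world_admin_ingress(after: dict) -> list:
    return [f"ingress {r.get('from_port')}-{r.get('to_port')} open to the world"
            for r in (after.get("ingress") or []) if _open_to_world(r)]


def rule_ebs_encrypted(after: dict) -> list:
    # An attribute unknown until apply is absent from `after` (it appears in
    # `after_unknown` instead); treating absence as a violation is the safe default.
    return [] if after.get("encrypted") is True else ["EBS volume is not encrypted"]


RULES = {
    "aws_security_group": [rule_no_world_admin_ingress],
    "aws_ebs_volume": [rule_ebs_encrypted],
}


def evaluate_plan(plan_json: str) -> list:
    """Return (address, message) findings for every planned resource that breaks a rule."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:                # pure delete: nothing to assess
            continue
        for rule in RULES.get(rc["type"], []):
            findings.extend((rc["address"], msg) for msg in rule(after))
    return findings


def plan_is_compliant(plan_json: str) -> bool:
    return not evaluate_plan(plan_json)


# --- constructed sample plans in the `terraform show -json` shape -------------
def _plan(*changes):
    return json.dumps({"format_version": "1.0", "resource_changes": list(changes)})


def _change(address, rtype, actions, after, before=None):
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "before": before, "after": after}}


# A bastion open on 22 to the world, an unencrypted volume, a volume being
# deleted (no `after`), and an internal security group that is fine.
BAD_PLAN = _plan(
    _change("aws_security_group.bastion", "aws_security_group", ["create"],
            {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"]}]}),
    _change("aws_ebs_volume.data", "aws_ebs_volume", ["create"],
            {"size": 100, "encrypted": False}),
    _change("aws_ebs_volume.old", "aws_ebs_volume", ["delete"], None,
            before={"size": 50, "encrypted": False}),
    _change("aws_security_group.internal", "aws_security_group", ["update"],
            {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                          "cidr_blocks": ["10.0.0.0/8"]}]}),
)

GOOD_PLAN = _plan(
    _change("aws_ebs_volume.data", "aws_ebs_volume", ["create"],
            {"size": 100, "encrypted": True}),
)

if __name__ == "__main__":
    for addr, msg in evaluate_plan(BAD_PLAN):
        print(f"DENY {addr}: {msg}")
    print("compliant:", plan_is_compliant(BAD_PLAN))
```

Wired into a pipeline, this runs between `terraform plan -out plan.out` and `terraform apply plan.out`, with a non-zero exit stopping the apply; the same plan file that was evaluated is the one applied, so the gate cannot be bypassed by re-planning.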
Patterns for Provisioning
• Immutable VMs
• Containerized Services
• Base Image & App Pull
Immutable VMs
• Infra module: multitier app with cache cluster
• Loosely coupled
• App image consumed by infrastructure module
Immutable VMs
Figure: Immutable VMs pipeline. Two tracks, Infrastructure and Application, each starting with Continuous Integration (Unit Tests, Static Analysis). The Application track runs Security and App Tests and publishes an AMI. The Infrastructure track pulls that AMI into Ephemeral Environments for Testing & Validation (Security, Int. Tests, Compliance) and then Publish & Deploy.
Containerized Services
• Infra module: container management system
• Fully decoupled from apps
• Apps are deployed with container-management-system-specific tools
Containerized Services
Figure: Containerized Services pipeline. Infrastructure and Application tracks, each starting with Continuous Integration (Unit Tests, Static Analysis). The Application track runs App Tests, then Scan and Sign the image and push it to ECR. The Infrastructure track runs Testing & Validation in an Ephemeral Environment (Security, Compliance, Int. Tests) and then Publish & Deploy; the deployed platform pulls the signed image from ECR.
Base Image & App Pull
• Infra module: app servers
• VMs pull the app on deploy or on app update
• Anti-pattern: allowing long-lived VMs
Base Image & App Pull
Figure: Base Image & App Pull pipeline. Infrastructure and Application tracks, each starting with Continuous Integration (Unit Tests, Static Analysis). The Application track runs Security and App Tests, then Publish & Deploy. The Infrastructure track builds a base AMI, validates it in Ephemeral Environments during Testing & Validation (Security, Int. Tests, Compliance), then Publish & Deploy; VMs pull the base image and then pull the application.
People & Process
• Enables teams to interact
• Infra, Security, Compliance, QA and other teams work together
• Improvement in processes
• Faster feedback
Inspection
Figure: Infra, Compliance, Security, Production
Building Quality In
Figure: Infra, Compliance, Security, Production
Summary
• Infrastructure as Code
• Continuous Delivery
• Considerations & best practices when integrating IaC into CD:
  • Source Control
  • Testing
  • Security
  • Compliance
  • Patterns for Provisioning
  • Build and Deploy pipelines
• People & Process
Questions
Adarsh Shah, Technical Principal & Cloud Native Practice Lead
Contino · @ShahAdarsh
Deck: http://bit.ly/IaC-CD