At Stelligent, Infrastructure as Code (IaC) is foundational to our mantra of “Automate Everything”. This is reflected in our new engineer training, Stelligent U, which has recently been open-sourced. Throughout the training, we focus on creating and updating resources via CloudFormation. Even with templates provided as reference, the engineer is the ultimate decision-maker for building out working infrastructure that can be redeployed at will.
All major cloud providers have support for Infrastructure as Code, typically with many options available for provisioning services. When new engineers go through Stelligent U, the primary focus is on CloudFormation templates. However, there is also a module on Terraform and we encourage exploring programmatic solutions such as boto3 or AWS’s CDK.
Our focus across all the Stelligent U modules, with regard to IaC, is to ensure that the infrastructure is:
- Reviewable – Infrastructure changes should not require manual effort to track them down.
- Reproducible – As long as the code does not change, the infrastructure should remain the same between deployments.
- Reusable – Utilize parameterized values rather than hard coded ones.
- Able to integrate with other services seamlessly – Easily combined with, and enhanced by, complementary services, especially within the same cloud provider.
The obvious benefit of having reviewable code is that someone can check your work. The reviewer can also perform checks asynchronously, on their own time, such as through git pull requests. Having someone look over your shoulder while you make changes in the console, although technically “reviewable”, should never happen.
However, it’s not only humans that can review your code. Automated tests can also catch syntax errors, security errors, and warnings. Running automated reviews saves both time and money: implementation is quick, feedback is fast, and no coworker needs to be involved. Some options include terrascan and tflint for Terraform files, and cfn_nag and cfn-lint for CloudFormation templates.
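To make the idea of an automated review concrete, here is an added example (not code from Stelligent U or from any of the linters named above) of the kind of rule such tools apply: it walks a constructed CloudFormation template in JSON form and flags a security group open to the world on a non-web port and an S3 bucket with no BucketEncryption. The template contents and the allow-listed ports are assumptions made for the example.

```python
import json
from typing import List

# Constructed sample template (JSON is a native CloudFormation format), with
# two deliberately weak settings so the checks below have something to report.
TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "ArtifactBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "LogBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
    }
  }
}
""")

# Assumption for this example: only these ports may be exposed to 0.0.0.0/0.
PUBLIC_PORTS_ALLOWED = {80, 443}


def check_template(template: dict) -> List[str]:
    """Return one finding per rule violation, in the spirit of a cfn_nag-style linter."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
                if world and rule.get("FromPort") not in PUBLIC_PORTS_ALLOWED:
                    findings.append(f"{name}: port {rule.get('FromPort')} open to the world")
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(f"{name}: S3 bucket without BucketEncryption")
    return findings


if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print("FAIL", finding)
```

In a pipeline this check would run before the CloudFormation deploy step and fail the build on any finding, which is exactly the fast, coworker-free feedback the paragraph describes.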
Another useful tool to assist with reviewing IaC prior to deployment is AWS CloudFormation change sets. With change sets, you are able to preview how updates to your template will impact running resources prior to deployment, such as if they can be modified in-place or require replacement. This allows you to prevent accidental deletion or unintended changes to resources without impacting production.
The same infrastructure, without any manual intervention, should be deployed each time. This ensures that each environment receives identical resources without the worry that some small unknown difference will invalidate your tests. A reproducible, consistent, reviewable environment is foundational to Stelligent’s mantra of “automate everything”. In addition to providing consistent development and production environments, IaC allows for easier disaster recovery and environment expansion. CloudFormation defaults to automatic rollback of changes that are incompatible or would otherwise cause failures, thus leaving a stack in its previous, known-good state.
When working on a production system, it can be easy to think that a quick, small manual change is the correct choice as opposed to updating the code base. However, this often leads to significant complications down the line. Stelligent U instills making small changes at the code/template level as a core value. This ensures that the infrastructure deployed today will be the same as yesterday and the day before (assuming no code changes). This practice, known as immutable infrastructure, is one Stelligent holds as a core DevOps best practice. Resources can be protected from unintentional changes with stack policies that determine which items are allowed to be updated, as well as through the DeletionPolicy attribute. Stelligent U also walks through how to protect a stack from deletion. It is also possible, and encouraged, to detect manual changes to CloudFormation-managed resources via Drift Detection. Through both protection and detection, you can ensure that your infrastructure stays as defined throughout its lifecycle.
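Stack policies are easier to reason about once you see how a Deny statement is evaluated against an update. The following is an added example, not Stelligent U material or an AWS library: it embeds a constructed stack policy (the same JSON document you would set on a stack) that allows every update except replacing or deleting a resource named ProductionDatabase, and a small evaluator that applies the documented rules, namely that an explicit Deny wins, an Allow is otherwise required, and anything unmatched is denied. The evaluator models Action, Resource and the ResourceType condition only; NotResource is not handled.

```python
import fnmatch
from typing import List

# Constructed stack policy for the example: permit all updates, but refuse
# any action that would replace or delete the production database.
STACK_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
         "Principal": "*", "Resource": "LogicalResourceId/ProductionDatabase"},
    ]
}


def _as_list(value) -> List:
    """Stack policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(stmt: dict, action: str, logical_id: str, resource_type: str) -> bool:
    """True when the statement's Action, Resource and optional ResourceType condition all apply."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    target = f"LogicalResourceId/{logical_id}"
    if not any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    cond = stmt.get("Condition", {})
    equals = _as_list(cond.get("StringEquals", {}).get("ResourceType", []))
    like = _as_list(cond.get("StringLike", {}).get("ResourceType", []))
    if equals or like:
        return resource_type in equals or any(fnmatch.fnmatchcase(resource_type, w) for w in like)
    return True


def is_update_allowed(policy: dict, action: str, logical_id: str, resource_type: str = "") -> bool:
    """Explicit Deny overrides Allow; with no matching Allow the update is implicitly denied."""
    effects = [s["Effect"] for s in policy.get("Statement", [])
               if _matches(s, action, logical_id, resource_type)]
    return "Deny" not in effects and "Allow" in effects


if __name__ == "__main__":
    for act in ("Update:Modify", "Update:Replace", "Update:Delete"):
        print(act, "ProductionDatabase", is_update_allowed(STACK_POLICY, act, "ProductionDatabase"))
```

A change set that reports Replacement: True for ProductionDatabase would be blocked by this policy at update time, which is the protection the paragraph refers to.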
IaC provides scalability when working across multiple environments, regions, and even accounts in cloud services. CloudFormation templates configured to handle parameters defined in separate JSON files allow reuse of specifications as needed. Dividing templates into smaller, logical units also helps create more manageable and cohesive stacks that do not directly depend on unrelated resources. In addition, you can organize templates under nested stacks that reference other templates to update multiple similar resources simultaneously.
Being able to reuse code is key to preserving both consistency and efficiency, which is why Stelligent U provides a series of labs dedicated to CloudFormation template portability and reuse. Resources created by stacks can be exported for reuse by other stacks via cross-stack references. StackSets provide the option of reusing the same CloudFormation template for multiple accounts and regions under an administrator account, or for organizing resources into logical groups and dependencies. Conditions add another method to extend flexibility such as the use of a prefix for an S3 bucket name to reuse templates across multiple accounts. This concept can also be implemented via pseudo-parameters that utilize native CloudFormation functions.
AWS Service Integrations
Security plays an important role in keeping infrastructure reliable and stable, which AWS helps achieve through service integrations with CloudFormation. IAM roles and policies can determine which users can make changes to stacks and to what degree, including creation, deletion, and even read-only access. Service roles associated with a stack control permissions for its resources. AWS CloudTrail provides auditing for all CloudFormation API calls, whether through the console, command line, or other methods. This auditing allows administrators to keep track of which users made changes to stacks with the option of storing logs in S3. Stelligent U also includes a task designed to show the integration between CloudFormation and the AWS SSM Parameter Store.
By integrating CloudFormation with tools such as AWS CodePipeline, we can accomplish Continuous Delivery. Since CodePipeline has built-in functionality for all CloudFormation actions, stacks built, tested, and deployed to different environments require no human interaction.
Infrastructure and U
Infrastructure as Code is a pillar of Stelligent’s Philosophy and CI/CD in general. Stelligent U reinforces the mantra of “Automate Everything” while at the same time providing a foundational approach to IaC across many AWS platforms. In addition to the existing content, we are getting ready to add modules on static analysis of IaC and integrating drift detection into your CI/CD pipelines on AWS. Please come see us over at Stelligent U.