際際滷

際際滷Share a Scribd company logo

Implementing DevOps Automation Best Practices and Common Mistakes

Derek Ashmore
Derek Ashmore

Derek C. Ashmore gave a presentation on implementing DevOps automation best practices and common mistakes. He discussed establishing DevOps discipline through practices like source code management, infrastructure as code testing, and feature branching. Ashmore also covered DevOps management approaches like automating approvals and guardrails instead of manual reviews. He warned against mistakes such as a lack of testing for common infrastructure code and creating an overly large blast radius for changes.

1 of 25
Download to read offline
Implementing DevOps Automation Best Practices and Common Mistakes Given by Derek C. Ashmore Agile+DevOps East 2023 November 8, 2023 息2023 Derek C. Ashmore, All Rights Reserved 1
Who am I? Professional Geek since 1987 AWS since 2010 Azure since 2017 Specialties Application Transformation Infrastructure Automation Yes I still code! 息2023 Derek C. Ashmore, All Rights Reserved 2
Discussion Resources This slide deck /derekashmore/presentations 際際滷 deck has hyper-links! Dont bother writing down URLs I take questions For those online, contact me on LinkedIn 息2023 Derek C. Ashmore, All Rights Reserved 3
Agenda Intro and Level Set DevOps Best Practices DevOps Management Summary / Q&A 息2023 Derek C. Ashmore, All Rights Reserved 4
DevOps Managed Infrastructure 99+% Infrastructure as Code (IaC) Manual changes Increase errors Increase unwanted differences between environments Increase admin workload Scripted/Coded changes Larger upfront cost, but.. Less busywork Leverage Others Work Decreases Errors Errors fixed in one place Eliminates unwanted differences Change history (with source control) 息2023 Derek C. Ashmore, All Rights Reserved 5
Tales from the Field Large Consumer Product Firm Rebuilds entire cloud footprint every two weeks Large Fast-food Franchise Easy to add new business unit spokes Security / Guardrails built in Internet ingress/egress On premises network connectivity Large Financial Institution Mobile App Cloud and application footprint blue/green capability 息2023 Derek C. Ashmore, All Rights Reserved
DevOps Automation Categories Network / non-application specific infrastructure Virtual Networks/VPCs and subnets Route tables, Network peering Security groups / NSGs Application infrastructure Relational databases Serverless constructs Security privileges and policies IAM Roles and privilege grants Virtual machine image production Produce machine images for teams to use Docker image production is similar conceptually 息2023 Derek C. Ashmore, All Rights Reserved 7
Agenda Intro and Level Set DevOps Best Practices DevOps Management Summary / Q&A 息2023 Derek C. Ashmore, All Rights Reserved 8
Discipline is Key Discipline required differs per maturity level Source Code Management Source Code Structure Deployment Management (CI/CD Pipelines) Avoid Manual Changes Testing Strategy 息2023 Derek C. Ashmore, All Rights Reserved 9
Automation Usage Evolution In the beginning Use Source Control As #Coders grow Feature branches CI/CD Pipelines As #Configurations grow Separate repo for modules Implement versioning Never use main/master! Further reading 息2023 Derek C. Ashmore, All Rights Reserved
Feature Branching DevOps Team Discipline is Key Feature Branches Never edit main/master directly! Update using Pull Requests Should live less than one day! Single targeted enhancement One developer only Long-lived branches prone to merge conflicts Squash commits on merge Further reading 息2023 Derek C. Ashmore, All Rights Reserved
Code in Reusable Modules Advantages are Small blast radius More easily tested Economies of scale Example reusable modules Kubernetes Cluster Virtual Machine Virtual Networks and Subnets S3/Storage accounts Serverless services/functions 100+ Modules in all Used in 400+ pipelines Tested in merge to master 息2023 Derek C. Ashmore, All Rights Reserved 12
CI/CD Pipelines Provides consistent runtime environment Software version Cloud security policy Audit history / Admin security Pipeline approvals Force Plan/Dry-Run execution Force manual approval before changing the environment 息2023 Derek C. Ashmore, All Rights Reserved
Manual Intervention Requirements Some companies require manual intervention Often dictated by company policy Examples include Requiring DNS entries to be manually entered Separate group allocates security privileges On-premises connectivity IaC depending on manual intervention cannot have automated tests Localize the manual intervention requirements 息2023 Derek C. Ashmore, All Rights Reserved 14
Accommodating Manual Processes 息2023 Derek C. Ashmore, All Rights Reserved 15
Infrastructure Code Testing IaC is code! Housed in source control Often changed and released Needs testing like any other code IaC change can have negative impact Environment outages End-user internet connectivity outage Application outages Testing team delayed for four days Testing IaC can minimize negative impact 息2023 Derek C. Ashmore, All Rights Reserved 16
Infrastructure Code Testing Differences IaC != Application Code IaC requires external resources (e.g. Cloud) to run In-process unit testing often not possible Limited localized (in-process) testing Generally limited to syntax checks Terraform validation Ansible Dry Runs IDE syntax checks Most testing is integration testing 息2023 Derek C. Ashmore, All Rights Reserved 17
Infrastructure Code Testing Challenges Friction Harder to write/maintain Dependencies Managed by other teams Testing costs Use Sandbox tear-down after tests Manual intervention requirements Not possible to automate tests 息2023 Derek C. Ashmore, All Rights Reserved 18
Lack of Discipline Causes Unplanned Work Change due to automatic upgrades Unintended consequences Accidental over-writing changes of others Merge conflicts Changes deployed from unmerged branches Increased defect rate Configuration Drift caused by manual change 息2023 Derek C. Ashmore, All Rights Reserved 19
Frequent Mistakes in the Field Lack of testing for common IaC code Testing for one use of common code is not sufficient! Often breaks other consumers of the common code Creating a blast radius for IaC thats too large Cant make targeted changes without unintended consequences Treating common IaC code as an enforcement mechanism Decouple policy enforcement and naming conventions Common IaC is a productivity enhancer only 息2023 Derek C. Ashmore, All Rights Reserved 20
Agenda Intro and Level Set DevOps Best Practices DevOps Management Summary / Q&A 息2023 Derek C. Ashmore, All Rights Reserved 21
Management is different too! Instead of Manual reviews/approvals Automate guardrails Automate testing Whitelist cloud services Consider continuous delivery/deployment Capacity planning up front Monitor cost increases and investigate Mandating policy changes by edict Automate policy enforcement 息2023 Derek C. Ashmore, All Rights Reserved
Things that Dont work Adding Manual Approvals/Reviews Kills velocity and productivity Stops innovation Creates bottlenecks Forcing manual procedures Attempt to expedite Creates technical debt 息2023 Derek C. Ashmore, All Rights Reserved
Things that Work! Declare War on manual approvals Favor automated guardrails Automate oversight Decentralize Cloud Management Let app teams manage app infrastructure Dont be a bottleneck Leave App teams to innovate Create a Service Catalog Automate whitelisting of services Create reasonable process for new services Legal reviews (HIPPA, GDPR, etc.) Fund automation You wont make it manually! DevOps Team Discipline Automation needs SDLC just like applications Source management is key 息2023 Derek C. Ashmore, All Rights Reserved
Thank you! Derek Ashmore: Blog: www.derekashmore.com LinkedIn: www.linkedin.com/in/derekashmore Connect Invites from attendees welcome Twitter: https://twitter.com/Derek_Ashmore GitHub: https://github.com/Derek-Ashmore Book: http://dvtpress.com/ Please fill out the evaluation form! 息2023 Derek C. Ashmore, All Rights Reserved 25

More Related Content

Implementing DevOps Automation Best Practices and Common Mistakes

  • 1. Implementing DevOps Automation Best Practices and Common Mistakes Given by Derek C. Ashmore Agile+DevOps East 2023 November 8, 2023 息2023 Derek C. Ashmore, All Rights Reserved 1
  • 2. Who am I? Professional Geek since 1987 AWS since 2010 Azure since 2017 Specialties Application Transformation Infrastructure Automation Yes I still code! 息2023 Derek C. Ashmore, All Rights Reserved 2
  • 3. Discussion Resources This slide deck /derekashmore/presentations 際際滷 deck has hyper-links! Dont bother writing down URLs I take questions For those online, contact me on LinkedIn 息2023 Derek C. Ashmore, All Rights Reserved 3
  • 4. Agenda Intro and Level Set DevOps Best Practices DevOps Management Summary / Q&A 息2023 Derek C. Ashmore, All Rights Reserved 4
  • 5. DevOps Managed Infrastructure 99+% Infrastructure as Code (IaC) Manual changes Increase errors Increase unwanted differences between environments Increase admin workload Scripted/Coded changes Larger upfront cost, but.. Less busywork Leverage Others Work Decreases Errors Errors fixed in one place Eliminates unwanted differences Change history (with source control) 息2023 Derek C. Ashmore, All Rights Reserved 5
  • 6. Tales from the Field Large Consumer Product Firm Rebuilds entire cloud footprint every two weeks Large Fast-food Franchise Easy to add new business unit spokes Security / Guardrails built in Internet ingress/egress On premises network connectivity Large Financial Institution Mobile App Cloud and application footprint blue/green capability 息2023 Derek C. Ashmore, All Rights Reserved
  • 7. DevOps Automation Categories Network / non-application specific infrastructure Virtual Networks/VPCs and subnets Route tables, Network peering Security groups / NSGs Application infrastructure Relational databases Serverless constructs Security privileges and policies IAM Roles and privilege grants Virtual machine image production Produce machine images for teams to use Docker image production is similar conceptually 息2023 Derek C. Ashmore, All Rights Reserved 7
  • 8. Agenda Intro and Level Set DevOps Best Practices DevOps Management Summary / Q&A 息2023 Derek C. Ashmore, All Rights Reserved 8
  • 9. Discipline is Key Discipline required differs per maturity level Source Code Management Source Code Structure Deployment Management (CI/CD Pipelines) Avoid Manual Changes Testing Strategy 息2023 Derek C. Ashmore, All Rights Reserved 9
  • 10. Automation Usage Evolution In the beginning Use Source Control As #Coders grow Feature branches CI/CD Pipelines As #Configurations grow Separate repo for modules Implement versioning Never use main/master! Further reading 息2023 Derek C. Ashmore, All Rights Reserved
  • 11. Feature Branching DevOps Team Discipline is Key Feature Branches Never edit main/master directly! Update using Pull Requests Should live less than one day! Single targeted enhancement One developer only Long-lived branches prone to merge conflicts Squash commits on merge Further reading 息2023 Derek C. Ashmore, All Rights Reserved
  • 12. Code in Reusable Modules Advantages are Small blast radius More easily tested Economies of scale Example reusable modules Kubernetes Cluster Virtual Machine Virtual Networks and Subnets S3/Storage accounts Serverless services/functions 100+ Modules in all Used in 400+ pipelines Tested in merge to master 息2023 Derek C. Ashmore, All Rights Reserved 12
  • 13. CI/CD Pipelines Provides consistent runtime environment Software version Cloud security policy Audit history / Admin security Pipeline approvals Force Plan/Dry-Run execution Force manual approval before changing the environment 息2023 Derek C. Ashmore, All Rights Reserved
  • 14. Manual Intervention Requirements Some companies require manual intervention Often dictated by company policy Examples include Requiring DNS entries to be manually entered Separate group allocates security privileges On-premises connectivity IaC depending on manual intervention cannot have automated tests Localize the manual intervention requirements 息2023 Derek C. Ashmore, All Rights Reserved 14
  • 15. Accommodating Manual Processes 息2023 Derek C. Ashmore, All Rights Reserved 15
  • 16. Infrastructure Code Testing IaC is code! Housed in source control Often changed and released Needs testing like any other code IaC change can have negative impact Environment outages End-user internet connectivity outage Application outages Testing team delayed for four days Testing IaC can minimize negative impact 息2023 Derek C. Ashmore, All Rights Reserved 16
  • 17. Infrastructure Code Testing Differences IaC != Application Code IaC requires external resources (e.g. Cloud) to run In-process unit testing often not possible Limited localized (in-process) testing Generally limited to syntax checks Terraform validation Ansible Dry Runs IDE syntax checks Most testing is integration testing 息2023 Derek C. Ashmore, All Rights Reserved 17
  • 18. Infrastructure Code Testing Challenges Friction Harder to write/maintain Dependencies Managed by other teams Testing costs Use Sandbox tear-down after tests Manual intervention requirements Not possible to automate tests 息2023 Derek C. Ashmore, All Rights Reserved 18
  • 19. Lack of Discipline Causes Unplanned Work Change due to automatic upgrades Unintended consequences Accidental over-writing changes of others Merge conflicts Changes deployed from unmerged branches Increased defect rate Configuration Drift caused by manual change 息2023 Derek C. Ashmore, All Rights Reserved 19
  • 20. Frequent Mistakes in the Field Lack of testing for common IaC code Testing for one use of common code is not sufficient! Often breaks other consumers of the common code Creating a blast radius for IaC thats too large Cant make targeted changes without unintended consequences Treating common IaC code as an enforcement mechanism Decouple policy enforcement and naming conventions Common IaC is a productivity enhancer only 息2023 Derek C. Ashmore, All Rights Reserved 20
  • 21. Agenda Intro and Level Set DevOps Best Practices DevOps Management Summary / Q&A 息2023 Derek C. Ashmore, All Rights Reserved 21
  • 22. Management is different too! Instead of Manual reviews/approvals Automate guardrails Automate testing Whitelist cloud services Consider continuous delivery/deployment Capacity planning up front Monitor cost increases and investigate Mandating policy changes by edict Automate policy enforcement 息2023 Derek C. Ashmore, All Rights Reserved
  • 23. Things that Dont work Adding Manual Approvals/Reviews Kills velocity and productivity Stops innovation Creates bottlenecks Forcing manual procedures Attempt to expedite Creates technical debt 息2023 Derek C. Ashmore, All Rights Reserved
  • 24. Things that Work! Declare War on manual approvals Favor automated guardrails Automate oversight Decentralize Cloud Management Let app teams manage app infrastructure Dont be a bottleneck Leave App teams to innovate Create a Service Catalog Automate whitelisting of services Create reasonable process for new services Legal reviews (HIPPA, GDPR, etc.) Fund automation You wont make it manually! DevOps Team Discipline Automation needs SDLC just like applications Source management is key 息2023 Derek C. Ashmore, All Rights Reserved
  • 25. Thank you! Derek Ashmore: Blog: www.derekashmore.com LinkedIn: www.linkedin.com/in/derekashmore Connect Invites from attendees welcome Twitter: https://twitter.com/Derek_Ashmore GitHub: https://github.com/Derek-Ashmore Book: http://dvtpress.com/ Please fill out the evaluation form! 息2023 Derek C. Ashmore, All Rights Reserved 25