General Recommendations

Cloud-based services are incredibly capable and powerful but require an ongoing commitment by all parties involved. New AWS services are being added at a near-exponential rate while refinements to previous service capabilities continue to change. Each client’s needs and aspirations are unique and must be addressed in exquisite detail as there is no standard approach available. How to determine an optimal AWS Devops for organizations can be challenging.  We have developed some simple guidelines that help lead conversations with customers when it comes to implementing AWS Devops within their business.

Figure 1: AWS Services year-over-year

Each application/service deployment is unique and must be planned and executed in a methodical manner to achieve the desired results. In addition, prior deployments must be revisited on a planned basis as services change and best-practices are updated. Staying current with the rapidly changing landscape of AWS is no small feat. The AWS Specialists at Triumph Tech are committed to a perpetual learning cycle to ensure we’re maintaining the most up-to-date industry best practices, this includes constant validation through AWS documentation resources.

AWS Config and IaC

Knowing that each deployment is one-of-a-kind, we utilize several tools and services to assist in providing both passive and active best-practice guidance. These are comprised of AWS compliance tools, AWS Config, etc., and provisioning and management tools such as Infrastructure-as-Code.

AWS Config (see ref) allows for account-wide constraints and compliance guardrails. As mentioned in the Config reference, these rules will start with baseline configurations. However, these rules will evolve with the observed account usage, and client needs continue to be refined. AWS Config and Infrastructure-as-Code (IaC) reinforce one another in helping to ensure compliance, security, and overall best-practices are followed within the account structure.

The underlying architecture of the CUSTOMER AWS environment is configured via IaC. Most changes will need to be accomplished through a change-management process that will leverage this capability. We highly recommend instituting similar procedures for CUSTOMER-driven service deployments in the Sandbox, Dev, and Testing accounts.

There are multiple benefits to this approach:

• Enhanced Security
  • Everything is deployed the same way every time
  • Compliance and security standards can be consistently met with each deployment
• Reduced Risk
  • Inherent capture of institutional knowledge and self-documentation
  • Augments disaster recovery options
• Straightforward Compliance
  • Reduce human interaction/errors
  • Changes to production are versioned and logged
  • Always up-to-date history of change

CI/CD

Triumph Tech can assist in constructing the most appropriate pipeline implementation once we have a more detailed understanding of your exact needs.

To best achieve these benefits, a formal review process should be put in place for all changes.

• We recommend a pipeline approach for deployment. The pipeline consists of a set of steps to perform some related set of tasks. Pipelines will include all necessary deployment configuration and will be composed of smaller, reusable subtasks
  • Horizontal Pipeline: A class of Pipelines acting as an orchestration layer orders all operations or other sub-jobs (Vertical Pipeline jobs) to perform the overall task. Service, Environment, and Library Pipelines are all types of Horizontal Pipelines.
  • Vertical Pipeline: A generic, parameter-based pipeline script called from other higher-level scripts (e.g., Horizontal Pipelines). These scripts perform smaller tasks and generally act as a “funnel” for data/configuration; these will trigger additional processing functions. These scripts are parameterized build jobs and are responsible for validating their incoming parameters. Direct use of these scripts is discouraged, as these scripts should only be called via wrappers in the overall process.
• Examples include:
  • Build Jobs (Lambda, Beanstalk, Clojure Lib)
  • Deploy Jobs (Lambda, Beanstalk, Schema, Migrations, Infrastructure)

With a review process in place, it will be possible to match best-practices to the desired outcome before pushing changes.

Questions to understand Customer AWS Devops Needs

To better assist our customers with specific deployment scenarios we would need information such as:

• What services/tools are required for new workloads that will be deployed?
  • list of services, dependencies, use-case in prod, compliance requirements, limitations
• What encryption standards are needed/currently in use?
  • Encryption in transit
  • Encryption at rest
  • Storage Type
    • EBS
    • S3 (In transit/At rest)
    • DB
    • other
• How is code currently deployed to applications/testing?
• CI/CD
  • What is the current CI/CD process?
  • Tools/Services
  • Methodologies
  • Approach (blue/green etc)