Build, Bundle, and Deploy Operations into Secured Pipeline

Build an evolving build pipeline ecosystem where 100 percent of the infrastructure, systems, and applications are deployed using AWS CloudFormation and Jenkins.

By
Rhonda O'Connor
September 14, 2020

Confidential Client

FORTUNE 100 / GLOBAL INSURANCE CO.

Project Outcomes & Results

Challenge

This client is evolving its build, bundle, and deploy operations into a predictable, repeatable delivery model as it moves more of its operations into Amazon Web Services (AWS). As a result, more knowledge and experience are needed in the use of cloud operations tools, processes, and procedures, as well as in how to fully evolve development behaviors, tools, processes, and procedures in the cloud.

Prior to this engagement, the client had hired Trility to help pursue a secure, safe serverless environment across its enterprise. It turned to our team again to help bootstrap the design, implementation, and operational evolution of its AWS operations and to implement a data storage solution using CloudFormation within a secured enterprise framework.

Why CloudFormation?

AWS CloudFormation was selected to automate the secure deployment of AWS resources across business units to help the client's teams adapt quickly and automate testing.

Solution

To scale using CloudFormation, Trility proposed an automated continuous delivery pipeline ecosystem built on the client-chosen tools, Terraform and Jenkins, together with RDS Aurora MySQL and S3 solutions, to design, direct, and implement the cloud ecosystem architecture.

Outcomes

Created, implemented, and still evolving a build pipeline ecosystem where:

  • 100% of the stack (all infrastructure, systems, and applications) is deployed and controlled using CloudFormation and Jenkins.
  • No console access or API access exists except for Jenkins; however, a “break glass” process is in place to generate credentials when and if they are needed.
  • 100% of the stack is managed in a version control system using Git and GitHub Enterprise.
  • 100% of the stack is driven by Jenkins, with GitHub Enterprise as the change management control system, and each source-level change set is associated with a change request, with bi-directional traceability tracked in Jira.
  • Before any change reaches an environment, it must pass through a mandatory pull request before being merged into the main branch.
  • Artifactory is used to store deployable code after it has been fully authenticated and scanned for vulnerabilities following general CIS metrics.
  • CloudFront, with AWS Regional web application firewall (WAF), is enabled in front of the static website contents and Apigee endpoints, with only specific regions whitelisted for access.
  • Centralized Splunk logging is used as the destination for all VPC Flow Logs, Apigee and Auth0 endpoint logs, S3 bucket access logs, and database logs.
  • All manual steps in application management and deployment are mitigated or, preferably, eliminated using Jenkins.

Created, implemented, and still evolving a repeatable database solution using automated deployments and provisioning, as well as static asset monitoring and scanning solutions for detecting viruses, malware, and similar threats in S3 buckets across the different environments.

Collaborating with identified vendors to assess information security aspects of their AWS solutions with respect to information exchanges and flows, ingress and egress needs, internal and external resource access requirements, and data protection requirements.

Reusable Patterns

Trility builds a golden triangle of truth for version control, change management, and continuous delivery pipelines to ensure predictable, repeatable, and auditable results. Long-term, this client's teams have increased operational performance and reduced time to value by leveraging the power of CloudFormation’s reusable templates:

  • Environment – Serverless applications running within Lambda, RDS Aurora MySQL clusters, and S3 storage utilizing IAM roles and policies to secure the environments, and security groups to maintain secure access to the resources.
  • Initiated/Deployed – Using Jenkins CI/CD pipelines, per-environment configuration files, and templates that use RBAC for operations.
  • Workload – Serverless apps and enforcing security and compliance using RBAC, security groups, IAM roles and policies across the AWS ecosystem deployed to support Digital Footprint.
  • Third-party tools/solutions – NodeJS, Python, CloudFormation, Terraform, Apigee, Splunk, Auth0

Lessons Learned

An ephemeral solution was determined to be desirable because the client did not want to spend the time patching EC2 instances, and that model was not optimal for scaling. Trility provided recommendations to evolve the existing framework to Lambda and NodeJS in a serverless environment, as it was determined early on that the client would save 12 hours/month on new images and 24 hours/month on new deployments.

The client made the decision to no longer use AWS API Gateway and instead use Apigee as the API endpoint for service access and as a reverse proxy. As the application evolved, so did the framework, adjusting and scaling to even larger data sets.

Simplify, Automate, and Secure Your Next Challenge

Trility helps rethink your entire business strategy in the cloud. Learn how you can accelerate your next AWS initiative with us.