As incumbent enterprises move to the cloud, questions arise about how to transform the legacy IT culture to maximize the agility and flexibility AWS provides. Speed and dexterity must be implemented in a consistent manner, minimizing the impact to the organizational structure, but taking into account the existing skill sets and knowledge base. With AWS Service Catalog, you can manage commonly deployed AWS CloudFormation template versions, enable controlled self-provisioning, and leverage those same products in your automated deployment pipelines to AWS. In this session, developers, operations leads, architects, and IT managers learn how to leverage AWS Service Catalog and AWS CloudFormation to transform IT culture to maximize the agility, flexibility, and value that the AWS platform provides. Additionally, John Wiley & Sons, a 200-year-old enterprise, demonstrates how AWS Professional Services helped them balance the velocity achieved by moving to AWS with a structured governance model to deploy their cloud infrastructure and application code.
AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalog: The John Wiley & Sons Journey with AWS Professional Services (DEV321)
2. What to Expect from the Session
• Understand how AWS CloudFormation and AWS Service Catalog can be leveraged to balance control and agility.
• AWS Service Catalog Best Practices.
• Understand how to replicate the pattern used by John Wiley & Sons to help transform your company.
4. AWS CloudFormation Concepts and Technology
Template: JSON/YAML formatted file
• Parameter definition
• Resource creation
• Configuration actions
CloudFormation: Framework
• Stack creation
• Stack updates
• Error detection and rollback
Stack: Configured AWS resources
• Comprehensive service support
• Service event aware
• Customizable
5. AWS CloudFormation Benefits
• Version control/replicate/update the templates like application code
• Integrates with development, CI/CD, management tools
• No additional charge to use
7. Infrastructure as Code Workflow
• Code: Text Editor
• Version Control: Git/SVN/Perforce
• Code Review: Review Tools
• Integrate: Syntax Validation Tools
• Deploy: AWS Services
8. Infrastructure as Code Workflow
“It’s all software”
• Code: Text Editor
• Version Control: Git/SVN/Perforce
• Code Review: Review Tools
• Integrate: Syntax Validation Tools
• Deploy: AWS Services
9. What do customers tell us about Asset Management Deployment?
1. Define the resources and landscapes where software and application are deployed
2. ‘Approve once and deploy many’
3. Enable self service deploy with confidence
4. Automate deployments
11. AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
Administrator
• Control
• Standardization
• Governance
Users
• Agility
• Self-service
• Time to market
12. AWS Service Catalog – A Few Terms to Note
• Product: an IT service that you want to make available for deployment on AWS.
• Portfolio: a collection of products, together with configuration information.
• Constraint: restrict the ways that specific AWS resources can be deployed for a product.
• Stack: every AWS Service Catalog product is launched as an AWS CloudFormation stack.
13. AWS Service Catalog Overview
Enable
• 11 User API methods
• 37 Admin API methods
• Share products across Portfolios and AWS Accounts
Orchestrate
• Version Products
• Limit console access
• Provide various levels of user access
Automate
• Launch constraints
• Template constraints
14. Administrator Interaction
[Diagram: an Administrator and DevOps Automation interacting with Service Catalog, which holds ProductX versions in Portfolio A and Portfolio B, each with users and roles, constraints, and tags. Steps shown, numbered 1 to 4 on the slide: creates portfolio and assigns product to portfolio (1); creates product (2); authors template; adds constraints, grants access and adds tags (4).]
15. Opportunities to Strengthen the Handshake
[Diagram: Administrator and Products, with two opportunities called out.]
• User generated products to foster innovation
• Back-end micro-services acting on the stacks
17. AWS Service Catalog Benefits for Enterprises
Access and Governance:
• One-stop shop for end users
• Simple user access controls to the entire AWS platform
• Built-in governance
• Granular controls on CloudFormation templates
• Version control on products
Reusability and Automation:
• Reusability of Products across AWS Accounts
• API/CLI and console access
• Tagging enforcement
49. Why AWS Service Catalog for Wiley?
Standardize
Enforce Consistency
Limit Access
Enforce Tagging, Security Groups
One-Stop Shop
Automate Deployments
Agile Governance
51. Infrastructure Meets Application Needs
[Diagram: Application A mapped onto a Portfolio, showing Tier Alignment and Access Alignment.]
• Web Tier: web server
• App Tier: app server
• Cache Tier: cache cluster
• DB Tier: database
52. How Did We Approach the Environment?
- Design the Infrastructure to meet the Application
- Security and Separation at multiple levels:
  - Application Level
  - Application Tier Level
  - Functional/Access Level
- Security/Network alignment with Application Design
59. Leverage the CLI to Provision a Product
]$ aws servicecatalog search-products
(list all products)
]$ aws servicecatalog describe-product --id prod-XXXXXX
(this gets the provisioning artifact ID)
]$ aws servicecatalog list-launch-paths --product-id prod-XXXXXX
(this gets the path ID)
]$ aws servicecatalog describe-provisioning-parameters \
     --product-id prod-XXXXX \
     --provisioning-artifact-id checkUpdateVersion-12345678900 \
     --path-id lp-YYYYYY
(this uses the provisioning artifact ID and path ID, and gets the parameters)
60. Launch a Product with the CLI
]$ aws servicecatalog provision-product \
     --product-id prod-XXXXX \
     --provisioning-artifact-id checkUpdateVersion-123456789000 \
     --path-id lp-YYYYYY \
     --provisioning-parameters Key=KeyName,Value=MyKeyPair3 Key=InstanceType,Value=m4.medium \
     --provisioned-product-name reInvent-CLI-example \
     --provision-token exampletoken
(launch product with parameters listed, you can also supply a JSON file)
66. Consumers Creators Managers
Function
• Consumers: Consume Resources
• Creators: Create Artifacts, Automate Processes
• Managers: Create Environment & Manage Resources
Typical Job Role
• Consumers: Developers
• Creators: Automation/Release Mgmt
• Managers: Operations & InfoSec
AWS Access
• Consumers: Launch Resources
• Creators: Create Artifacts
• Managers: Manage Environment
Governance Responsibility
• Consumers: Meet Cost Requirements
• Creators: Artifacts that meet Standards
• Managers: Environment & Compliance
Logging and Monitoring
• Consumers: Read-Only
• Creators: Create Alarms & Dashboards
• Managers: Monitor & Audit
Service Catalog Alignment
• Consumers: EndUserFullAccess
• Creators: AdminFullAccess
• Managers: AdminFullAccess + Full IAM access
67. Consumers Creators Managers
Function
• Consumers: Consume Resources
• Creators: Create Artifacts, Automate Processes
• Managers: Create Environment & Manage Resources
AD Group
• Consumers: Publishing-Platform-Developers
• Creators: Publishing-Platform-DevOps
• Managers: AWS-admins
IAM role
• Consumers: Publishing-Platform-Developers
• Creators: Publishing-Platform-DevOps
• Managers: AWS-admins
Policies attached
to Roles
ServiceCatalogEndUserFullAccess
ReadOnlyAccess
AWSSupportAccess
CloudWatchCreateDashboard
ServiceCatalogAdminFullAccess
ReadOnlyAccess
AWSSupportAccess
CloudFrontFullAccess
PublishingSQSAccess
AdministratorAccess
Service Catalog
Portfolio Access
Publishing-Platform Publishing-Platform
All of Service Catalog
All of Service Catalog
Example
68. Operations/Infrastructure Interaction: Managing Environment
[Diagram: Operations managing the environment in Service Catalog, which holds Web Server versions for Application A and Application B, each with users, constraints, and tags. Steps shown, numbered 1 to 3 on the slide:]
• Creates AD groups and AWS IAM roles for application, create IAM policies
• Defines and creates Launch constraints
• Defines template constraints: AMI, security group, subnet, instance types, tags
69. Automation/Release Mgmt Interaction: Managing & Creating Products
[Diagram: Release Mgmt managing and creating products in Service Catalog, which holds Web Server versions for Application A and Application B, each with users, constraints, and tags. Steps shown, numbered 1 to 4 on the slide: creates portfolio and assigns products to portfolio (1); creates product (2); authors template; adds template constraints, grants access and adds tags (4).]
70. Set Constraints with CLI
]$ aws servicecatalog create-constraint \
     --portfolio-id port-ZZZZZZ \
     --product-id prod-XXXXXX \
     --parameters '{"Rules": {"Rule1": {"Assertions": [{"Assert": {"Fn::Contains": [["EXAMPLE-AMI-ID-1","EXAMPLE-AMI-ID-2"],{"Ref": "ami-id"}]},"AssertDescription": "AMI ID should be either EXAMPLE-AMI-ID-1 or EXAMPLE-AMI-ID-2"}]}}}' \
     --type TEMPLATE \
     --idempotency-token exampletoken
[Diagram: a new marketplace AMI and a custom AMI pass through the AMI template constraint.]
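The AMI allow-list rule from slide 70, as an added example that is not part of the original deck: it builds the constraint body, quotes it safely for `--parameters`, and checks launch parameters against it locally. The function names are hypothetical, and the evaluator is a local approximation that handles only `Fn::Contains`, not AWS's own rule engine.

```python
import json
import shlex

# Placeholder IDs copied from the slide; they are not real AMI IDs.
ALLOWED_AMIS = ["EXAMPLE-AMI-ID-1", "EXAMPLE-AMI-ID-2"]


def build_ami_rule(param_name, allowed):
    """Return the TEMPLATE constraint body that allow-lists one parameter."""
    return {"Rules": {"Rule1": {"Assertions": [{
        "Assert": {"Fn::Contains": [list(allowed), {"Ref": param_name}]},
        "AssertDescription": "AMI ID should be either " + " or ".join(allowed),
    }]}}}


def cli_argument(rules):
    """Serialize for --parameters; shlex.quote preserves the inner double quotes."""
    return shlex.quote(json.dumps(rules, separators=(",", ":")))


def _resolve(node, params):
    """Replace {"Ref": name} with the launch-time parameter value."""
    if isinstance(node, dict) and set(node) == {"Ref"}:
        return params.get(node["Ref"])
    return node


def violations(rules, params):
    """Return (rule name, description) for every assertion the parameters fail."""
    failed = []
    for name, rule in rules["Rules"].items():
        for assertion in rule["Assertions"]:
            (fn, args), = assertion["Assert"].items()
            if fn != "Fn::Contains":
                raise ValueError(f"unsupported rule function: {fn}")
            haystack, needle = args
            # A missing parameter resolves to None and fails closed.
            if _resolve(needle, params) not in haystack:
                failed.append((name, assertion["AssertDescription"]))
    return failed


if __name__ == "__main__":
    rules = build_ami_rule("ami-id", ALLOWED_AMIS)
    print("--parameters", cli_argument(rules))
    print(violations(rules, {"ami-id": "EXAMPLE-AMI-ID-3"}))
```

Running the same check in a pipeline before `provision-product` surfaces a disallowed AMI before Service Catalog rejects the launch.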