Applying the Roles & Profiles Method to Compliance Code
Heston Snodgrass,
Sr. Services Delivery Engineer
March 25, 2021
Agenda
• Writing Compliance Code is Hard
• Overview of Roles & Profiles and the Facade Pattern
• Adapting These Patterns to Compliance Code
• Unique Hiera Interfaces
• Handling Boilerplate
• Q&A
Writing Compliance Code is Hard
• Code touches many parts of the node
• Can lead to a sprawling, tightly-coupled code base
• Auditing and maintaining this code can be difficult
• A lot of overlap between compliance frameworks
• Dreaded “spaghetti code”
Image: Yeh Xintong, unsplash.com
Software Design Patterns
Not just for software engineering interviews
Design patterns are problem-solving templates for your code
• The roles & profiles method is a design pattern
• It takes inspiration from the facade pattern detailed in the “Gang of Four” book¹
• A facade is an object that serves as a front-facing interface masking more complex underlying or structural code²
• Roles are the simple “front-end” facades, or interfaces, and profiles are the complex, “back-end” implementations
1. Design Patterns: Elements of Reusable Object-Oriented Software by Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides
2. https://en.wikipedia.org/wiki/Facade_pattern
A Picture is Worth a Thousand Roles & Profiles
https://puppet.com/docs/pe/2019.8/osp/the_roles_and_profiles_method.html
Adapting Roles & Profiles to Modules
There are two fundamental concepts for adapting roles & profiles to a module:
• Interfaces - Simple Puppet classes that are interacted with
• Implementations - More complex Puppet classes / defined types that are either declared or included by interfaces
Interfaces and implementations should be kept separate
Finally, remember to document all of your code thoroughly
I’m the Interface, so That’s What You Call Me
• Interfaces are simple and homogenized
• Interface names relate directly to a compliance framework
• Interfaces only declare or include implementations
• Interfaces pass all needed parameters
Image: Pierre Chatel, unsplash.com
That Implementation Really Tied the Room Together
• Implementations are single-purpose and self-contained
• Implementations DO NOT have framework-specific data
• Exceptions can be made for default values
• Implementations are as complex as necessary
• Implementations are reusable
Image: Ant Rozetsky, unsplash.com
Examples!
Because it’s more fun to see code than it is to hear about it
This is our Compliance Module
Simple, straight-forward, and WE know what it does.
However, I have a few questions:
• What CIS controls does this module enforce?
• Does this module enforce the CIS control “Ensure mounting of UDF filesystem is disabled”?
• Not all nodes that need to be CIS compliant need SSH and rsyslog configuration, is this possible?
This overly simplistic and incomplete CIS compliance module still has fundamental issues with it. So what can we do about all this?
Refactoring, It’s What’s for Dinner
• To adapt the roles & profiles method to our module we’ll need to refactor it
• First, we create two subdirectories in our manifests directory:
  – manifests/interfaces
  – manifests/implementations
• Next, we split up the implementation code into separate, self-contained classes / defined types
• Implementations are created in manifests/implementations
Let There be Interfaces
• Now, we need to create the interfaces for this code
• Interfaces are created in manifests/interfaces
• We will use the CIS control names as the interface class names
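The code on these slides was not captured in this transcript, so what follows is a constructed before-and-after in Puppet, added as an illustration of the refactor the slides describe; it is my own example, not the speaker's code. The module name `compliance`, the defined type `compliance::implementations::disable_kernel_module`, its `$enforce` parameter and the sample resources are assumptions; the interface class names are CIS control titles converted to legal Puppet class names.

```puppet
# --- Before: manifests/init.pp of the monolithic module (constructed) ---
# Everything lives in one class. Nothing here says which CIS control a
# resource satisfies, and a node that needs CIS but not the SSH or rsyslog
# pieces has no way to opt out of them.
class compliance {
  file { '/etc/modprobe.d/udf.conf':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "install udf /bin/true\n",
  }
  augeas { 'sshd_config PermitRootLogin':
    context => '/files/etc/ssh/sshd_config',
    changes => 'set PermitRootLogin no',
    notify  => Service['sshd'],
  }
  service { ['sshd', 'rsyslog']:
    ensure => 'running',
    enable => true,
  }
}

# --- After, step 1: manifests/implementations/disable_kernel_module.pp ---
# Implementation: single-purpose, self-contained, reusable for any kernel
# module name, and free of framework-specific data. The title is the module.
define compliance::implementations::disable_kernel_module (
  Boolean $enforce = true,   # assumed parameter name
) {
  $conf = "/etc/modprobe.d/${title}.conf"

  file { $conf:
    ensure  => $enforce ? { true => 'file', default => 'absent' },
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    # "install <mod> /bin/true" makes modprobe run /bin/true instead of
    # loading the module, which is how the benchmark expects it disabled.
    content => "install ${title} /bin/true\n",
  }

  if $enforce {
    # Unload the module if it is currently loaded; a no-op otherwise.
    exec { "unload kernel module ${title}":
      command => "/sbin/modprobe -r ${title}",
      onlyif  => "/bin/grep -qw '^${title}' /proc/modules",
      require => File[$conf],
    }
  }
}

# --- After, step 2: manifests/interfaces/ensure_mounting_of_udf_filesystem_is_disabled.pp ---
# Interface: named after the CIS control, only declares implementations, and
# passes every parameter through. This is what Hiera and auditors see.
class compliance::interfaces::ensure_mounting_of_udf_filesystem_is_disabled (
  Boolean $enforce = true,
) {
  compliance::implementations::disable_kernel_module { 'udf':
    enforce => $enforce,
  }
}

# A sibling control reuses the same implementation with a different title.
class compliance::interfaces::ensure_mounting_of_cramfs_filesystems_is_disabled (
  Boolean $enforce = true,
) {
  compliance::implementations::disable_kernel_module { 'cramfs':
    enforce => $enforce,
  }
}
```

Puppet class names must start with a lowercase letter and may contain only lowercase letters, digits and underscores, so the control's title rather than its number (which begins with a digit) is the safe source for an interface name. With the interfaces in place, Hiera addresses each control as `compliance::interfaces::<control>::enforce`, which is the auditor's question "is this control enforced on this node?" asked in the code's own vocabulary. The SSH and rsyslog parts of the old class get the same treatment: one implementation per mechanism, one interface per control.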
The Module Interface
• Now we create an init.pp for our module. I like to refer to init.pp as the module interface
• The simplest way to do this is to just include all of our interfaces
  – Standard Hiera configuration
  – No scope issues from resource-like class declarations
• We could also treat init.pp just like our other interface classes and parameterize it
  – This simplifies our Hiera config
  – We can configure our compliance module entirely from the classifier
• Use what works best for you. Experiment and focus on configuration, maintainability, and auditability.
• Keep it as simple as feasibly possible for what you want to accomplish
The Module Interface Part Deux
Using only include:
A more complex example:
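Both init.pp styles from the slide, written out as an added example of my own rather than the slide's code. The two interfaces, the `service_enabled` and `sshd_option` defined types and the `$enforce` parameters are constructed so that the listing is self-contained; the control titles are CIS wording, and the module name `compliance` is assumed.

```puppet
# --- manifests/implementations/service_enabled.pp (constructed) ---
define compliance::implementations::service_enabled (
  Boolean $enforce = true,
) {
  service { $title:
    ensure => $enforce ? { true => 'running', default => 'stopped' },
    enable => $enforce,
  }
}

# --- manifests/implementations/sshd_option.pp (constructed) ---
# Sets one sshd_config keyword. The interface must also put Service['sshd']
# in the catalog, otherwise the notify target does not exist.
define compliance::implementations::sshd_option (
  String $value,
) {
  augeas { "sshd_config ${title}":
    context => '/files/etc/ssh/sshd_config',
    changes => "set ${title} ${value}",
    notify  => Service['sshd'],
  }
}

# --- manifests/interfaces/ensure_ssh_root_login_is_disabled.pp ---
# Turning this control off must not stop sshd, so the whole body is
# conditional rather than passing $enforce down to service_enabled.
class compliance::interfaces::ensure_ssh_root_login_is_disabled (
  Boolean $enforce = true,
) {
  if $enforce {
    compliance::implementations::service_enabled { 'sshd': }
    compliance::implementations::sshd_option { 'PermitRootLogin':
      value => 'no',
    }
  }
}

# --- manifests/interfaces/ensure_rsyslog_service_is_enabled.pp ---
class compliance::interfaces::ensure_rsyslog_service_is_enabled (
  Boolean $enforce = true,
) {
  compliance::implementations::service_enabled { 'rsyslog':
    enforce => $enforce,
  }
}

# --- manifests/init.pp, option 1: include only ---
# Every interface is always in the catalog; per-control settings come from
# Hiera through automatic parameter lookup, one key per control, e.g.
#   compliance::interfaces::ensure_rsyslog_service_is_enabled::enforce: false
# include is idempotent, so other code may include the same interface too.
class compliance {
  include compliance::interfaces::ensure_ssh_root_login_is_disabled
  include compliance::interfaces::ensure_rsyslog_service_is_enabled
}

# --- manifests/init.pp, option 2: init.pp is itself a parameterised interface ---
# An alternative to option 1, not something to keep alongside it: a module
# can only define class compliance once. The classifier, or one Hiera key
# such as compliance::ensure_rsyslog_service_is_enabled: false, now decides
# what is enforced.
class compliance (
  Boolean $ensure_ssh_root_login_is_disabled = true,
  Boolean $ensure_rsyslog_service_is_enabled = true,
) {
  class { 'compliance::interfaces::ensure_ssh_root_login_is_disabled':
    enforce => $ensure_ssh_root_login_is_disabled,
  }
  class { 'compliance::interfaces::ensure_rsyslog_service_is_enabled':
    enforce => $ensure_rsyslog_service_is_enabled,
  }
}
```

Option 2 declares the interfaces resource-like, and Puppet permits that only if no earlier `include` of the same class is already in the catalog; otherwise compilation fails with a duplicate declaration error. That is the scope problem the slide alludes to, and the reason option 1 is the safer default when other modules or profiles may also include the interfaces. Option 1 in turn relies on automatic parameter lookup, so a misspelt Hiera key silently leaves the default `enforce => true` in force; compiling a catalog with `enforce: false` set for one control and checking that its resources are gone is the cheap way to confirm the key names are right.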
A New Compliance Framework has Appeared!
By using our adapted roles & profiles pattern, change is easy
• Quickly adapt to compliance framework changes
– New compliance framework, new interfaces
– Framework control names change, update interfaces
• Refactoring and maintaining the code is easier
– Backend changes don’t necessarily impact the front end
• Configuring the code now aligns directly with the controls we are
enforcing
– Makes life easier for auditors
• Onboarding new team members is easier
– Code is in small, digestible pieces
– Maps directly to the compliance framework
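A worked version of "new compliance framework, new interfaces", added here as my own illustration rather than anything from the talk. The second framework is a placeholder I call `otherfw`, and its control title, both banner texts and the `login_banner` implementation are assumptions; the CIS class name is the benchmark's title for the local login banner control.

```puppet
# --- manifests/implementations/login_banner.pp (constructed) ---
# Knows how to manage a banner file. It does not know which framework asked
# for it or what the text must say; that is framework data and stays out.
define compliance::implementations::login_banner (
  String  $content,
  Boolean $enforce = true,
) {
  file { $title:
    ensure  => $enforce ? { true => 'file', default => 'absent' },
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $content,
  }
}

# --- manifests/interfaces/ensure_local_login_warning_banner_is_configured_properly.pp ---
# CIS interface: the CIS-specific default text lives here, in the interface,
# which is the one place the pattern allows framework data.
class compliance::interfaces::ensure_local_login_warning_banner_is_configured_properly (
  Boolean $enforce = true,
  String  $banner  = "Authorized users only. All activity may be monitored and reported.\n",
) {
  compliance::implementations::login_banner { '/etc/issue':
    content => $banner,
    enforce => $enforce,
  }
}

# --- manifests/interfaces/otherfw/login_banner_must_be_displayed.pp ---
# Placeholder second framework: a new interface with its own control name
# and its own default text. The implementation above is reused untouched.
class compliance::interfaces::otherfw::login_banner_must_be_displayed (
  Boolean $enforce = true,
  String  $banner  = "This system is for authorised use only. Use constitutes consent to monitoring.\n",
) {
  compliance::implementations::login_banner { '/etc/issue':
    content => $banner,
    enforce => $enforce,
  }
}
```

Nothing about the implementation changed; only a new interface with its own name and framework-specific defaults was added, which is exactly the mapping an auditor tracing controls to code wants to see. The catch is overlap, the point made on the "Writing Compliance Code is Hard" slide: both interfaces declare File['/etc/issue'], so a node classified with both fails to compile with a duplicate resource declaration. Overlapping controls have to be resolved in the interface layer, either by classifying a node with only one framework's interface for a shared resource or by having one interface include the other.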
Whole Lotta Boilerplate
One downside with this pattern is that there is a good amount of boilerplate code. Fortunately, there’s some tooling that can help:
• Custom PDK templates
– Uses a familiar tool
– Documented well
– Can be complex to implement generation of custom classes
• https://github.com/hsnodgrass/abide_dev_utils
– Used by the Puppet SSE team
– Works from ERB templates stored directly in your module
– I like a bit of self-promotion
Thank you.
And now time for our Q&A!
My contact info:
- Email: heston.snodgrass@puppet.com
- Community Slack: @Heston Snodgrass
