aws / aws-proton-public-roadmap

This is the public roadmap for AWS Proton
https://aws.amazon.com/proton

Infrastructure as Code Template Validation - Deployment Workflow #67

Open tatcoo opened 2 years ago

tatcoo commented 2 years ago

As more teams and developers customize IaC templates, platform engineers want to remove manual checks and ticketing flows. To give their teams autonomy without lowering the bar on compliance with organizational standards, customers will be able to define validation steps as part of a Proton template, so that Proton can run an evaluation to make sure the deployment meets standards. This includes IaC files that are created from pre-approved Proton templates, and developer-defined IaC component files. Validation could include integration with a tool (e.g., CloudFormation Guard, enforcing Terraform Sentinel checks), and defining exception flows (e.g., cuts a ticket to an admin, who can manually review and approve).

tatcoo commented 2 years ago

We are curious to hear more about how you and your team prefer to validate IaC templates: is this most common when uploading the template to a service like Proton or a shared repository, or as part of your deployment workflow? Do you want to have different kinds of checks at different points?

haakond commented 2 years ago

Hi, I'm working on a project where we have established a workflow where templates are pushed to GitHub and then the changes are synced back to AWS Proton.

In our case it would be very useful to be able to validate the syntax and compile Jinja CloudFormation templates as early as possible in the SDLC, even before the change is pushed, ideally set up as a pre-commit hook in each developer's environment and/or in CI/CD pipelines.

As of today, syntax errors and smaller mistakes aren't detected before a template is published and deployed (to a staging environment) in Proton. This is time consuming and error prone. Some kind of functionality in the CLI similar to aws cloudformation validate-template could do the trick.

Another idea could be to provide something like aws proton render-template, where the output can be piped to another relevant process in the CI/CD workflow like Checkov, cfn-lint, etc.
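The "render first, then lint" step haakond describes, and the CloudFormation Guard-style policy check the issue description mentions, can be prototyped locally today without waiting for a CLI feature. The script below is an added example written for this page; it is not haakond's tooling, not part of aws-proton-public-roadmap, and not how Proton itself renders templates. It assumes a CloudFormation template in JSON form that uses Proton's documented `environment.outputs` / `service_instance.inputs` / `service_instance.name` namespaces, handles only dotted `{{ a.b.c }}` references (a deliberate subset of Jinja, enough to catch a missing or misspelled input before publishing), and the three policy rules are illustrative stand-ins for what cfn-lint, Checkov or Guard would run on the rendered output. The sample template and input documents are constructed for the example.

```python
"""Pre-publish check for a Jinja-templated CloudFormation file.

Pipeline: render placeholders from a sample input document -> report any
unresolved references -> parse the result as JSON -> run Guard-style rules.
Intended to run as a pre-commit hook or CI step, before the template is
pushed and synced to Proton.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Matches {{ environment.outputs.VpcId }}-style references. Real Proton
# templates are full Jinja; this subset is enough for the "missing input"
# class of mistake that otherwise surfaces only after publish + deploy.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


def lookup(ctx: dict[str, Any], dotted: str) -> Any:
    """Resolve 'a.b.c' against nested dicts; KeyError if any hop is missing."""
    node: Any = ctx
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(dotted)
        node = node[part]
    return node


def render(template: str, ctx: dict[str, Any]) -> tuple[str, list[str]]:
    """Substitute placeholders; return (rendered_text, sorted unresolved refs)."""
    unresolved: set[str] = set()

    def sub(m: re.Match) -> str:
        ref = m.group(1)
        try:
            value = lookup(ctx, ref)
        except KeyError:
            unresolved.add(ref)
            return m.group(0)  # leave the placeholder so the gap stays visible
        # Booleans must become JSON true/false, everything else plain text.
        return json.dumps(value) if isinstance(value, bool) else str(value)

    return PLACEHOLDER.sub(sub, template), sorted(unresolved)


def check_rules(doc: dict[str, Any]) -> list[str]:
    """Illustrative Guard-style rules; each finding names the logical resource."""
    findings: list[str] = []
    pab_keys = ("BlockPublicAcls", "BlockPublicPolicy",
                "IgnorePublicAcls", "RestrictPublicBuckets")
    for name, res in doc.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: S3 bucket without BucketEncryption")
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in pab_keys):
                findings.append(f"{name}: S3 bucket does not block all public access")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" and rule.get("FromPort") != 443:
                    findings.append(
                        f"{name}: ingress from 0.0.0.0/0 on port {rule.get('FromPort')}")
    return findings


def validate(template: str, ctx: dict[str, Any]) -> dict[str, Any]:
    """Run render -> parse -> policy, stopping at the first failing stage."""
    rendered, unresolved = render(template, ctx)
    if unresolved:
        return {"stage": "render", "unresolved": unresolved, "findings": []}
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return {"stage": "parse", "error": str(exc), "findings": []}
    return {"stage": "policy", "findings": check_rules(doc)}


# Constructed sample: a JSON-form CloudFormation template with Proton-style
# placeholders (hypothetical resources, not from any real Proton template).
SAMPLE_TEMPLATE = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Artifacts": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "{{ service_instance.name }}-artifacts",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        }
      }
    },
    "AppSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "app ingress",
        "VpcId": "{{ environment.outputs.VpcId }}",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": {{ service_instance.inputs.port }},
           "ToPort": {{ service_instance.inputs.port }},
           "CidrIp": "{{ service_instance.inputs.ingress_cidr }}"}
        ]
      }
    }
  }
}"""

# Constructed input documents (what a developer's spec / env outputs would supply).
GOOD_INPUTS = {
    "environment": {"outputs": {"VpcId": "vpc-0123456789abcdef0"}},
    "service_instance": {"name": "payments-api",
                         "inputs": {"port": 8080, "ingress_cidr": "0.0.0.0/0"}},
}
# Same template, but ingress_cidr was never added to the inputs.
MISSING_INPUTS = {
    "environment": {"outputs": {"VpcId": "vpc-0123456789abcdef0"}},
    "service_instance": {"name": "payments-api", "inputs": {"port": 8080}},
}

if __name__ == "__main__":
    for label, ctx in (("good", GOOD_INPUTS), ("missing", MISSING_INPUTS)):
        print(label, json.dumps(validate(SAMPLE_TEMPLATE, ctx), indent=2))
```

With the complete inputs the template renders and parses, and the policy stage reports the unencrypted bucket and the world-open port 8080; with the incomplete inputs the run stops at the render stage and names the exact reference that is missing, which is the feedback the thread wants before anything is published to Proton.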

tatcoo commented 2 years ago

Thanks @haakond - this is great feedback. We're thinking through how we can help enable this before a template is published to help reduce errors you find and have to roll back. Stay tuned for more details!

davidebonavita commented 2 years ago

Hello @tatcoo, do you have any update on this? As @haakond said, the current process is really time-consuming. Pushing changes to GitHub, syncing them to Proton, publishing the version and trying to update the service just to find out that there's a syntax error is quite frustrating.

tatcoo commented 2 years ago

Hi @davidebonavita; has @haakond checked out our GitHub Actions Template Checker? https://github.com/aws-samples/aws-proton-template-checker-action

It's not a full-fledged feature within the service, but if he's open to trying it and providing feedback, it's something the team has been iterating on.