The Landing Zones: Maximizing Efficiency Through Automation.
Introduction
In this case study, we will discuss the objective of establishing a landing zone and how the combination of Ansible and Terraform automation was utilized to create it.
For those unfamiliar with landing zones, they serve as a secure and scalable way to leverage cloud resources. Our Platform engineering services team streamlined the process of setting up a landing zone for an enterprise, incorporating essential components such as IAM services, Security group rules, DNS services, Proxy services, Security firewalls, Cloud Monitoring, Log analytics services, Backup and recovery services, and DevOps tool chains.
This packaged solution can be effortlessly redeployed for multiple customers simultaneously. The implementation adheres to industry best practices, employing Infrastructure as Code (IaaC) to ensure modularity and repeatability using Terraform. The CI/CD pipeline, along with Site Reliability Engineering (SRE), DevOps, and GitOps principles, is employed to establish appropriate controls that align with internal guidelines. Configuration as Code (CaC) is adopted to manage system configuration using Ansible for server hardening, Active Directory setup, user management, DNS record configuration, Transit gateway configuration, and filesystem configuration. This approach enhances traceability and manageability for the organization while complementing the benefits of Infrastructure as Code (IaaC) and Configuration as Code (CaC).
Of course, this blog refers to the approach used in the specific SAP Client opinionated solution but is not limited to it. The same approach can be applied and reused for any SAP, non-SAP, or other client trying to build and manage their cloud infrastructure.
IaaC and CaC with Terraform-Ansible
The landing zone consists of two primary levels: the first one being a workload-aware landing zone, encompassing the essential software-defined infrastructure. The second level comprises the software and tools needed to manage workloads effectively.
To achieve this, we utilized Terraform to leverage software-defined infrastructure and IBM Schematics service to apply and handle cloud infrastructure requests. The provisioning of workload-specific infrastructure is controlled by an input file while keeping the code intact and managed by Platform Engineering Services (PES).
In a similar manner, the software and solutions needed for the landing zone are established and maintained through Configuration as Code, utilizing the capabilities of Ansible. The code and configuration are managed within GitHub, while Ansible Tower is employed to apply the software configuration, offering significant advantages in terms of automation and speed. This approach ensures efficient management and deployment of software components, enhancing the overall value of the landing zone setup.
To deploy and manage both the workload configuration and infrastructure, we need to design and develop atomic blocks that work in unison. Each atomic block is a self-contained, modular piece of code that adheres to the DRY (Don’t Repeat Yourself) principle, ensuring that no two atomic blocks carry out the same function. We can achieve human readability and declarative programming for both Ansible and Terraform by abstracting the logic. This allows programs to manage code as well. For a more thorough understanding of the establishment of Terraform and Ansible, in-depth discussions will be covered in other blog series, which are beyond the scope of this document.
Synergistic Execution: Ansible and Terraform
The automation process described involves the use of Ansible and Terraform to efficiently manage infrastructure in a cloud environment. It begins with setting up a Configuration-as-Code (CaC) and Infrastructure-as-Code (IaaC) repository, where client-specific code and configurations are pushed. Terraform is then employed through an IBM Schematics pipeline to apply the configurations, ensuring consistent and automated infrastructure creation. To enable communication between different cloud accounts, a transit gateway is configured for secure networking. Dynamic inventory is implemented to manage server details for each customer automatically.
Once the infrastructure is in place, the workflow moves on to installing and configuring crucial services such as DNS, Active Directory, and Identity Management (IDM). Servers are then integrated with the Active Directory for centralized user authentication and access management. Automation continues with the execution of server hardening jobs, reinforcing server security using Ansible’s automation capabilities. Finally, IT Service Management (ITSM) tools are installed on respective servers, streamlining IT service delivery and incident resolution.
By orchestrating this comprehensive workflow, organizations can achieve greater efficiency, consistency, and agility in managing infrastructure, configurations, and deployments across multiple cloud accounts. Ansible and Terraform provide a powerful solution for modern IT operations, ensuring a seamless and secure management process from start to finish.
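The dynamic inventory step is where Terraform's results become Ansible's targets. The sketch below is an added example, not the team's code: it turns data shaped like `terraform output -json` into the JSON an Ansible inventory script returns for `--list`, grouped per customer and per role. The output name `servers`, its fields, the host names and the `bootstrap_token` field are assumptions made for illustration.

```python
import json
import re

GROUP_NAME = re.compile(r"[a-z][a-z0-9_]*")  # group names Ansible accepts cleanly
RESERVED = {"all", "ungrouped"}              # built-in Ansible groups
HOSTVAR_KEYS = ("customer", "role")          # allowlist of fields copied to hostvars

# Constructed sample shaped like `terraform output -json`. The output name
# "servers" and every field in it are assumptions made for this example.
SAMPLE_TF_OUTPUT = {
    "servers": {
        "sensitive": False,
        "value": {
            "cust-a-dns01": {"customer": "cust_a", "role": "dns", "private_ip": "10.10.1.10"},
            "cust-a-ad01": {"customer": "cust_a", "role": "ad", "private_ip": "10.10.1.20",
                            "bootstrap_token": "constructed-not-a-real-secret"},
            "cust-b-dns01": {"customer": "cust_b", "role": "dns", "private_ip": "10.20.1.10"},
        },
    },
}


def build_inventory(tf_output):
    """Return the JSON structure an Ansible inventory script prints for --list."""
    servers = tf_output["servers"]
    if servers.get("sensitive"):
        raise ValueError("'servers' output is marked sensitive; refusing to export it")
    inventory = {"_meta": {"hostvars": {}}}
    for host, attrs in sorted(servers["value"].items()):
        missing = [k for k in ("customer", "role", "private_ip") if not attrs.get(k)]
        if missing:
            raise ValueError(f"{host}: missing {missing}")
        customer, role = attrs["customer"], attrs["role"]
        for name in (customer, role):
            if not GROUP_NAME.fullmatch(name) or name in RESERVED:
                raise ValueError(f"{host}: unsafe group name {name!r}")
        # One group per customer, per role, and per customer/role pair, so a
        # hardening or AD-join job can be limited to a single tenant.
        for group in (customer, role, f"{customer}_{role}"):
            inventory.setdefault(group, {"hosts": []})["hosts"].append(host)
        # Copy only allowlisted fields so stray secrets never reach the inventory.
        hostvars = {k: attrs[k] for k in HOSTVAR_KEYS}
        hostvars["ansible_host"] = attrs["private_ip"]
        inventory["_meta"]["hostvars"][host] = hostvars
    return inventory


if __name__ == "__main__":
    print(json.dumps(build_inventory(SAMPLE_TF_OUTPUT), indent=2))
```

Failing on an incomplete or oddly named record, instead of skipping it, keeps a half-provisioned server from silently dropping out of the hardening run.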
Conclusion
In conclusion, using atomic blocks to deploy and manage infrastructure and workload configurations has proven to be a very effective strategy. Each atomic block maintains its modularity and prevents functional redundancy by following the DRY principle.
Ansible’s abilities and the establishment of a landing zone with software-defined infrastructure have increased speed, which has been extremely beneficial for the program. The success of the landing zone setup has also been aided by the combination of Terraform and IBM Schematics service for cloud infrastructure management.
Further reading
Maximizing Enterprise Agility: Empowering Configuration Management with Ansible at Scale — This blog is a concise guide that explores the benefits of utilizing Ansible, a powerful open-source automation tool, to achieve greater agility and efficiency in managing enterprise level configurations.
Contributors
Naveen Purushothaman — Distinguished Engineer | CTO — Platform Engineering Services
Sudarshana K S — Site Reliability Engineer | Lead developer
Soumyadeep Paul - Technology Architect
Bejoy Alias — Cloud Delivery Architect (AWS & IBM Cloud)
Arjun S Babu — Infrastructure Specialist — Cloud