The Progression of Self Service at KPMG (Part 1)

Harley Bates
KPMG UK Engineering
3 min read · Oct 5, 2021

You can find the accompanying code for this blog here.

— — — — — — — — — — — — — — — — — — — — — — — — — —

Empowering developers to create cloud resources both quickly and securely is important for innovation in proofs of concept and products alike. However, even in a sandbox environment, creating something as simple as a static site with the correct logging and encryption can become complex, meaning that the developer must either:

  • Fiddle around in the portal to configure the resources
  • Learn a proprietary template format like CloudFormation or a domain-specific language like HCL if they wish to make provisioning repeatable
  • Or get someone in an operations department to configure the resource.

And that is before mentioning that the logging configuration could easily drift between newly created resources!

To solve this problem, we wanted a tool that would allow developers to create, update and delete static sites quickly and easily, without having to learn an entirely new language. Pulumi fit this requirement quite well.

Pulumi is an infrastructure-as-code platform that works with general-purpose programming languages such as Python, JavaScript/TypeScript, .NET and Go, so developers need not learn a new language or template format to become self-sufficient in defining new cloud resources. Pulumi has the added benefit of supporting over 50 cloud providers, so the skills needed to set up infrastructure on AWS are just as applicable to Azure or Google Cloud.

Pulumi has published some interesting self-service examples built with their tool, including one for AWS static sites which met a lot of our needs out of the box!

This sample uses the following AWS products:

Using Pulumi's example as a base, we made a few changes:

  • Require the latest TLS protocol version on CloudFront to satisfy our security policy
  • Add the tags required on all our public static sites (we have automation that fixes potential compliance issues automatically)
  • Add versioning, encryption and logging to our S3 buckets as standard
  • Decouple the static content from the Pulumi code so that developers can change and manage the site content independently of Pulumi itself, enabling tighter user access control and faster deployments to the site.

Interestingly, Pulumi also provides a policy engine (CrossGuard) that can enforce these requirements on every deployment, ensuring that each subsequent static site meets all of our security and compliance rules.
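The checks the list above describes, as an added example that is not KPMG's or Pulumi's own code: each check is a pure function over a resource's type token and input properties, the same two things a CrossGuard `validateResourceOfType` callback receives, but written without the `@pulumi/policy` dependency so the block runs stand-alone. The type tokens and property names (`versioning.enabled`, `serverSideEncryptionConfiguration`, `loggings`, `viewerCertificate.minimumProtocolVersion`) follow the classic Pulumi AWS provider and should be checked against the provider version in use; the required tag names, the `TLSv1.2_2021` minimum and the two sample sites are all constructed for the example.

```typescript
// Added example (not KPMG's or Pulumi's code). In a real CrossGuard policy
// pack each `check` below becomes the `validate` callback of a
// validateResourceOfType policy; here the checks return a message instead of
// calling reportViolation so they can run without @pulumi/policy.

// Simplified shape of what a CrossGuard resource validation receives.
interface ResourceArgs {
  type: string;               // Pulumi type token, e.g. "aws:s3/bucket:Bucket"
  name: string;               // logical resource name
  props: Record<string, any>; // the resource's input properties
}

interface Violation {
  policy: string;
  resource: string;
  message: string;
}

type Check = (args: ResourceArgs) => string | undefined;

// Assumed organisational requirements (constructed for this example).
const REQUIRED_TAGS = ["Owner", "CostCentre", "DataClassification"];
const MIN_TLS = "TLSv1.2_2021";

const S3_BUCKET = "aws:s3/bucket:Bucket";
const CF_DISTRIBUTION = "aws:cloudfront/distribution:Distribution";

const policies: { name: string; types: string[]; check: Check }[] = [
  {
    name: "s3-bucket-versioning",
    types: [S3_BUCKET],
    check: ({ props }) =>
      props.versioning?.enabled === true ? undefined : "bucket versioning must be enabled",
  },
  {
    name: "s3-bucket-encryption",
    types: [S3_BUCKET],
    check: ({ props }) => {
      const rule = props.serverSideEncryptionConfiguration?.rule;
      const algo = rule?.applyServerSideEncryptionByDefault?.sseAlgorithm;
      return algo === "AES256" || algo === "aws:kms"
        ? undefined
        : "bucket must have default server-side encryption (AES256 or aws:kms)";
    },
  },
  {
    name: "s3-bucket-logging",
    types: [S3_BUCKET],
    check: ({ props }) =>
      Array.isArray(props.loggings) && props.loggings.length > 0 && props.loggings[0].targetBucket
        ? undefined
        : "bucket must ship access logs to a logging bucket",
  },
  {
    name: "required-tags",
    types: [S3_BUCKET, CF_DISTRIBUTION],
    check: ({ props }) => {
      const tags = props.tags ?? {};
      const missing = REQUIRED_TAGS.filter((t) => !(t in tags));
      return missing.length ? `missing required tags: ${missing.join(", ")}` : undefined;
    },
  },
  {
    name: "cloudfront-min-tls",
    types: [CF_DISTRIBUTION],
    check: ({ props }) =>
      props.viewerCertificate?.minimumProtocolVersion === MIN_TLS
        ? undefined
        : `viewerCertificate.minimumProtocolVersion must be ${MIN_TLS}`,
  },
];

// Run every applicable policy over every resource in a stack and collect violations.
function checkStack(resources: ResourceArgs[]): Violation[] {
  const violations: Violation[] = [];
  for (const r of resources) {
    for (const p of policies) {
      if (!p.types.includes(r.type)) continue;
      const message = p.check(r);
      if (message) violations.push({ policy: p.name, resource: r.name, message });
    }
  }
  return violations;
}

const fullTags = { Owner: "platform-team", CostCentre: "1234", DataClassification: "public" };

// Constructed sample input: a site provisioned from the hardened template.
const compliantSite: ResourceArgs[] = [
  {
    type: S3_BUCKET, name: "site-content",
    props: {
      versioning: { enabled: true },
      serverSideEncryptionConfiguration: { rule: { applyServerSideEncryptionByDefault: { sseAlgorithm: "AES256" } } },
      loggings: [{ targetBucket: "site-logs", targetPrefix: "content/" }],
      tags: fullTags,
    },
  },
  {
    type: CF_DISTRIBUTION, name: "site-cdn",
    props: { viewerCertificate: { sslSupportMethod: "sni-only", minimumProtocolVersion: MIN_TLS }, tags: fullTags },
  },
];

// Constructed sample input: a site someone clicked together in the portal.
const sloppySite: ResourceArgs[] = [
  { type: S3_BUCKET, name: "quick-demo", props: { tags: { Owner: "someone" } } },
  {
    type: CF_DISTRIBUTION, name: "quick-demo-cdn",
    props: { viewerCertificate: { cloudfrontDefaultCertificate: true, minimumProtocolVersion: "TLSv1" }, tags: fullTags },
  },
];

for (const v of checkStack(sloppySite)) {
  console.log(`${v.resource}: [${v.policy}] ${v.message}`);
}
```

One caveat worth building into the TLS check when wiring it into a real policy pack: a distribution that uses the default `*.cloudfront.net` certificate cannot raise its minimum protocol version, so the "latest TLS" requirement implicitly requires a custom domain with its own certificate, which is exactly why the domain and certificate automation described below is a prerequisite rather than an optional extra.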

Alongside Pulumi, we worked on additional automation to check domain availability and register domains through Route 53, which are the prerequisites for serving a custom domain over HTTPS with a TLS certificate on CloudFront.

Stay tuned for this and more in the next part of KPMG's self-service story, where we use Pulumi's Automation API to build a Flask application frontend, so that developers only need to worry about the static site content and never know about Pulumi working behind the scenes!
