Navigating AWS Deployment Targets with Armory
Jan 20, 2023 by Anna Daugherty
Many organizations look to Amazon Web Services (AWS) to host and deploy their applications in the cloud. However, they’re finding that their deployment tooling, often built as an extension of their legacy continuous integration (CI), is one of the main impediments to adopting cloud services.
Custom-scripted production pipelines built with in-house tooling need to be rebuilt from scratch for new deployment targets. Furthermore, at the rate new AWS services are introduced and released, it’s challenging to keep custom-scripted tools updated and to take advantage of the latest innovations.
Defining deployment targets
From data center and cloud migration efforts to Kubernetes adoption and retooling, successful application deployments require consistent paths to production. The combination of homegrown, disparate tools and custom-scripted production paths requires extra time to learn and navigate, reducing developer efficiency and introducing avoidable, human-created errors.
Armory leverages Spinnaker to create a single path from production to the deployment target, regardless of whether organizations are moving to Amazon EC2, Amazon Elastic Container Service (Amazon ECS), AWS Fargate, Amazon EKS, AWS Lambda or another AWS target. Previously, developers had to rebuild and custom-script the path to production for new deployment targets. But with Spinnaker, developers can deploy to a new target at the click of a button.
How it works
Spinnaker abstracts the concept of a “production” environment away from any specific deployment target. The cloud vendors themselves, with support from the rest of the community, build and maintain the connections, or Clouddrivers, between Spinnaker and the various production targets such as Amazon EC2 or Amazon EKS.
This architecture allows for a consistent, repeatable path to production across entire organizations, incorporating industry and organizational best practices and end-to-end automated policy enforcement. Additional features such as blue-green deployments, canary deployments and 1-click rollbacks safeguard organizations in the event of bad deployments or failures.
Utilize a single deployment pipeline for all software and applications, regardless of where the deployment target resides.
Architecture: infrastructure and security
The supporting infrastructure
You use several AWS services when you deploy the Armory platform on AWS: Virtual Private Cloud, Amazon EKS, IAM, Amazon S3, AWS Secrets Manager, Redis and Amazon Aurora.
“We had this disconnect between what was run in Terraform and our application deployments. Now teams are starting to see that they can combine those two things into a pipeline… It’s got people more creative in what they know they can do.” – Lead DevOps Engineer, Fortune 500 Media & Education Company
Built-in security
Armory offers a breadth of solutions and integrations to deliver applications quickly and securely, such as:
- Automated policy enforcement across deployments
- Role-based access controls
- Secrets management
With security and compliance policies baked in, security and operations teams can share centralized, pre-approved lists of templates that you can leverage across application teams. Templates are updated with new security policies and learnings to enable effective knowledge transfer across the organization.
When setting up deployment targets with the AWS Quick Start, Armory configures Spinnaker to access AWS resources using IAM user roles, with both an access key and a secret access key. This ensures secure access is provided to the correct user roles.
With Armory Secrets Manager, organizations can enable role-based access controls that require different types of authentication, protecting sensitive data such as passwords and tokens.