Policy Driven Deployments hero graphic

Policy Driven Deployments

Jul 22, 2020 by Armory

Consistent Policy Enforcement

What if the industry has been thinking about continuous delivery the wrong way?  What if continuous delivery is not an extension of continuous integration, instead it is the concept of automating the rules that have been defined by your change review boards and exposing them to application teams early in the development cycle.  You would automate your production delivery through policies eliminating the need for manual change review boards, which is the real blocker of being able to deliver continuously.

For example, you want to ensure that none of your EC2 Security Groups enable 0.0.0.0/0 to the public, or you want to make sure none of the Kubernetes Service ports are open on port 22.  With Armory’s Policy Engine, you can deliver your application through the orchestration of build, provision, and deploy stages that are validated against these policies, providing teams the information needed to better understand the amount of risk necessary for this change.  You can expose these rules in your non-production environments so application teams have visibility into the operational requirements as a part of the development lifecycle.  You would define your pipelines to validate the policies required for production deployments, rather than the traditional trial and error approach.  Evaluating policies is normally done with a manual ticketing approach.  This approach introduces opportunity for manual error, and also reduces consistency since different people are assigned to different tickets, which reduces the overall safety of your production environments.  Using a policy-driven approach minimizes the manual ticketing process, providing consistent application of policies across the organization.

Safe Deployments Require Automation

Armory originally viewed our Policy Engine as a way to provide gates for teams to stop the delivery of a risky piece of software or infrastructure.  Therefore, we positioned the Policy Engine as a safety mechanism as teams implement continuous delivery.  But blocking deployments at the last minute is the antithesis of continuous delivery and should only be done as a last resort. Instead, we now leverage our Policy Engine to inform application teams of missing requirements early on, in their non-production pipelines, allowing them time to fix their deployments before an official change review.

You can use the Armory Policy Engine to provide training wheels to teams of lesser maturity in the continuous delivery process, surfacing best practices earlier in the delivery process.  As teams get better at implementing the policies in their development lifecycle, you can allow them to skip the change review process altogether, and deliver functionality straight to production.  Imagine a world where change review boards only questioned exceptions to production deployments, rather than having to validate every production delivery.

What We Learned from Releasing the Policy Engine

Over the last 6 months, the Armory team has been querying teams and executives about their challenges pre and post COVID-19.  We found an interesting correlation between enterprises and analysts that are struggling to define a category for software delivery automation due to the number of tools that companies use, while needing to provide self-service capabilities to their application teams.  The delivery options range everywhere from manual, repeatable steps that are done via a series of tickets, to complete automation through declarative delivery with GitOps.  The tooling choices seem to come down to the decisions of the platform architecture teams in conjunction with the operations and SRE teams.  The problem every executive and analyst has described to us has nothing to do with the delivery of applications to non-production systems. Instead, it has to do with the critical nature of securing and automating the delivery of projects into a production environment.

Today, teams can deploy to non-production environments with limited involvement from the operations teams.  This is normally due to limited security constraints on the environment to allow teams to experiment with different technologies and frameworks.  Application teams gain a false sense of security thinking this will be consistent with the production environments.  To deploy to production, application teams still require a number of internal processes, from manual ticketing processes to change review boards.  This slows down the delivery process, as decisions are still made in silos with limited feedback to the application teams.  Even when the operations teams give a green light for an application team to deploy to production, the security team can overrule their decision.  Many teams stop innovating due to the frustration this process fosters. They are relegated to the maintenance of applications without the opportunity to experiment.  This leads to a consumer perception that the company has stopped innovating, forcing consumers to seek alternatives from their competitors.  Even worse, teams struggle to compete with existing offerings, requiring a company to reduce staff as revenue continues to decline.  This is critical today as companies start to recover post COVID-19.

Conclusion

We currently have a number of customers that are using the Armory Policy Engine to begin their continuous delivery journey.  If you work for a company that has concerns with consistent policy enforcement or visibility into policy definition, we would love to speak to you to learn more about your challenges.  You can learn more about our Policy Engine on our website.

Share this post:

Recently Published Posts

How to Become a Site Reliability Engineer (SRE)

Jun 6, 2023

A site reliability engineer (SRE) bridges the gap between IT operations and software development. They understand coding and the overall task of keeping the system operating.  The SRE role originated to give software developers input into how teams deploy and maintain software and to improve it to increase reliability and performance. Before SREs, the software […]

Read more

Continuous Deployment KPIs

May 31, 2023

Key SDLC Performance Metrics for Engineering Leaders Engineering leaders must have an effective system in place to measure their team’s performance and ensure that they are meeting their goals. One way to do this is by monitoring Continuous Deployment Key Performance Indicators (KPIs).  CD and Automated Tests If you’re not aware, Continuous Deployment, or CD, […]

Read more

What Are the Pros and Cons of Rolling Deployments?

May 26, 2023

Rolling deployments use a software release strategy that delivers new versions of an application in phases to minimize downtime. Anyone who has lived through a failed update knows how painful it can be. If a comprehensive update fails, there are hours of downtime while it is rolled back. Even if the deployment happens after hours, […]

Read more