13 de June de 2024 André Ramoni

AWS multi-account model and ARGLabs

An AWS account does not have any cost by itself, so why we should share the same account across different scopes ?

Here we’ll talk about how we think real environments should look like and how we’ll do it in ARGLabs, since it’s just a lab and not a real environment.

AWS recommends the multi-account model for many reasons, we’ll focus on just a few of them here.

Access control

An AWS account is the first access control layer and blast radius limiting mechanism.

AWS accounts costs nothing by themselves, so you may have 3 or 56 accounts that you will only pay for what you run inside them.

It is much easier to control which accounts users have access to than to control the different access that different users need to different resources within a unique account.

So, access control is the first reason to do that.

Cost

Not only AWS accounts add no cost to your organization but it, in fact, helps to reduce costs.

In a shared account with multiple teams, applications and/or products, how do you know what are the costs for each of them ? Ok you can use tags, but there are many things that are not easy like this.

When you define a scope for AWS accounts and limit it’s usage to that scope, you can easily know the costs of that scope. Say you define a large product as an scope, and you run the entire product on one account and use another one for development/QA environments. The total cost of this product is the simple sum of the 2 accounts billings.

Isolation

Having just one scope inside an AWS account brings ownership to the people involved.

The responsible people is more likely to care about costs, efficiency, security etc because they will be the ones that the finops, security and other teams will talk to in case of problems. They own their product and the AWS account is like their exclusive environment where their product runs on.

The fact that only they are using the AWS account will make them confidently to take decisions like completely purge the development environment when they are not using, reducing costs to literally zero (yes, destroying all the infrastructure also!).

AWS account scope

What is the AWS account for ?

Should we have one set of accounts (environment accounts) by team ? Or by product ?

There’s no one-size-fits-all answer.

You should decide it based on the above benefits. If you have a large product made by a few teams applications and makes sense to have this product costs clearly visible and you don’t need to have different permissions for the teams that will have access to it, go for it.

If you have many apps from a group of teams that are part of a “business unit”, use accounts for that business unit.

You decide it.

In ARGLabs

Here in ARGLabs we’ll be using just one scope for our examples because it’s a lab.

One scope for all, that’s why we named it “The AIO (all-in-one) Scope”, and we’ll have 3 accounts for the different environments.

19 de May de 20245 de December de 2024 André Ramoni

ECS or EKS: Native cloud containers or kubernetes ?

There’s a lot of articles comparing the two and telling you about their differences and when you should go with one or another. I’ll make it slightly different.

I’ll tell you what I want to accomplish considering technology, culture, operations, costs, support and compliance and what is my choice to do so.

I want to provide developer teams a platform so they can easily build, deploy and run their apps in compliance with the Cloud Engineering Team’s best practices and Security Team’s policies.

Speedup cloud usage, cloud services details abstraction, best practices and security policies enforced, costs and permissions controlled with no bureaucracy and 100% cloud provider support.

19 de September de 202319 de September de 2023 André Ramoni

CIDR Control with terraform

Do you want to do everything as code ?

Do you know that you CAN manage your CIDRs allocations as code, and that it’s very simple, much more than you probably think ?

I’m not telling you that everybody should do it, but here I’ll try to show you that’s possible and very simple.

What are the main benefits ?

You’ll have a central place to manage every VPC network address
Everyone could query this central place to discover another team network address

We just need a centralized terraform state that everyone could read.

This terraform project just outputs our CIDRs allocations onto a state every other project can read: https://bitbucket.org/arglabs/arglabs-main-org-cidr-control/src/master/

Just put the CIDRs by environment on the cidr local map variable as following:

# CIDRs delegations:
  cidr = {

    # Entire company cidr by env:
    org = { 
      dev = "10.200.0.0/16"
      stg = "10.100.0.0/16"
      prd = "10.0.0.0/16"
      default = "" 
    }

    # Teams cidrs:
    sre = { 
      dev = "10.200.0.0/24"
      stg = "10.100.0.0/24"
      prd = "10.0.0.0/24"
      default = ""
    }
    
    team01 = {
      dev = "10.200.1.0/24"
      stg = "10.100.1.0/24"
      prd = "10.0.1.0/24"
      default = ""
    }
    # And so on...

  }

And let the pipeline run:

Then, in every project you need to get your own CIDR or any other CIDR, you can just read the terraform state as following:

data "terraform_remote_state" "cidr" {
  backend   = "s3"
  workspace = "default"
  #workspace = local.env
  config = {
    bucket   = "arglabs-terraform-states"
    region   = "us-east-1"
    role_arn = "arn:aws:iam::005801295308:role/deployer"
    key      = "main/org-cidr-control.tfstate"
  }
}

locals {

  cidr     = data.terraform_remote_state.cidr.outputs.cidr
  org_cidr = data.terraform_remote_state.cidr.outputs.cidr["org"][local.env]
  my_cidr  = data.terraform_remote_state.cidr.outputs.cidr[local.infra_scope_parsed][local.env]
}

output "my_cidr" { value = local.my_cidr }

ARGLabs

IaC made simple.

Best Practices