The Guardian Developer Experience team’s mission statement is to “Enable teams to focus on delivering value at lightning speed by streamlining infrastructure management”.
In this session, the Guardian will describe how we’re working to fulfil our mission; we’ll give a brief history and a glimpse into the future.
4. A brief history
● May 1821 - First Manchester Guardian newspaper published
● 1999 - Guardian Unlimited network of websites launched
● 2012 - Move to AWS started (mix of on-premises and AWS)
● 2015 - Solely on AWS (no more on-premises servers)
aws.amazon.com/solutions/case-studies/guardian
5. Autonomous teams
● Dotcom team, building theguardian.com
● Apps teams, building the iOS and Android apps
● Reader Revenue teams, building supporter and contribution platforms
● Journalism teams, building internal tools for Editorial staff
9. A brief history (continued)
● July 2020 - Full time DevX team formed
14. Our DevX Tools
● AMIable - Amazon Machine Image (AMI) management tool
● AMIgo - An AMI bakery
● Anghammarad - Centralised notifications service
● CDK - Generic Guardian flavoured AWS CDK components
● Central ELK - Centralised logging platform
● dev-nginx - Tools to configure a local development nginx to proxy our applications and services
● DNS Validation - An AWS lambda that automatically creates ACM validation DNS records
● Grafana - Centralised metrics service
● Gu:who - answering: who are all these users in my GitHub org?
● Janus - Google-backed AWS account access
● master-to-main - A CLI to automate updating a GitHub repository master branch to main
● Prism - Tool for collecting live data about infrastructure so it can be easily queried by users and automated tooling
● PRout - Looks after your pull requests, tells you when they're live
● Repo Apocalypse - Archive old GitHub projects to S3
● RiffRaff - The Guardian's deployment platform
● Security HQ - Centralised security information for AWS accounts
● Source - The Guardian’s design system
● SSM Scala - ssh replacement: CLI program that wraps SSM's EC2 Run Command
● Strap - Bootstrap your macOS development system
● ...
16. Janus
Google-backed AWS account access
When making API calls to AWS locally, AWS credentials are required. Developers do not have any IAM users for our AWS accounts; instead we use temporary credentials or short-term, federated sessions.
Janus is our federated login system for managing access to our myriad AWS accounts.
This approach allows us to make our infrastructure easier and more secure to use.
github.com/guardian/janus-app
18. SSM Scala
A command line tool that wraps AWS Systems Manager (SSM). Used to execute commands on EC2 servers using EC2 Run Command. It provides the user with:
● an alternative to SSH for running commands
● standard SSH access using short-lived RSA keys
We have removed direct SSH access (port 22) from applications and replaced it with SSM Scala.
github.com/guardian/ssm-scala
19. Riff-Raff
The Guardian's deployment platform
Our applications primarily run on EC2 or Lambda. Riff-Raff is our deployment tool and it allows us to use AWS auto-scaling to achieve zero downtime deploys.
Riff-Raff also records the deployment history of each project, and can be used to schedule deploys.
github.com/guardian/riff-raff
22. Source
The Guardian's design system
Source is our Design System. Written in React and Emotion, it creates a consistent user and developer experience across *.theguardian.com and the apps. It's expanding to support internal tooling too.
github.com/guardian/source
23. Prism
Prism captures information about the infrastructure across our entire estate in near real-time. There is also a command line tool that uses the Prism API to locate infrastructure.
github.com/guardian/prism
27. Let’s talk about CloudFormation...
✅ Tracked in VCS
✅ Repeatable
❌ JSON / YAML
❌ JSON can become verbose
❌ YAML is sensitive to whitespace
❌ Long feedback loop
❌ Errors first seen at runtime (UPDATE_ROLLBACK_COMPLETE 😈)
❌ Can result in not following the principle of least privilege
❌ Encourages copy-pasting
❌ Consistency?
❌ Following best practice?
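Two of the points above, port 22 being removed in favour of SSM (slide 18) and CloudFormation letting least privilege slip (this slide), can both be checked before a template ever reaches the long runtime feedback loop. The following lint is an added example, not code from the Guardian's tooling or from @guardian/cdk; the template object, resource names and bucket ARN are constructed.

```typescript
// Added example (not Guardian tooling): pre-deploy lint of a CloudFormation template object.
type Template = { Resources: { [name: string]: { Type: string; Properties?: any } } };
type Finding = { resource: string; message: string };
// CloudFormation allows a single value or a list for Action, Resource and Statement.
function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}
// Flag Allow statements pairing a wildcard action ("*" or "s3:*") with Resource "*".
function lintIam(name: string, props: any, out: Finding[]): void {
  const docs = asArray<any>(props.Policies).map((p) => p.PolicyDocument).concat(props.PolicyDocument || []);
  for (const doc of docs) {
    for (const st of asArray<any>(doc.Statement)) {
      const broadAction = asArray<string>(st.Action).some((a) => a === "*" || a.slice(-2) === ":*");
      const broadResource = asArray<string>(st.Resource).indexOf("*") !== -1;
      if (st.Effect === "Allow" && broadAction && broadResource) {
        out.push({ resource: name, message: "Allow with wildcard Action and Resource" });
      }
    }
  }
}
// Flag ingress rules whose port range covers 22 and that are open to the whole internet.
function lintSecurityGroup(name: string, props: any, out: Finding[]): void {
  for (const rule of asArray<any>(props.SecurityGroupIngress)) {
    if (rule.FromPort <= 22 && rule.ToPort >= 22 && rule.CidrIp === "0.0.0.0/0") {
      out.push({ resource: name, message: "port 22 open to 0.0.0.0/0" });
    }
  }
}
// Walk every resource and dispatch on its CloudFormation type.
function lintTemplate(t: Template): Finding[] {
  const findings: Finding[] = [];
  for (const name in t.Resources) {
    const res = t.Resources[name];
    if (/^AWS::IAM::(Role|User|Group|Policy|ManagedPolicy)$/.test(res.Type)) lintIam(name, res.Properties || {}, findings);
    if (res.Type === "AWS::EC2::SecurityGroup") lintSecurityGroup(name, res.Properties || {}, findings);
  }
  return findings;
}
// Constructed sample: one over-broad role, one correctly scoped role, one SG still exposing SSH.
const sampleTemplate: Template = { Resources: {
  AppRole: { Type: "AWS::IAM::Role", Properties: { Policies: [{ PolicyName: "all",
    PolicyDocument: { Statement: { Effect: "Allow", Action: "s3:*", Resource: "*" } } }] } },
  ScopedRole: { Type: "AWS::IAM::Role", Properties: { Policies: [{ PolicyName: "read",
    PolicyDocument: { Statement: [{ Effect: "Allow", Action: ["s3:GetObject"], Resource: "arn:aws:s3:::example-bucket/*" }] } }] } },
  AppSecurityGroup: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [
    { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" },
    { IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" } ] } },
} };
```

Running `lintTemplate(sampleTemplate)` reports AppRole and AppSecurityGroup and nothing for ScopedRole, which is the shape of check a typed construct library can enforce at build time rather than leaving to UPDATE_ROLLBACK_COMPLETE.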
28. Guardian CDK
✅ Tracked in VCS
✅ Repeatable
✅ Written in a strongly typed language (TypeScript)
✅ Built using AWS CDK
✅ Unit tested
✅ Encodes today’s best practices: observability, runtime environment, configuration, deployment
✅ Follows the principle of least privilege
✅ npm install @guardian/cdk@latest
github.com/guardian/cdk
30. Guardian CDK
● A set of Guardian flavoured AWS CDK constructs and patterns, encoding today’s best practice on:
○ Observability
○ Runtime environment
○ Configuration
○ Deployment
● CloudFormation in TypeScript
● Tracked in VCS
● Improved consistency
● Not YAML or JSON 🎉
○ Strongly typed
○ Unit tested
github.com/guardian/cdk
32. Observation
A lot of our backend tooling revolves around simplifying AWS resource management across multiple accounts.
33. Vision
We will collaboratively create and maintain best in class standard patterns for deployment, configuration, runtime and observability.
Creating and maintaining apps that follow these patterns will be quick, logical, free of boilerplate and secure by default.
We will have worked with teams to migrate the majority of applications to our standard patterns.
Teams will be focussed on delivering business value at high velocity as infrastructure concerns have been streamlined.