Testing CI/CD principles with firewall changes and maybe some AI.
Hypothesis: CI/CD for appliance firewall changes at the lowest cost, using an event-driven architecture.
- Terraform for infrastructure build
- Ansible for config management (most firewalls work with it and with Python)
- EC2 for the Ansible control node; hoping to move to a container or function
  - Could this be IPv6 only?
  - GitHub's Terraform provider does have a data source for Actions IP addresses in CIDR ranges.
- SSM for:
  - Applying the initial playbook to the control node
  - Parameter Store for secrets
- KMS, S3, DynamoDB, CloudWatch, CloudTrail for the Terraform backend and operations.
- Create a simple or complex issue
  - Use the custom template still, but with source/destination/port.
  - Use a custom template for complex bugs to capture more details around applications (think AD).
- Issue triggers AWS and firewall reachability tests
  - AWS could be triggered from GitHub <-> SNS queue
  - Firewall is likely to need an Ansible playbook
- Report both test results back into the issue
- Add a label if the tests come back green, for an engineer to assess next steps.
- Create a feature request with the 5-tuple/URL requirement in the description
- Create a branch for the change
- Add Ansible/Terraform code
  - Could use NLP/AI to recommend code with some awareness of objects and groups (think AD)
- Create a PR
- Lint/syntax check
- Security-scan the code
- Merge the change if approved
- Trigger the control node to fetch the new configuration and roll it out to the firewall.
- Run the reachability test to confirm the change is successful.
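The issue body is untrusted input that ends up templated into an Ansible playbook, so the 5-tuple should be parsed and validated before anything is generated from it. The following is an added example (not code from this project) of that validation plus the comment/label decision that reports the reachability tests back into the issue; the "key: value" template layout, the field names and the width policy are assumptions.

```python
"""Validate a firewall change request taken from an issue body before it is
templated into a playbook, and build the report posted back to the issue.
Example code added here, not part of the project's own pipeline."""
import ipaddress
import re

# Assumed issue-template layout: one "key: value" line per field.
FIELD_RE = re.compile(r"^(source|destination|protocol|port):\s*(\S+)\s*$", re.I | re.M)
MAX_NET_ADDRESSES = 256  # widest network one request may open (assumed policy)
REQUIRED = {"source", "destination", "protocol", "port"}

# Constructed sample issue body.
SAMPLE_ISSUE = """\
Firewall request for app X (LDAPS to the domain controller)
source: 10.20.30.0/28
destination: 10.50.0.10/32
protocol: tcp
port: 636
"""

def parse_request(body: str) -> dict:
    """Return a canonical 5-tuple dict or raise ValueError.
    Every returned value is rebuilt from a parsed object (ip_network, int,
    allow-listed protocol), so raw issue text never reaches the playbook."""
    fields = {k.lower(): v for k, v in FIELD_RE.findall(body)}
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    # strict=True rejects a prefix with host bits set (e.g. 10.0.0.5/24) instead of guessing.
    src = ipaddress.ip_network(fields["source"], strict=True)
    dst = ipaddress.ip_network(fields["destination"], strict=True)
    for net in (src, dst):
        if net.num_addresses > MAX_NET_ADDRESSES:
            raise ValueError(f"{net} is wider than policy allows")
    proto = fields["protocol"].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    port = int(fields["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"source": str(src), "destination": str(dst), "protocol": proto, "port": port}

def report(request: dict, aws_ok: bool, fw_ok: bool) -> tuple:
    """Build the issue comment and the label to add; the label is only set
    when both reachability tests passed, so an engineer is asked to assess
    next steps only for requests that are worth their time."""
    lines = [f"Reachability for {request['protocol']}/{request['port']} "
             f"{request['source']} -> {request['destination']}",
             f"- AWS path: {'PASS' if aws_ok else 'FAIL'}",
             f"- Firewall path: {'PASS' if fw_ok else 'FAIL'}"]
    label = "ready-for-review" if aws_ok and fw_ok else None
    return "\n".join(lines), label
```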
Turn the control node into a Lambda function or a Fargate container and start it on the merge commit event, OR use spot instances and scale the ASG from 0 to 1 instance.
Automatic SSH key retrieval from GPG.