2 Building a barebones DevOps pipeline

This chapter covers

Configuring a CI pipeline for an example invoicer application
Deploying the invoicer in AWS
Identifying areas of a DevOps pipeline that require security attention

In chapter 1, I outlined an ambitious security strategy and described why security must be an integral component of the product. For security to be a part of DevOps, we must first understand how applications are built, deployed, and operated in DevOps. We’ll ignore security in this chapter and focus on building a fully functional DevOps pipeline to understand the techniques of DevOps and set the stage for security discussions we’ll have in chapters 3, 4, and 5.

DevOps is more about concepts, ideas, and workflows than it is about recommending one specific technology. A DevOps standard may not exist, yet it has consistent patterns across implementations. In this chapter, we take a specific example to implement those patterns: the invoicer, a small web API that manages invoices through a handful of HTTP endpoints. It’s written in Go and its source code is available at https://securing-devops.com/ch02/invoicer.

2.1 Implementation roadmap

2.2 The code repository: GitHub

2.3 The CI platform: CircleCI

2.4 The container repository: Docker Hub

2.5 The production infrastructure: Amazon Web Services

2.5.1 Three-tier architecture

2.5.2 Configuring access to AWS

2.5.3 Virtual Private Cloud

2.5.4 Creating the database tier

2.5.5 Creating the first two tiers with Elastic Beanstalk

2.5.6 Deploying the container onto your systems

2.6 A rapid security audit

Summary