In early 2020, the client envisioned re-engineering a collaborative coffee ecosystem using cloud-native technology, aimed at helping coffee farms, SMB enterprises and the like to quickly innovate, experiment and scale to market demands.
The client was seeking a technology partner who could help them set up the platform and digitize their business, from farming to distribution. Most enterprises have an on-premises digital workplace to provision their users with easy-to-use and protected business solutions. However, determining the best path when looking to build a digital workplace in the cloud can be like driving through a never-ending tunnel.
The client wanted to use Opsio’s skilled & certified cloud engineers to drive their business solutions by leveraging public cloud without the need to maintain and manage their own in-house IT/Infrastructure team.
The client chose Opsio AB as we are industry veterans in cloud service engineering, integration, and operations. On the development front, the requirement was to achieve:
• Continuous Business Planning: A practice that focuses on establishing business goals and adjusting them based on customer feedback. In a traditional software development approach, the information needed to define a correct strategy is fragmented and inconsistent because of low automation and poor process standardization; feedback does not arrive in time to be incorporated into the next release, and value is therefore not delivered to the customer.
• Collaborative Development: Practice that aggregates all the elements of the different teams in the process of Software Development: Business owners, business analysts, enterprise and software architects, developers, QA practitioners, operations personnel, security specialists, suppliers, and partners. Practitioners from these teams work on multiple platforms and may be spread across multiple locations.
• Continuous Testing: Testing as early as possible and continuously throughout the development lifecycle, which reduces development cost and improves software quality. This practice relies on techniques such as test automation and virtualization to simulate the production environments, so that tests run in a scenario as close to reality as possible.
• Continuous Release and Deployment: The objective is to allow new functionalities to be deployed as fast as possible. It was this practice that originated the DevOps movement. This capability brought the concept of continuous integration to the next step allowing the possibility to create a complete automated pipeline of new features delivery in production.
• Continuous Monitoring: Collects data and metrics that are coming from the different stages of the application lifecycle which allows all the parties involved to react fast to improve or modify the functionalities which are being used.
• Continuous Customer Feedback and Optimization: The new technologies provide the ability to monitor the customer behavior which allows the business team or any other interested parties to take the necessary actions to improve the software.
Agile and Lean Principles
The DevOps practice was implemented in SEWN during project inception, based on agile and lean principles. This allowed the business owners and the development, operations, and quality assurance teams to collaborate to deliver software/services in a continuous, stable manner. Various tools & processes were implemented in SEWN to support functions such as project management and defect management. Atlassian Jira and Confluence are used for documentation, work breakdown structure & project management; BugHerd & Zapier are used for defect management.
Infrastructure as code
As per Opsio’s strong culture of DevOps, everything we created for the customer was deployed using CloudFormation. We achieved a flexible and complete infrastructure by developing separate CloudFormation templates: one for the core infrastructure, another for the continuous integration/continuous deployment pipeline for CodeCommit and CodeBuild (covered next), and lastly a template for the tasks running in AWS’s managed container service, ECS. As with all Infrastructure as Code deployments, the infrastructure can be versioned and controlled with all the tools available to application developers. This results in a consistent and reliable deployment every time.
Opsio designed a solution whereby the client applications would run within Docker containers, and for those containers to be managed and maintained by AWS’s managed Docker service, Elastic Container Service, or ECS. With this in place, developers can trigger new code to be built, tested, deployed and migrated through the various testing and staging environments just by committing into a code repository as they normally would.
Redundancy and Scaling
As the client demands high uptime, this new environment is built to be 100% redundant. Their database is replicated between different availability zones, as are the instances/tasks running in Docker. The customer’s applications also have peak hours/days when they need more performance, so we have set up auto-scaling rules for their ECS services/tasks in accordance with the best practices of the Amazon Web Services Well-Architected Framework. With ELB health checks, the environment can self-heal in case of an underlying hardware or software failure: it spins up new tasks to ensure that enough resource capacity is available. To provide good RPO and RTO numbers, Opsio configured continuous backup of the Aurora RDS cluster.
Code Star Notifications
Opsio provisioned a unified developer interface, enabling developers to easily manage software development and deployment activities in one place. With AWS CodeStar, we set up an entire continuous delivery tool-chain, allowing developers to start releasing code faster.
AWS Secrets Manager
AWS Secrets Manager enables us to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. It is one central location in which to keep all credentials secure, and it helps us protect access to our applications, services, and IT resources with no need to update the application code. All applications were running in containerized mode and needed to access Docker Hub to download the latest OS images/packages; the Docker Hub credentials used by the containerized workloads were stored in Secrets Manager.
SSM – Parameter Store
SSM parameter store is like “salt in our food”. This feature removes the risk of exposing critical config information and other parameters we use in our services by integrating it with AWS KMS service. This is a small component of SSM but an essential one without which the service will be incomplete.
Security Best Practices (What’s ON)
All necessary application configurations (service endpoints, DB endpoints etc.) are stored in Parameter Store with encryption enabled. These configuration parameters are made available to the applications during the build stage, which keeps them secure.
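As an added illustration of the build-stage injection described above and of the Docker Hub credentials held in Secrets Manager (example configuration written for this page, not Opsio’s or SEWN’s own buildspec), the following CodeBuild buildspec resolves Parameter Store and Secrets Manager values into environment variables before the image is built. The parameter paths, the secret id and the image name are assumed placeholders.

```yaml
version: 0.2

env:
  # Assumed names: the real SSM parameter paths and Secrets Manager secret
  # ids used for the SEWN platform are not part of this page.
  parameter-store:
    # SecureString parameters are decrypted with the KMS key they were written
    # with; the build role needs ssm:GetParameters and kms:Decrypt on that key.
    SERVICE_ENDPOINT: /sewn/prod/service/endpoint
    DB_ENDPOINT: /sewn/prod/db/endpoint
  secrets-manager:
    # Format is secret-id:json-key; the secret is a JSON object holding
    # {"username": "...", "password": "..."}. The build role needs
    # secretsmanager:GetSecretValue on this secret.
    DOCKERHUB_USER: sewn/dockerhub:username
    DOCKERHUB_PASS: sewn/dockerhub:password

phases:
  pre_build:
    commands:
      # --password-stdin keeps the password out of the process list and out
      # of the build log; the resolved values are never echoed.
      - echo "$DOCKERHUB_PASS" | docker login --username "$DOCKERHUB_USER" --password-stdin
  build:
    commands:
      # Endpoints are supplied as build-time configuration instead of being
      # committed to the repository. Build args are recorded in the image
      # history, so only non-secret configuration is passed this way; the
      # Docker Hub credentials are used for the login only and never reach
      # the image.
      - docker build --build-arg SERVICE_ENDPOINT="$SERVICE_ENDPOINT" --build-arg DB_ENDPOINT="$DB_ENDPOINT" -t sewn-api:latest .
```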
Data in transit
The application deployment strategy protects data in transit by applying the following recommended protection controls:
- HTTP/HTTPS traffic (web applications)
- HTTPS offload (web applications to ELB)
- SSH traffic (SSH access only via non-privileged user accounts)
Data at rest:
- Encryption of data at rest
- S3 versioning
- Database snapshots
- Restrictive IAM permissions on encryption keys
Policies and configuration:
We have enabled delegation of access to users and services through IAM Roles and temporary security credentials. Some of the policies implemented are:
- Cross Account Access, Delegation of privileges through IAM Groups & Roles
- Access to EC2s & other services in the form of IAM Roles & Policies
- Parameter Store to store secure credentials & configs
Web Application Firewalls
Opsio has provisioned a Web Application Firewall for the environment. We have configured WAF rules that protect the services from various types of vulnerabilities by filtering traffic against these rules.
Storing & Managing Encryption Keys
All access & secret access keys are stored in AWS KMS for increased security. These credentials are accessed and validated during application or service usage/runtime.
Deletion protection is enabled for databases & other compute services, which protects them against accidental deletion or termination.
Backup & Recovery Solution
AWS Backup is a fully managed service for backup and restore. Opsio used AWS Backup services to provision backup strategies for the customer with a simpler approach to managing data protection across their AWS estate.
Sewn’s IT infrastructure was designed and developed for the AWS Cloud. A lot of focus was given to enabling DevOps during the inception phase: new, highly automated CI/CD pipelines were implemented, enhanced security layers were created, and monitoring and alerting systems were improved.
Opsio managed to build the IT operations framework and reduce the amount of redundant manual tasks to unlock their engineering’s team potential, allowing it to prioritize complex development-based activities.
Running its key systems on AWS has delivered a range of benefits to Sewn. The scalability of AWS has enabled SEWN’s key systems to support the required transaction volumes, including the transactions associated with the sales every day. The business is also able to complete two to three major software releases and three to four minor releases per month on the CI/CD system alone, without having to spend several weeks procuring additional hardware. This helped SEWN accelerate its product release cycle by 2x.
By using AWS, SEWN has also been able to control costs. The business is now able to invest in the IT infrastructure it needs based on demand, rather than purchase hardware upfront based on growth estimates that might be inaccurate. The business plans to use AWS services to launch a machine learning platform and refine its supply chain by applying demand forecasting to tighten its delivery and fulfilment cycles.
The stability and agility of the AWS platform are providing opportunities for Sewn to explore further expansion. They are adding new modules and processes involving automation to streamline their business further.
AWS Services Used
Here is a partial list of key AWS Services used in building customer’s platform.
- AWS CodePipeline: We use AWS CodePipeline, a fully managed continuous delivery service, in the Sewn platform. It helps us automate our release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of our release process every time there is a code change, based on the release model we have defined.
- AWS CodeBuild: AWS CodeBuild is used as a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to be deployed. With CodeBuild, we don’t need to provision, manage, and scale our own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so our builds are not left waiting in a queue.
- AWS CodeDeploy: AWS CodeDeploy is used to rapidly release new features, helps us to avoid downtime during application deployment, and handles the complexity of updating our applications.
- AWS CodeStar: We are using AWS CodeStar for notifying developers of Git Pull & Push requests. Also, approval notifications are sent using CodeStar notification. By using AWS CodeStar, we have been able to set up our entire continuous delivery toolchain, allowing us to start releasing code faster.
- AWS CodeCommit: AWS CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories. It makes it easy for our teams to securely collaborate on code with contributions encrypted in transit and at rest. CodeCommit eliminates the need for us to manage our own source control system or worry about scaling its infrastructure.
- AWS S3: We use Amazon Simple Storage Service (Amazon S3), an object storage service, to host our static assets such as images, documents, CSS & SVG files. This means these resources can be shared across a multitude of frontend systems communicating with our backend.
- Amazon Elastic Container Service: Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that helps us to easily deploy, manage, and scale containerized applications for the customer. It deeply integrates with the rest of the AWS platform to provide a secure and easy-to-use solution for running container workloads in the cloud.
- AWS CloudFormation: AWS CloudFormation gives us an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. In the CloudFormation template we describe our desired resources and their dependencies so they can be launched and configured together as a stack.
- AWS Secrets Manager: AWS Secrets Manager helps us to protect secrets needed to access our applications, services, and IT resources. We use Secrets manager to easily store, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
- AWS RDS: We are using AWS Aurora to set up, operate, and scale a relational database in the cloud storing all business-critical data. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.
- AWS SSM Parameter Store: Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. We use it to store data such as passwords, database strings, DockerHub credentials and license codes as parameter values. We can store values as plain text or encrypted data.
- AWS Backup: We use AWS Backup to centralize and automate data protection of critical AWS services. It offers a cost-effective, fully managed, policy-based service that further simplifies data protection at scale.