Building a multi-account, multi-runtime service-oriented architecture (DOP316)

Title

AWS re:Invent 2023 - Building a multi-account, multi-runtime service-oriented architecture (DOP316)

Summary

  • Cole Morrison and Rosemary Cheng Yiu, both developer advocates at HashiCorp, discuss the complexities and necessities of building a multi-account, multi-runtime, and multi-region service-oriented architecture on AWS.
  • They emphasize the challenges of scaling across large organizations and the need for a common interface or architectural foundation to manage diverse skill sets and processes.
  • The talk covers the use of AWS Organizations for account management, AWS services like EC2, ECS, EKS, and CloudFront, and HashiCorp tools such as Terraform, Boundary, Vault, and Consul.
  • They demonstrate how to create a production runtime, observe and manage it, add features and fix bugs, secure multi-user access, and customize and add new runtimes.
  • The guiding principles for their architecture include autonomy, standardization, loose coupling, and discoverability.
  • The session includes a live demo showing the setup of infrastructure as code, dynamic credentials, service mesh, traffic management, and privileged access management.
  • A GitHub repository with a monorepo structure is used to reflect the organization account structure and facilitate infrastructure as code deployment.
  • The speakers conclude by highlighting the importance of autonomy, standardization, loose coupling, and discoverability in building and extending service-oriented architectures.

Insights

  • Autonomy: By using AWS accounts as a sandbox for different teams, organizations can provide autonomy and security while allowing teams to work within their preferred runtimes.
  • Standardization: The use of infrastructure as code, such as Terraform, helps in creating consistent automation and reduces edge cases. Standardization is key to managing automation at scale.
  • Loose Coupling: The use of well-defined interfaces, such as APIs, allows for modular and reusable components, which is essential for a service-oriented architecture.
  • Discoverability: Systems at scale require mechanisms for tracking and identifying resources, components, and assets. Tools like AWS CloudTrail and HashiCorp Consul help in achieving discoverability.
  • Multi-Account Management: AWS Organizations is a pivotal tool for managing multiple accounts, providing a hierarchical view and control over the AWS accounts.
  • Service Mesh: HashiCorp Consul is used to manage service discovery and connectivity across multiple runtimes and regions, providing a layer of abstraction for service communication.
  • Privileged Access Management: HashiCorp Boundary is introduced as a modern tool for managing access to TCP endpoints, providing just-in-time access and session recording for auditing purposes.
  • Infrastructure as Code: The use of Terraform Cloud as a CI framework allows for collaborative infrastructure management and deployment, with dynamic credentials for AWS access.
  • Scalability: The architecture presented is designed to scale, allowing for the addition of new runtimes and regions with minimal friction, leveraging the established patterns and modules.
  • Security: The use of Vault for secrets management and dynamic credentials ensures that sensitive information is handled securely and access is controlled.
  • Observability: The integration of CloudTrail and CloudWatch for logging, along with service mesh telemetry, provides insights into the system's health and activity.
  • Traffic Management: The ability to manage traffic and implement canary deployments through service mesh capabilities like traffic splitting is crucial for feature testing and progressive delivery.
  • Repository Structure: The GitHub monorepo structure mirrors the AWS organization account structure, which simplifies the mapping of code changes to the corresponding AWS account and runtime.
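The dynamic credentials mentioned under Infrastructure as Code and Security are what Terraform Cloud calls dynamic provider credentials: each run presents an OIDC token to AWS and assumes a role, so no long-lived access keys sit in the workspace. The block below is an added example written for this summary, not code from the talk or its repository; it assumes the hashicorp/aws and hashicorp/tls providers and uses hypothetical organization, project, workspace and role names.

```hcl
# Added example (not from the talk): Terraform Cloud dynamic provider
# credentials for AWS via OIDC, so no static access keys are stored.
# Hypothetical names: TFC org "acme", project "platform", workspace "prod-ecs".

data "tls_certificate" "tfc" {
  url = "https://app.terraform.io"
}

resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://app.terraform.io"
  client_id_list  = ["aws.workload.identity"]   # default TFC audience
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "tfc_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "app.terraform.io:aud"
      values   = ["aws.workload.identity"]
    }
    # Scope the trust to exactly one workspace; a broader wildcard in the
    # subject would let any workspace in the organization assume this role.
    condition {
      test     = "StringLike"
      variable = "app.terraform.io:sub"
      values   = ["organization:acme:project:platform:workspace:prod-ecs:run_phase:*"]
    }
  }
}

resource "aws_iam_role" "tfc_prod_ecs" {
  name               = "tfc-prod-ecs"   # hypothetical role name
  assume_role_policy = data.aws_iam_policy_document.tfc_trust.json
  # Attach only the permissions this runtime's Terraform actually needs;
  # one role per workspace keeps the blast radius to that account/runtime.
}

# In the workspace, set the environment variables TFC_AWS_PROVIDER_AUTH=true
# and TFC_AWS_RUN_ROLE_ARN=<arn of aws_iam_role.tfc_prod_ecs>; the AWS
# provider then obtains short-lived credentials for every plan and apply.
```

Because the role's trust is keyed to the workspace subject, a CloudTrail AssumeRoleWithWebIdentity event whose subject names an unexpected workspace is a useful detection signal.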