Applying the Roles & Profiles Method to Compliance Code
Heston Snodgrass, Sr. Services Delivery Engineer
March 25, 2021
Agenda
• Writing Compliance Code is Hard
• Overview of Roles & Profiles and the Facade Pattern
• Adapting These Patterns to Compliance Code
• Unique Hiera Interfaces
• Handling Boilerplate
• Q&A
Writing Compliance Code is Hard
• Code touches many parts of the node
• Can lead to a sprawling, tightly-coupled code base
• Auditing and maintaining this code can be difficult
• A lot of overlap between compliance frameworks
• Dreaded “spaghetti code”
Image: Yeh Xintong, unsplash.com
Software Design Patterns
Not just for software engineering interviews
Design patterns are problem-solving templates for your code
• The roles & profiles method is a design pattern
• It takes inspiration from the facade pattern detailed in the “Gang of Four” book¹
• A facade is an object that serves as a front-facing interface masking more complex underlying or structural code²
• Roles are the simple “front-end” facades, or interfaces, and profiles are the complex, “back-end” implementations
1. Design Patterns: Elements of Reusable Object-Oriented Software by Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides
2. https://en.wikipedia.org/wiki/Facade_pattern
A Picture is Worth a Thousand Roles & Profiles
https://puppet.com/docs/pe/2019.8/osp/the_roles_and_profiles_method.html
Adapting Roles & Profiles to Modules
There are two fundamental concepts for adapting roles & profiles to a module:
• Interfaces - simple Puppet classes that users (and Hiera) interact with
• Implementations - more complex Puppet classes / defined types that are either declared or included by interfaces
Interfaces and implementations should be kept separate
Finally, remember to document all of your code thoroughly
I’m the Interface, so That’s What You Call Me
• Interfaces are simple and homogenized
• Interface names relate directly to a compliance framework control
• Interfaces only declare or include implementations
• Interfaces pass all needed parameters through to their implementations
Image: Pierre Chatel, unsplash.com
That Implementation Really Tied the Room Together
• Implementations are single-purpose and self-contained
• Implementations DO NOT have framework-specific data
  – Exceptions can be made for default values
• Implementations are as complex as necessary
• Implementations are reusable
Image: Ant Rozetsky, unsplash.com
Examples!
Because it’s more fun to see code than it is to hear about it
This is our Compliance Module
(Module code shown on the slide.)
Simple, straight-forward, and WE know what it does.
However, I have a few questions:
• What CIS controls does this module enforce?
• Does this module enforce the CIS control “Ensure mounting of UDF filesystem is disabled”?
• Not all nodes that need to be CIS compliant need SSH and rsyslog configuration, is this possible?
This overly simplistic and incomplete CIS compliance module still has fundamental issues with it. So what can we do about all this?
Refactoring, It’s What’s for Dinner
• To adapt the roles & profiles method to our module we’ll need to refactor it
• First, we create two subdirectories in our manifests directory:
  – manifests/interfaces
  – manifests/implementations
• Next, we split up the implementation code into separate, self-contained classes / defined types
  – Implementations are created in manifests/implementations
Let There be Interfaces
• Now, we need to create the interfaces for this code
  – Interfaces are created in manifests/interfaces
  – We will use the CIS control names as the interface class names
The Module Interface
• Now we create an init.pp for our module. I like to refer to init.pp as the module interface
• The simplest way to do this is to just include all of our interfaces
  – Standard Hiera configuration: each interface is configured through its own automatic parameter lookup keys
  – No scope issues from resource-like class declarations
• We could also treat init.pp just like our other interface classes and parameterize it
  – This simplifies our Hiera config
  – We can configure our compliance module entirely from the classifier
• Use what works best for you. Experiment and focus on configuration, maintainability, and auditability.
• Keep it as simple as feasibly possible for what you want to accomplish
The Module Interface Part Deux
Using only include: (code shown on the slide)
A more complex example: (code shown on the slide)
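The slides show the refactored module only as screenshots, which did not survive extraction. What follows is an added example written for this page, not the presenter's code: a module called compliance (hypothetical name) with one implementation, the interface for the CIS control named on the earlier slide, a second interface for a made-up framework that reuses the same implementation, and both styles of init.pp from the slide above. The file paths, the modprobe and grep locations, the `acme_baseline` framework name, and the use of stdlib's `ensure_resource` are all assumptions made here.

```puppet
# --- manifests/implementations/disable_fs_module.pp ---------------------
# Implementation: single-purpose, self-contained, no framework-specific
# data. It does not know or care which control asked for it.
# (Example code for this page; command paths are assumed.)
define compliance::implementations::disable_fs_module (
  String[1] $module = $title,
) {
  # 'install <mod> /bin/true' makes modprobe refuse to load the module.
  file { "/etc/modprobe.d/${module}.conf":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "install ${module} /bin/true\n",
  }
  # Unload it if it is loaded right now, so enforcement is immediate.
  # A module that is in use makes modprobe -r fail, which fails the run
  # loudly instead of silently reporting compliance.
  exec { "unload-${module}":
    command => "/sbin/modprobe -r ${module}",
    onlyif  => "/bin/grep -qw ^${module} /proc/modules",
    require => File["/etc/modprobe.d/${module}.conf"],
  }
}

# --- manifests/interfaces/ensure_mounting_of_udf_filesystem_is_disabled.pp
# Interface: named after the CIS control, so the class name answers
# "what does this enforce?". It declares an implementation and passes
# parameters through; it contains no resources of its own.
class compliance::interfaces::ensure_mounting_of_udf_filesystem_is_disabled (
  Boolean $enforce = true,
) {
  if $enforce {
    # stdlib ensure_resource: two frameworks asking for the same thing on
    # one node must not raise a duplicate declaration error.
    ensure_resource('compliance::implementations::disable_fs_module', 'udf', {})
  }
}

# --- manifests/interfaces/acme_baseline_no_udf.pp -----------------------
# A second, hypothetical framework wants the same thing: new interface,
# same implementation. Nothing in the implementation changed.
class compliance::interfaces::acme_baseline_no_udf (
  Boolean $enforce = true,
) {
  if $enforce {
    ensure_resource('compliance::implementations::disable_fs_module', 'udf', {})
  }
}

# --- manifests/init.pp, variant A: include only --------------------------
# Each interface is configured through its own Hiera keys, e.g.
#   compliance::interfaces::ensure_mounting_of_udf_filesystem_is_disabled::enforce: false
# No resource-like declarations, so a profile that also includes one of
# these interfaces does not cause a duplicate declaration error.
class compliance {
  include compliance::interfaces::ensure_mounting_of_udf_filesystem_is_disabled
}

# --- manifests/init.pp, variant B: parameterized (ship A or B, never both)
# All knobs live on the top-level class, so the module can be configured
# entirely from the classifier. The price is the resource-like declaration:
# it must be the only declaration of that interface in the catalog and be
# evaluated before any 'include' of it, or compilation fails.
class compliance (
  Boolean $udf_disabled = true,
) {
  class { 'compliance::interfaces::ensure_mounting_of_udf_filesystem_is_disabled':
    enforce => $udf_disabled,
  }
}
```

With variant A a node opts out of a single control purely through the Hiera key in the comment, which is the "standard Hiera configuration" the slide refers to; with variant B the same opt-out is a parameter on compliance, which is what makes it classifier-friendly but also means no role or profile may include the interface on its own. The ensure_resource calls are what let two frameworks' interfaces land on the same node, the overlap the first slide warned about, without a duplicate resource error; if you do not want the stdlib dependency, plain declaration works as long as only one framework is classified per node.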
A New Compliance Framework has Appeared!
By using our adapted roles & profiles pattern, change is easy
• Quickly adapt to compliance framework changes
– New compliance framework, new interfaces
– Framework control names change, update interfaces
• Refactoring and maintaining the code is easier
– Backend changes don’t necessarily impact the front end
• Configuring the code now aligns directly with the controls we are
enforcing
– Makes life easier for auditors
• Onboarding new team members is easier
– Code is in small, digestible pieces
– Maps directly to the compliance framework
Whole Lotta Boilerplate
One downside with this pattern is that there is a good amount of boilerplate code. Fortunately, there’s some tooling that can help:
• Custom PDK templates
– Uses a familiar tool
– Documented well
– Can be complex to implement generation of custom classes
• https://github.com/hsnodgrass/abide_dev_utils
– Used by the Puppet SSE team
– Works from ERB templates stored directly in your module
– I like a bit of self-promotion
Thank you.
And now time for our Q&A!
My contact info:
- Email: heston.snodgrass@puppet.com
- Community Slack: @Heston Snodgrass

 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 

Applying Roles and Profiles method to compliance code

  • 1. Applying the Roles & Profiles Method to Compliance Code
    Heston Snodgrass, Sr. Services Delivery Engineer
    March 25, 2021
  • 2. Agenda
    • Writing Compliance Code is Hard
    • Overview of Roles & Profiles and the Facade Pattern
    • Adapting These Patterns to Compliance Code
    • Unique Hiera Interfaces
    • Handling Boilerplate
    • Q&A
  • 3. Writing Compliance Code is Hard
    • Code touches many parts of the node
    • Can lead to a sprawling, tightly-coupled code base
    • Auditing and maintaining this code can be difficult
    • A lot of overlap between compliance frameworks
    • Dreaded “spaghetti code”
    Image: Yeh Xintong, unsplash.com
  • 4. Software Design Patterns: Not just for software engineering interviews
    Design patterns are problem-solving templates for your code
    • The roles & profiles method is a design pattern
    • It takes inspiration from the facade pattern detailed in the “Gang of Four” book¹
    • A facade is an object that serves as a front-facing interface masking more complex underlying or structural code²
    • Roles are the simple “front-end” facades, or interfaces, and profiles are the complex, “back-end” implementations
    1. Design Patterns: Elements of Reusable Object-Oriented Software by Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides
    2. https://en.wikipedia.org/wiki/Facade_pattern
  • 5. A Picture is Worth a Thousand Roles & Profiles
    https://puppet.com/docs/pe/2019.8/osp/the_roles_and_profiles_method.html
  • 6. Adapting Roles & Profiles to Modules
    There are two fundamental concepts for adapting roles & profiles to a module:
    • Interfaces - Simple Puppet classes that are interacted with
    • Implementations - More complex Puppet classes / defined types that are either declared or included by interfaces
    Interfaces and implementations should be kept separate
    Finally, remember to document all of your code thoroughly
  • 7. I’m the Interface, so That’s What You Call Me
    • Interfaces are simple and homogenized
    • Interface names relate directly to a compliance framework
    • Interfaces only declare or include implementations
    • Interfaces pass all needed parameters
    Image: Pierre Chatel, unsplash.com
  • 8. That Implementation Really Tied the Room Together
    • Implementations are single-purpose and self-contained
    • Implementations DO NOT have framework-specific data
      – Exceptions can be made for default values
    • Implementations are as complex as necessary
    • Implementations are reusable
    Image: Ant Rozetsky, unsplash.com
  • 9. Examples! Because it’s more fun to see code than it is to hear about it
  • 10. This is our Compliance Module
    Simple, straightforward, and WE know what it does. However, I have a few questions:
    • What CIS controls does this module enforce?
    • Does this module enforce the CIS control “Ensure mounting of UDF filesystem is disabled”?
    • Not all nodes that need to be CIS compliant need SSH and rsyslog configuration; is this possible?
    This overly simplistic and incomplete CIS compliance module still has fundamental issues. So what can we do about all this?
  • 11. Refactoring, It’s What’s for Dinner
    • To adapt the roles & profiles method to our module we’ll need to refactor it
    • First, we create two subdirectories in our manifests directory:
      – manifests/interfaces
      – manifests/implementations
    • Next, we split up the implementation code into separate, self-contained classes / defined types
      – Implementations are created in manifests/implementations
  • 12. Let There be Interfaces
    • Now, we need to create the interfaces for this code
      – Interfaces are created in manifests/interfaces
    • We will use the CIS control names as the interface class names
  • 13. The Module Interface
    • Now we create an init.pp for our module. I like to refer to init.pp as the module interface
    • The simplest way to do this is to just include all of our interfaces
      – Standard Hiera configuration
      – No scope issues from resource-like class declarations
    • We could also treat init.pp just like our other interface classes and parameterize it
      – This simplifies our Hiera config
      – We can configure our compliance module entirely from the classifier
    • Use what works best for you. Experiment and focus on configuration, maintainability, and auditability.
      – Keep it as simple as feasibly possible for what you want to accomplish
  • 14. The Module Interface Part Deux
    Using only include:
    A more complex example:
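The refactoring walked through on slides 10 to 14 (and the interface and implementation rules from slides 7 and 8), written out as an added example; this is not the code shown on the slides and not Puppet's own code. The module name `compliance`, the class and defined-type names, the use of CIS control wording as interface names, the `compliance_legacy` name for the "before" class, and the remediation details are all assumptions made for illustration. `file_line` is the type from puppetlabs-stdlib, which the example assumes is a declared dependency of the module.

```puppet
# Added example (not the presentation's or Puppet's own code): a small CIS-style
# module refactored along the interfaces / implementations split from slides 10-14.
# Module name, class names, control wording and remediation details are assumptions.
# `file_line` is the puppetlabs-stdlib type, assumed to be a module dependency.

# ---- BEFORE (slide 10): manifests/init.pp does everything in one class ----
# Nothing names the control being enforced, and the SSH and rsyslog pieces cannot
# be left out for nodes that do not need them without editing this class.
class compliance_legacy {
  file { '/etc/modprobe.d/udf.conf':
    ensure  => file,
    content => "install udf /bin/true\n",
  }
  file_line { 'sshd PermitRootLogin':
    path => '/etc/ssh/sshd_config',
    line => 'PermitRootLogin no',
  }
  service { 'rsyslog': ensure => running, enable => true }
}

# ---- AFTER (slide 11): manifests/implementations/*.pp ----
# Single-purpose, self-contained, reusable, and free of framework-specific data:
# which filesystem or which sshd setting is enforced is decided by the caller.
define compliance::implementations::disable_fs_module (
  String[1] $fs_name = $title,
) {
  file { "/etc/modprobe.d/${fs_name}.conf":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "install ${fs_name} /bin/true\n",
  }
}

class compliance::implementations::sshd_service {
  service { 'sshd': ensure => running, enable => true }
}

define compliance::implementations::sshd_setting (
  String[1] $value,
  String[1] $setting = $title,
) {
  # `include` is idempotent, so many settings can share one service resource.
  include compliance::implementations::sshd_service
  file_line { "sshd_config ${setting}":
    path   => '/etc/ssh/sshd_config',
    line   => "${setting} ${value}",
    match  => "^#?\\s*${setting}\\s",
    notify => Service['sshd'],
  }
}

# ---- AFTER (slide 12): manifests/interfaces/*.pp, named after CIS controls ----
# An interface only declares implementations and passes every parameter they need.
class compliance::interfaces::ensure_mounting_of_udf_filesystems_is_disabled {
  compliance::implementations::disable_fs_module { 'udf': }
}

class compliance::interfaces::ensure_ssh_root_login_is_disabled {
  compliance::implementations::sshd_setting { 'PermitRootLogin': value => 'no' }
}

# ---- AFTER (slides 13-14): manifests/init.pp, the module interface ----
# Parameterized variant: each control is a Boolean keyed by its interface name, so
# Hiera (data/common.yaml) or the classifier can switch a control off per node:
#   compliance::ensure_ssh_root_login_is_disabled: false
# The include-only variant from slide 14 is this class with no parameters and the
# two `include` lines left unconditional.
class compliance (
  Boolean $ensure_mounting_of_udf_filesystems_is_disabled = true,
  Boolean $ensure_ssh_root_login_is_disabled               = true,
) {
  if $ensure_mounting_of_udf_filesystems_is_disabled {
    include compliance::interfaces::ensure_mounting_of_udf_filesystems_is_disabled
  }
  if $ensure_ssh_root_login_is_disabled {
    include compliance::interfaces::ensure_ssh_root_login_is_disabled
  }
}
```

With this layout the three questions from slide 10 answer themselves: the interface class names list the controls the module enforces, the UDF control is visibly present or absent, and a node that does not need the SSH control sets one Hiera key to `false` instead of needing a second copy of the module. The `sshd_service` class exists so that any number of `sshd_setting` instances can notify a single `Service['sshd']` without a duplicate-declaration error.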
  • 15. A New Compliance Framework has Appeared!
    By using our adapted roles & profiles pattern, change is easy
    • Quickly adapt to compliance framework changes
      – New compliance framework, new interfaces
      – Framework control names change, update interfaces
    • Refactoring and maintaining the code is easier
      – Back-end changes don’t necessarily impact the front end
    • Configuring the code now aligns directly with the controls we are enforcing
      – Makes life easier for auditors
    • Onboarding new team members is easier
      – Code is in small, digestible pieces
      – Maps directly to the compliance framework
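An added example of the "new framework, new interfaces" point on slide 15: one framework-agnostic implementation served by interfaces from two frameworks, and a module interface that selects a framework per node. This is not the presentation's code. The module name `compliance`, the per-framework interface namespaces, the `file_perms` implementation, and the second framework (`otherfw`, with a made-up control name) are placeholders and assumptions; the CIS control wording is used only as an illustrative class name.

```puppet
# Added example (not the presentation's code): reusing one implementation across
# two compliance frameworks. Names below are assumptions; `otherfw` and its control
# name are placeholders, not a real framework's wording.

# manifests/implementations/file_perms.pp
# One reusable implementation with no framework-specific data: owner, group and
# mode all come from the interface that declares it.
define compliance::implementations::file_perms (
  String[1]             $owner,
  String[1]             $group,
  Pattern[/^[0-7]{4}$/] $mode,
  String[1]             $path = $title,
) {
  file { $path:
    ensure => file,
    owner  => $owner,
    group  => $group,
    mode   => $mode,
  }
}

# manifests/interfaces/cis/ensure_permissions_on_etc_passwd_are_configured.pp
# The framework's values are passed here, not stored in the implementation.
class compliance::interfaces::cis::ensure_permissions_on_etc_passwd_are_configured {
  compliance::implementations::file_perms { '/etc/passwd':
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }
}

# manifests/interfaces/otherfw/passwd_file_permissions.pp
# A second framework arrives: only a new interface is written, the implementation
# is untouched. If the framework later renames the control, only this class moves.
class compliance::interfaces::otherfw::passwd_file_permissions {
  compliance::implementations::file_perms { '/etc/passwd':
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }
}

# manifests/init.pp
# A node is assigned exactly one framework (Hiera key `compliance::framework`),
# which keeps the two interfaces above from declaring the same file twice.
class compliance (
  Enum['cis', 'otherfw'] $framework = 'cis',
) {
  $interfaces = {
    'cis'     => ['compliance::interfaces::cis::ensure_permissions_on_etc_passwd_are_configured'],
    'otherfw' => ['compliance::interfaces::otherfw::passwd_file_permissions'],
  }
  # `include` accepts an array of class names, so the whole control set for the
  # selected framework is pulled in with one call.
  include $interfaces[$framework]
}
```

Because both interfaces resolve to the same `file { '/etc/passwd': }` resource, applying both frameworks to one node would be a duplicate declaration; selecting the framework in the module interface is what makes the overlap between frameworks (slide 3) a reuse opportunity rather than a conflict.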
  • 16. Whole Lotta Boilerplate
    One downside with this pattern is that there is a good amount of boilerplate code. Fortunately, there’s some tooling that can help:
    • Custom PDK templates
      – Uses a familiar tool
      – Well documented
      – Can be complex to implement generation of custom classes
    • https://github.com/hsnodgrass/abide_dev_utils
      – Used by the Puppet SSE team
      – Works from ERB templates stored directly in your module
      – I like a bit of self-promotion
  • 17. Thank you. And now time for our Q&A!
    My contact info:
    - Email: heston.snodgrass@puppet.com
    - Community Slack: @Heston Snodgrass