Starting at the bottom, the foundation layer holds the basics like networking, storage, accounts, and permissions. The shared services layer is where I place tools like certificate managers and secret storage. I keep services that interact closely together, while separating those that work more independently. At the top, I lay out the applications. This is where I slot in services like auto-scaling groups, individual server instances, load balancers (depending on whether they're communal or specific), and pods in platforms like Kubernetes. Depending on the complexity of the environment there may be one or several of each layer.
By structuring IaC this way, I find it’s clearer and more intuitive.
Global - Things from the AWS global region, notably DNS (DelegationSet and Zone) and IAM
Core - Semi-permanent per-stack resources such as secrets and certificates
Network - Network resources per-stack (i.e. VPC & EC2)
Database - Database resources per-stack (i.e. RDS) and rotating secrets (via Lambda)
Application - Application resources per-stack (i.e. ECS)
Breakglass - Resources for breakglass shell access to the DMZ subnets
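The layering described above only works if references between stacks flow strictly downward (application reads outputs of database/network/core, never the reverse). Below is an added example, not code from the article, from Pulumi or from the commenter, that models a constructed inventory of stacks with the six layers listed above and checks two things a practitioner would want in CI: that no stack pulls outputs from a stack in the same or a higher layer, and the order in which the stacks must be applied. The stack names and their references are assumed for illustration; in Pulumi the reference would be a StackReference, in Terraform a remote-state data source.

```python
"""Layer-ordering check for a layered IaC layout.

Added example, not from the article or the comment above; the stack names and
cross-stack references below are constructed for illustration.
"""
from graphlib import TopologicalSorter, CycleError

# The six layers from the comment above, bottom to top (lower index = lower layer).
LAYERS = ["global", "core", "network", "database", "application", "breakglass"]
LAYER_RANK = {name: i for i, name in enumerate(LAYERS)}

# Constructed inventory: stack name -> (layer, stacks whose outputs it reads).
STACKS = {
    "global":           ("global", []),
    "core-prod":        ("core", ["global"]),
    "network-prod":     ("network", ["core-prod"]),
    "database-prod":    ("database", ["network-prod", "core-prod"]),
    "application-prod": ("application", ["database-prod", "network-prod", "core-prod"]),
    "breakglass-prod":  ("breakglass", ["network-prod"]),
}


def layering_violations(stacks):
    """Return (stack, referenced) pairs that break the downward-only rule.

    A stack may only read outputs of stacks in a strictly lower layer. Reading
    from the same or a higher layer is a hidden coupling: the lower stack can no
    longer be deployed or reasoned about on its own. Dangling references (a stack
    that does not exist in the inventory) are reported as well.
    """
    violations = []
    for name, (layer, refs) in stacks.items():
        for ref in refs:
            if ref not in stacks:
                violations.append((name, ref))
                continue
            ref_layer = stacks[ref][0]
            if LAYER_RANK[ref_layer] >= LAYER_RANK[layer]:
                violations.append((name, ref))
    return violations


def deployment_order(stacks):
    """Order in which the stacks must be applied: every stack after the stacks
    it references. Raises ValueError on a reference cycle, which a correctly
    layered layout can never contain."""
    # TopologicalSorter takes {node: predecessors}; referenced stacks deploy first.
    graph = {name: set(refs) for name, (_, refs) in stacks.items()}
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"reference cycle between stacks: {exc.args[1]}") from exc


if __name__ == "__main__":
    problems = layering_violations(STACKS)
    print("violations:", problems or "none")
    print("apply in this order:", " -> ".join(deployment_order(STACKS)))
```

Run the file directly to print the check for the constructed inventory; in a pipeline you would build `STACKS` from the real stack references and fail the build when `layering_violations` returns anything.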
Also, I think where OP uses "principal" they mean "principle".
The whole article reads as an advertorial for Pulumi. :|
OP also never bothers to ask themselves questions like "what if I'm wrong?" or "what to do with this obvious claim that doesn't add up?".
For example: why is "Data" layer below "Compute"? -- that's the kind of question that's never addressed by OP. I mean, most people in the industry wouldn't think about this as being layers, and definitely not being one on top of the other. To convince someone you need to give a very solid argument here... but there's nothing there...
I say some sense because layer 3 "permissions" sticks out to me like a sore thumb. Whenever I work with terraform I spend 50% of the time on permissions. I'd hesitate to call it a "layer" given the pervasive nature of IAM roles/permissions across all resources.
Because there are 7 of them, just like the toes on your left foot, one eye, and your right thumb? It didn't make sense to me either.
And seemed like an ad.
I guess
How long does it take to deploy a new service with this approach? A week?
> Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
> Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
Given that, how is one supposed to reply critically to such a post? I'm genuinely curious and open to suggestions, as it's something I'm clearly not good at.
It is in some cases required to do some version of this as the vendor API support does not allow for proper feedback when an operation is complete so it needs to settle.
Or, building docker images which run each time and take a long time / resources unnecessarily (I believe Pulumi have a fix for some version of this).
If your stacks are deployed via CI/CD, it’s not really a big deal to deploy 10x stacks in sequence, or just.
This may be overkill for a lot of projects but it’s valuable insight from a respected organization / individual.
What's next, real world data to back up their claims? Research papers offering corroborating evidence?
This is the internet, we don't do that here.
Avoid splitting this up as it introduces too much complexity. The IAC code should be very simple such that any dev can pick it up just coming off the tutorials.
Company I'm in has 3 layers and dozens of stacks and it's made the whole thing impossible to reason about. No one wants to touch it anymore which means we now have a Platform team that screws around with this chap for months on end.
Note: Lee Briggs works for Pulumi as a Principal Platform engineer so it's in their interest to make this too complicated.
Everyone gets here eventually and you can just fight over stuff like “is an alb shared regional or app specific”
Infra should be as simple as possible, and the simple infra should inform simple app design.
I bet we have far more instances under our name than the people that write this article, and yet we have nowhere near that level of complexity in our IaC definitions. And yet, somehow we manage. I guess we are immature?
We however had the advantage of building IAC from ground up and had the time to do it properly.