Introducing Reference Architecture 2.0

Next generation, production-grade, battle-tested, best practices end-to-end tech stack for AWS!

Rho Sang
Gruntwork


Today I am excited to announce the general availability of version 2.0 of the Gruntwork Reference Architecture!

From the very beginning, we at Gruntwork have focused on providing an end-to-end solution that makes it 10x easier to go to production and the Reference Architecture has been a core part of that. The Reference Architecture is an opinionated end-to-end tech stack built on top of the Infrastructure as Code Library that we deploy into your AWS accounts in about a day. With the Reference Architecture, you get a production ready platform that takes care of everything you need to launch your product in the cloud: orchestration (e.g., EKS, ECS, ASG), load balancer (e.g., ALB), database (e.g., Postgresql, Mysql, SQL Server, Aurora), cache (e.g., Memcached, Redis), network topology, monitoring, alerting, CI/CD, secrets management, VPN, and more (check out the Production Readiness Checklist to see what it takes to go to prod).

Let’s take a tour of what changed since version 1.0 of the Reference Architecture to provide you the next generation of a production ready AWS technology stack!

Service Catalog

On August 26th, 2020, we announced the initial release of the Service Catalog in a private, invite-only alpha program and have since made it generally available to all Gruntwork subscribers.

The Service Catalog provides a collection of highly configurable, battle-tested, production-grade services that you can deploy off-the-shelf without writing any code. Each service contains everything you need to deploy the components, including:

  • Terraform code to provision the infrastructure, including considerations for security, monitoring, logging, alerting, backups, and more.
  • Packer templates to build AMIs for your components, with configurations for log aggregation, SSH access control, server hardening, bootstrapping, metrics, and more.
  • Scripts, documentation, automated tests, and much more.

You can learn more about the Service Catalog (including code snippets that show you how easy it is to deploy production ready infrastructure using the catalog) in the announcement blog post.

Reference Architecture 2.0 makes full use of the Service Catalog, assembling the services in the catalog into a coherent, end-to-end architecture.

Previous iterations of the Reference Architecture provided you with a snapshot of an internal service catalog that you then had to maintain going forward. While this gave you flexibility, it resulted in significant maintenance overhead to keep the modules up to date.

With the new configuration, you only need to maintain the live infrastructure configurations that specify the unique setup for your infrastructure, such as AWS regions, instance types, disk size, domain names, and other customizations.

Gruntwork Landing Zone

On March 19th, 2020 we announced the release of Gruntwork Landing Zone, a collection of modules that provide a secure baseline for managing multiple AWS accounts in your AWS Organization. Using multiple AWS accounts is a core part of a production ready AWS setup, but managing multiple AWS accounts has consistently resulted in major headaches for the operations team. Gruntwork Landing Zone reduced the overhead of managing multiple AWS accounts by providing a series of security baseline modules that can be applied to each account to set up a production ready AWS account in minutes, including CloudTrail, AWS Config, AWS GuardDuty, IAM groups for permissions management, cross-account IAM roles, KMS keys, EBS encryption, and more.

Reference Architecture 2.0 leverages Gruntwork Landing Zone to provide you with a locked down, secure, production ready multi-account AWS setup, evolving the existing multi-account setup we provided in Reference Architecture 1.0.

Previous iterations of the Reference Architecture only included partial support for many of the configurations provided in Landing Zone. With Reference Architecture 2.0, you have an even more hardened multi account setup that you can bet your company on.

Gruntwork Pipelines

On March 17th, 2020 we announced the release of Gruntwork Pipelines, a secure and fully automated CI/CD platform for infrastructure code. Gruntwork Pipelines provides a solution that allows you to keep AWS credentials isolated from third-party CI platforms and located within a locked down AWS environment, preventing arbitrary access to your AWS accounts. Additionally, Gruntwork Pipelines supports a wide variety of infrastructure code, including Terraform, Terragrunt, Packer, Docker, and more.

In 2.0, the Reference Architecture now ships with Gruntwork Pipelines. This means that you get a secure and fully automated CI/CD workflow for all your infrastructure code. That is, when you receive the Reference Architecture, you complete the final integration steps for your desired CI/CD environment, and then start using the workflow by pushing changes on a new branch and opening a PR to see the plan action run for your changes. You can then trigger the apply action by merging the change into main, all without having to run terragrunt locally!

And more!

The above are just a few of the highlights of the improvements rolled into Reference Architecture 2.0. There are many more improvements to the Reference Architecture beyond what’s already mentioned, including:

  • Leveraging the latest Terragrunt features, such as (a) generate blocks for DRY provider configurations; (b) dependency blocks for explicit dependency management of your modules; (c) read_terragrunt_config for DRY configuration variables like allowed CIDR blocks, resource name prefixes, and more.
  • Compatibility with Terraform 0.14.x.
  • An improved CIS Reference Architecture that is compliant with version 1.3.0 of the CIS AWS Foundations Benchmark (previously only 1.2.0 was supported).
  • Build scripts for building AMIs and Docker images.
  • Cross account sharing of encrypted AMIs.
  • End-to-end encryption by default.

And so much more!
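To show how the three Terragrunt features listed above fit together in a single live configuration, here is an added illustration (not code from the Gruntwork Reference Architecture); the module source, file paths, and variable names are assumptions.

```hcl
# Added illustration (not Gruntwork's Reference Architecture code): one live
# terragrunt.hcl using generate, dependency, and read_terragrunt_config.
# Paths, the module source, and variable names are assumptions.

# Shared values read once from a parent-level file, e.g. common.hcl containing:
#   locals { name_prefix = "acme"  allowed_cidr_blocks = ["10.0.0.0/8"] }
locals {
  common = read_terragrunt_config(find_in_parent_folders("common.hcl"))
  region = "us-east-1"
}

# Generate the AWS provider block so every module gets an identical,
# centrally maintained provider configuration instead of a hand-copied one.
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "aws" {
  region = "${local.region}"
}
EOF
}

# Explicit dependency on the VPC module: Terragrunt applies it first and
# exposes its outputs. mock_outputs let the PR plan step run before the VPC
# exists, and are restricted so they can never leak into an apply.
dependency "vpc" {
  config_path = "../vpc"
  mock_outputs = {
    vpc_id = "vpc-mock"
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

terraform {
  source = "git::git@github.com:example-org/infra-modules.git//security-group?ref=v1.0.0"
}

# Inputs pull the shared CIDR allow-list and name prefix from common.hcl and
# the VPC id from the dependency, so none of them is duplicated per module.
inputs = {
  name                = "${local.common.locals.name_prefix}-app-sg"
  vpc_id              = dependency.vpc.outputs.vpc_id
  allowed_cidr_blocks = local.common.locals.allowed_cidr_blocks
}
```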

Updating from Reference Architecture 1.0

If you have previously purchased our Reference Architecture product and have a Reference Architecture 1.0 setup, you can upgrade to Reference Architecture 2.0 by following the guides listed below:

These guides give a comprehensive overview of how to take your existing Reference Architecture deployment and update it to include the 2.0 features in an incremental fashion.

Get a Reference Architecture

If you are interested in purchasing a Reference Architecture to get a production-grade, battle-tested, best practices end-to-end tech stack for launching your products, contact us!

This article was co-authored with Yoriyasu Yano.
