Configuration Promotion Automation

Configuration as Code (CaC)

Configuration as Code (CaC) is the practice of managing and automating the configuration of software and systems using machine-readable definition files. Instead of manually configuring settings through graphical interfaces or command-line tools, configurations are defined in code, stored in text files, and treated like any other piece of software. This allows for version control, collaboration, and automated deployments.

The key benefits of CaC include increased consistency, reduced errors, and improved auditability. By defining configurations in code, developers can eliminate the risk of human error associated with manual configuration. CaC also enables version control, allowing developers to track changes, revert to previous configurations, and maintain a history of modifications. This fosters collaboration, as teams can easily review and contribute to configuration changes. Furthermore, automated deployments ensure that configurations are applied consistently across all environments.

Export CaC

Engineers responsible for contributing features within Ping Identity solutions typically treat the GUI of the products as a development environment. Thus, they will need a process to extract the resulting configuration into code.

Ping Identity recommends that complex use-case development (such as authentication and authorization policy definition or DaVinci flow design) occur in the admin consoles rather than manipulating exports directly.

Extracted CaC can take various forms, but it should fit within the following guardrails:

  • Readability: Code should be human-readable and well-documented. Clear and concise code facilitates understanding, collaboration, and maintenance.

  • Modularity: Configurations should be organized into modular components. This makes it easier to manage, update, and reuse configuration settings across different environments or components.

  • Versioning: Like application code, configuration code should be versioned using a version control system. This enables tracking changes, rolling back to previous configurations, and collaborating effectively.

  • Idempotence: The configuration code should be idempotent, meaning that applying the same configuration multiple times has the same result as applying it once. This ensures that repeated executions don’t lead to unintended side effects or inconsistencies.

  • Reproducibility: CaC should support the reproducibility of environments. Given a specific version of the configuration, it should be possible to recreate the same environment consistently.

  • Parameterization: Configuration should be parameterized to allow flexibility. This enables the same codebase to be used across different environments or instances with varying requirements.

  • Security considerations: Implement security best practices in the configuration code. Parameterize sensitive information and ensure that access controls and permissions are well-defined and enforced.

  • Error handling: Include proper error handling mechanisms in the code. Log meaningful error messages and provide information that helps diagnose and resolve issues quickly.

  • Auditability: Maintain an audit trail of changes to configurations. Ensure that changes are logged and the reasons for each change are documented. This aids in troubleshooting and compliance.

  • Consistency across environments: Ensure that the same configuration codebase can be used across different environments (development, testing, production) with minimal modifications. This reduces the chances of configuration drift.

  • Scalability: Design configurations to scale as the system grows. Consider the ability to manage configurations for a growing number of services, components, or instances.

  • Collaboration: Facilitate collaboration among team members by following best practices for version control, code review, and documentation. Make sure that changes to the configuration are well-communicated and understood by the team.

  • Community and ecosystem support: Choose tools and frameworks that have active community and ecosystem support. This ensures that there are resources, plugins, and extensions available to enhance and extend the functionality of the configuration code.

Forms of how this configuration can be stored include:

  • Terraform HCL for solutions that have published Terraform providers (using the terraform export CLI feature).

  • Exported configuration files containing binary or structured data.

  • Postman API collection.

  • Generic API collection (which can be organized in an orchestrator such as Ansible or ICEflo).

  • Server Configuration Profiles (applies to Ping Identity software Docker images).

Validate configuration

Validating CaC is an important prerequisite for building confidence in the code review and promotion process. Code validation delivered through open-source tooling or developed scripts can be automatically run within the promotion pipeline.

Aspects of validation include:

  • Syntax checking: Use syntax checkers specific to the configuration language developers are using, such as YAML, JSON, or HCL. Ensure consistent formatting and coding style across configuration files to help with reviewability.

  • Linting: Additional linting beyond syntax checking can be used for service-specific validations. This can include dependency checking between configuration modules or logical error identification.

  • Security scanning: Perform security scans on configuration code to identify and remediate vulnerabilities. Ensure that sensitive information, such as passwords and API keys, is properly hidden and managed.

  • Compliance Checks: Implement checks for regulatory compliance and company policies within configuration validation processes.

Forms of configuration validation include:

  • Terraform validate (terraform validate).

  • JSON lint tools such as JSONLint.

  • Postman schema validation and syntax error checks.

  • Terraform sentinel policies.

  • Static code analysis tools.