Jump to Content
DevOps & SRE

How to integrate Policy Intelligence recommendations into an IaC pipeline

October 28, 2019
Dominik Richter

Product Manager, Google Cloud

Payal Jain

Solutions Architect, Google Cloud

Chances are, you want to configure your Google Cloud environment for optimal security, cost and efficiency. Lucky for you, Google Cloud Policy Intelligence helps you do just that. Policy Intelligence’s new IAM and Compute Engine Rightsizing recommenders are currently in beta and automatically suggest ways to make your cloud deployment more secure and cost-effective.

https://storage.googleapis.com/gweb-cloudblog-publish/images/google_cloud_iam.max-1400x1400.png

It’s easy enough to review and apply these recommendations from within the Google Cloud Console. But what if you use Infrastructure as Code (IaC)? Treating your cloud infrastructure as code can make the administration, roll-out and upkeep of your environment more consistent and repeatable, and free your teams from having to troubleshoot snowflake environments that have a tendency to drift over time. If you do have IaC pipelines, you may need to manually review your IaC manifests to prevent infrastructure drifts, and also to ensure that they reflect the recommendations you may apply from within the Google Cloud console. 

Further, as your Google Cloud footprint expands, relying on manual techniques alone to review and track recommendations is inefficient. 

What if you could make Policy Intelligence recommenders and your IaC pipelines work together?

In a perfect world, you’d be able to use the recommendations that GCP surfaces with your repeatable IaC pipelines. Imagine if you could setup a serverless pipeline to track Policy Intelligence recommendations, automatically update your IaC manifests, generate pull requests for authorized teams to review and approve, and finally, roll them out with your CI/CD tool.


https://storage.googleapis.com/gweb-cloudblog-publish/images/iac_pipelines.max-2000x2000.png
Click to enlarge

Turns out, you can! To get you started and learn more, here’s a tutorial that shows you how.

In this tutorial, we walk you through a pipeline that parses the Policy Intelligence recommendations generated by the platform to map them to the configuration you have in your Terraform manifests. The service updates your IaC manifests to reflect these recommendations and generates a pull request for your teams to review and approve. Upon approval and merge, a Cloud Build job rolls out the changes to the infrastructure in your GCP organization. 

Now you don’t have to choose between following Policy Intelligence’s latest recommendations and practicing Infrastructure as Code. The open source codebase for this tutorial is available on Github. Download it today and modify it to suit your specific DevOps pipeline.
Posted in