Browse Source

CON-2204 de vops audits reworks (#2333)

* chore(Readme): adding guidance for AFPA time management of deep in system project

* chore(README): formate the space

* chore(Audit Readme): rewording

* chore(README audits): added focus on technical questions commands

---------

Co-authored-by: Christopher Fremond <christopher@01talent.com>
pull/2338/head
Christopher Fremond 11 months ago committed by GitHub
parent
commit
a24842592e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 202
      subjects/devops/cloud-design/audit/README.md
  2. 244
      subjects/devops/code-keeper/audit/README.md

202
subjects/devops/cloud-design/audit/README.md

@ -1,102 +1,100 @@
#### General
##### Check the Repo content.
Files that must be inside the repository:
- Detailed documentation in the `README.md` file.
- Source code for the microservices and scripts required for deployment.
- Configuration files for AWS Infrastructure as Code (IaC), containerization, and orchestration tools.
###### Are all the required files present?
##### Play the role of a stakeholder.
Organize a simulated scenario where the students take on the role of AWS Cloud engineers and explain their solution to a team or stakeholder. Evaluate their grasp of the concepts and technologies used in the project, their communication efficacy, and their critical thinking about their solution.
Suggested roleplay questions include:
- What is the cloud and its associated benefits?
- Why is deploying the solution in the cloud preferred over on-premises?
- How would you differentiate between public, private, and hybrid cloud?
- What drove your decision to select AWS for this project, and what factors did you consider?
- Can you describe your microservices application's AWS-based architecture and the interaction between its components?
- How did you manage and optimize the cost of your AWS solution?
- What measures did you implement to ensure application security on AWS, and what AWS security best practices did you adhere to?
- What AWS monitoring and logging tools did you utilize, and how did they assist in identifying and troubleshooting application issues?
- Can you describe the AWS auto-scaling policies you implemented and how they help your application accommodate varying workloads?
- How did you optimize Docker images for each microservice, and how did it influence build times and image sizes?
- If you had to redo this project, what modifications would you make to your approach or the technologies you used?
- How can your AWS solution be expanded or altered to cater to future requirements like adding new microservices or migrating to a different cloud provider?
- What challenges did you face during the project and how did you address them?
- How did you ensure your documentation's clarity and completeness, and what measures did you take to make it easily understandable and maintainable?
###### Was the students able to answer all the questions correctly?
###### Did the students demonstrate a thorough understanding of the concepts and technologies used in the project?
###### Were the students able to communicate effectively and justify their decisions?
###### Could the students critically evaluate their solution and consider alternative strategies?
##### Review the Architecture Design.
Review the student's architecture design, ensuring that it meets the project requirements:
1. `Scalability`: Does the architecture utilize AWS services to manage varying workloads and scale as required?
2. `Availability`: Design the architecture to be fault-tolerant and maintain high availability, even during component failures.
3. `Security`: Does the architecture integrate AWS security best practices, such as data encryption, use of AWS VPC, and secure API endpoints with managed authentication?
4. `Cost-effectiveness`: Is the architecture designed to be cost-effective on AWS without compromising performance, security, or scalability?
5. `Simplicity`: Is the AWS architecture straightforward and free of unnecessary complexity while still fulfilling project requirements?
###### Did the architecture design and choice of services align with the project requirements?
###### Did the students have the ability to design a cost-effective architecture that meets the project requirements?
##### Check the student documentation in the `README.md` file.
###### Does the `README.md` file contain all the necessary information about the solution (prerequisites, setup, configuration, usage, ...)?
###### Is the documentation provided by the student clear and complete, including well-structured diagrams and thorough descriptions?
##### Verify the deployment.
###### Are all the microservices running as expected in the cloud environment, with no errors or connectivity issues?
###### Is the load balancing configured correctly, effectively distributing traffic across the services?
###### Are the microservices communicating with each other securely, using proper authentication and encryption methods?
##### Evaluate the infrastructure setup.
###### Are `Terraform` used effectively to provision and manage resources in the cloud environment?
###### Does the infrastructure setup follow the architecture design and the project requirements?
##### Assess containerization and orchestration.
###### Are the Dockerfiles optimized for efficient container builds?
###### Is the orchestration setup (e.g., Kubernetes manifests or AWS ECS task definitions) configured correctly?
##### Evaluate monitoring and logging.
###### Do monitoring and logging dashboards provide useful insights into the application performance and health?
##### Assess optimization efforts.
###### Are the auto-scaling policies configured correctly to handle varying workloads?
###### Does the application and resource allocation remain efficient under different load scenarios?
##### Check security best practices.
###### Has the student implemented security best practices, such as using HTTPS, securing API endpoints, and regularly scanning for vulnerabilities?
#### Bonus
###### +Did the student used his/her own `orchestrator` solution instead of the provided one?
###### +Did the student add any optional bonus?
###### +Is this project an outstanding project?
#### General
##### Check the Repo content.
Files that must be inside the repository:
- Detailed documentation in the `README.md` file.
- Source code for the microservices and scripts required for deployment.
- Configuration files for AWS Infrastructure as Code (IaC), containerization, and orchestration tools.
###### Are all the required files present?
##### Play the role of a stakeholder.
Organize a simulated scenario where the students take on the role of AWS Cloud engineers and explain their solution to a team or stakeholder. Evaluate their grasp of the concepts and technologies used in the project, their communication efficacy, and their critical thinking about their solution.
Suggested roleplay questions include:
- What is the cloud and its associated benefits?
- Why is deploying the solution in the cloud preferred over on-premises?
- How would you differentiate between public, private, and hybrid cloud?
- What drove your decision to select AWS for this project, and what factors did you consider?
- Can you describe your microservices application's AWS-based architecture and the interaction between its components?
- How did you manage and optimize the cost of your AWS solution?
- What measures did you implement to ensure application security on AWS, and what AWS security best practices did you adhere to?
- What AWS monitoring and logging tools did you utilize, and how did they assist in identifying and troubleshooting application issues?
- Can you describe the AWS auto-scaling policies you implemented and how they help your application accommodate varying workloads?
- How did you optimize Docker images for each microservice, and how did it influence build times and image sizes?
- If you had to redo this project, what modifications would you make to your approach or the technologies you used?
- How can your AWS solution be expanded or altered to cater to future requirements like adding new microservices or migrating to a different cloud provider?
- What challenges did you face during the project and how did you address them?
- How did you ensure your documentation's clarity and completeness, and what measures did you take to make it easily understandable and maintainable?
###### Were the students able to answer all the questions correctly?
###### Did the students demonstrate a thorough understanding of the concepts and technologies used in the project?
###### Were the students able to communicate effectively and justify their decisions?
###### Could the students critically evaluate their solution and consider alternative strategies?
##### Review the Architecture Design.
Review the student's architecture design, ensuring that it meets the project requirements:
1. `Scalability`: Does the architecture utilize AWS services to manage varying workloads and scale as required?
2. `Availability`: Is the architecture designed to be fault-tolerant and maintain high availability, even during component failures?
3. `Security`: Does the architecture integrate AWS security best practices, such as data encryption, use of AWS VPC, and secure API endpoints with managed authentication?
4. `Cost-effectiveness`: Is the architecture designed to be cost-effective on AWS without compromising performance, security, or scalability?
5. `Simplicity`: Is the AWS architecture straightforward and free of unnecessary complexity while still fulfilling project requirements?
###### Did the architecture design and choice of services align with all the project requirements above?
###### Were the students able to design a cost-effective architecture that meets the project requirements?
##### Check the student documentation in the `README.md` file.
###### Does the `README.md` file contain all the necessary information about the solution (prerequisites, setup, configuration, usage, ...)?
###### Is the documentation provided by the student clear and complete, including well-structured diagrams and thorough descriptions?
##### Verify the deployment. Ask the auditee **to show you**, the auditor, the use of the commands `aws cli`, `docker ps`, and/or `kubectl` or any other necessary with the right options to answer the following questions.
###### Are all the microservices running as expected in the cloud environment, with no errors or connectivity issues?
###### Is the load balancing configured correctly, effectively distributing traffic across the services?
###### Are the microservices communicating with each other securely, using proper authentication and encryption methods?
##### Evaluate the infrastructure setup. Ask the auditee **to show you**, the auditor, the use of the commands `terraform plan` and/or `terraform apply` to answer the following questions.
###### Is `Terraform` used effectively to provision and manage resources in the cloud environment?
###### Does the infrastructure setup follow the architecture design and the project requirements?
##### Assess containerization and orchestration. Ask the auditee **to show you**, the auditor, the use of the commands `aws cli`, `docker ps`, and/or `kubectl` or any other necessary with the right options to answer the following questions.
###### Are the Dockerfiles optimized for efficient container builds?
###### Is the orchestration setup (e.g., Kubernetes manifests or AWS ECS task definitions) configured correctly?
##### Evaluate monitoring and logging.
###### Are monitoring and logging dashboards providing useful insights into the application performance and health?
##### Assess optimization efforts.
###### Are the auto-scaling policies configured correctly to handle varying workloads?
###### Does the application and resource allocation remain efficient under different load scenarios?
##### Check security best practices.
###### Has the student implemented security best practices, such as using HTTPS, securing API endpoints, and regularly scanning for vulnerabilities?
#### Bonus
###### +Did the student add any optional bonus?
###### +Is this project an outstanding project?

244
subjects/devops/code-keeper/audit/README.md

@ -1,122 +1,122 @@
#### General
##### Check the Repo content:
Files that must be inside the repository:
- CI/CD pipeline configuration files, scripts, and any other required artifacts.
- An Ansible playbook and used scripts for deploying and configuring a GitLab instance.
- A well-documented README file that explains the pipeline design, the tools used, and how to set up and use the pipeline.
###### Are all the required files present?
##### Play the role of a stakeholder:
As part of the evaluation process, conduct a simulated real-world scenario where the students assume the role of a DevOps engineer and explain their solution to a team or stakeholder. Evaluate their understanding of the concepts and technologies used in the project, as well as their ability to communicate effectively and think critically about their solution.
During the roleplay, ask them the following questions:
- Can you explain the concept of DevOps and its benefits for the software development lifecycle?
- How do DevOps principles help improve collaboration between development and operations teams?
- What are some common DevOps practices, and how did you incorporate them into your project?
- How does automation play a key role in the DevOps process, and what tools did you use to automate different stages of your project?
- Can you discuss the role of continuous integration and continuous deployment (CI/CD) in a DevOps workflow, and how it helps improve the quality and speed of software delivery?
- Can you explain the importance of infrastructure as code (IaC) in a DevOps environment, and how it helps maintain consistency and reproducibility in your project?
- How do DevOps practices help improve the security of an application, and what steps did you take to integrate security into your development and deployment processes?
- What challenges did you face when implementing DevOps practices in your project, and how did you overcome them?
- How can DevOps practices help optimize resource usage and reduce costs in a cloud-based environment?
- Can you explain the purpose and benefits of using GitLab and GitLab Runners in your project, and how they improve the development and deployment processes?
- What are the advantages of using Ansible for automation in your project, and how did it help you streamline the deployment of GitLab and GitLab Runners?
- Can you explain the concept of Infrastructure as Code (IaC) and how you implemented it using Terraform in your project?
- What is the purpose of using continuous integration and continuous deployment (CI/CD) pipelines, and how did it help you automate the building, testing, and deployment of your application?
- How did you ensure the security of the application throughout the pipeline stages?
- Can you explain the continuous integration (CI) pipeline you've implemented for each repository?
- Can you explain the continuous deployment (CD) pipeline you've implemented for each repository?
###### Do all of the students have a good understanding of the concepts and technologies used in the project?
###### Do all of the students have the ability to communicate effectively and explain their decisions?
###### Are all of the students capable of thinking critically about their solution and considering alternative approaches?
##### Review the GitLab and Runners Deployment:
###### Was the GitLab instance deployed and configured successfully using Ansible?
###### Are the GitLab Runners integrated with the existing pipeline and executing tasks as expected for all repositories?
##### Review the Infrastructure Pipeline:
###### Does the student deploy the infrastructure of the `cloud-design` project and the source code of `crud-master` project for two environments (staging, prod) on a cloud platform (e.g., AWS, Azure, or Google Cloud) using `Terraform`?
###### Are the two environments similar in design, resources and services used?
###### Does the student's infrastructure configuration exist in an independent repository with a configured pipeline?
###### Are the "Init", "Validate", "Plan", "Apply to Staging", "Approval", and "Apply to production environment" stages implemented correctly in the infrastructure pipeline?
##### Review the CI Pipeline:
- `Build`: Compile and package the application.
- `Test`: Run unit and integration tests to ensure code quality and functionality.
- `Scan`: Analyze the source code and dependencies for security vulnerabilities and coding issues. Consider using tools such as `SonarQube`, `Snyk`, or `WhiteSource`.
- `Containerization`: Package the applications into Docker images using a Dockerfile, and push the images to a container registry (e.g., Docker Hub, Google Container Registry, or AWS ECR).
###### Are the Build, Test, Scan, and Containerization stages implemented correctly in the CI pipeline for each repository?
##### Review the CD Pipeline:
- `Deploy to Staging`: Deploy the application to a `staging environment` for further testing and validation.
- `Approval`: Require manual approval to proceed with deployment to the `production environment`. This step should involve stakeholders and ensure the application is ready for production.
- `Deploy to Production`: Deploy the application to the `production environment`, ensuring zero downtime and a smooth rollout.
###### Are the "Deploy to Staging", "Approval", and "Deploy to Production" stages implemented correctly in the CD pipeline for each repository?
##### Review the functionality of pipelines:
###### Are the pipelines working properly and updating the application and infrastructure after each modification in each repository?
##### Check whether the students have effectively implemented the following cybersecurity guidelines:
`Restrict triggers to protected branches`: Ensure that the pipelines are triggered only on protected branches, preventing unauthorized users from deploying or tampering with the application. Check that access control measures are in place to minimize risk.
`Separate credentials from code`: Confirm that the students have not stored credentials in application code or infrastructure files. Look for the use of secure methods like secret management tools or environment variables to prevent exposure or unauthorized access.
`Apply the least privilege principle`: Assess if the students have limited user and service access to the minimum required level. This reduces potential damage in case of breaches or compromised credentials.
`Update dependencies and tools regularly`: Check if the students have a process for keeping dependencies and pipeline tools updated. Verify if they have automated updates and monitored for security advisories and patches to minimize security vulnerabilities.
###### Are triggers restricted to protected branches, ensuring unauthorized users cannot deploy or tamper with the application?
###### Have the students separated credentials from code, using secure methods like secret management tools or environment variables?
###### Did the students apply the least privilege principle to limit user and service access to the minimum required level?
###### Do the students have a process for updating dependencies and tools regularly, automating updates, and monitoring for security advisories and patches?
##### Review the Documentation:
###### Does the `README.md` file contain all the necessary information about the solution (prerequisites, setup, configuration, usage, ...)?
###### Is the documentation provided by the student clear and complete, including well-structured diagrams and thorough descriptions?
#### Bonus
###### +Did the student implemented any feature or anything that you would consider a bonus?
###### +Is this project an outstanding project?
#### General
##### Check the Repo content:
Files that must be inside the repository:
- CI/CD pipeline configuration files, scripts, and any other required artifacts.
- An Ansible playbook and used scripts for deploying and configuring a GitLab instance.
- A well-documented README file that explains the pipeline design, the tools used, and how to set up and use the pipeline.
###### Are all the required files present?
##### Play the role of a stakeholder:
As part of the evaluation process, conduct a simulated real-world scenario where the students assume the role of a DevOps engineer and explain their solution to a team or stakeholder. Evaluate their understanding of the concepts and technologies used in the project, as well as their ability to communicate effectively and think critically about their solution.
During the roleplay, ask them the following questions:
- Can you explain the concept of DevOps and its benefits for the software development lifecycle?
- How do DevOps principles help improve collaboration between development and operations teams?
- What are some common DevOps practices, and how did you incorporate them into your project?
- How does automation play a key role in the DevOps process, and what tools did you use to automate different stages of your project?
- Can you discuss the role of continuous integration and continuous deployment (CI/CD) in a DevOps workflow, and how it helps improve the quality and speed of software delivery?
- Can you explain the importance of infrastructure as code (IaC) in a DevOps environment, and how it helps maintain consistency and reproducibility in your project?
- How do DevOps practices help improve the security of an application, and what steps did you take to integrate security into your development and deployment processes?
- What challenges did you face when implementing DevOps practices in your project, and how did you overcome them?
- How can DevOps practices help optimize resource usage and reduce costs in a cloud-based environment?
- Can you explain the purpose and benefits of using GitLab and GitLab Runners in your project, and how they improve the development and deployment processes?
- What are the advantages of using Ansible for automation in your project, and how did it help you streamline the deployment of GitLab and GitLab Runners?
- Can you explain the concept of Infrastructure as Code (IaC) and how you implemented it using Terraform in your project?
- What is the purpose of using continuous integration and continuous deployment (CI/CD) pipelines, and how did it help you automate the building, testing, and deployment of your application?
- How did you ensure the security of the application throughout the pipeline stages?
- Can you explain the continuous integration (CI) pipeline you've implemented for each repository?
- Can you explain the continuous deployment (CD) pipeline you've implemented for each repository?
###### Do all of the students have a good understanding of the concepts and technologies used in the project?
###### Do all of the students have the ability to communicate effectively and explain their decisions?
###### Are all of the students capable of thinking critically about their solution and considering alternative approaches?
##### Review the GitLab and Runners Deployment. Ask the auditee **to show you**, the auditor, the use of the commands `ansible-playbook --list-tasks`, and/or `systemctl status` or any other necessary with the right options to answer the following questions.
###### Was the GitLab instance deployed and configured successfully using Ansible?
###### Are the GitLab Runners integrated with the existing pipeline and executing tasks as expected for all repositories?
##### Review the Infrastructure Pipeline:
###### Did the student deploy the infrastructure of the `cloud-design` project and the source code of `crud-master` project for two environments (staging, prod) on a cloud platform (e.g., AWS, Azure, or Google Cloud) using `Terraform`?
###### Are the two environments similar in design, resources and services used?
###### Does the student's infrastructure configuration exist in an independent repository with a configured pipeline?
###### Are the "Init", "Validate", "Plan", "Apply to Staging", "Approval", and "Apply to production environment" stages implemented correctly in the infrastructure pipeline?
##### Review the CI Pipeline:
- `Build`: Compile and package the application.
- `Test`: Run unit and integration tests to ensure code quality and functionality.
- `Scan`: Analyze the source code and dependencies for security vulnerabilities and coding issues. Consider using tools such as `SonarQube`, `Snyk`, or `WhiteSource`.
- `Containerization`: Package the applications into Docker images using a Dockerfile, and push the images to a container registry (e.g., Docker Hub, Google Container Registry, or AWS ECR).
###### Are the Build, Test, Scan, and Containerization stages implemented correctly in the CI pipeline for each repository?
##### Review the CD Pipeline:
- `Deploy to Staging`: Deploy the application to a `staging environment` for further testing and validation.
- `Approval`: Require manual approval to proceed with deployment to the `production environment`. This step should involve stakeholders and ensure the application is ready for production.
- `Deploy to Production`: Deploy the application to the `production environment`, ensuring zero downtime and a smooth rollout.
###### Are the "Deploy to Staging", "Approval", and "Deploy to Production" stages implemented correctly in the CD pipeline for each repository?
##### Review the functionality of pipelines. Ask the auditee **to show you**, the auditor, that the pipelines are functional by running one or several tests of their choosing.
###### Are the pipelines working properly and updating the application and infrastructure after each modification in each repository?
##### Check whether the students have effectively implemented the following cybersecurity guidelines:
`Restrict triggers to protected branches`: Ensure that the pipelines are triggered only on protected branches, preventing unauthorized users from deploying or tampering with the application. Check that access control measures are in place to minimize risk.
`Separate credentials from code`: Confirm that the students have not stored credentials in application code or infrastructure files. Look for the use of secure methods like secret management tools or environment variables to prevent exposure or unauthorized access.
`Apply the least privilege principle`: Assess if the students have limited user and service access to the minimum required level. This reduces potential damage in case of breaches or compromised credentials.
`Update dependencies and tools regularly`: Check if the students have a process for keeping dependencies and pipeline tools updated. Verify if they have automated updates and monitored for security advisories and patches to minimize security vulnerabilities.
###### Are triggers restricted to protected branches, ensuring unauthorized users cannot deploy or tamper with the application?
###### Have the students separated credentials from code, using secure methods like secret management tools or environment variables?
###### Did the students apply the least privilege principle to limit user and service access to the minimum required level?
###### Do the students have a process for updating dependencies and tools regularly, automating updates, and monitoring for security advisories and patches?
##### Review the Documentation:
###### Does the `README.md` file contain all the necessary information about the solution (prerequisites, setup, configuration, usage, ...)?
###### Is the documentation provided by the student clear and complete, including well-structured diagrams and thorough descriptions?
#### Bonus
###### +Did the student implemented any feature or anything that you would consider a bonus?
###### +Is this project an outstanding project?
Loading…
Cancel
Save