Why is it important to maintain a DevOps inventory?

Jaydeep Ayachit
Feb 25, 2024

Introduction

DevOps inventory management refers to the process of overseeing and controlling the various resources, assets, and components involved in the development and operations (DevOps) lifecycle of software systems. This encompasses configurations, code repositories, dependencies, and human resources.

In the dynamic landscape of DevOps, where rapid iteration and deployment are paramount, having a comprehensive inventory management system is crucial. It provides teams with visibility into their assets, facilitating efficient resource allocation, tracking of changes, and ensuring compliance with organizational standards and policies.

DevOps inventory management serves as a foundational element of successful DevOps practices. In this article we will look at why inventory management is important and how you should plan for it.

Why should you maintain an inventory?

Inventory management helps you with the following objectives and success factors.

  1. Enhance Collaboration: By centralizing information about resources and configurations, teams can collaborate more effectively, minimizing gaps and errors.
  2. Streamline Deployment: With a clear understanding of available resources and dependencies, teams can streamline the deployment process, reducing downtime and improving overall system reliability.
  3. Compliance and Security: By maintaining an accurate inventory of software components and configurations, teams can ensure compliance with regulations and standards, as well as mitigate security risks by promptly addressing vulnerabilities.
  4. Optimize Resource Utilization: Through continuous monitoring and analysis of inventory data, teams can identify opportunities to optimize resource utilization, minimizing waste and maximizing efficiency.

Key inventory items

Branches

A branching strategy helps you define how you build and release your code from lower environments to higher environments. You need to ensure that there are no deviations, as your pipelines and processes are tied to specific branches. For example, if you are using the Gitflow strategy, your continuous integration branch is development and your release branch is master or main.

Approach: Get a list of all repos and a list of branches for each repo. Azure DevOps, for example, exposes REST APIs that give you this information. Based on your branching strategy, record whether the required branches are present and whether there are any deviations from the naming convention, for example, Development vs development vs develop. This will help you take corrective action.

You can be more enterprising by also determining advanced branch policies and recording them for review.

Pipeline names

It is important that you enforce pipeline names for clarity and purpose. For example, your build pipelines can use a naming convention like [CI Dev] <app name> or [CI Main] <app name>. Similarly, your CD pipelines can use a name like [CD Dev] <app name> or [CD Main] <app name>. Alternatively, you can designate pipelines such as [CD Release] <app name> to denote their purpose or [CD Prod] <app name> to denote the environment they deploy to.

In any case, documenting and enforcing a naming convention helps the DevOps team and/or platform engineering team and the application teams to be on the same page with respect to implementation and purpose.

Approach: The inventory collection process can use your DevOps tool's APIs to query for the list of pipelines, record their names and check for variances from the prescribed names. Corrective actions can then be taken in consultation with the owning team.

This inventory will also help you to clean up temporary, unwanted or deprecated pipelines.
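The branch and pipeline-name checks described above can run as one pass over the collected inventory. This is an added example, not code from the article: the sample data is constructed, and the required branch names and the name pattern are assumptions taken from the article's Gitflow and `[CI Dev] <app name>` examples.

```python
import re

# Conventions assumed from the article's examples (Gitflow branches and
# the "[CI Dev] <app name>" pipeline pattern); adjust to your own standard.
REQUIRED = {"integration": ("development",), "release": ("main", "master")}
PIPELINE_NAME = re.compile(r"\[(CI|CD) (Dev|Main|Release|Prod)\] (\S.*)")

# Constructed sample inventory, shaped like data already collected
# through the DevOps tool's API.
REPOS = {
    "billing-api": ["development", "main", "feature/invoice-export"],
    "billing-ui": ["Development", "master"],
    "reports": ["develop", "hotfix/1"],
}
PIPELINES = ["[CI Dev] billing-api", "[CD Prod] billing-api",
             "billing-ui build", "[ci dev] reports", "[CI Prod] reports"]

def near_miss(branch, accepted):
    """True for a case variant or a shortened form of an accepted name."""
    b = branch.lower()
    return any(b == a or (len(b) >= 3 and a.startswith(b)) for a in accepted)

def audit_branches(repos):
    """Return (repo, issue, detail) for every missing or misnamed branch."""
    findings = []
    for repo, branches in sorted(repos.items()):
        for role, accepted in REQUIRED.items():
            if any(b in accepted for b in branches):
                continue
            variants = sorted(b for b in branches if near_miss(b, accepted))
            if variants:
                findings.append((repo, "naming-deviation", variants[0]))
            else:
                findings.append((repo, "missing-" + role, "/".join(accepted)))
    return findings

def audit_pipelines(names):
    """Return pipeline names that break the '[CI|CD <stage>] <app>' pattern."""
    bad = []
    for name in names:
        m = PIPELINE_NAME.fullmatch(name)
        # The article pairs Release and Prod only with CD pipelines.
        if not m or (m.group(1) == "CI" and m.group(2) in ("Release", "Prod")):
            bad.append(name)
    return bad

if __name__ == "__main__":
    print(audit_branches(REPOS))
    print(audit_pipelines(PIPELINES))
```

A repo whose integration branch is spelled Development or develop is reported as a naming deviation rather than as missing, so the owning team knows a rename is enough.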

Pipeline organization

Pipeline organization and structuring helps you to store all relevant pipelines in application-specific folders organized by department name, BU name or any other entity. This has many benefits.

  • Logical organization leading to easier search and find.
  • Set permissions (like read, full, write) at folder level that can be inherited by pipelines. Thus, you can grant read-only permission for all, write permissions to app team and full permissions to DevOps team.

Approach: The inventory collection job can use the APIs exposed by the DevOps tool to get the location of the pipelines and record it. The DevOps team can inspect the outliers manually or flag them using a rule engine, which could be as simple as a PowerShell script or a DB query.

Base Docker images

It is important that you maintain an inventory of your Docker base images and the apps that are using them. You may be building your own custom base images or using an available base image from popular registries like Docker Hub or Red Hat. In any case, maintaining this inventory helps you to:

  • Find all applications that are using a given base image. If the base image is upgraded, these are the applications you need to rebuild.
  • Similarly, if a base image is deprecated, you have a list of applications that need to be built with a supported version of the base image. The deprecated images can then be cleaned up to save on storage costs.

Approach: The inventory collection job can scan the Dockerfile in each code repo and record information about the base image and the app image. The data should be saved in a database table with the metadata required to identify relations.
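A sketch of that Dockerfile scan, added here as an example and not taken from the article. It goes slightly beyond the single-FROM case by resolving `ARG` defaults and skipping references to earlier build stages, and its reverse index answers the question "which apps must be rebuilt when this base image changes". The Dockerfiles, the registry name and the app names are constructed.

```python
import re
from collections import defaultdict

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
ARG_RE = re.compile(r"^ARG\s+(\w+)(?:=(\S+))?", re.I)
VAR_RE = re.compile(r"\$\{?(\w+)\}?")

# Constructed Dockerfiles standing in for files read from the code repos.
SAMPLE = {
    "billing-api": (
        "ARG TAG=8.0\n"
        "FROM registry.example.com/base/dotnet-sdk:${TAG} AS build\n"
        "FROM registry.example.com/base/dotnet-aspnet:${TAG}\n"
        "COPY --from=build /out /app\n"),
    "billing-ui": (
        "FROM node:20 AS build\nRUN npm ci && npm run build\n"
        "FROM build AS test\nRUN npm test\n"
        "FROM nginx:1.25\nCOPY --from=build /dist /usr/share/nginx/html\n"),
    "reports": "FROM --platform=linux/amd64 nginx:1.25\n",
}

def base_images(dockerfile_text):
    """Return the external images a Dockerfile builds FROM, in file order."""
    args, stages, images, seen_from = {}, set(), [], False
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        arg = ARG_RE.match(line)
        if arg and not seen_from:
            # Only ARGs declared before the first FROM are visible to FROM.
            args[arg.group(1)] = (arg.group(2) or "").strip("\"'")
        frm = FROM_RE.match(line)
        if not frm:
            continue
        seen_from = True
        image = VAR_RE.sub(lambda v: args.get(v.group(1), v.group(0)), frm.group(1))
        # Skip the empty base and references to earlier build stages.
        if image.lower() != "scratch" and image.lower() not in stages:
            images.append(image)
        if frm.group(2):
            stages.add(frm.group(2).lower())
    return images

def build_index(dockerfiles):
    """Map each base image to the sorted list of apps that build on it."""
    index = defaultdict(set)
    for app, text in dockerfiles.items():
        for image in base_images(text):
            index[image].add(app)
    return {image: sorted(apps) for image, apps in sorted(index.items())}
```

An `ARG` with no default stays in the recorded image name as an unresolved `${...}` reference, which is worth flagging for review because the real base image is then chosen at build time.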

Security scans

Various types of security scans are integrated with pipelines to ensure that security issues and vulnerabilities are rectified before the code is deployed to production. These include:

  • Static code scans using tools like SonarQube, Checkmarx
  • Dynamic code scans
  • Scans of open source software (OSS) used in the application that may have vulnerabilities or security issues
  • Docker image scans
  • Runtime container scans

Your DevOps strategy may include scanning code for every build or scans at regular intervals separate from code builds and deployments. Irrespective of strategy, it is essential to determine if scans are configured correctly and being executed.

Approach: The inventory collection job can collect data about scans from various sources such as

  • Pipeline code that executes scan as part of build process.
  • Separate pipeline(s) for each app for different kinds of scans.

This inventory will help you detect misconfigurations and gaps such that corrective actions can be taken.
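One way to turn the collected scan data into a gap report, as an added example that is not part of the original article. It assumes each app's pipeline steps have already been collected as records with `task`, `enabled` and `continueOnError` fields (modeled on Azure Pipelines step properties); the task names and the prefix-to-scan-type mapping are hypothetical, and the sample data is constructed.

```python
# Hypothetical task-name prefixes per scan type; replace them with the
# tasks your pipelines really use.
SCAN_TASKS = {
    "static": ("sonarqube", "checkmarx"),
    "oss": ("oss-scan",),
    "image": ("image-scan",),
}

# Constructed inventory: per app, the steps collected from its pipelines.
PIPELINES = {
    "billing-api": [
        {"task": "sonarqube-scan"},
        {"task": "oss-scan", "continueOnError": True},
        {"task": "image-scan"},
    ],
    "billing-ui": [
        {"task": "checkmarx-scan", "enabled": False},
        {"task": "oss-scan"},
    ],
}

def scan_status(steps, scan):
    """Classify one scan type for one app: ok, missing, disabled, non-blocking."""
    hits = [s for s in steps
            if s.get("task", "").lower().startswith(SCAN_TASKS[scan])]
    active = [s for s in hits if s.get("enabled", True)]
    if not hits:
        return "missing"
    if not active:
        return "disabled"
    # A scan whose failure never fails the build cannot stop a release.
    if all(s.get("continueOnError", False) for s in active):
        return "non-blocking"
    return "ok"

def scan_gaps(pipelines, required=("static", "oss", "image")):
    """Return (app, scan type, status) for every scan that is not 'ok'."""
    gaps = []
    for app, steps in sorted(pipelines.items()):
        for scan in required:
            status = scan_status(steps, scan)
            if status != "ok":
                gaps.append((app, scan, status))
    return gaps

if __name__ == "__main__":
    for gap in scan_gaps(PIPELINES):
        print(gap)
```

The report separates a scan that was never configured from one that is present but disabled or unable to fail the build, since each calls for a different corrective action.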

Conclusion

Once you have a successful DevOps strategy and implementation, it is essential to monitor and govern your DevOps infrastructure. Inventory collection and analysis is a key part of governance activity. This will help you to be on the right path for compliance and standardization. Inventory collection and management itself can start as a simple spreadsheet and mature into a more sophisticated process.
