Robert Wlodarczyk is VP of Software Operations at Xealth, and Rebecca Dean is Program Manager for Operational Excellence at the company. They spoke to us about the challenges of managing their Terraform locally as a SOC 2–compliant company and how transitioning to Spacelift to manage their infrastructure as code (IaC) has enabled them to move faster and with confidence.
With data breaches and cyber threats an ever-present concern, robust data security and privacy practices are a priority — especially in industries that manage sensitive health information. That’s why companies like digital health platform Xealth rely on SOC 2 (Service Organization Control 2) Type II certification to ensure compliance and give peace of mind to their customers.
Before adopting Spacelift, Xealth managed its infrastructure locally, depending on its DevOps engineers to run Terraform code on their own machines and then deploy it. This process was cumbersome and offered little visibility into what had been applied, by whom, and when.
As a company with SOC 2 Type II certification, Xealth wanted to make it easier to maintain absolute visibility of the resource lifecycle. “One of our controls specifies that we have a release process in place and controls around releases, as well as auditability,” explains Robert Wlodarczyk, VP of Software Operations at Xealth. Relying on an ad hoc process to maintain auditability was not sustainable in the long term, so Xealth started to assess IaC automation tools as a way to manage their infrastructure.
Xealth started to look at their IaC options in early 2022. Spacelift caught their eye initially through a blog post on how to use Terraform to create and manage an AWS S3 bucket. Rebecca Dean, Xealth Program Manager for Operational Excellence, recalls the selection process. “We spent maybe a quarter evaluating different vendors. We had a whole matrix of features that we were looking for, but I think the usability of Spacelift was a really big pull.”
These required features included ease of use and onboarding, as well as the ability to see their audit history at a glance. They evaluated platforms such as HashiCorp Terraform Cloud, Pulumi, and ClusterAPI, ultimately choosing Spacelift.
The comprehensive nature of the platform made it particularly attractive because all of the company’s IaC management could be centralized. Having everything in one place immediately placed Spacelift at the top of the list of contenders. “With some of your competitors, you have to buy two separate products and they don’t necessarily talk to each other, so I think Spacelift was a strong contender from the beginning. Then we needed to go in and compare the others to ensure that we were making an informed, fair choice that was right for the business,” explains Rebecca.
Once Xealth decided to adopt the Spacelift platform for managing the company’s IaC, the biggest hurdle they faced was onboarding — not because of the Spacelift process but because they needed to update some internal processes before they made the switch.
Onboarding to Spacelift was completed within days, and now Xealth has full control over its IaC. “With Spacelift, we have a schedule in place. We are still quite selective about what we deploy, but we have full auditing in place with the history within Spacelift.”
Consistency is key in this respect. “There’s a unified way, so we don’t have any oddities of the engineer’s machine there because everything’s running in the cloud and using Spacelift architecture.”
The next step for Xealth was to version their Terraform modules. Modules help you to abstract away common functionality in your infrastructure, and Spacelift’s module registry allows you to maintain and use your modules more easily. “We didn’t have that ability before because we didn’t have a module registry. So that’s given us the ability to move faster: We’re able to safely make changes to modules without necessarily adapting or adopting the changes until a time when we feel more comfortable.”
The company has some 650 stacks across all their environments, plus 221 modules. The module registry helps them manage those modules, all of which are now versioned and with documentation in place. “Having those docs there inside the registry is really nice, especially for users, if they’re trying to pick up how to use certain modules,” adds Robert.
Xealth has been progressing quickly since it adopted the Spacelift platform. “Just in the last week, we auto-deployed our first few stacks, so as soon as things get merged into master, the stacks run in auto-deploy. We want to do that more for more stacks, but we need to evaluate which stacks make sense to auto-deploy because not everything does,” says Robert.
With policy as code, the IaC approach extends to the rules governing the infrastructure and the platform that manages it. Spacelift embraces policy as code and allows for defining policies related to various decision points in the application. Xealth leverages trigger policies for building modules and push policies for pushing their stacks onto private workers. They also have notification policies in place.
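As an illustration of what a push policy in this model looks like, the following Rego is an added example written for this article; it is not Xealth’s policy and not code taken from Spacelift. It assumes the documented shape of Spacelift’s push-policy input (`input.push.branch`, `input.push.tag`, `input.stack.branch`) and Spacelift’s rule semantics, under which a matching `track` rule takes precedence over `propose`. The idea it demonstrates is the auditability point made above: only commits that land on the stack’s tracked branch become runs that can be applied, every other branch push produces a plan-only proposed run for reviewers, and tag pushes are ignored so they never create deployment events.

```rego
# Added example of a Spacelift push policy (Rego); not Xealth's or Spacelift's own code.
# Assumes Spacelift's documented push-policy input fields:
#   input.push.branch, input.push.tag, input.stack.branch
package spacelift

# Tracked run: eligible to be applied. Only the stack's configured branch qualifies,
# so anything that can reach production is a merged commit with a run in the history.
track {
  input.push.branch == input.stack.branch
}

# Proposed run: a plan that reviewers can inspect, never an apply.
# Fires for any branch push; for the tracked branch, track takes precedence.
propose {
  input.push.branch != ""
}

# Tag pushes are not deployment events in this model; ignore them so they
# do not clutter the audit trail with runs nobody intended to deploy.
ignore {
  input.push.tag != ""
}
```

Attached to a stack, a policy like this makes the release process explicit and reviewable in the same repository as the infrastructure code, which is the property a SOC 2 release-management control is looking for.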
A feature they have their sights set on is Blueprints, standardized templates for a Spacelift stack and its configuration that accommodate self-service and reuse by enabling administrators to configure all the settings for deploying specific infrastructure. This standardized approach will work well for Xealth because their customers fit one of two distinct profiles:
“The two types of customers we have are health systems and third-party vendors that we integrate with. Onboarding either one in both staging and production is a very templated approach,” explains Robert. “There’s a set of inputs we need from the customer, and then once we have that it’s very much a crank kind of operation for us.”
With the adoption of Spacelift, Xealth is starting to democratize IaC across the company. As Robert explains, “Now we’ve opened up our usage of Spacelift to others within the company. With permissions and the right ownership setup inside both GitHub and Spacelift, we were able to delegate to the analytics team a bunch of stacks that they own, so they still have a partner from my team, but then they own that stack. They own deploying it. They own the schedule. They own the permissions to trigger it, deploy it, and confirm it — and they love it!”
This ensures that everybody is working faster and more productively because they have the controlled autonomy to manage the infrastructure they use. “And we’re okay with that because of the access control and all the change management pieces — whereas before we had to restrict the ability to deploy to a very small group of people. This helps the team and the company scale, so it’s been fantastic,” Rebecca points out.
Control is particularly important for organizations like Xealth that handle sensitive health information. But even for companies with restrictive governance and compliance rules, Spacelift has the answer. “The main takeaway for us is speed and auditability. On the infosec side, that is super important. We can show history, and we’ve used that to even debug issues. When we start observing a problem, a few days or weeks later we can correlate it back to our code deployment — was it our infrastructure and deployment or was it something else?”
Xealth has big plans for Spacelift. “For example, we have a lot of serverless deploys right now, and we want to integrate those into Spacelift directly.” After more than a year as a Spacelift customer, Xealth’s Robert Wlodarczyk encourages other companies to adopt the platform. “If you want to be able to move faster and more confidently, Spacelift gives you the ability to do so — and if you have any concerns about the headache of onboarding, you should put your mind at ease because once you get one stack done, getting all your stacks done becomes just an exercise in time, not in complexity.”