A checklist of anyone practicing Site Reliability Engineering
:dart: Repository Purpose: Provide teams and individuals an idea on what to take into consideration and what to aspire for in the SRE field and work
Note: these checklists are opinionated. They are based on my own opinion and experience and are not universal truth (duh! :smile:). So you should definitely doubt anything you read here and you are more than welcome to add your own opinion on the matter, by starting a discussion or proposing a change to the project
:construction: You may say this repository is still in progress. I wouldn't treat it as complete source at this point or anything close to that. Contributions are more than welcome!
![]() Team - Responsibilities - Skills | ![]() Production - Requirements - Provisioning | |
![]() Git - CI |
![]() Cloud - Provisioning |
![]() Kubernetes - Scaling |
Team
Responsibilities
- [ ] Decide on responsibilities
- [ ] Documented/Written
Skills
Must
- [ ] Coding
- [ ] Monitoring
- [ ] CI/CD
- [ ] IaC, CM
Optional
Some will argue that the following skills and topics shouldn't be optional and are 100% must, but in my personal view they very much depend on your responsibilities as SRE and your work environment. If your environment consists mostly of bare metal (physical) servers for example and there are no containers, then why containers is a must for you?
- [ ] Containers
- [ ] Kubernetes
- [ ] Cloud
- [ ] Virtualization
Processes
- [ ] Incident Management
SRE Team Goals
- [ ] Set goals
SRE Lead
- [ ] Is there an onboarding page for SREs joining the team?
- [ ] Schedule 1:1 meeting with team (probably...manager or lead? TBD)
- [ ] Identify Possible Gaps. Few things to watch out for:
- [ ] Identify SRE team maturity and work on improving it
- [ ] Keep learning ALL THE TIME
New SRE Team Member
- Welcome :)
- Have a mentor? Great. If not, ask for one
- [ ] Do the onboarding
- [ ] Learn about the product
- [ ] Time to deep dive into operations
Production
Requirements
- [ ] What are the requirements for going to production?
Provisioning
- [ ] How do you provision the infrastructure required for deploying the application? (Terraform, Pulumi, CloudFormation, ...)
Installation
- [ ] How to install the application and its dependencies? (Container, Bash Script, Ansible, ...)
Deployment
- [ ] How to deploy the application or the application service? (k8s, cloud instances)
Configuration
- [ ] How to configure the application? (k8s, Ansible, ...)
Resiliency
- [ ] Your app is able to withstand outages (usually by implement multi-region or multi-cloud architectures)
- [ ] Your app will scale up and down in response to load change
Technologies :computer:
Git Repositories
CI
- [ ] Is there CI for every project?
Security
- [ ] Least Privilege and Zero Trust
Automation
- [ ] This is quite advanced but still, you may want to consider automating repositories creation and access control (using technologies like Terraform or programming languages, you can automate fully the process of repositories management)
Cloud
Provisioning
- [ ] Resources managed through IaC technologies such as Terraform, Pulumi, etc.
Tracking and Monitoring
- [ ] Resources are tagged, labeled - [ ] Env (e.g. staging, prod, dev) - [ ] Owner (e.g. team)
Accounts
- [ ] Separate accounts for dev, staging, production, ...
Resources
- [ ] Resources Quotas are set (no one wants to hit high bills)
- [ ] Important resources are protected from being removed - whether directly, using internal cleanup tooling or any other method
Reliability
- [ ] No single point of failure
Kubernetes
Resource Management
- [ ] Apply/Add labels for every type of resources. You may use this page as a suggestion to which labels you should be adding
- [ ] Every workload has requests defined for CPU and memory (this ensures the workload gets the resources it requires and it's scheduled on the right node)
- [ ] Every workload has limits defined for memory (but NOT CPU)
CI/CD
- [ ] CI/CD for Cluster bootstraping - [ ] CD process for manifests/configurations (using something like Flux, ArgoCD) - [ ] Make sure cluster bootstraping (the process of preparing the cluster) is managed fully using GitOpsCluster Management
- [ ] Cluster for each environment? Dev, QA, Staging, Production
- [ ] Cluster Policy Management
Scaling
- Cluster Scaling
- Application/Pod Scaling
Chaos Engineering
- [ ] Choose Chaos Engineering framework that is compatible with Kubernetes
GitOps - ArgoCD
Git Repositories
- [ ] Infra code (Manifests, Configurations, etc.) is in a separate repository (and not in application repository)
GitOps Management
- [ ] GitOps adopted for GitOps agents themselves and not only for app related code and infra
- [ ] DON'T install ArgoCD with kubectl commands
- [ ] Helm chart not recommended as it lags behind official releases of new ArgoCD releases
- [ ] Consider:
- [ ] Think about:
Sync Strategy
- [ ] Auto Prune (resources deleted when files/content deleted)
- [ ] Self-heal (cluster state corrected based on Git state and when manual changes done to the cluster)
Monitoring
- [ ] Choose monitoring solution
- [ ] Alerts/Monitors
- [ ] Incident Management
- [ ] Dashboards
Chaos Engineering
The interesting topic of ensuring your environment can withstand unexpected disruptions
TODO: insert a list of steps to go towards the process of establishing and integrating chaos engineering in your environments
IaC
The Chosen One
- Things to consider when choosing IaC technology:
Implementation
- [ ] Follow DRY (Don't Repeat Yourself) principle as in make sure there are no code duplication so when you change parameter's value for example, you don't need to change it in two different place
- [ ] Readable code - use naming conventions, formatting, ... make sure anyone can read the code and doesn't suffer much in doing so :)
Terraform
Development and CI/CD
- [ ] CI pipeline to test Terraform changes (syntax, lint, ...) - Consider inserting cost considerations (e.g. test whether a change will raise the bill significantly if you are using a public cloud) - [ ] CD pipeline to deploy/apply Terraform changes after the change is merged - To apply changes as part of a pull request (without merging a change) you can use something like Atlantis - This way you can avoid using local configurations and credentials - Needless to say, but once you started to use Terraform in your org, you should use only that and not allow users to make changes manually in the providers you are using (that will lead to errors when running terraform apply)
State
- [ ] Stored in a private secured location
- [ ] Stored in a shared location as it may be updated by different team members
- [ ] Backed up (e.g. by having versioning)
- [ ] Never edited directly/manually (as it should be managed and updated by Terraform itself as part of the Terraform lifecycle)
Terraform Projects File Structure
- [ ] Separate directory for each environment (staging, production, ...)
- [ ] Separate backend for each environment (as you don't want share the same authentication and access controls for all environments)
- [ ] Separate directory in each environment for each component and application
staging/
networking/
applications/
databases/
production/ networking/ applications/ web-app-1/ web-app-2/ databases/ mongo/ mysql/
global/ useraccessmanagement/
modules/ applications/ web-app-1/...
- [ ] You don't put everything in main.tf
Terraform Code
- [ ] Variables have description (to document what they are used for)
- [ ] Set lifecycle "prevent_destroy" on resources that should never be deleted (e.g. Terraform state source like S3 bucket)
- [ ] Try not including shell scripts inline (some tend to grow quite a lot over time). Use instead templatefile function to render a script from a file
- [ ] No hardcoded repeated values (common examples are ports, CIDR blocks, etc.). Instead use the concept of
locals - [ ] Prefer using
foreachinstead ofcount.countis very limited in modifying lists as it uses list position/index to rely on whileforeachis map, set based so it based on specific keys - [ ] Consistent naming, code style conventions and formatting
- [ ] Set tagging standards
default_tags. This will help you manage tags at scale
Modules
- [ ] Avoid duplication of Terraform code/configuration by using modules
- [ ] Try to make modules reusable as much as possible
- [ ] Avoid hardcoding values, especially in the case reusable modules. To make them reusable, values will have to come from input variables
- [ ] Consider using only separate resources in a module and not inline blocks as they may limit you at some point or another when reusing the module
- [ ] Don't use relative paths! use
path references(e.g.path.module,path.root) - [ ] Try avoiding using latest version of a module. Instead stick for example to tags.
Git
- Recommended repositories layout:
- [ ] Consider using Git tags
Cloud
- [ ] Don't hardcode image IDs (it's hard to maintain long term). Instead use filters
data "cloudimage" "imagedata" {
provider = ...
filter {
name = "name"
values = ["some-image-you-would-like-to-use"]
}
resource "some_instance" "instance" { image = data.cloudimage.imagedata.id }
Secrets
- [ ] Basics!
- [ ] Provider Credentials
- uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::someIamRole
aws-region: ...
- Jenkins: If Jenkins runs on the provider, you can use the provider access entities (like roles, policies, ...) to grant the instance, on which Jenkins is running, access control - CircleCI: you can use CircleCI Context and then specify it in your CircleCI config file
context:
- some-context
- [ ] Secrets in Terraform Configuration
sensitive = true) and pass values with environment variables
- pros: simple to use, no need to store sensitive data inside Terraform code
- cons: managed outside of Terraform so tracking, enforcing, managing for different environments, ... is challenging or not feasible
- Encrypted Files - encrypting the secret and storing the encrypted secrets in Terraform configurations
- pros: secrets are encrypted and are of Terraform code and part of the version control system
- cons: working this way can be cumbersome (to modify, you first have to decrypt, makes the changes and then encrypt it again). Still holds security risk if someone gets their hands on the decryption key
- Secret Store - centralized secret store
- pros: no plain text secrets in Terraform configurations. Easy to standardize practices and policies around secrets if they are all in the same place
- cons: not managed as part of the repository, version control, ... makes it easier to makes mistakes in regards to different environments. Costs
Credits
Logos credits can be found here




