Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Terraform and Sentinel

Armon Dadgar
January 24, 2018
Technology
0
350

Terraform and Sentinel

Watch a special webinar as HashiCorp founders Mitchell Hashimoto and Armon Dadgar share their views on cloud infrastructure provisioning and policy management. The webinar is a technical back-and-forth between Mitchell and Armon discussing their insights on the importance of automation, how it began with infrastructure as code, and the next step in cloud infrastructure provisioning -- policy as code.

Mitchell and Armon go on to discuss how they are focusing HashiCorp’s offerings to help with these concerns. HashiCorp Terraform Enterprise uses infrastructure as code and automation to remove the manual burden on operators to make changes to infrastructure at scale. This efficiency comes with risks, as less experienced users can make significant mistakes that impact business operations. Mitchell and Armon introduce Sentinel, the HashiCorp policy as code framework, which lets IT operators embed the necessary policy guardrails into the provisioning workflow.

Webinar: https://www.hashicorp.com/resources/terraform-sentinel-policy-management-cloud-provisioning

Armon Dadgar

January 24, 2018
Tweet

More Decks by Armon Dadgar

See All by Armon Dadgar
Navigating the Many Definitions of Multi-Cloud
armon
0
660
Leaving the Ivory Tower: Research in the Real World
armon
9
1.6k
Making Security Approachable for Developers and Operators
armon
0
140
Consul: Service Mesh for Microservices
armon
0
350
What, Why, and How of Zero-Trust Networking
armon
1
670
Policy as Code: Intro to Sentinel
armon
2
250
Brave New World: Infrastructure Automation
armon
2
580
What's new in Terraform 0.10 - HUG
armon
0
600
Nomad Overview and 0.6 New Features
armon
7
1.2k

Other Decks in Technology

See All in Technology
LINE 平台與開發生態系介紹
line_developers_tw
PRO
0
260
如何在 Elasticsearch 實現敏捷的資料建模與管理 @ DevOpsDays Taipei 2023
unclejoe
0
130
物理シミュレーションと数理最適化の知見を導入した機械学習手法
yellowshippo
1
970
[PHPカンファレンス沖縄2023]【実践編】良いプロダクト作りのための組織育成 健全なコードは健全な組織、健全なチームから
ikezoemakoto
2
200
Product Ops: Conectando Estratégia e Execução de Produto
rigolon
1
180
サービスへの影響を抑えてデータベースの移行を実施したはなし Aurora MySQL -> Cloud SQL
pistatium
0
120
変化する組織の中で運用するフロントエンドエコシステム / Frontend Ecosystem in Organizational Changes
i524
1
630
XRミーティング 20230920
1ftseabass
PRO
0
110
Amazon SES のバウンス率が急上昇 〜Amazon SES を止めてしまった日〜
tomuro
5
3k
GraphQLはどんな時に使うか
saboyutaka
20
6.3k
土壌と植物で奏でるアート~農業における新たなパラダイム~
shinrinakamura
0
190
ChatGPTを前に頭が真っ白を乗り越え人が答えることが困難な認知負荷MAXなタフクエスチョンをどんどん回答させてプロダクト価値を爆速探求するぞ/cognitive_load_question_and_chatgpt
moriyuya
2
240

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.9k
Unsuck your backbone
ammeep
660
56k
Building Flexible Design Systems
yeseniaperezcruz
317
36k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
10 Git Anti Patterns You Should be Aware of
lemiorhan
644
56k
Three Pipe Problems
jasonvnalue
89
9.2k
A better future with KSS
kneath
230
16k
GraphQLの誤解/rethinking-graphql
sonatard
44
8.5k
Mobile First: as difficult as doing things right
swwweet
214
8.2k
What the flash - Photography Introduction
edds
64
11k

Transcript

  1. Terraform and Sentinel
    Infrastructure as code and policy as code

    View Slide

  2. Armon
    Dadgar
    Mitchell
    Hashimoto

    View Slide

  3. 3
    DEVELOPMENT
    SECURITY
    OPERATIONS
    Run applications
    Secure infrastructure & applications
    Provision infrastructure
    Provision, secure, connect, and run any infrastructure
    THE PRACTITIONER TEAMS
    • Collaboration
    • Operations
    • Governance & policy

    View Slide

  4. s
    4
    Tao of HashiCorp

    View Slide

  5. Tao of HashiCorp
    5
    Workflows,
    not
    Technology
    Simple,
    Modular,
    Composable
    Communicate
    Sequential
    Process
    Immutability
    Versioning
    through
    Codification
    Automation
    through
    Codification
    Resilient
    Systems
    Pragmatism

    View Slide

  6. s
    6
    Infrastructure as Code

    View Slide

  7. Infrastructure challenges
    ▪ Create a completely isolation second environment to run an
    application (staging, QA, dev, etc.)?
    ▪ Deploy a complex new application?
    ▪ Update an existing complex application?
    ▪ Document how infrastructure is architected?
    ▪ Delegate some ops to smaller teams?
    7

    View Slide

  8. https://www.hashicorp.com/products/terraform

    View Slide

  9. Benefits
    ▪ Learn from Software Development
    ▪ Versioning (Rollbacks)
    ▪ Peer Review
    ▪ Abstraction / Encapsulation
    ▪ Code Reuse
    ▪ Automation and Leverage
    9

    View Slide

  10. s
    10
    Paradox of Automation

    View Slide

  11. Sanity Checking
    11
    IT Ops Procurement
    “Please provision 5000 VMs”

    View Slide

  12. Sanity Checking
    12
    IT Ops Procurement
    “Are you sure 5000?”

    View Slide

  13. Sanity Checking
    13
    IT Ops Cloud
    “Please provision 5000 VMs”

    View Slide

  14. Sanity Checking
    14
    IT Ops Cloud
    “Done!”

    View Slide

  15. Scaling Automation
    15
    ▪ Paradox of Automation
    ▪ Accidental Error
    ▪ Compliance Bypass
    ▪ Malicious Intent

    View Slide

  16. Policy to the Rescue
    16
    ▪ Compliance Policies
    ▪ Security Policies
    ▪ Operation Excellence

    View Slide

  17. Policy Workflow
    17

    View Slide

  18. Policy as Code
    18
    ▪ Compliance Policies
    ▪ Governs Infrastructure as Code
    ▪ Defines a sandbox to automate in
    ▪ Codify business regulation and “sanity checking”
    ▪ Versioning and Automation through Codification

    View Slide

  19. s
    19
    Sentinel

    View Slide

  20. What is Sentinel
    20
    ▪ “Policy as Code Framework”
    ▪ Sentinel Language Specification*
    ▪ Golang Embedded Runtime
    ▪ Simulator tool
    ▪ Import SDK
    * https://docs.hashicorp.com/sentinel/language/spec

    View Slide

  21. What is Sentinel
    21
    ▪ Non-programmer friendly
    ▪ Easy to Embed
    ▪ Simple
    ▪ Debuggable
    ▪ Go Friendly

    View Slide

  22. main = rule {
    all obj.items as item {
    item matches "my-item-[a-z0-9]+"
    }
    }

    View Slide

  23. import "tfplan"
    allowed_types = ["n1-standard-1", "n1-standard-2"]
    clusters = tfplan.resources.google_container_cluster
    machine_type_allowed = rule {
    all clusters as name, instances {
    all instances as index, r {
    r.applied.node_config[0].machine_type in
    allowed_types
    }
    }
    }
    main = rule { machine_type_allowed }

    View Slide

  24. ENFORCEMENT LEVELS
    "I'm sorry, Dave.
    I'm afraid I can't do that"

    View Slide

  25. Sentinel Workflow
    25

    View Slide

  26. s
    26
    Demo

    View Slide

  27. 27
    DEVELOPMENT
    SECURITY
    OPERATIONS
    Run applications
    Secure infrastructure & applications
    HashiCorp Enterprise + Sentinel
    ENTERPRISE
    ENTERPRISE
    ENTERPRISE
    THE PRACTITIONER TEAMS
    • Collaboration
    • Operations
    • Governance & policy
    ENTERPRISE
    DEVELOPMENT
    SECURITY
    OPERATIONS
    Run applications
    Secure infrastructure & applications
    Provision infrastructure

    View Slide

  28. Conclusion
    28
    ▪ Policy as Code builds upon “As Code”
    ▪ Shared benefits as Infrastructure as Code
    ▪ Sentinel a framework for Policy as Code
    ▪ Next Step in Infrastructure Automation

    View Slide