Terraform and Sentinel

Watch a special webinar as HashiCorp founders Mitchell Hashimoto and Armon Dadgar share their views on cloud infrastructure provisioning and policy management. The webinar is a technical back-and-forth between Mitchell and Armon discussing their insights on the importance of automation, how it began with infrastructure as code, and the next step in cloud infrastructure provisioning -- policy as code.

Mitchell and Armon go on to discuss how they are focusing HashiCorp’s offerings to help with these concerns. HashiCorp Terraform Enterprise uses infrastructure as code and automation to remove the manual burden on operators to make changes to infrastructure at scale. This efficiency comes with risks, as less experienced users can make significant mistakes that impact business operations. Mitchell and Armon introduce Sentinel, the HashiCorp policy as code framework, which lets IT operators embed the necessary policy guardrails into the provisioning workflow.

Webinar: https://www.hashicorp.com/resources/terraform-sentinel-policy-management-cloud-provisioning


Armon Dadgar

January 24, 2018


  1. Terraform and Sentinel: Infrastructure as code and policy as code

  2. Armon Dadgar, Mitchell Hashimoto

  3. Provision, secure, connect, and run any infrastructure
     ▪ Development: run applications
     ▪ Security: secure infrastructure & applications
     ▪ Operations: provision infrastructure
     The practitioner / teams: collaboration, operations, governance & policy

  4. Tao of HashiCorp

  5. Tao of HashiCorp
     ▪ Workflows, not Technology
     ▪ Simple, Modular, Composable
     ▪ Communicate Sequential Process
     ▪ Immutability
     ▪ Versioning through Codification
     ▪ Automation through Codification
     ▪ Resilient Systems
     ▪ Pragmatism

  6. Infrastructure as Code

  7. Infrastructure challenges
     ▪ Create a completely isolated second environment to run an application (staging, QA, dev, etc.)?
     ▪ Deploy a complex new application?
     ▪ Update an existing complex application?
     ▪ Document how infrastructure is architected?
     ▪ Delegate some ops to smaller teams?
  8. https://www.hashicorp.com/products/terraform

  9. Benefits
     ▪ Learn from Software Development
     ▪ Versioning (Rollbacks)
     ▪ Peer Review
     ▪ Abstraction / Encapsulation
     ▪ Code Reuse
     ▪ Automation and Leverage

  10. Paradox of Automation

  11. Sanity Checking: IT Ops → Procurement: “Please provision 5000 VMs”

  12. Sanity Checking: Procurement → IT Ops: “Are you sure 5000?”

  13. Sanity Checking: IT Ops → Cloud: “Please provision 5000 VMs”

  14. Sanity Checking: Cloud → IT Ops: “Done!”

  15. Scaling Automation
     ▪ Paradox of Automation
     ▪ Accidental Error
     ▪ Compliance Bypass
     ▪ Malicious Intent
  16. Policy to the Rescue
     ▪ Compliance Policies
     ▪ Security Policies
     ▪ Operational Excellence

  17. Policy Workflow

  18. Policy as Code
     ▪ Compliance Policies
     ▪ Governs Infrastructure as Code
     ▪ Defines a sandbox to automate in
     ▪ Codify business regulation and “sanity checking”
     ▪ Versioning and Automation through Codification

  19. Sentinel

  20. What is Sentinel
     ▪ “Policy as Code Framework”
     ▪ Sentinel Language Specification*
     ▪ Golang Embedded Runtime
     ▪ Simulator tool
     ▪ Import SDK
     * https://docs.hashicorp.com/sentinel/language/spec
  21. What is Sentinel
     ▪ Non-programmer friendly
     ▪ Easy to Embed
     ▪ Simple
     ▪ Debuggable
     ▪ Go Friendly
  22. # Policy passes only if every item name matches the pattern
      main = rule {
        all obj.items as item {
          item matches "my-item-[a-z0-9]+"
        }
      }
  23. import "tfplan"

      # Machine types a GKE node pool is allowed to use
      allowed_types = ["n1-standard-1", "n1-standard-2"]

      # tfplan.resources.<type> maps resource name -> index -> resource
      clusters = tfplan.resources.google_container_cluster

      machine_type_allowed = rule {
        all clusters as name, instances {
          all instances as index, r {
            r.applied.node_config[0].machine_type in allowed_types
          }
        }
      }

      main = rule { machine_type_allowed }
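The “5000 VMs” sanity check from slides 11 to 14 and the machine-type guardrail from slide 23, codified in one policy. This is an added example, not a policy from the deck or from HashiCorp; it assumes the tfplan (v1) import layout used on slide 23, the google_compute_instance resource type, and constructed limits (max_new_instances, allowed_types) that a real policy would set from its own requirements.

```sentinel
import "tfplan"

# Constructed limits for this example, not values from the deck
max_new_instances = 50
allowed_types = ["n1-standard-1", "n1-standard-2"]

# Flatten tfplan.resources.<type>.<name>[<index>] into one list,
# leaving out resources the plan is about to destroy so that a
# teardown plan is not counted as a provisioning request.
flatten = func(resources) {
    out = []
    for resources as name, group {
        for group as index, r {
            if not r.destroy {
                append(out, r)
            }
        }
    }
    return out
}

# "else {}" keeps the policy evaluable when the plan contains no
# instances at all (the attribute would otherwise be undefined)
instances = flatten(tfplan.resources.google_compute_instance else {})

# Sanity check: a single plan may not request an absurd number of VMs
instance_count_sane = rule {
    length(instances) <= max_new_instances
}

# Guardrail: only approved machine types may be provisioned
machine_type_allowed = rule {
    all instances as r {
        r.applied.machine_type in allowed_types
    }
}

main = rule {
    instance_count_sane and machine_type_allowed
}
```

Whether a failing main merely warns or blocks the run is decided by the enforcement level attached to the policy, not by the policy itself.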
  24. ENFORCEMENT LEVELS "I'm sorry, Dave. I'm afraid I can't do

  25. Sentinel Workflow

  26. Demo

  27. HashiCorp Enterprise + Sentinel
     The same Development / Security / Operations layout as slide 3 (run applications, secure infrastructure & applications, provision infrastructure), now with the Enterprise products in each column and the practitioner / teams layers (collaboration, operations, governance & policy).
  28. Conclusion
     ▪ Policy as Code builds upon “As Code”
     ▪ Shares the benefits of Infrastructure as Code
     ▪ Sentinel: a framework for Policy as Code
     ▪ Next Step in Infrastructure Automation