Terraform and Sentinel

Watch a special webinar as HashiCorp founders Mitchell Hashimoto and Armon Dadgar share their views on cloud infrastructure provisioning and policy management. The webinar is a technical back-and-forth between Mitchell and Armon discussing their insights on the importance of automation, how it began with infrastructure as code, and the next step in cloud infrastructure provisioning -- policy as code.

Mitchell and Armon go on to discuss how they are focusing HashiCorp’s offerings to help with these concerns. HashiCorp Terraform Enterprise uses infrastructure as code and automation to remove the manual burden on operators to make changes to infrastructure at scale. This efficiency comes with risks, as less experienced users can make significant mistakes that impact business operations. Mitchell and Armon introduce Sentinel, the HashiCorp policy as code framework, which lets IT operators embed the necessary policy guardrails into the provisioning workflow.

Webinar: https://www.hashicorp.com/resources/terraform-sentinel-policy-management-cloud-provisioning

Armon Dadgar

January 24, 2018

Transcript

  1. Terraform and Sentinel
    Infrastructure as code and policy as code

  2. Armon Dadgar
    Mitchell Hashimoto

  3. Provision, secure, connect, and run any infrastructure
    DEVELOPMENT: Run applications
    SECURITY: Secure infrastructure & applications
    OPERATIONS: Provision infrastructure
    THE PRACTITIONER TEAMS
    • Collaboration
    • Operations
    • Governance & policy

  4. Tao of HashiCorp

  5. Tao of HashiCorp
    ▪ Workflows, not Technology
    ▪ Simple, Modular, Composable
    ▪ Communicate Sequential Process
    ▪ Immutability
    ▪ Versioning through Codification
    ▪ Automation through Codification
    ▪ Resilient Systems
    ▪ Pragmatism

  6. Infrastructure as Code

  7. Infrastructure challenges
    ▪ Create a completely isolated second environment to run an
    application (staging, QA, dev, etc.)?
    ▪ Deploy a complex new application?
    ▪ Update an existing complex application?
    ▪ Document how infrastructure is architected?
    ▪ Delegate some ops to smaller teams?

  8. https://www.hashicorp.com/products/terraform

  9. Benefits
    ▪ Learn from Software Development
    ▪ Versioning (Rollbacks)
    ▪ Peer Review
    ▪ Abstraction / Encapsulation
    ▪ Code Reuse
    ▪ Automation and Leverage

  10. Paradox of Automation

  11. Sanity Checking (IT Ops and Procurement)
    “Please provision 5000 VMs”

  12. Sanity Checking (IT Ops and Procurement)
    “Are you sure 5000?”

  13. Sanity Checking (IT Ops and Cloud)
    “Please provision 5000 VMs”

  14. Sanity Checking (IT Ops and Cloud)
    “Done!”

  15. Scaling Automation
    ▪ Paradox of Automation
    ▪ Accidental Error
    ▪ Compliance Bypass
    ▪ Malicious Intent

  16. Policy to the Rescue
    ▪ Compliance Policies
    ▪ Security Policies
    ▪ Operational Excellence

  17. Policy Workflow

  18. Policy as Code
    ▪ Compliance Policies
    ▪ Governs Infrastructure as Code
    ▪ Defines a sandbox to automate in
    ▪ Codify business regulation and “sanity checking”
    ▪ Versioning and Automation through Codification

  19. Sentinel

  20. What is Sentinel
    ▪ “Policy as Code Framework”
    ▪ Sentinel Language Specification*
    ▪ Golang Embedded Runtime
    ▪ Simulator tool
    ▪ Import SDK
    * https://docs.hashicorp.com/sentinel/language/spec

  21. What is Sentinel
    ▪ Non-programmer friendly
    ▪ Easy to Embed
    ▪ Simple
    ▪ Debuggable
    ▪ Go Friendly

  22. main = rule {
      all obj.items as item {
        item matches "my-item-[a-z0-9]+"
      }
    }

  23. import "tfplan"

    allowed_types = ["n1-standard-1", "n1-standard-2"]

    clusters = tfplan.resources.google_container_cluster

    machine_type_allowed = rule {
      all clusters as name, instances {
        all instances as index, r {
          r.applied.node_config[0].machine_type in allowed_types
        }
      }
    }

    main = rule { machine_type_allowed }
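The two policies on slides 22 and 23 show the core shape of a Sentinel policy: a `rule` built from quantifiers (`all`) and operators (`matches`, `in`), with `main` deciding pass or fail. The policy below is an added example written for this page, not a slide from the deck or HashiCorp's own code. It extends the slide 23 check in the two ways a reviewer would ask for first: it walks every module in the plan rather than only the root, and it copes with attributes that are missing or computed instead of aborting the policy with an undefined-value error. It also reuses the `matches` naming check from slide 22 on the cluster name. It assumes the `tfplan` import as it existed when this deck was given (`tfplan.module_paths`, `tfplan.module(path).resources.<type>.<name>` as a list of instances with `applied` and `destroy` fields); the allowed types and the `^gke-` naming pattern are constructed values.

```sentinel
import "tfplan"

# Allowed machine types (constructed list; substitute your own standard)
allowed_types = ["n1-standard-1", "n1-standard-2"]

# Collect every google_container_cluster instance from every module in the
# plan. The slide's policy reads only the root module's resources; walking
# tfplan.module_paths means a cluster declared in a child module is checked
# too. Clusters the plan destroys have no applied state and are skipped.
get_clusters = func() {
  clusters = []
  for tfplan.module_paths as path {
    resources = tfplan.module(path).resources.google_container_cluster else {}
    for resources as name, instances {
      for instances as index, r {
        if not r.destroy {
          append(clusters, r)
        }
      }
    }
  }
  return clusters
}

clusters = get_clusters()

# Read the machine type defensively. If node_config is absent the attribute
# is undefined, and comparing an undefined value would fail the whole policy
# with an error rather than a clean "false"; mapping it to "" makes the rule
# below reject the cluster explicitly instead.
machine_type = func(r) {
  return r.applied.node_config[0].machine_type else ""
}

# Clusters that would violate the machine-type rule, for simulator output
violators = filter clusters as r {
  machine_type(r) not in allowed_types
}

# Every cluster the plan creates or updates must use an allowed type
machine_type_allowed = rule {
  all clusters as r {
    machine_type(r) in allowed_types
  }
}

# Cluster names must follow the naming convention (same idea as slide 22,
# applied to the "name" attribute; constructed pattern)
naming_convention = rule {
  all clusters as r {
    (r.applied.name else "") matches "^gke-[a-z0-9-]+$"
  }
}

# print() returns true, so the first clause only adds a diagnostic line when
# there are violators; the outcome is decided by the two rules.
main = rule {
  (length(violators) is 0 or print("Disallowed machine types found:", length(violators)))
    and machine_type_allowed and naming_convention
}
```

With the simulator mentioned on slide 20, this policy can be exercised against a mocked `tfplan` before it is attached to a workspace; the `violators` list and the `print` in `main` are there so a failing run says which clusters tripped the rule rather than only "false". The enforcement level (slide 24) is not part of the policy text itself but is set where the policy is attached to the workflow.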

  24. ENFORCEMENT LEVELS
    "I'm sorry, Dave.
    I'm afraid I can't do that"

  25. Sentinel Workflow

  26. Demo

  27. HashiCorp Enterprise + Sentinel
    DEVELOPMENT (Enterprise): Run applications
    SECURITY (Enterprise): Secure infrastructure & applications
    OPERATIONS (Enterprise): Provision infrastructure
    THE PRACTITIONER TEAMS
    • Collaboration
    • Operations
    • Governance & policy

  28. Conclusion
    ▪ Policy as Code builds upon “As Code”
    ▪ Shared benefits as Infrastructure as Code
    ▪ Sentinel a framework for Policy as Code
    ▪ Next Step in Infrastructure Automation