HashiCorp Terraform for Network Infrastructure as Code

Transcript

1. © 2023 HASHICORP 1 HashiCorp Terraform for Network Infrastructure as

   Code Rosemary Wang Developer Advocate at HashiCorp @joatmon08

2. © 2023 HASHICORP 2 Write network infrastructure as code Share

   it with your team and organization. Run it in production. Research Adopt Standardize Scale The Infrastructure as Code Journey @joatmon08

3. © 2023 HASHICORP Declarative Define what resources should be. 3

   Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08

4. © 2023 HASHICORP Declarative Define what resources should be. 4

   Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08

5. © 2023 HASHICORP 5 Declarative Define expected state of infrastructure

   in configuration files that you can version, reuse, and share. locals { annotation = "orchestrator:terraform" } resource "aci_tenant" "dev" { description = "This tenant is created by Terraform" name = "${var.prefix}_tenant" annotation = local.annotation } resource "aci_application_profile" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_ap" annotation = local.annotation } resource "aci_vrf" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_vrf" annotation = local.annotation } @joatmon08

6. © 2023 HASHICORP @joatmon08

7. © 2023 HASHICORP 7 registry.terraform.io/browse/providers?category=networking Terraform Providers for Networking @joatmon08

8. © 2023 HASHICORP Declarative Define what resources should be. 8

   Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08

9. © 2023 HASHICORP 9 Manage Code & State Establish a

   source of truth with configuration and state. terraform { cloud { organization = "hashicorp-team-da-beta" workspaces { tags = ["datacenter", "networking", "source:cli"] } } } resource "aci_tenant" "dev" { description = "This tenant is created by Terraform" name = "${var.prefix}_tenant" annotation = local.annotation } @joatmon08

10. © 2023 HASHICORP @joatmon08

11. © 2023 HASHICORP @joatmon08

12. © 2023 HASHICORP @joatmon08

13. © 2023 HASHICORP Declarative Define what resources should be. 13

    Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08

14. © 2023 HASHICORP 14 Inject Dependencies Retrieve metadata from an

    abstraction to change downstream dependencies independently. data "aws_availability_zones" "available" { state = "available" filter { name = "group-name" values = [var.region] } } resource "aws_subnet" "public" { count = var.public_subnet_count vpc_id = aws_vpc.nfd.id availability_zone = data.aws_availability_zones.available.names[count .index] // omitted } @joatmon08

15. © 2023 HASHICORP @joatmon08

16. © 2023 HASHICORP 16 developer.hashicorp.com/terraform/language Terraform Configuration Language @joatmon08

17. © 2023 HASHICORP Declarative Define what resources should be. 17

    Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08

18. © 2023 HASHICORP 18 Learn more at developer.hashicorp.com/terraform/tutorials @joatmon08

19. © 2023 HASHICORP 19 Collaboration Practices for Network Infrastructure as

    Code with HashiCorp Terraform Cloud Rosemary Wang Developer Advocate at HashiCorp @joatmon08

20. © 2023 HASHICORP 20 Write network infrastructure as code Share

    it with your team and organization. Run it in production. Research Adopt Standardize Scale The Infrastructure as Code Journey @joatmon08

21. © 2023 HASHICORP Modularize Offer self-service for resources. 21 Test

    Validate system functions as intended. Verify Check secure & compliant configurations and settings. Practices @joatmon08

22. © 2023 HASHICORP 22 Modularize Group common resources to enable

    self-service of properly configured network infrastructure. locals { annotation = "orchestrator:terraform" } resource "aci_tenant" "dev" { description = "This tenant is created by Terraform" name = "${var.prefix}_tenant" annotation = local.annotation } resource "aci_application_profile" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_ap" annotation = local.annotation } resource "aci_vrf" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_vrf" annotation = local.annotation } @joatmon08

23. © 2023 HASHICORP @joatmon08

24. © 2023 HASHICORP 24 registry.terraform.io/search/modules Modules on Terraform Registry @joatmon08

25. © 2023 HASHICORP Modularize Offer self-service for resources. 25 Test

    Validate system functions as intended. Verify Check secure & compliant configurations and settings. Practices @joatmon08

26. © 2023 HASHICORP 26 Test Write different tests to check

    for specific attributes and functionality. // VARIABLE VALIDATION variable "region" { type = string default = "us-east-1" description = "AWS Region" validation { condition = startswith(var.region, "us-") error_message = "Only use AWS regions in US" } } // TEST aws_subnets_have_correct_mask = rule { all aws_subnets as _, aws_subnets { aws_subnets.values.cidr_block contains "/24" } } @joatmon08

27. © 2023 HASHICORP @joatmon08

28. © 2023 HASHICORP @joatmon08

29. © 2023 HASHICORP 29 play.sentinelproject.io/ Sentinel @joatmon08

30. © 2023 HASHICORP

31. © 2023 HASHICORP Modularize Offer self-service for resources. 31 Test

    Validate system functions as intended. Verify Check secure & compliant configurations and settings. Practices @joatmon08

32. © 2023 HASHICORP 32 Verify Use existing policy libraries and

    custom policies to check for compliant and secure infrastructure configuration. // Policies to Run policy "public_access" { query = "data.terraform.policies.public_access.deny" enforcement_level = "mandatory" } // Policy Definition package terraform.policies.public_access import input.plan as tfplan deny[msg] { r := tfplan.resource_changes[_] r.type == "aws_security_group" r.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0" msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address]) } @joatmon08

33. © 2023 HASHICORP @joatmon08

34. © 2023 HASHICORP 34 registry.terraform.io/browse/run-tasks Terraform Cloud Run Tasks @joatmon08

35. © 2023 HASHICORP @joatmon08

36. © 2023 HASHICORP @joatmon08

37. © 2023 HASHICORP 37 developer.hashicorp.com/terraform/cloud-docs/policy-enforcement Terraform Cloud Policy Enforcement @joatmon08

38. © 2023 HASHICORP 38 Learn more at developer.hashicorp.com/terraform/tutorials/cloud -get-started @joatmon08

39. © 2023 HASHICORP 39 Manage Network Infrastructure as Code Complexity

    with HashiCorp Terraform Cloud Rosemary Wang Developer Advocate at HashiCorp @joatmon08

40. © 2023 HASHICORP 40 Write network infrastructure as code Share

    it with your team and organization. Run it in production. Research Adopt Standardize Scale The Infrastructure as Code Journey @joatmon08

41. © 2023 HASHICORP Bridge Use manual interfaces to run infrastructure

    as code. 41 Validate Reconcile source of truth. Change Use immutability to update infrastructure. Practices @joatmon08

42. © 2023 HASHICORP 42 developer.hashicorp.com/terraform/cloud-docs/integrations/service-now Change Management Systems @joatmon08

43. © 2023 HASHICORP @joatmon08

44. © 2023 HASHICORP 44 developer.hashicorp.com/terraform/tutorials/cloud/no-code-provisioning No-Code Provisioning @joatmon08

45. © 2023 HASHICORP Bridge Use manual interfaces to run infrastructure

    as code. 45 Validate Reconcile source of truth. Change Use immutability to update infrastructure. Practices @joatmon08

46. © 2023 HASHICORP 46 Validate Reconcile current state to codified

    one in order to reduce errors. data "aws_acm_certificate" "issued" { domain = "tf.example.com" most_recent = true } resource "aws_lb_listener_certificate" "example" { listener_arn = aws_lb_listener.front_end.arn certificate_arn = data.aws_acm_certificate.issued.arn lifecycle { postcondition { condition = data.aws_acm_certificate.issued.status != "EXPIRED" error_message = "The listener certificate has expired." } } } @joatmon08

47. © 2023 HASHICORP @joatmon08

48. © 2023 HASHICORP @joatmon08

49. © 2023 HASHICORP 49 developer.hashicorp.com/terraform/cloud-docs/workspaces/health Health Assessments @joatmon08

50. © 2023 HASHICORP Bridge Use manual interfaces to run infrastructure

    as code. 50 Validate Reconcile source of truth. Change Use immutability to update infrastructure. Practices @joatmon08

51. © 2023 HASHICORP @joatmon08

52. © 2023 HASHICORP @joatmon08

53. © 2023 HASHICORP @joatmon08

54. © 2023 HASHICORP 54 …even continuously deployed changes @joatmon08

55. © 2023 HASHICORP @joatmon08

56. © 2023 HASHICORP @joatmon08

57. © 2023 HASHICORP 57 developer.hashicorp.com/consul/tutorials/network-infrastructure-automation/co nsul-terraform-sync-intro Consul-Terraform-Sync @joatmon08

58. © 2023 HASHICORP 58 Learn more at developer.hashicorp.com/terraform/tutorials/cloud @joatmon08