Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Terraform for Network Infrastructure ...
Search
Rosemary Wang
April 25, 2023
Technology
0
120
HashiCorp Terraform for Network Infrastructure as Code
Presented at Networking Field Day 31.
Rosemary Wang
April 25, 2023
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
41
People, process, and technology for ILM and SLM adoption
joatmon08
0
24
Secure Day 2 operations with Boundary and Vault
joatmon08
0
50
Can You Test Your Infrastructure as Code?
joatmon08
1
91
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
49
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
66
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
63
Break Glass, Repair Fast, Reconcile Automation
joatmon08
1
56
Building a Developer Platform? Ask these questions.
joatmon08
0
68
Other Decks in Technology
See All in Technology
United™️ Airlines®️ Customer®️ USA Contact Numbers: Complete 2025 Support Guide
flyunitedguide
0
780
Claude Code に プロジェクト管理やらせたみた
unson
8
4.9k
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
lufthanahelpsupport
0
240
DatabricksにOLTPデータベース『Lakebase』がやってきた!
inoutk
0
150
大量配信システムにおけるSLOの実践:「見えない」信頼性をSLOで可視化
plaidtech
PRO
0
290
ClaudeCodeにキレない技術
gtnao
0
560
スタートアップに選択肢を 〜生成AIを活用したセカンダリー事業への挑戦〜
nstock
0
290
AWS CDK 開発を成功に導くトラブルシューティングガイド
wandora58
3
170
TLSから見るSREの未来
atpons
2
240
United airlines®️ USA Contact Numbers: Complete 2025 Support Guide
unitedflyhelp
0
340
How to Quickly Call American Airlines®️ U.S. Customer Care : Full Guide
flyaahelpguide
0
240
「クラウドコスト絶対削減」を支える技術—FinOpsを超えた徹底的なクラウドコスト削減の実践論
delta_tech
4
190
Featured
See All Featured
Embracing the Ebb and Flow
colly
86
4.7k
Statistics for Hackers
jakevdp
799
220k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Making Projects Easy
brettharned
116
6.3k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
980
How GitHub (no longer) Works
holman
314
140k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
830
Transcript
© 2023 HASHICORP 1 HashiCorp Terraform for Network Infrastructure as
Code Rosemary Wang Developer Advocate at HashiCorp @joatmon08
© 2023 HASHICORP 2 Write network infrastructure as code Share
it with your team and organization. Run it in production. Research Adopt Standardize Scale The Infrastructure as Code Journey @joatmon08
© 2023 HASHICORP Declarative Define what resources should be. 3
Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08
© 2023 HASHICORP Declarative Define what resources should be. 4
Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08
© 2023 HASHICORP 5 Declarative Define expected state of infrastructure
in configuration files that you can version, reuse, and share. locals { annotation = "orchestrator:terraform" } resource "aci_tenant" "dev" { description = "This tenant is created by Terraform" name = "${var.prefix}_tenant" annotation = local.annotation } resource "aci_application_profile" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_ap" annotation = local.annotation } resource "aci_vrf" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_vrf" annotation = local.annotation } @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 7 registry.terraform.io/browse/providers?category=networking Terraform Providers for Networking @joatmon08
© 2023 HASHICORP Declarative Define what resources should be. 8
Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08
© 2023 HASHICORP 9 Manage Code & State Establish a
source of truth with configuration and state. terraform { cloud { organization = "hashicorp-team-da-beta" workspaces { tags = ["datacenter", "networking", "source:cli"] } } } resource "aci_tenant" "dev" { description = "This tenant is created by Terraform" name = "${var.prefix}_tenant" annotation = local.annotation } @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP Declarative Define what resources should be. 13
Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08
© 2023 HASHICORP 14 Inject Dependencies Retrieve metadata from an
abstraction to change downstream dependencies independently. data "aws_availability_zones" "available" { state = "available" filter { name = "group-name" values = [var.region] } } resource "aws_subnet" "public" { count = var.public_subnet_count vpc_id = aws_vpc.nfd.id availability_zone = data.aws_availability_zones.available.names[count .index] // omitted } @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 16 developer.hashicorp.com/terraform/language Terraform Configuration Language @joatmon08
© 2023 HASHICORP Declarative Define what resources should be. 17
Maintain Code & State Use as source of truth. Inject Dependencies Decouple resources to mitigate impact. Practices @joatmon08
© 2023 HASHICORP 18 Learn more at developer.hashicorp.com/terraform/tutorials @joatmon08
© 2023 HASHICORP 19 Collaboration Practices for Network Infrastructure as
Code with HashiCorp Terraform Cloud Rosemary Wang Developer Advocate at HashiCorp @joatmon08
© 2023 HASHICORP 20 Write network infrastructure as code Share
it with your team and organization. Run it in production. Research Adopt Standardize Scale The Infrastructure as Code Journey @joatmon08
© 2023 HASHICORP Modularize Offer self-service for resources. 21 Test
Validate system functions as intended. Verify Check secure & compliant configurations and settings. Practices @joatmon08
© 2023 HASHICORP 22 Modularize Group common resources to enable
self-service of properly configured network infrastructure. locals { annotation = "orchestrator:terraform" } resource "aci_tenant" "dev" { description = "This tenant is created by Terraform" name = "${var.prefix}_tenant" annotation = local.annotation } resource "aci_application_profile" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_ap" annotation = local.annotation } resource "aci_vrf" "dev" { tenant_dn = aci_tenant.dev.id name = "${var.prefix}_vrf" annotation = local.annotation } @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 24 registry.terraform.io/search/modules Modules on Terraform Registry @joatmon08
© 2023 HASHICORP Modularize Offer self-service for resources. 25 Test
Validate system functions as intended. Verify Check secure & compliant configurations and settings. Practices @joatmon08
© 2023 HASHICORP 26 Test Write different tests to check
for specific attributes and functionality. // VARIABLE VALIDATION variable "region" { type = string default = "us-east-1" description = "AWS Region" validation { condition = startswith(var.region, "us-") error_message = "Only use AWS regions in US" } } // TEST aws_subnets_have_correct_mask = rule { all aws_subnets as _, aws_subnets { aws_subnets.values.cidr_block contains "/24" } } @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 29 play.sentinelproject.io/ Sentinel @joatmon08
© 2023 HASHICORP
© 2023 HASHICORP Modularize Offer self-service for resources. 31 Test
Validate system functions as intended. Verify Check secure & compliant configurations and settings. Practices @joatmon08
© 2023 HASHICORP 32 Verify Use existing policy libraries and
custom policies to check for compliant and secure infrastructure configuration. // Policies to Run policy "public_access" { query = "data.terraform.policies.public_access.deny" enforcement_level = "mandatory" } // Policy Definition package terraform.policies.public_access import input.plan as tfplan deny[msg] { r := tfplan.resource_changes[_] r.type == "aws_security_group" r.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0" msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address]) } @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 34 registry.terraform.io/browse/run-tasks Terraform Cloud Run Tasks @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 37 developer.hashicorp.com/terraform/cloud-docs/policy-enforcement Terraform Cloud Policy Enforcement @joatmon08
© 2023 HASHICORP 38 Learn more at developer.hashicorp.com/terraform/tutorials/cloud -get-started @joatmon08
© 2023 HASHICORP 39 Manage Network Infrastructure as Code Complexity
with HashiCorp Terraform Cloud Rosemary Wang Developer Advocate at HashiCorp @joatmon08
© 2023 HASHICORP 40 Write network infrastructure as code Share
it with your team and organization. Run it in production. Research Adopt Standardize Scale The Infrastructure as Code Journey @joatmon08
© 2023 HASHICORP Bridge Use manual interfaces to run infrastructure
as code. 41 Validate Reconcile source of truth. Change Use immutability to update infrastructure. Practices @joatmon08
© 2023 HASHICORP 42 developer.hashicorp.com/terraform/cloud-docs/integrations/service-now Change Management Systems @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 44 developer.hashicorp.com/terraform/tutorials/cloud/no-code-provisioning No-Code Provisioning @joatmon08
© 2023 HASHICORP Bridge Use manual interfaces to run infrastructure
as code. 45 Validate Reconcile source of truth. Change Use immutability to update infrastructure. Practices @joatmon08
© 2023 HASHICORP 46 Validate Reconcile current state to codified
one in order to reduce errors. data "aws_acm_certificate" "issued" { domain = "tf.example.com" most_recent = true } resource "aws_lb_listener_certificate" "example" { listener_arn = aws_lb_listener.front_end.arn certificate_arn = data.aws_acm_certificate.issued.arn lifecycle { postcondition { condition = data.aws_acm_certificate.issued.status != "EXPIRED" error_message = "The listener certificate has expired." } } } @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 49 developer.hashicorp.com/terraform/cloud-docs/workspaces/health Health Assessments @joatmon08
© 2023 HASHICORP Bridge Use manual interfaces to run infrastructure
as code. 50 Validate Reconcile source of truth. Change Use immutability to update infrastructure. Practices @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 54 …even continuously deployed changes @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP @joatmon08
© 2023 HASHICORP 57 developer.hashicorp.com/consul/tutorials/network-infrastructure-automation/co nsul-terraform-sync-intro Consul-Terraform-Sync @joatmon08
© 2023 HASHICORP 58 Learn more at developer.hashicorp.com/terraform/tutorials/cloud @joatmon08