HashiCorp Terraform for Network Infrastructure as Code

Presented at Networking Field Day 31.

Rosemary Wang

April 25, 2023

Transcript

  1. © 2023 HASHICORP
    HashiCorp Terraform for Network Infrastructure as Code
    Rosemary Wang
    Developer Advocate at HashiCorp
    @joatmon08

  2.
    The Infrastructure as Code Journey
    Research, Adopt, Standardize, Scale
    Write network infrastructure as code.
    Share it with your team and organization.
    Run it in production.

  3.
    Practices
    Declarative: define what resources should be.
    Maintain Code & State: use as source of truth.
    Inject Dependencies: decouple resources to mitigate impact.

  5.
    Declarative
    Define expected state of infrastructure in configuration files that you can version, reuse, and share.

    locals {
      annotation = "orchestrator:terraform"
    }

    resource "aci_tenant" "dev" {
      description = "This tenant is created by Terraform"
      name        = "${var.prefix}_tenant"
      annotation  = local.annotation
    }

    resource "aci_application_profile" "dev" {
      tenant_dn  = aci_tenant.dev.id
      name       = "${var.prefix}_ap"
      annotation = local.annotation
    }

    resource "aci_vrf" "dev" {
      tenant_dn  = aci_tenant.dev.id
      name       = "${var.prefix}_vrf"
      annotation = local.annotation
    }

  7.
    Terraform Providers for Networking
    registry.terraform.io/browse/providers?category=networking

  9.
    Manage Code & State
    Establish a source of truth with configuration and state.

    terraform {
      cloud {
        organization = "hashicorp-team-da-beta"
        workspaces {
          tags = ["datacenter", "networking", "source:cli"]
        }
      }
    }

    resource "aci_tenant" "dev" {
      description = "This tenant is created by Terraform"
      name        = "${var.prefix}_tenant"
      annotation  = local.annotation
    }

  14.
    Inject Dependencies
    Retrieve metadata from an abstraction to change downstream dependencies independently.

    data "aws_availability_zones" "available" {
      state = "available"
      filter {
        name   = "group-name"
        values = [var.region]
      }
    }

    resource "aws_subnet" "public" {
      count             = var.public_subnet_count
      vpc_id            = aws_vpc.nfd.id
      availability_zone = data.aws_availability_zones.available.names[count.index]
      // omitted
    }

  16.
    Terraform Configuration Language
    developer.hashicorp.com/terraform/language

  18.
    Learn more at developer.hashicorp.com/terraform/tutorials

  19.
    Collaboration Practices for Network Infrastructure as Code with HashiCorp Terraform Cloud
    Rosemary Wang
    Developer Advocate at HashiCorp

  21.
    Practices
    Modularize: offer self-service for resources.
    Test: validate system functions as intended.
    Verify: check secure & compliant configurations and settings.

  22.
    Modularize
    Group common resources to enable self-service of properly configured network infrastructure.

    locals {
      annotation = "orchestrator:terraform"
    }

    resource "aci_tenant" "dev" {
      description = "This tenant is created by Terraform"
      name        = "${var.prefix}_tenant"
      annotation  = local.annotation
    }

    resource "aci_application_profile" "dev" {
      tenant_dn  = aci_tenant.dev.id
      name       = "${var.prefix}_ap"
      annotation = local.annotation
    }

    resource "aci_vrf" "dev" {
      tenant_dn  = aci_tenant.dev.id
      name       = "${var.prefix}_vrf"
      annotation = local.annotation
    }

  24.
    Modules on Terraform Registry
    registry.terraform.io/search/modules

  26.
    Test
    Write different tests to check for specific attributes and functionality.

    // VARIABLE VALIDATION
    variable "region" {
      type        = string
      default     = "us-east-1"
      description = "AWS Region"
      validation {
        condition     = startswith(var.region, "us-")
        error_message = "Only use AWS regions in US"
      }
    }

    // TEST
    aws_subnets_have_correct_mask = rule {
      all aws_subnets as _, aws_subnets {
        aws_subnets.values.cidr_block contains "/24"
      }
    }

  29.
    Sentinel
    play.sentinelproject.io/

  32.
    Verify
    Use existing policy libraries and custom policies to check for compliant and secure infrastructure configuration.

    // Policies to Run
    policy "public_access" {
      query             = "data.terraform.policies.public_access.deny"
      enforcement_level = "mandatory"
    }

    // Policy Definition
    package terraform.policies.public_access

    import input.plan as tfplan

    deny[msg] {
      r := tfplan.resource_changes[_]
      r.type == "aws_security_group"
      r.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
      msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address])
    }
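An added example, not from the deck: the Rego public-access policy above and the Sentinel subnet-mask rule from slide 26 expressed as plain Python over a Terraform JSON plan, so the same checks can run locally before a plan reaches Terraform Cloud. The sample plan, the resource addresses and the /24 requirement are constructed assumptions; the subnet check goes beyond the slide by parsing the prefix length instead of matching the substring "/24".

```python
import ipaddress
import json

# Constructed sample plan (not a real plan): an open security group, one /24
# subnet, one /16 subnet, and a deleted subnet whose "after" is null.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 443, "to_port": 443, "cidr_blocks": ["10.0.0.0/8"]}]}}},
    {"address": "aws_subnet.public[0]", "type": "aws_subnet",
     "change": {"actions": ["create"], "after": {"cidr_block": "10.0.1.0/24"}}},
    {"address": "aws_subnet.public[1]", "type": "aws_subnet",
     "change": {"actions": ["create"], "after": {"cidr_block": "10.0.0.0/16"}}},
    {"address": "aws_subnet.old", "type": "aws_subnet",
     "change": {"actions": ["delete"], "after": None}},
]})

def planned(plan, rtype):
    """Yield (address, after) for rtype resources that still exist after apply."""
    for r in plan.get("resource_changes", []):
        after = r.get("change", {}).get("after")
        if r.get("type") == rtype and after is not None:
            yield r["address"], after

def deny_public_ingress(plan):
    """Same rule as the Rego deny: security groups with 0.0.0.0/0 ingress."""
    msgs = []
    for address, after in planned(plan, "aws_security_group"):
        if any("0.0.0.0/0" in rule.get("cidr_blocks", [])
               for rule in after.get("ingress", [])):
            msgs.append(f"{address} has 0.0.0.0/0 as allowed ingress")
    return msgs

def subnets_with_wrong_mask(plan, prefixlen=24):
    """Same intent as the Sentinel rule, but compares the parsed prefix length."""
    return [address for address, after in planned(plan, "aws_subnet")
            if ipaddress.ip_network(after["cidr_block"]).prefixlen != prefixlen]

def evaluate(plan_json):
    """Run every policy; an empty list means that policy passed."""
    plan = json.loads(plan_json)
    return {"public_access": deny_public_ingress(plan),
            "subnet_mask": subnets_with_wrong_mask(plan)}

if __name__ == "__main__":
    for name, failures in evaluate(SAMPLE_PLAN).items():
        print(name, "FAIL" if failures else "PASS", failures)
```

Feed it the output of `terraform show -json plan.out` to run the checks on a real plan; deleted resources are skipped because their "after" value is null.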

  34.
    Terraform Cloud Run Tasks
    registry.terraform.io/browse/run-tasks

  37.
    Terraform Cloud Policy Enforcement
    developer.hashicorp.com/terraform/cloud-docs/policy-enforcement

  38.
    Learn more at developer.hashicorp.com/terraform/tutorials/cloud-get-started

  39.
    Manage Network Infrastructure as Code Complexity with HashiCorp Terraform Cloud
    Rosemary Wang
    Developer Advocate at HashiCorp

  41.
    Practices
    Bridge: use manual interfaces to run infrastructure as code.
    Validate: reconcile source of truth.
    Change: use immutability to update infrastructure.

  42.
    Change Management Systems
    developer.hashicorp.com/terraform/cloud-docs/integrations/service-now

  44.
    No-Code Provisioning
    developer.hashicorp.com/terraform/tutorials/cloud/no-code-provisioning

  46.
    Validate
    Reconcile current state to the codified one in order to reduce errors.

    data "aws_acm_certificate" "issued" {
      domain      = "tf.example.com"
      most_recent = true
    }

    resource "aws_lb_listener_certificate" "example" {
      listener_arn    = aws_lb_listener.front_end.arn
      certificate_arn = data.aws_acm_certificate.issued.arn

      lifecycle {
        postcondition {
          condition     = data.aws_acm_certificate.issued.status != "EXPIRED"
          error_message = "The listener certificate has expired."
        }
      }
    }

  49.
    Health Assessments
    developer.hashicorp.com/terraform/cloud-docs/workspaces/health

  54.
    …even continuously deployed changes

  57.
    Consul-Terraform-Sync
    developer.hashicorp.com/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-intro

  58.
    Learn more at developer.hashicorp.com/terraform/tutorials/cloud