Slide 1

Terraform and Sentinel: Infrastructure as Code and Policy as Code

Slide 2

Armon Dadgar, Mitchell Hashimoto

Slide 3

Provision, secure, connect, and run any infrastructure

Development: run applications
Security: secure infrastructure & applications
Operations: provision infrastructure

The practitioner / Teams:
• Collaboration
• Operations
• Governance & policy

Slide 4

Tao of HashiCorp

Slide 5

Tao of HashiCorp
▪ Workflows, not Technology
▪ Simple, Modular, Composable
▪ Communicate Sequential Process
▪ Immutability
▪ Versioning through Codification
▪ Automation through Codification
▪ Resilient Systems
▪ Pragmatism

Slide 6

Infrastructure as Code

Slide 7

Infrastructure challenges
▪ Create a completely isolated second environment to run an application (staging, QA, dev, etc.)?
▪ Deploy a complex new application?
▪ Update an existing complex application?
▪ Document how infrastructure is architected?
▪ Delegate some ops to smaller teams?

Slide 8

https://www.hashicorp.com/products/terraform

Slide 9

Benefits
▪ Learn from Software Development
▪ Versioning (Rollbacks)
▪ Peer Review
▪ Abstraction / Encapsulation
▪ Code Reuse
▪ Automation and Leverage

Slide 10

Paradox of Automation

Slide 11

Sanity Checking

IT Ops to Procurement: “Please provision 5000 VMs”

Slide 12

Sanity Checking

Procurement to IT Ops: “Are you sure 5000?”

Slide 13

Sanity Checking

IT Ops to Cloud: “Please provision 5000 VMs”

Slide 14

Sanity Checking

Cloud to IT Ops: “Done!”

Slide 15

Scaling Automation
▪ Paradox of Automation
▪ Accidental Error
▪ Compliance Bypass
▪ Malicious Intent

Slide 16

Policy to the Rescue
▪ Compliance Policies
▪ Security Policies
▪ Operational Excellence

Slide 17

Policy Workflow

Slide 18

Policy as Code
▪ Compliance Policies
▪ Governs Infrastructure as Code
▪ Defines a sandbox to automate in
▪ Codify business regulation and “sanity checking”
▪ Versioning and Automation through Codification

Slide 19

Sentinel

Slide 20

What is Sentinel
▪ “Policy as Code Framework”
▪ Sentinel Language Specification*
▪ Golang Embedded Runtime
▪ Simulator tool
▪ Import SDK

* https://docs.hashicorp.com/sentinel/language/spec

Slide 21

What is Sentinel
▪ Non-programmer friendly
▪ Easy to Embed
▪ Simple
▪ Debuggable
▪ Go Friendly

Slide 22

    main = rule {
        all obj.items as item {
            item matches "my-item-[a-z0-9]+"
        }
    }

Slide 23

    import "tfplan"

    allowed_types = ["n1-standard-1", "n1-standard-2"]

    clusters = tfplan.resources.google_container_cluster

    machine_type_allowed = rule {
        all clusters as name, instances {
            all instances as index, r {
                r.applied.node_config[0].machine_type in allowed_types
            }
        }
    }

    main = rule { machine_type_allowed }
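As an added example (not one of the slides' own policies), the “Are you sure 5000?” sanity check from the Sanity Checking slides can be codified the same way as the machine-type policy above. It assumes the same legacy tfplan import shape as that policy, google_compute_instance resources in the root module, and a limit of 50 that is a constructed placeholder.

```sentinel
import "tfplan"

# Assumed threshold for the "Are you sure 5000?" sanity check; replace
# with the organization's own limit.
max_instances = 50

# google_compute_instance resources in the root module of the plan
# (name -> index -> resource), the same shape as the clusters map above.
instances = tfplan.resources.google_compute_instance

# Count the instances that will exist after this plan is applied,
# ignoring resources the plan schedules for destruction.
count_instances = func() {
	total = 0
	for instances as name, resources {
		for resources as index, r {
			if not r.destroy {
				total += 1
			}
		}
	}
	return total
}

# A single plan may not create or keep more than max_instances VMs.
instance_count_ok = rule {
	count_instances() <= max_instances
}

main = rule { instance_count_ok }
```

Attached at the hard-mandatory enforcement level this blocks the run outright; at soft-mandatory an authorized reviewer can override it, which is the codified version of the human “are you sure?” exchange.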

Slide 24

Enforcement Levels

“I'm sorry, Dave. I'm afraid I can't do that”

Slide 25

Sentinel Workflow

Slide 26

Demo

Slide 27

HashiCorp Enterprise + Sentinel

Development (Enterprise): run applications
Security (Enterprise): secure infrastructure & applications
Operations (Enterprise): provision infrastructure

The practitioner / Teams:
• Collaboration
• Operations
• Governance & policy

Slide 28

Conclusion
▪ Policy as Code builds upon “As Code”
▪ Shares the benefits of Infrastructure as Code
▪ Sentinel: a framework for Policy as Code
▪ Next Step in Infrastructure Automation