Terraform and Sentinel

Transcript

1. Terraform and Sentinel Infrastructure as code and policy as code

2. Armon Dadgar Mitchell Hashimoto

3. 3 DEVELOPMENT SECURITY OPERATIONS Run applications Secure infrastructure & applications

   Provision infrastructure Provision, secure, connect, and run any infrastructure THE PRACTITIONER TEAMS • Collaboration • Operations • Governance & policy

4. s 4 Tao of HashiCorp

5. Tao of HashiCorp 5 Workflows, not Technology Simple, Modular, Composable

   Communicate Sequential Process Immutability Versioning through Codification Automation through Codification Resilient Systems Pragmatism

6. s 6 Infrastructure as Code

7. Infrastructure challenges ▪ Create a completely isolation second environment to

   run an application (staging, QA, dev, etc.)? ▪ Deploy a complex new application? ▪ Update an existing complex application? ▪ Document how infrastructure is architected? ▪ Delegate some ops to smaller teams? 7

8. https://www.hashicorp.com/products/terraform

9. Benefits ▪ Learn from Software Development ▪ Versioning (Rollbacks) ▪

   Peer Review ▪ Abstraction / Encapsulation ▪ Code Reuse ▪ Automation and Leverage 9

10. s 10 Paradox of Automation

11. Sanity Checking 11 IT Ops Procurement “Please provision 5000 VMs”

12. Sanity Checking 12 IT Ops Procurement “Are you sure 5000?”

13. Sanity Checking 13 IT Ops Cloud “Please provision 5000 VMs”

14. Sanity Checking 14 IT Ops Cloud “Done!”

15. Scaling Automation 15 ▪ Paradox of Automation ▪ Accidental Error

    ▪ Compliance Bypass ▪ Malicious Intent

16. Policy to the Rescue 16 ▪ Compliance Policies ▪ Security

    Policies ▪ Operation Excellence

17. Policy Workflow 17

18. Policy as Code 18 ▪ Compliance Policies ▪ Governs Infrastructure

    as Code ▪ Defines a sandbox to automate in ▪ Codify business regulation and “sanity checking” ▪ Versioning and Automation through Codification

19. s 19 Sentinel

20. What is Sentinel 20 ▪ “Policy as Code Framework” ▪

    Sentinel Language Specification* ▪ Golang Embedded Runtime ▪ Simulator tool ▪ Import SDK * https://docs.hashicorp.com/sentinel/language/spec

21. What is Sentinel 21 ▪ Non-programmer friendly ▪ Easy to

    Embed ▪ Simple ▪ Debuggable ▪ Go Friendly

22. main = rule { all obj.items as item { item

    matches "my-item-[a-z0-9]+" } }

23. import "tfplan" allowed_types = ["n1-standard-1", "n1-standard-2"] clusters = tfplan.resources.google_container_cluster machine_type_allowed

    = rule { all clusters as name, instances { all instances as index, r { r.applied.node_config[0].machine_type in allowed_types } } } main = rule { machine_type_allowed }

24. ENFORCEMENT LEVELS "I'm sorry, Dave. I'm afraid I can't do

    that"

25. Sentinel Workflow 25

26. s 26 Demo

27. 27 DEVELOPMENT SECURITY OPERATIONS Run applications Secure infrastructure & applications

    HashiCorp Enterprise + Sentinel ENTERPRISE ENTERPRISE ENTERPRISE THE PRACTITIONER TEAMS • Collaboration • Operations • Governance & policy ENTERPRISE DEVELOPMENT SECURITY OPERATIONS Run applications Secure infrastructure & applications Provision infrastructure

28. Conclusion 28 ▪ Policy as Code builds upon “As Code”

    ▪ Shared benefits as Infrastructure as Code ▪ Sentinel a framework for Policy as Code ▪ Next Step in Infrastructure Automation