Terraform and Sentinel

Watch a special webinar as HashiCorp founders Mitchell Hashimoto and Armon Dadgar share their views on cloud infrastructure provisioning and policy management. The webinar is a technical back-and-forth between Mitchell and Armon discussing their insights on the importance of automation, how it began with infrastructure as code, and the next step in cloud infrastructure provisioning -- policy as code.

Mitchell and Armon go on to discuss how they are focusing HashiCorp’s offerings to help with these concerns. HashiCorp Terraform Enterprise uses infrastructure as code and automation to remove the manual burden on operators to make changes to infrastructure at scale. This efficiency comes with risks, as less experienced users can make significant mistakes that impact business operations. Mitchell and Armon introduce Sentinel, the HashiCorp policy as code framework, which lets IT operators embed the necessary policy guardrails into the provisioning workflow.

Webinar: https://www.hashicorp.com/resources/terraform-sentinel-policy-management-cloud-provisioning

Armon Dadgar

January 24, 2018

Transcript

  1. DEVELOPMENT: Run applications. SECURITY: Secure infrastructure & applications. OPERATIONS: Provision infrastructure. Provision, secure, connect, and run any infrastructure. THE PRACTITIONER / TEAMS • Collaboration • Operations • Governance & policy
  2. Tao of HashiCorp ▪ Workflows, not Technology ▪ Simple, Modular, Composable ▪ Communicating Sequential Processes ▪ Immutability ▪ Versioning through Codification ▪ Automation through Codification ▪ Resilient Systems ▪ Pragmatism
  3. Infrastructure challenges ▪ Create a completely isolated second environment to run an application (staging, QA, dev, etc.)? ▪ Deploy a complex new application? ▪ Update an existing complex application? ▪ Document how infrastructure is architected? ▪ Delegate some ops to smaller teams?
  4. Benefits ▪ Learn from Software Development ▪ Versioning (Rollbacks) ▪ Peer Review ▪ Abstraction / Encapsulation ▪ Code Reuse ▪ Automation and Leverage
  5. Policy as Code ▪ Compliance Policies ▪ Governs Infrastructure as Code ▪ Defines a sandbox to automate in ▪ Codify business regulation and “sanity checking” ▪ Versioning and Automation through Codification
  6. What is Sentinel ▪ “Policy as Code Framework” ▪ Sentinel Language Specification* ▪ Golang Embedded Runtime ▪ Simulator tool ▪ Import SDK
     * https://docs.hashicorp.com/sentinel/language/spec
  7. What is Sentinel ▪ Non-programmer friendly ▪ Easy to Embed ▪ Simple ▪ Debuggable ▪ Go Friendly
  8. main = rule {
       all obj.items as item {
         item matches "my-item-[a-z0-9]+"
       }
     }
  9. import "tfplan"

     allowed_types = ["n1-standard-1", "n1-standard-2"]

     clusters = tfplan.resources.google_container_cluster

     machine_type_allowed = rule {
       all clusters as name, instances {
         all instances as index, r {
           r.applied.node_config[0].machine_type in allowed_types
         }
       }
     }

     main = rule { machine_type_allowed }
  10. HashiCorp Enterprise + Sentinel: DEVELOPMENT (ENTERPRISE): Run applications. SECURITY (ENTERPRISE): Secure infrastructure & applications. OPERATIONS (ENTERPRISE): Provision infrastructure. THE PRACTITIONER / TEAMS • Collaboration • Operations • Governance & policy
  11. Conclusion ▪ Policy as Code builds upon “As Code” ▪ Shares the benefits of Infrastructure as Code ▪ Sentinel: a framework for Policy as Code ▪ Next Step in Infrastructure Automation
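As an added example that is not part of Armon's deck, the slide-9 policy extended so that it fails closed when the cluster's machine type is not yet known at plan time (for instance when it is derived from another resource's output). It assumes the tfplan import exposes each resource's planned changes as `r.diff`, keyed by flattened attribute path (here `node_config.0.machine_type`) with a `computed` flag per entry; that shape is an assumption about the import, not something the deck shows.

```sentinel
import "tfplan"

# Added example, not from the deck. Allowed GKE node machine types.
allowed_types = ["n1-standard-1", "n1-standard-2"]

clusters = tfplan.resources.google_container_cluster

# Assumption: a value unknown at plan time appears in the resource's diff
# map with computed = true. A guardrail that cannot see the value must
# reject the plan rather than pass on a placeholder; a missing diff entry
# (attribute unchanged) is treated as not computed via the `else` default.
machine_type_known = rule {
  all clusters as name, instances {
    all instances as index, r {
      not (r.diff["node_config.0.machine_type"] else {"computed": false}).computed
    }
  }
}

# Same check as slide 9: every planned cluster's machine type is on the list.
machine_type_allowed = rule {
  all clusters as name, instances {
    all instances as index, r {
      r.applied.node_config[0].machine_type in allowed_types
    }
  }
}

# Both rules must hold; an unknown machine type is a violation, not a pass.
main = rule { machine_type_known and machine_type_allowed }
```

With no google_container_cluster resources in the plan both `all` quantifiers are vacuously true, so the policy passes plans that create no clusters, which is the intended scope.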