hashicorp tooling: value, efficiency & security

HashiCorp Tooling Value, Efficiency & Security contino.io

Upload: continohq

Post on 21-Jan-2017

Category:

Software


TRANSCRIPT

Page 1: Hashicorp Tooling: Value, efficiency & security

HashiCorp Tooling

Value, Efficiency & Security

contino.io

Page 2: Hashicorp Tooling: Value, efficiency & security

INTRODUCTIONS

Jordan Taylor, DevOps Practitioner at Contino

Specialise in automation, configuration management, cloud orchestration & CI/CD

Favourite tools are Terraform, Docker and Vault

Page 3: Hashicorp Tooling: Value, efficiency & security

TO THE CLOUD!

Why?

How?

Page 4: Hashicorp Tooling: Value, efficiency & security

THE WHY

● Avoid initial investment

● Cost savings

● Flexibility

● Scalability

● User control

● Speed of deployment

Out-of-the-box security and monitoring

Page 5: Hashicorp Tooling: Value, efficiency & security

THE HOW

MAGIC

Otherwise known as:

● Infrastructure as Code

● Use of Cloud orchestration tools

Enabling:

● Cloud deployments in a single command

● Auto-scaling

● Uncomplicated deploy processes

● AUTOMATION

Page 6: Hashicorp Tooling: Value, efficiency & security

Company based in San Francisco

Effectively solve development, operations and security challenges such as:

● Insecure Systems

● Constrained Resources

● Complex Workflows

● Manual Process

Allowing for focus on business-critical tasks

Page 7: Hashicorp Tooling: Value, efficiency & security

VAGRANT PACKER TERRAFORM SERF

NOMAD VAULT OTTO CONSUL

Page 8: Hashicorp Tooling: Value, efficiency & security

AGENDA

Packer

Terraform

Use case: Taking a leading UK retailer into the Cloud with Packer and Terraform

Vault

Page 9: Hashicorp Tooling: Value, efficiency & security

PACKER

Create images for an array of platforms all from a single source configuration.

Page 10: Hashicorp Tooling: Value, efficiency & security

WHY ADOPT PACKER?

● Templated image builds

● Store templates in source control

● Pre-bake and pre-configure images

● Provide developers with SDKs in images

● Little engineer upskilling required

Page 11: Hashicorp Tooling: Value, efficiency & security

PACKER: TECHNICAL FUNCTIONALITY

Build temporary cloud instance

Provision and configure it according to the template

Snapshot it

Abstraction of cloud provider API manipulation

Page 12: Hashicorp Tooling: Value, efficiency & security

A PACKER TEMPLATE

Page 13: Hashicorp Tooling: Value, efficiency & security

PACKER BEST PRACTICES

1. Directory structure

2. Image naming convention

Page 14: Hashicorp Tooling: Value, efficiency & security

TERRAFORM

Allows the creation, combination and management of infrastructure resources across multiple providers.

Page 15: Hashicorp Tooling: Value, efficiency & security

WHY ADOPT TERRAFORM?

● Infrastructure as Code

● Store templated infrastructure in source control

● Provide on-demand infrastructural flexibility

● Little engineer upskilling required

● Simple move to the cloud

Page 16: Hashicorp Tooling: Value, efficiency & security

TERRAFORM TECHNICAL FUNCTIONALITY

Write Terraform templates

Execute ‘terraform plan’

Execute ‘terraform apply’

Resources deployed & state stored

● Abstraction of a cloud provider’s API, templated as code

● Store and manipulate the state of your infrastructure via metadata

Page 17: Hashicorp Tooling: Value, efficiency & security

A TERRAFORM TEMPLATE

Page 18: Hashicorp Tooling: Value, efficiency & security

TERRAFORM BEST PRACTICES

1. Store and share state wisely

2. Directory structure is key

Page 19: Hashicorp Tooling: Value, efficiency & security

CONSIDER TERRAFORM ENTERPRISE

● Remote Terraform plans, applies, and locks

● Change management and access control policies

● GitHub integration

● Remote state storage

● Artifact registry

● Notifications

● Auditing

● Rollback State

Page 20: Hashicorp Tooling: Value, efficiency & security

Taking a Leading UK Retailer into the Cloud

Client requirements:

● Equip workforce with the ability to move into the cloud

● Provide a template cloud architecture to move new teams/projects into the cloud

● Get rid of inflexible, long-life, isolated environments

● Scrap complex deployment processes and methodologies

Page 21: Hashicorp Tooling: Value, efficiency & security

DELIVERABLES

● Templated AWS architecture designed and implemented

● Essentials training to large audiences, encouraging adoption of new tools

● Key engineers upskilled to train internally

● A project team moved into the cloud

Page 22: Hashicorp Tooling: Value, efficiency & security

OUTCOMES

● Orchestrating infrastructure into the cloud with Terraform

● Deploying resources into AWS using Terraform, via Jenkins

● Creating pre-provisioned images with Packer

● Demonstrating configuration management capability with Chef

● Storing all Infrastructure as Code in Github

● Ready to upskill internally

Page 23: Hashicorp Tooling: Value, efficiency & security

EQUIP YOUR ORGANISATION WITH CLOUD CAPABILITY

Contino Cloud Enablement Package:

● AWS Essentials (2 day)

● Chef Essentials (1 day)

● Packer & Terraform Essentials (1 day)

● Terraform Intermediate (1 day)

http://contino.io/resources/

Page 24: Hashicorp Tooling: Value, efficiency & security

VAULT

Secret management system by Hashicorp

● Secure storage

● Dynamic Secrets

● Leases

● Auditing

● Secure Infrastructure Automation

Page 25: Hashicorp Tooling: Value, efficiency & security

VALUE OF VAULT

Pre-Vault = secret sprawl, decentralised keys, limited visibility, poorly-defined ‘break-glass’ procedures

Post-Vault = single secret source, pragmatic access, operational access, practical security

Page 26: Hashicorp Tooling: Value, efficiency & security

VAULT COMPONENTS

Storage backend - Encrypted Vault data storage

Secret backend - Encrypted secret store

Audit backend - Log all interactions with Vault

Auth backend - Authenticate users to access Vault

Page 27: Hashicorp Tooling: Value, efficiency & security

INTERACTING WITH VAULT

Server - HTTP API, manages interaction

Vault token - similar to session cookie, post-authorisation secret access

Barrier - All data transitions are encrypted, in and out

Page 28: Hashicorp Tooling: Value, efficiency & security

INTERACTING WITH VAULT

Begin unsealing process

Gather shared key holders

Form master key

Unseal vault

Access secrets with Vault

Page 29: Hashicorp Tooling: Value, efficiency & security
Page 30: Hashicorp Tooling: Value, efficiency & security

VAULT ENTERPRISE

● 24x7x365 Phone and email support

● Hardware Security Module (HSM) integration

AUDITS

● Vault 0.5 audited by iSEC

Page 31: Hashicorp Tooling: Value, efficiency & security

EQUIP YOUR ORGANISATION WITH VAULT

http://contino.io/resources/

Vault Essentials (1 day)

● How Vault works

● How to set-up and implement Vault

● How to store and manage secrets with Vault

● How to secure applications with Vault

Page 32: Hashicorp Tooling: Value, efficiency & security

VALUE, EFFICIENCY & SECURITY

● Security with Vault

● Efficiency with Packer & Terraform

● Value with moving your organisation into the cloud swiftly, effectively and securely

Page 33: Hashicorp Tooling: Value, efficiency & security

USEFUL LINKS

Packer documentation: https://www.packer.io/docs/

Terraform documentation: https://www.terraform.io/docs/index.html

Vault documentation: https://www.vaultproject.io/docs/index.html

Contino offerings: http://contino.io/resources/

Page 34: Hashicorp Tooling: Value, efficiency & security

CONTINO OVERVIEW

We help Enterprise organisations transform their software delivery engines.

We do this by delivering on key strategic technology initiatives whilst also upskilling our clients' workforce and supporting the development of a more vibrant engineering culture.

▪ Transform how you work with enterprise DevOps and Continuous Delivery

▪ Transform your infrastructure with Cloud

▪ Transform your application delivery with Containers

▪ Transform your enterprise architecture with Microservices

Based on our engagements with many global enterprise clients, we have developed significant IP in how to transform to DevOps and adopt the associated technology stacks within an enterprise setting.

Page 35: Hashicorp Tooling: Value, efficiency & security

SOME OF OUR CLIENTS

Page 37: Hashicorp Tooling: Value, efficiency & security

NEED HELP? GET IN TOUCH

Achieving value, efficiency and security may not be so difficult…

Call us: 0203 227 0961

Email us: [email protected]

Our offerings: contino.io/resources