hashicorp tooling: value, efficiency & security

Posted on 21-Jan-2017


HashiCorp Tooling

Value, Efficiency & Security

contino.io

INTRODUCTIONS

Jordan Taylor, DevOps Practitioner at Contino

Specialise in automation, configuration management, cloud orchestration & CI/CD

Favourite tools are Terraform, Docker and Vault

TO THE CLOUD!

Why?

How?

THE WHY

● Avoid initial investment
● Cost savings
● Flexibility
● Scalability
● User control
● Speed of deployment
● Out-of-the-box security and monitoring

THE HOW

MAGIC

Otherwise known as:
● Infrastructure as Code
● Use of Cloud orchestration tools

Enabling:
● Cloud deployments in a single command
● Auto-scaling
● Uncomplicated deploy processes
● AUTOMATION

Company based in San Francisco

Effectively solve development, operations and security challenges such as:
● Insecure Systems
● Constrained Resources
● Complex Workflows
● Manual Process

Allowing for focus on business-critical tasks

VAGRANT PACKER TERRAFORM SERF

NOMAD VAULT OTTO CONSUL

AGENDA

Packer

Terraform

Use case: Taking a leading UK retailer into the Cloud with Packer and Terraform

Vault

PACKER

Create images for an array of platforms all from a single source configuration.

WHY ADOPT PACKER?

● Templated image builds

● Store templates in source control

● Pre-bake and pre-configure images

● Provide developers with SDKs in images

● Little engineer upskilling required

PACKER: TECHNICAL FUNCTIONALITY

Build temporary cloud instance

Provision and configure it according to the template

Snapshot it

Abstraction of cloud provider API manipulation

A PACKER TEMPLATE

PACKER BEST PRACTICES

1. Directory structure

2. Image naming convention

TERRAFORM

Allows the creation, combination and management of infrastructure resources across multiple providers.

WHY ADOPT TERRAFORM?

● Infrastructure as Code

● Store templated infrastructure in source control

● Provide on-demand infrastructural flexibility

● Little engineer upskilling required

● Simple move to the cloud

TERRAFORM TECHNICAL FUNCTIONALITY

Write Terraform templates

Execute ‘terraform plan’

Execute ‘terraform apply’

Resources deployed & state stored

● Abstraction of a cloud provider’s API, templated as code

● Store and manipulate the state of your infrastructure via metadata

A TERRAFORM TEMPLATE

TERRAFORM BEST PRACTICES

1. Store and share state wisely

2. Directory structure is key

CONSIDER TERRAFORM ENTERPRISE

● Remote Terraform plans, applies, and locks

● Change management and access control policies

● GitHub integration

● Remote state storage

● Artifact registry

● Notifications

● Auditing

● Rollback State

Taking a Leading UK Retailer into the Cloud

Client requirements:

● Equip workforce with the ability to move into the cloud

● Provide a template cloud architecture to move new teams/projects into the cloud

● Get rid of inflexible, long-life, isolated environments

● Scrap complex deployment processes and methodologies

DELIVERABLES

● Templated AWS architecture designed and implemented

● Essentials training to large audiences, encouraging adoption of new tools

● Key engineers upskilled to train internally

● A project team moved into the cloud

OUTCOMES

● Orchestrating infrastructure into the cloud with Terraform

● Deploying resources into AWS using Terraform, via Jenkins

● Creating pre-provisioned images with Packer

● Demonstrating configuration management capability with Chef

● Storing all Infrastructure as Code in Github

● Ready to upskill internally

EQUIP YOUR ORGANISATION WITH CLOUD CAPABILITY

Contino Cloud Enablement Package:

● AWS Essentials (2 day)

● Chef Essentials (1 day)

● Packer & Terraform Essentials (1 day)

● Terraform Intermediate (1 day)

http://contino.io/resources/

VAULT

Secret management system by HashiCorp

● Secure storage
● Dynamic Secrets
● Leases
● Auditing
● Secure Infrastructure Automation

VALUE OF VAULT

Pre-Vault = secret sprawl, decentralised keys, limited visibility, poorly-defined ‘break-glass’ procedures

Post-Vault = single secret source, pragmatic access, operational access, practical security

VAULT COMPONENTS

Storage backend - Encrypted Vault data storage

Secret backend - Encrypted secret store

Audit backend - Log all interactions with Vault

Auth backend - Authenticate users to access Vault

INTERACTING WITH VAULT

Server - HTTP API, manages interaction

Vault token - similar to a session cookie; used for secret access after authorisation

Barrier - all data crossing it is encrypted, in and out

INTERACTING WITH VAULT

Begin unsealing process

Gather shared key holders

Form master key

Unseal vault

Access secrets with Vault
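The unseal steps above (gather key holders, form the master key, unseal) rest on Shamir's Secret Sharing: the master key is split into shares and any threshold-sized subset rebuilds it, while fewer shares reveal nothing. The block below is an added example, not code from the slides or from Vault itself; it implements that idea over a prime field with a constructed key, 5 shares and a threshold of 3, and the share layout and helper names are assumptions for illustration.

```python
import secrets

# Prime field large enough to hold a 128-bit key (2^127 - 1 is a Mersenne prime).
PRIME = 2**127 - 1


def split_key(master_key, shares, threshold, rng=secrets.randbelow):
    """Split master_key into `shares` points on a random polynomial of degree threshold-1.
    The constant term is the key; each key holder receives one (x, y) point."""
    if not (1 <= threshold <= shares) or not (0 <= master_key < PRIME):
        raise ValueError("bad parameters")
    coeffs = [master_key] + [rng(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of the polynomial mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_key(points):
    """Lagrange interpolation at x=0 returns the constant term (the master key).
    With fewer than `threshold` distinct points the result is simply a wrong value."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share presented")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def unseal_demo():
    """Constructed walk-through: 5 key holders, any 3 can unseal, 2 cannot."""
    master_key = secrets.randbelow(PRIME)   # constructed stand-in for the real master key
    shares = split_key(master_key, shares=5, threshold=3)
    from_three = recover_key(shares[:3]) == master_key
    from_other_three = recover_key([shares[0], shares[2], shares[4]]) == master_key
    from_two = recover_key(shares[:2]) == master_key   # below threshold: fails
    return from_three, from_other_three, from_two
```

In Vault the shares are handed to separate operators at initialisation, which is why the unseal procedure starts by gathering the key holders rather than a single administrator.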

VAULT ENTERPRISE

● 24x7x365 Phone and email support

● Hardware Security Module (HSM) integration

AUDITS

● Vault 0.5 audited by iSEC

EQUIP YOUR ORGANISATION WITH VAULT

http://contino.io/resources/

Vault Essentials (1 day)

● How Vault works

● How to set-up and implement Vault

● How to store and manage secrets with Vault

● How to secure applications with Vault

VALUE, EFFICIENCY & SECURITY

● Security with Vault

● Efficiency with Packer & Terraform

● Value with moving your organisation into the cloud swiftly, effectively and securely

USEFUL LINKS

Packer documentation: https://www.packer.io/docs/

Terraform documentation: https://www.terraform.io/docs/index.html

Vault documentation: https://www.vaultproject.io/docs/index.html

Contino offerings: http://contino.io/resources/

CONTINO OVERVIEW

We help Enterprise organisations transform their software delivery engines.

We do this by delivering on key strategic technology initiatives whilst also upskilling our clients' workforce and supporting the development of a more vibrant engineering culture.

▪ Transform how you work with enterprise DevOps and Continuous Delivery

▪ Transform your infrastructure with Cloud

▪ Transform your application delivery with Containers

▪ Transform your enterprise architecture with Microservices

Based on our engagements with many global enterprise clients, we have developed significant IP in how to transform to DevOps and adopt the associated technology stacks within an enterprise setting.

SOME OF OUR CLIENTS

THANKS!

jordan.taylor@contino.io

@jordantaylorUK

NEED HELP? GET IN TOUCH

Achieving value, efficiency and security may not be so difficult…

Call us: 0203 227 0961

Email us: london@contino.io

Our offerings: contino.io/resources
