HashiConf – October 2020 Conference

HashiCorp is holding its annual user conference online this year, and I will be attending virtually to learn what is new and being announced around Terraform. The conference runs for two days, Oct 14th through Oct 15th, along with two days of workshops on the 12th and 13th. This blog will cover part of the full schedule since not all of the presentations are Terraform centric.

HashiConf Digital Opening Keynote

The introduction keynote was interesting, with conference shots from the presenters' homes. The number of attendees (12K) and new number of employees (1K) were interesting numbers. The rest was mostly marketing information about HashiCorp. Some interesting facts: 1K enterprise customers, 6K new users/month, growing with cloud partners and technology partners. Certification program – http://hashicorp.com/certification. Learning program – http://learn.hashicorp.com

Unlocking the Cloud Operating Model: Provisioning

Vault as a Security Platform & Future Direction

Vault is the security layer on top of Terraform and allows secrets for Kubernetes and other platforms to be stored in a secure manner. The bulk of downloads last year was Vault used in conjunction with Kubernetes. The discussion continued with a banking customer that used Vault to store API keys and certificates as well as usernames and passwords. Vault also allows key rotation to be automated and X.509 certificates to be dynamically assigned and consumed.

There are two options for running Vault: the traditional way of downloading and running it yourself, or as SaaS in the HashiCorp Cloud Platform. A new announcement was Vault on AWS as a service.

Consul is an extension of Vault allowing for network infrastructure automation that includes service discovery as well as access rights, authorization, and connection health. Consul can reconfigure on-premises servers like Cisco and cloud network configurations like load balancers, network security rules, and firewalls. New announcements were Consul on AWS as a service and Consul 1.9, with significant enhancements for Kubernetes.

Human authentication and authorization is another layer that can cause problems with system configuration and automation. Traditional products like Active Directory or LDAP for on-premises, or Okta or AzureAD for cloud credentials, can be leveraged to provide auth and authz resources. The trick is how to leverage these trusted sources into servers and services. Traditionally this was done with SSH keys or VPN credentials with a secure network and known IP addresses or hostnames. With dynamic services and hosts this connection becomes difficult. Leveraging services like Okta or AzureAD and role-based access for users or services is a better way of solving this problem. Credentials can be dynamically assigned to a role and rotated as needed. The back-end servers and services can check these credentials with the auth service to verify that the user or role is authorized for access. HashiCorp Boundary provides the linkages to make this work.

Boundary plugs a pluggable identity provider into an authentication source to verify user identities. A second set of plug-ins connects to an authorization source and integrates with HashiCorp Vault to access services with stored secrets, allowing secrets to be rotated and dynamic.

Vault as a Security Platform and Future Direction

Vault centrally stores secrets for infrastructure

Vault can centrally store usernames and passwords, public and private keys, as well as other dynamic or secure credentials. In the image above a web server pulls the database credentials from Vault rather than storing them in code or config files, and the web server can use these dynamic credentials to connect to a database. This workflow can easily change so that the web server requests credentials from Vault and Vault connects to the database to generate a short-lived auth token, which is then passed back to Vault and then to the web server.
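The short-lived credential workflow described above can itself be set up with Terraform's Vault provider. The following is an added example, not code from the presentation or from HashiCorp; the PostgreSQL database, host name, role names, SQL grants and TTL values are all assumptions chosen for illustration.

```hcl
variable "db_admin_password" {
  type      = string
  sensitive = true # supplied at run time, never committed; still recorded in state
}

# Mount the database secrets engine (path is an assumption).
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# How Vault itself logs in to PostgreSQL to create and revoke accounts.
resource "vault_database_secret_backend_connection" "appdb" {
  backend       = vault_mount.db.path
  name          = "appdb"
  allowed_roles = ["webserver"]

  postgresql {
    # Vault substitutes {{username}} and {{password}} from the two fields below.
    connection_url = "postgresql://{{username}}:{{password}}@db.example.internal:5432/app"
    username       = "vault_admin"
    password       = var.db_admin_password
  }
}

# Every read of database/creds/webserver creates a new, expiring database account.
resource "vault_database_secret_backend_role" "webserver" {
  backend = vault_mount.db.path
  name    = "webserver"
  db_name = vault_database_secret_backend_connection.appdb.name

  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]

  default_ttl = 3600  # seconds
  max_ttl     = 14400 # seconds
}

# The web server's Vault policy only needs read on its own creds path.
resource "vault_policy" "webserver" {
  name   = "webserver-db"
  policy = <<-EOT
    path "database/creds/webserver" {
      capabilities = ["read"]
    }
  EOT
}
```

Because the admin password ends up in Terraform state, the state backend has to be encrypted and access-controlled as tightly as Vault itself.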

Building a Self-service vending machine to streamline multi-AWS account strategy

The presentation was from Eventbrite describing how they use Terraform and the HashiStack to manage AWS and a multi-account AWS solution. Multiple AWS accounts are needed to isolate different domains and solutions. Security can be controlled across all accounts through automation. The AWS Terraform Landing Zone (TLZ) quickly became a solution. This product was introduced a year ago as a joint project between HashiCorp and Amazon.

The majority of the conversation was business justification for a multi-AWS account management requirement and how AWS Control Tower would not work. From the discussion and chat it appears that TLZ is still in beta and could potentially make things easier.

Terraform in Regulated Financial Services

This was a customer presentation from Deutsche Boerse Group discussing Terraform deployment into AWS, Azure, and GCP for a fully automated electronic training application. Terraform and Packer are the foundation for building and managing systems. Infrastructure as Code (IaC) helps with regulation reporting and guidelines in the financial industry. Terraform helps define uniform policies and procedures. Code is designed and split into product zones that represent different applications or functions.

Under the terraform directory is a split of dev, test, prod, etc. directories with product lists under each one.

Note that a few structures are common across all modules, while others are specific to a product and class of service. Network controls are managed through a central network definition. Customizations can be made to note changes that vary from the company policies and procedures.

A standard module for a hub can be defined for services like monitoring and network.

This results in a core module that is secure and compliant with environments.

Packer is layered on top of this to harden the operating system and provision customizations into each virtual machine. Ansible configures the machine and can deploy straight to a cloud provider through a private marketplace or personal template.

Terraform Consistent Development and Deployment

This presentation reviewed what Comcast has done with Terraform. The primary goals are consistency and accuracy. Having everyone run the same configuration and secrets helps reduce complexity. A secondary goal is to have dev, test, and prod configurations the same in different regions and locations.

Bootstrap is done from a Git repository, then managed with a cloud storage backend.

State is stored and referenced from a common backend.

Use a Makefile with targets to run the proper terraform command with the proper environment variables. This allows you to integrate state, Vault, and secrets on all desktops and in the CI/CD tool.

There are two levels of variables: the first is specific to a platform, the second is global. It is easy to set defaults and override them when needed. The difficulty is comparing two environments to see changes and differences.

With this module you end up with a vars folder and tfvars file unique to different environments. The Makefile pulls in the right value and ingests the desired tfvars file.
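A sketch of the two-level variable layout described above, as an added example rather than Comcast's actual code. The variable names, values, the `s3` backend type and the `vars/*.tfvars` contents are assumptions; the per-environment files are shown as comments so the block stays valid as a single `.tf` file.

```hcl
# --- backend.tf: common state backend, details supplied per environment ---
terraform {
  backend "s3" {} # bucket, key and region come from -backend-config at init time
}

# --- variables.tf: global variables, with defaults where one value fits all ---
variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "test", "prod"], var.environment)
    error_message = "The environment must be one of dev, test or prod."
  }
}

variable "instance_type" {
  type    = string
  default = "t3.small" # global default, overridden per environment when needed
}

variable "allowed_cidrs" {
  type    = list(string)
  default = [] # no ingress unless an environment explicitly opts in
}

variable "vault_addr" {
  type = string # platform-specific with no default: every tfvars file must set it
}

variable "deploy_token" {
  type      = string
  sensitive = true # comes from the environment (TF_VAR_deploy_token), never from tfvars
}

# --- vars/dev.tfvars ---
# environment = "dev"
# vault_addr  = "https://vault.dev.example.internal:8200"

# --- vars/prod.tfvars ---
# environment   = "prod"
# vault_addr    = "https://vault.prod.example.internal:8200"
# instance_type = "m5.large"
# allowed_cidrs = ["10.20.0.0/16"]

# A Makefile target for prod would then run:
#   terraform plan -var-file=vars/prod.tfvars
```

Keeping secrets out of the tfvars files means the files can be committed and compared across environments without exposing credentials.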

Remainder of presentations

The remainder of the presentations were Vault or Consul presentations. I primarily wanted to focus on Terraform deployments and presentations in this blog. More tomorrow given that day 2 is more Terraform focused.
