Getting HashiCorp Terraform into Production
Copyright © 2021 HashiCorp
Michael Tharpe
Senior Solutions Engineer
HashiCorp
/mtharpe
/in/michael-tharpe
01
Terraform Core
Overview
Terraform
Provides the foundation for cloud infrastructure
automation using infrastructure as code for provisioning
and compliance in the cloud operating model.
Use Cases:
Collaborative infrastructure as code
Compliance & Management (Enterprise)
Self-Service infrastructure (Enterprise)
1000+ Providers | Millions of Weekly Downloads | 600+ Customers
Infrastructure as code
▪ Using version control and automation to reduce
human error and failed builds
▪ Terraform infrastructure as code and policy as
code to automate everything
▪ Open source providers allow rapid creation and
support for any infrastructure
Providers
Providers, extensible to any
cloud or service with an API,
enable Terraform to provision
diverse services without
abstracting functionality.
- Deep integration with AWS services
- Co-development with the AWS provider
Terraform Adoption (diagram; axis label: Organizational Complexity)
Enterprise products build on the guiding principle to address organizational and policy complexity and requirements (secrets, identity, and policy management):
▪ Infrastructure as Code for Cloud Migration (Free: Build)
▪ Compliance and Management (Team & Governance: Standardize)
▪ Self-Service Infrastructure (Business: Innovate)
02
Terraform
Open Source
Terraform Open Source Workflow
1. Download Terraform (terraform.io/downloads); providers come from registry.terraform.io
2. Terraform Configs (HCL files): main.tf, outputs.tf, terraform.tfvars, ...
3. Terraform Init: finds and installs providers (local state file)
4. Terraform Plan: performs a dry-run
5. Terraform Apply: deploys/configures to public clouds & schedulers or a private datacenter
Terraform Open Source Considerations
▪ Access Keys: set as environment variables or hard coded into a config file
▪ No API: manual execution, scripting, or wrapped with another process
▪ State Files: contain sensitive data and need to be protected
▪ OSS does not support collaboration
Terraform Open Source Workarounds
▪ Access Keys: set as environment variables or hard coded into a config file; various methods of secrets management
▪ Dedicated VM or Container: access limited to a small team, configs stored in a VCS, runs wrapped in a script or baked into a CI/CD process
▪ Configs (main.tf, outputs.tf, terraform.tfvars, ...) and state file: still need to control access; may have multiple locations (e.g. an object store)
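The following is an added example, not code from the deck or from HashiCorp, of the open source layout described by the workflow and workarounds above: the usual main.tf / variables.tf / outputs.tf / terraform.tfvars split, credentials taken from the runner's environment instead of a config file, and the state file kept encrypted and locked in an object store rather than on a laptop. Bucket, table, region and resource names are placeholders; the files are separated here by comment headers.

```hcl
# Added example (not from the deck). Bucket, table, region and names are
# placeholders; each "---- file ----" header marks a separate file.

# ---- main.tf ----
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }

  # State lives in an object store, not on the device: encrypted at rest and
  # locked through a DynamoDB table so two engineers cannot apply at once.
  backend "s3" {
    bucket         = "example-tfstate-bucket"          # placeholder
    key            = "team-x/network/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-tfstate-locks"           # placeholder
  }
}

# No access_key / secret_key arguments here: the provider reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (or an instance / role profile)
# from the runner's environment, so no credential is committed to the VCS.
provider "aws" {
  region = var.region
}

resource "aws_s3_bucket" "app" {
  bucket = var.bucket_name
}

# ---- variables.tf ----
variable "region" {
  type    = string
  default = "us-east-1"
}

variable "bucket_name" {
  type = string
}

# ---- outputs.tf ----
output "bucket_arn" {
  value = aws_s3_bucket.app.arn
}

# ---- terraform.tfvars (non-secret inputs only; committed to the VCS) ----
# bucket_name = "example-app-bucket"

# Workflow, run from a CI job or the dedicated runner:
#   terraform init     # installs hashicorp/aws and configures the S3 backend
#   terraform plan     # dry run: shows the diff against the remote state
#   terraform apply    # deploys / configures
```

The state file still contains every attribute Terraform knows about, so the bucket policy and the IAM permissions on it deserve the same review as the credentials themselves.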
Terraform Open Source Doesn’t Scale
Each team has to create a custom workflow, which is not safe for production workloads. Three dev teams (X, Y, Z), each with a different setup:
▪ Terraform OSS on laptops: TF configs & state files are trapped on the device; access keys stored on the device; non-standard VCS
▪ Terraform OSS in a CI/CD process: CI/CD tooling not used by all teams; access keys stored on runners or hard-coded into a config file; non-standard secrets management; non-standard CI/CD tooling; object store
▪ Terraform OSS on a dedicated system + VCS: server access is limited to the team; access keys stored on the server or hard-coded into a config file; non-standard secrets management; object store
Security & Compliance Teams
Don’t like decentralized workflows without visibility. Dev Teams X, Y and Z each run Terraform OSS through a custom process against the public clouds & schedulers and the private datacenter:
- No centralized visibility
- No centralized operations
- No access controls
- No secrets management
- No compliance enforcement
- Not acceptable for Enterprise
03
Terraform
Cloud
Building on Open Source
Terraform Cloud
▪ Fully-managed Infrastructure as Code cloud service.
▪ Cloud Compliance & Management to provision and manage any
infrastructure with one workflow
▪ Self-Service infrastructure for users to easily provision
infrastructure on-demand with a library of approved infrastructure
modules
▪ Enterprise features to provide advanced security, compliance and
governance organization wide
04
Infrastructure as
Code
Consistent
Workflow
Perform deployments in any cloud
and service, allowing organizations
to quickly leverage new technology
with the same learned, secured,
audited, and governed workflow.
Infrastructure State
State is Terraform’s
understanding of an
infrastructure
State files are managed by Terraform, providing
understanding of infrastructure as it is currently as
well as all previously provisioned configurations.
Remote state management with Terraform Cloud
encrypts state file storage.
VCS Connection
Terraform connects to the major VCS providers
allowing for automated versioning and running
of configuration files.
▪ Integrates into existing VCS workflow
▪ Automatically trigger runs and policy checks upon pull
requests
▪ Support for Azure DevOps, BitBucket, GitHub, and Gitlab
▪ Default Workspaces to VCS pairing
Secure Variable Storage
Input variables serve as parameters for a
Terraform configuration, allowing aspects to be
customized and shared between different
configurations.
▪ Share and manage access to variables in your
organization
▪ Connect Terraform to other applications or services
without compromising credential security
▪ Terraform Vault provider integration for secrets
management
Workspaces
Workspaces offer powerful decomposition for
monolithic configurations to match your
organization and application structures.
▪ Remote, persistent shared resources
▪ Fine grained access controls
▪ Workflows for VCS integration, remote CLI calls, and
API-driven runs
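The configuration below is an added example, not code from the deck or from HashiCorp, tying together the three preceding slides: remote state in a Terraform Cloud workspace, a sensitive input variable, and the Vault provider integration for secrets that should never be stored as workspace variables at all. The organization, workspace name, Vault path and key names are placeholders.

```hcl
# Added example (not from the deck). Organization, workspace, Vault path and
# key names are placeholders.

terraform {
  required_version = ">= 1.0"

  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 2.0"
    }
  }

  # Remote state and remote runs live in a Terraform Cloud workspace, so the
  # state file never sits on a laptop or a CI runner.
  backend "remote" {
    organization = "example-org"           # placeholder
    workspaces {
      name = "app-prod"                    # placeholder
    }
  }
}

# Marked sensitive: Terraform redacts the value from plan and apply output.
# In Terraform Cloud the value is set as a sensitive (write-only) workspace
# variable, never in a .tfvars file committed to the VCS.
variable "db_admin_password" {
  type      = string
  sensitive = true
}

# Alternative for secrets that should not be stored in the workspace at all:
# fetch them at run time from Vault. VAULT_ADDR and VAULT_TOKEN come from the
# run environment, so no Vault credential appears in the configuration.
provider "vault" {}

data "vault_generic_secret" "app" {
  path = "secret/app/prod"                 # placeholder path
}

locals {
  # Use this wherever a resource needs the credential; Terraform treats
  # values read from the Vault provider as sensitive.
  api_key = data.vault_generic_secret.app.data["api_key"]   # placeholder key
}

# An output that carries a sensitive value must itself be marked sensitive;
# otherwise Terraform (>= 0.15) refuses to plan, and the value would be
# printed to the console and run logs.
output "db_admin_password" {
  value     = var.db_admin_password
  sensitive = true
}
```

Marking a variable `sensitive` hides it from output only; the value is still written to the state file, which is the reason encrypted remote state and workspace access controls belong together.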
05
Compliance and
Governance
Hybrid-Cloud
Compliance &
Governance
Reduce risk with a central point for
automated checks on compliance, business
best practices, and even cost validation
across hundreds of unique providers.
Sentinel Policy as Code Framework
Codify policies to create automated guardrails around provisioning to enforce best-practices, security measures, or compliance.
Example policy (code editor):

    import "tfrun"
    import "tfplan"

    # The VM size this workspace is allowed to provision.
    desired_vm_size = "Standard_D2"
    workspace_name = tfrun.workspace.name

    # The VM size the plan is about to apply, read from the root module.
    configured_vm_size = tfplan.module([]).resources.azurerm_virtual_machine.catapp[0].applied.vm_size

    # The run is allowed only when the planned size matches the desired one.
    main = rule {
      desired_vm_size == configured_vm_size
    }
Cost Estimation
Understand associated costs for a
given deployment and apply
automated policy checks based on
those costs
Single Sign-On (SSO)
Integrate with existing SAML-based identity
provider to authenticate and authorize users by
using standard cryptography and digital
signatures to pass a secure sign-in token.
Team Management
Enable organizations to define roles and
teams that have access to certain
workspaces and environments, and
perform certain operations.
Audit Logs
Store detailed operations of every API call made
for every provider and service Terraform has
provisioned across the organization.
06
Self-Service
Infrastructure
Self-Service
Infrastructure
Increase productivity using a library of
infrastructure modules for technical and
non-technical end-users alike.
Modules
By creating hardened modules, operations teams
empower their organization to efficiently provision
vetted, secured, and standardized infrastructure.
▪ Reusable, templated infrastructure as code
▪ Customize as needed with variable inputs
Producer / Consumer Workflow
▪ Producers create modules from functioning workspaces
▪ Modules published to a registry for discovery
▪ Consumers leverage registry to create infrastructure as
needed for applications
Module Registry
Module Registry
The public module registry offers the large community
a repository to store and share modules.
Private Module Registry
The private module registry, built into Terraform
Enterprise, offers organizations a private repository to
store and share modules internally.
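The following is an added example, not code from the deck or from HashiCorp, of the producer / consumer workflow above: a producer publishes a hardened module that fixes the security settings, and a consumer pulls it from the private registry and can customize only the inputs the producer exposed. The organization, module name, version and bucket names are placeholders, and the two sides are shown as separate files under comment headers.

```hcl
# Added example (not from the deck). Organization, module name, version and
# bucket names are placeholders; each "---- file ----" header is a separate file.

# ---- Producer side: the module source (published to the private registry) ----
variable "name" {
  type = string
}

variable "tags" {
  type    = map(string)
  default = {}
}

resource "aws_s3_bucket" "this" {
  bucket = var.name
  tags   = var.tags
}

# The hardening is baked in: consumers cannot switch public access back on,
# because the module exposes no input for it.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

output "bucket_id" {
  value = aws_s3_bucket.this.id
}

# ---- Consumer side: main.tf in an application workspace ----
# Source format for a private registry module: <host>/<org>/<name>/<provider>.
module "logs_bucket" {
  source  = "app.terraform.io/example-org/hardened-bucket/aws"   # placeholder
  version = "~> 1.0"

  name = "example-app-logs"
  tags = { team = "x" }
}

output "logs_bucket_id" {
  value = module.logs_bucket.bucket_id
}
```

Pinning `version` with a constraint means a producer can ship a fix to the module without breaking consumers, while consumers still pick up the new version on their next `terraform init -upgrade`.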
Remote Operations
Enable users to trigger runs remotely, while
automatically coordinating the runs of multiple users.
Options include pull requests and code commits,
API calls within a CI/CD pipeline, and even the
Command Line Interface.
07
Terraform Cloud
Adoption
Terraform Cloud Journey
Build (Free), Standardize (Team & Governance), Innovate (Business)
Terraform Cloud packages and pricing:
▪ Free: up to 5 users
▪ Team & Governance: priced per user and concurrency*
▪ Business: priced per admin user, applies and concurrency
Capabilities:
▪ Infrastructure as Code (create and provision infrastructure): Free, Team & Governance, Business
▪ Collaborative Infrastructure as Code (manage and share infrastructure): Free, Team & Governance, Business
▪ Team Management & Governance (manage & enforce teams & policies as code): Team & Governance, Business
▪ Advanced Security, Compliance, and Governance (SSO, audit, private datacenter networking): Business
▪ Self-Service Infrastructure (support for ServiceNow integration and workflow): Business
▪ Performance (ability to scale across hosted runs and self-hosted agents; option for 1 additional): Team & Governance, Business
Support:
▪ Community: Free, Team & Governance, Business
Get Started Now
Test drive Terraform Cloud for Business with a FREE TRIAL via AWS Marketplace, and receive 60
days free on AWS.
To claim your free trial or if you have questions, contact [email protected]
Go hands-on with a self-paced workshop: https://hashicorp-terraform.awsworkshop.io/
Thank you
[email protected] www.hashicorp.com