SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
HashiCorp's cloud provisioning tool Terraform gets upgraded

Fri, 7th Oct 2022
HashiCorp has introduced some major improvements to HashiCorp Terraform that will help users to consistently provision and manage any cloud, infrastructure and service.

The new offerings contain capabilities for Day 1 provisioning, Day 2 management and beyond.

The complete list of offerings includes:

  • Continuous validation for Terraform Cloud Business (beta)
  • No-code provisioning for Terraform Cloud Business (beta)
  • Native Open Policy Agent (OPA) support for Terraform Cloud (beta)
  • The general availability of Terraform 1.3

HashiCorp has also announced some new features that were not covered in detail during the keynote.

These include Azure Provider Automation, beta support for Terraform Plugin Framework, and integration with ServiceNow Service Graph.

Noting that migration to the cloud is leading enterprises to adopt infrastructure automation to provision and manage their cloud resources, HashiCorp says that as organisations grow they face issues such as maintaining code health and visibility, replacing inefficient manual workflows, and mitigating security or compliance problems.

The company adds that provisioning and managing infrastructure in a multi-cloud environment involves new challenges, including managing disparate workflows and infrastructure sprawl, handling teams separated into silos and dealing with critical skills gaps.

The latest Terraform improvements are designed to address a number of these issues by standardising an enterprise's infrastructure automation for multi-cloud.

Drift detection and continuous validation

Once infrastructure has been provisioned, it can be hard to ensure that the actual state of resources still reflects the recorded, desired state and health.

Even when a Terraform run succeeds, aspects that worked at provisioning time, such as service configuration, identity and access management, and anything an application's business logic depends on, may later stop working properly.

HashiCorp previously announced the availability of drift detection at HashiConf Europe, a capability that continuously checks the state of infrastructure to identify any changes and provides alerts.

Continuous validation represents the next step in Day 2 infrastructure management by expanding infrastructure checks beyond configuration drift.

This capability gives users long-term visibility into infrastructure health by allowing them to add assertions, as pre- or post-conditions, to a Terraform configuration or module.

Terraform then continuously checks whether configurations or modules carrying assertions are still passing and notifies users when a check fails, reducing risk, downtime and cost.
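As an added illustration, not code from the article or from HashiCorp, the following Terraform 1.3 configuration carries the kind of assertions continuous validation would re-check after apply: a precondition on the input, a postcondition on an identity-and-access-relevant instance setting, and a postcondition on an application health endpoint. The resource names, the `ami_id` variable and the `/healthz` path are assumptions; `hashicorp/aws` and `hashicorp/http` are real providers.

```hcl
terraform {
  required_version = ">= 1.3.0"
  required_providers {
    aws  = { source = "hashicorp/aws", version = "~> 4.0" }
    http = { source = "hashicorp/http", version = "~> 3.0" }
  }
}

# Assumed input; not from the article.
variable "ami_id" {
  type        = string
  description = "AMI the web instance is launched from"
}

resource "aws_instance" "web" {
  ami           = var.ami_id
  instance_type = "t3.micro"

  # Require IMDSv2 so instance credentials cannot be read with a plain
  # unauthenticated GET against the metadata service.
  metadata_options {
    http_tokens = "required"
  }

  lifecycle {
    # Evaluated during plan: rejects a malformed input before anything is created.
    precondition {
      condition     = can(regex("^ami-[0-9a-f]+$", var.ami_id))
      error_message = "ami_id must be an AMI identifier of the form ami-xxxxxxxx."
    }

    # Evaluated after apply and again on each continuous validation run:
    # fails if someone relaxes the IMDS setting outside Terraform.
    postcondition {
      condition     = self.metadata_options[0].http_tokens == "required"
      error_message = "The web instance must enforce IMDSv2 (http_tokens = \"required\")."
    }
  }
}

# Health assertion: the application must answer on /healthz. Drift detection
# alone would not notice a service that is configured correctly but no
# longer responding.
data "http" "health" {
  url = "http://${aws_instance.web.public_dns}/healthz"

  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "The web instance's /healthz endpoint did not return HTTP 200."
    }
  }
}

output "web_public_dns" {
  value = aws_instance.web.public_dns
}
```

Locally, `terraform plan` evaluates the precondition and `terraform apply` evaluates the postconditions once; the point of the feature described above is that Terraform Cloud keeps re-evaluating the postconditions after the apply has finished, so a later change to the IMDS setting or an outage of the health endpoint surfaces as a failed check rather than going unnoticed.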

No-code provisioning

The 2022 HashiCorp State of Cloud Strategy Survey found that skills shortages were ranked as the top multi-cloud barrier for technology practitioners and decision-makers.

Historically, to provision something that is of immediate use with Terraform, users have needed to know about infrastructure or networking and be familiar with HashiCorp Configuration Language (HCL), potentially preventing adoption.

By introducing a private registry for Terraform Cloud and Terraform Enterprise, it is now simple to publish validated and approved modules capable of being reused throughout an enterprise.

However, HashiCorp notes that this level of self-service only goes so far, as developers will still have to choose a module based on its contents, add it to a version control repo, create a workspace in Terraform Cloud, and provision the module from that workspace.

HashiCorp says it took this all into account when designing these new features, aiming to provide better self-service capabilities with a new no-code provisioning workflow.

In addition, by enabling users to avoid these processes, the number of staff needing to be trained in Terraform could be reduced.

No-code provisioning also allows administrators and module publishers to manage a catalogue of no-code-ready modules for users, such as application developers, to deploy directly to workspaces.

Developers can self-serve infrastructure from the Terraform private registry by selecting the no-code-ready module they need, entering the required variables, and deploying directly into a new workspace, all without writing HCL.

This means that platform teams can spend less time servicing repetitive internal requests and more on building on existing work to drive innovation and support the business.
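As an added example, not the article's or HashiCorp's own code, here is a module of the kind a publisher might mark as no-code-ready: typed, described and validated variables are the only inputs a developer fills in, and the hardening (public access block, encryption at rest, retention) is fixed inside the module rather than left to the consumer. The variable names, naming scheme and validation rules are assumptions.

```hcl
terraform {
  required_version = ">= 1.3.0"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 4.0" }
  }
}

# The only inputs a no-code user is asked for. Each is typed, described and
# validated so the form cannot produce an unsafe or malformed deployment.
variable "team" {
  type        = string
  description = "Owning team, used in the bucket name and the Owner tag"
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{1,30}$", var.team))
    error_message = "team must be 2-31 lowercase letters, digits or hyphens, starting with a letter."
  }
}

variable "environment" {
  type        = string
  description = "Deployment environment"
  default     = "dev"
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of dev, staging or prod."
  }
}

variable "retention_days" {
  type        = number
  description = "Days to keep objects before expiring them"
  default     = 30
  validation {
    condition     = var.retention_days >= 1 && var.retention_days <= 3650
    error_message = "retention_days must be between 1 and 3650."
  }
}

locals {
  bucket_name = "${var.team}-${var.environment}-artifacts"
  tags = {
    Owner       = var.team
    Environment = var.environment
    ManagedBy   = "terraform-no-code"
  }
}

resource "aws_s3_bucket" "artifacts" {
  bucket = local.bucket_name
  tags   = local.tags
}

# Guardrails the consumer cannot switch off: no public access and
# server-side encryption for every object.
resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  rule {
    id     = "expire-artifacts"
    status = "Enabled"
    filter {}
    expiration {
      days = var.retention_days
    }
  }
}

output "bucket_name" {
  value = aws_s3_bucket.artifacts.bucket
}
```

Keeping the consumer-facing surface to three validated primitives is what makes the module safe to hand to someone who will never read the HCL: an invalid `team` or `environment` is rejected at plan time with the stated message, and the security-relevant settings are not variables at all.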

OPA for Terraform Cloud

The bigger organisations become and the more complex their infrastructure, the greater the risk of security breaches and of non-compliance with regulatory requirements.

In 2018, HashiCorp released Sentinel, a policy as code framework.

In August 2022, the company added Sentinel policies to the Terraform Registry, giving experts a way to create and share reusable policies across their wider enterprise.

Additionally, the company made Run Tasks generally available, an offering that provides users with a way to extend Terraform policy enforcement using external services.

Today's announcements add native OPA support to Terraform Cloud, extending its policy as code features to OPA policies written in the Rego policy language.

Moreover, support for OPA in Terraform gives customers who have already standardised on OPA the ability to carry those policies over into Terraform Cloud.

OPA also works with Sentinel to increase the number of supported ways for customers to adopt a policy as code framework for secure multi-cloud provisioning.

Additional updates

The company also announced the availability of the Azure Provider Automation tool, which ensures that users can quickly access new Azure Resource Manager resources and services in the Terraform Azure provider.

This feature automatically generates provider support for newly added or modified Azure resources, so Terraform users can benefit from new or updated features as soon as Microsoft releases them.

HashiCorp also introduced the ServiceGraph Connector for Terraform, an integration with ServiceNow Service Graph, a cloud-based single system of record for IT infrastructure and digital service data.

The company explains that this integration will give ServiceNow customers information about Terraform infrastructure state and resources that were generated from ServiceNow.

In addition, users can now use this integration to gain complete visibility of cloud resource tracking, with the ability to see which resources have been provisioned and who created them.

Terraform Plugin Framework has reached beta phase with a redesigned provider development experience that exposes all available Terraform functionality to providers and enables more readable code.

Developers can either start building providers using the company's new HashiCorp Learn guide or upgrade an existing provider using its migration guide.

Continuous validation, no-code provisioning, and native OPA support with Terraform Cloud are available today as public beta features.

HashiCorp is also hosting 'Set up a No-Code Provisioning Workflow with Terraform Cloud' on November 1, a webinar designed to give attendees a greater understanding of no-code provisioning.
