Why should I consider Terraform Enterprise?

Captions
The question we're often asked is, you know, if I'm using Terraform, what's the value of using Terraform Enterprise? Why should I consider it? And I think what's helpful is really looking at what is the adoption journey as we go from an individual to many people using Terraform.

So we talk about an individual using Terraform, right, their sort of pattern is, you know, I locally write some Terraform, then I do a plan operation, we're gonna see what is this gonna change, validate my change makes sense, then I do a local apply to make those changes, and then I continue on this loop, right? Much like writing software, it's that iterative process of write, test, apply, right?

So now as I go from one individual to multiple people, right, a team of people now trying to use Terraform, I have a few new challenges, right? So great, I still locally write Terraform, I run plan to validate my change, but now what I don't want to have happen is multiple people apply at the same time on top of each other, right? If multiple people are running at the same time we get a divergence, they'll step on each other, it can cause corruption of the state file, right? So we need to make sure there's only a linear application of Terraform, one at a time.

So the common approach to solving that is then I push my config into a version control system, right, so Git, Bitbucket, something else. And what that buys me is now there's one source of truth for what this configuration is. It doesn't diverge and Alice has one version and Bob has a second and Charlie has a third; they have a consistent view of what is the current definition of the infrastructure, right? And once I have that, then I can use it to drive application of Terraform one at a time so they don't step on each other, and then locally manage the state files, right?

So this quadrant is really where we're introducing challenges around how do we collaborate, right? So as a team of people, multiple users of Terraform, what we need to do is each, you know, manage parts of the infrastructure but without stepping on each other's toes, right? So if we do step on each other's toes we're gonna cause issues for ourselves, right? So this is the core of the collaboration challenges: how do we have a consistent definition, how do we apply one at a time and not step on each other, and how do we make sure we're managing the state file in a consistent way without leading to that being corrupted, right? So this is the first point at which Terraform Enterprise really comes in, and it's looking at the challenge of how do I make a team of people productive without forcing them to first come up with a workflow and solve how they do collaboration, right?

So what happens is I go from a small team, right, two to eight people, to now have teams of teams, right? It's kind of the next scale of usage for Terraform, where now I have sort of multiple teams that are all trying to write Terraform. Just like we would do for an application, we don't want to have one mega Git repo, right, with every application sort of loaded into one huge repository. We'll create one repository per application or per project or per service. We'll do a similar thing with Terraform, right, which is we'll start to decompose the infrastructure into multiple pieces, right? So we might have a core networking team, right, and then there's shared middleware, it's logs, you know, monitoring, database, let's say, and then our end application teams, app 1 and app 2. These are consumers of these, so they consume logs, consume database, you know, consume monitoring. And so we've sort of decomposed the infrastructure so that many different teams could all work in parallel, just like we would do for an application and have many applications so they're all being developed in parallel.

So the challenge as we start doing this is, you know, how do we actually do this safely, right? How do we manage the risk? So particularly what I'd like to be able to do is say my networking team, they're the ones that are allowed to actually change the network's definition. Everyone else, they're allowed to view it, consume it, interact with the network, but they can't redefine it, right? Similarly my database team, they should be able to manage the database, right, consume the network and expose it to the app teams, but as an app team I shouldn't be able to modify the database, right?

And so what we really want to be able to do is have this notion of role-based access control, right, so this is kind of classic RBAC. So we're creating different teams, tying them to what Terraform calls a workspace, so each of these are a workspace, and then we're composing multiple workspaces together to build a larger application. So what Terraform Enterprise gives us is this ability to define different teams, define multiple workspaces, have the permissioning of which teams are allowed to do what, tie all of that back to our single sign-on experience, right, so we don't have to recreate users just for Terraform Enterprise. So this starts to let us say how do we get multiple teams productive, right, in this environment, but doing it in a way that we're managing our risk, right? We're not letting everyone modify everything in that environment.

So as we go even larger, right, we start to say, you know, we want sort of the end application teams consuming it, or we want the whole organization consuming it, then we end up with a different set of challenges, which is not everyone is actually a Terraform expert. So how we deal with this is what we call using, or sort of, a registry and a producer/consumer model. So I have a small set of producers, right, these tend to be more Terraform experts, and what they're going to do is publish a set of modules, right, a Java module, C# module, a database module, so on and so forth, and then these are gonna get consumed by our many different consumers, right?

And so in this example what we might have is the producers are sort of classic IT operations, DevOps folks, they're familiar with the cloud and how all of our infrastructure works, where consumers might be more of our application teams. They're less familiar with the nuances of how the infrastructure works, they just want to come in and say it's a Java app and not really care how it's running, right? And so what this lets them do is come in and sort of point and click and say I need a Java app and here's the three variables I have, right, I specify what's my JAR, how many do I want, and what region to deploy it to, and then the rest of it is a black box for these consumers, right? They just point and click, but under the hood what's happening is we're templating Terraform that's then going to execute to bring up and deploy their Java-based application.

So what this lets us do is expose a lot of consumers in a way that we don't have to train all of them, in a way that they don't have to be experts on how it works, right? They can just kind of point and click and get to what they're trying to achieve, right? So this really helps us gain agility for a broader section of the organization who are not experts in cloud or infrastructure, right?

So the final challenge is how do we do all of this safely, right? And so you often find, you know, I trust the first user, I trust the second user, I start to trust the first 50 users a little bit less, and I certainly don't trust the next 500 users, right? And so what we often see is we'll create this sort of ticketing pipeline, right? So as an end user you can write Terraform, but then you're going to submit it to sort of a review queue. So what we're basically going to do is bottleneck all of the sort of changes in our organization through a single ticketing queue where we're manually reviewing all of this, right? And traditionally this is a central group of teams that are looking at sort of a Word doc of a policy, let's just say, of did you set your S3 bucket to public, did you open the firewall to the whole Internet, did you ask for a thousand instances, all that good stuff. And then if you're allowed, great, you can go through, otherwise try again, right? And so this often ends up breaking a lot of the agility we gained as we went through this, right, because now we have this manual review process.

So part of our goal is how do we automate this with policy as code, right? So with policy as code we capture the same set of policy checks but in an automated, codified way, and within Terraform Enterprise we can install these rules so this becomes an automated checkpoint, right? As an application team or a middleware team I can submit my changes, and as long as I'm within policy the system automatically approves it and I'm allowed to go through. If I'm outside of policy it will reject it, and I need to either get manual review or I need to change my policy, right, and change my configuration, try again, and I'm allowed to go through.

So this is really looking at, as we scale up Terraform, how do we do it in a way that we're controlling risk, right? We don't let people do whatever they want and, sort of, the keys to the kingdom, they can ask for a thousand VMs, but at the same time how do we do it in a way that's still productive, right? We're not putting someone in a queue and making them wait for weeks, right, we're doing it in an automated way to maintain the agility and self-service of Terraform.

So as we talk about Terraform Enterprise, that's really the goal: how do we do the sort of collaboration problem at a smaller scale, how do we start to think about role-based access control and decomposition of the problem at a larger scale, how do we onboard users who don't know things about cloud, infrastructure, Terraform but make them productive, and how do we do it in a way that we're managing risk without putting a ticketing queue in front of everything, right? And so that's really the value of Terraform Enterprise as we grow our usage, is really enabling us to solve these problems so that we still get those benefits of Terraform as an IC but we can do it at an organizational scale.
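The three review questions named in the captions (public S3 bucket, firewall open to the whole Internet, too many instances) can be written as an automated gate over a plan exported with `terraform show -json`. This is an added example, not part of the video and not HashiCorp's code or Terraform Enterprise's own policy language; the sample plan is constructed, the function name is hypothetical, and the limit of 10 new instances is an assumed value.

```python
import json

MAX_NEW_INSTANCES = 10                      # assumed limit, not from the talk
PUBLIC_ACLS = {"public-read", "public-read-write"}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_instance.app[0]", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {"instance_type": "t3.micro"}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": None}},
]})

def evaluate_plan(plan_json, max_instances=MAX_NEW_INSTANCES):
    """Return policy violations; an empty list means the plan can auto-approve."""
    violations, new_instances = [], 0
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        if not actions & {"create", "update"}:
            continue                        # deletes and no-ops expose nothing new
        after = change.get("after") or {}   # values known at plan time only
        if rc["type"] == "aws_s3_bucket" and after.get("acl") in PUBLIC_ACLS:
            violations.append(f"{rc['address']}: bucket ACL is public")
        if rc["type"] == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = (rule.get("cidr_blocks") or []) + \
                        (rule.get("ipv6_cidr_blocks") or [])
                if OPEN_CIDRS & set(cidrs):
                    violations.append(f"{rc['address']}: port "
                                      f"{rule.get('from_port')} open to Internet")
        if rc["type"] == "aws_instance" and "create" in actions:
            new_instances += 1
    if new_instances > max_instances:
        violations.append(f"{new_instances} new instances exceeds "
                          f"limit of {max_instances}")
    return violations

if __name__ == "__main__":
    for v in evaluate_plan(SAMPLE_PLAN):
        print("REJECT:", v)
```

Attributes that are only computed at apply time do not appear under `after`, so a gate like this should treat missing values as needing manual review rather than as compliant.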
Info
Channel: HashiCorp
Views: 20,009
Rating: 4.8715596 out of 5
Keywords: Terraform, Terraform Enterprise, HashiCorp, HashiCorp Terraform, Infrastructure as Code
Id: s8IZa_o5UGw
Length: 9min 59sec (599 seconds)
Published: Thu Nov 15 2018