In this talk, I cover the typical evolution of Terraform in the organizations I have seen over the years, how most teams end up getting eventually buried in Pull Request reviews for infrastructure changes, and the easiest way to unbury a team by starting small with Conftest and Terraform policy automation.
13. HashiTalks
Works on my machine
Make Changes Quick: Engineers can just ship; terraform apply is easy to just run.
Nothing to implement: Outside configuring state buckets, there isn't much work up front.
State & Config inconsistent: There is a chance that engineers running Terraform independently will run into some config/state drift.
High Risk: Engineers may inadvertently introduce security risks, or even destroy production resources.
No Accountability: No audit trail of who did what and when; little to no collaboration.
23. HashiTalks
Looks good to me
Collaborative: Engineers are able to collaborate effectively; allows for a code review and approval process.
Auditable and Accountable: Clear change logs and the ability to know who did what and when.
Bottlenecks: More code reviews equate to more engineering hours, and it adds up the more infrastructure you manage.
Config reflects state: No more developers operating on their own machines; the code is an accurate reflection of the state of the world.
27. HashiTalks
These (policies) are the things we're actually looking for when we do code reviews. We should be checking for violations before there is ever a human involved.
Policy Enforcement
28. HashiTalks
OPA is an engine that enables a single approach for policy enforcement across different services.
Conftest
30. HashiTalks
Conftest
Purposeful Design: Designed specifically to be used in CI or for local testing. Functionally the same as OPA. Works well with Atlantis.
Not just HCL/Terraform: OPA supports a wide variety of structured data; today we are just talking about testing Terraform.
Everything is Rego: A DSL for making policy assertions on the given structured data. The Rego Playground is an awesome place to experiment.
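To make the "everything is Rego" point concrete, here is an added example policy (written for this page, not taken from the talk or from the Conftest project) that expresses three of the checks a reviewer would otherwise do by eye. It assumes the input is the plan JSON produced by `terraform show -json`, where each entry of `resource_changes` carries the planned attributes under `change.after`; the AWS resource types, attribute names and the required `owner` tag are assumptions for illustration, and the `import rego.v1` line assumes a Conftest release built on OPA 0.59 or newer.

```rego
package main

import rego.v1

# Added example policy (not from the talk). Assumed input: the JSON from
# `terraform show -json tfplan`; each resource_changes[] entry holds the
# planned attributes in change.after (null when the resource is destroyed).

# Check 1: no S3 bucket may be planned with a public ACL.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_s3_bucket"
	rc.change.after.acl in {"public-read", "public-read-write"}
	msg := sprintf("%s: public ACL %q is not allowed", [rc.address, rc.change.after.acl])
}

# Check 2: a security group may only admit 0.0.0.0/0 on port 443.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	"0.0.0.0/0" in rule.cidr_blocks
	rule.from_port != 443
	msg := sprintf("%s: ingress from 0.0.0.0/0 on port %v is only allowed for 443", [rc.address, rule.from_port])
}

# Check 3: accountability. Every instance or bucket must carry an
# `owner` tag so the audit trail names a responsible team.
deny contains msg if {
	some rc in input.resource_changes
	rc.type in {"aws_instance", "aws_s3_bucket"}
	rc.change.after != null # skip destroys; `after` is null for them
	not rc.change.after.tags.owner
	msg := sprintf("%s: missing required tag 'owner'", [rc.address])
}
```

Saved as `policy/terraform.rego`, the policy runs in CI or locally with `terraform plan -out tfplan`, then `terraform show -json tfplan > tfplan.json`, then `conftest test tfplan.json`; a non-zero exit from Conftest fails the pipeline before a human ever opens the Pull Request. Each `deny` rule is written against the planned state rather than the HCL source so that values resolved from variables and modules are checked, not just literals in the `.tf` files.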
50. HashiTalks
Conftest
Agility: With automated testing, engineers can move faster without waiting on approvals.
Auditable and Accountable: Clear change logs and the ability to know who did what and when.
More work up front: Implementing some initial policies and a workflow around conftest takes some work.
Reliability: By codifying our policies, we can feel confident about what can and can't slip into our codebase.