Customer story: why the US Air Force uses Sentinel + Terraform + Vault Enterprise

At HashiCorp's most recent conference in Europe (last month), Tamekia Reed of Expansia (who is also the founder of the Women In Linux group) took the stage. She carried out a deployment project for the US Air Force that included Sentinel, Terraform Enterprise, Vault Enterprise, GitLab and other tools. She described how they use HashiCorp tools to automate manual processes, to manage configuration and infrastructure, and to run security processes and policy through code (policy-as-code and infrastructure-as-code), as well as the adoption of HashiCorp tools in the US Air Force and why they chose the Enterprise editions.

As a HashiCorp solutions distributor and the vendor's representative, we received the recording and condensed it into a 4-minute video containing the parts relevant to Sentinel, Terraform and Vault together with the relevant slides. We also added subtitles to the video and include the text itself at the end of this article.

For further questions about HashiCorp products, feel free to contact us.


We are the official representative of HashiCorp and provide licensing, implementation, consulting and training for Terraform, Vault, Sentinel, Consul and Nomad.
We offer end-to-end solutions in ALM, DevOps and cloud, including building development and test environments and migrating them to containers, to the cloud and more.

We also provide licensing and implementation of complementary tools: GitLab, Jenkins, Spotinst, AWS, GCP, Kubernetes, Chef, Rancher, SonarQube, Nexus, Digital Ocean, Artifactory and more.

Questions? We would be happy to answer any question: contact us by email at hashicorp@almtoolbox.com or by phone at 072-240-5222.

Relevant links:


Transcript:

So a little bit of background about me – he gave you the introduction—I also worked for a company called Expansia. The main topic that we're going to talk about today is how we're trying to solve problems in government, in particular for the U.S. Air Force. The topic here is called the journey—and I should have put up there a continuous journey as well because that is exactly what it is—it’s a continuous journey.

Policy as code

Policy as code. We want to implement this—as we talked about in the image policy. We want to create it; we want to be able to deploy to different environments—quicker time for responses in terms of failures—in terms of successes. Knowledge transfer through code—how did you do it—being able to share with other teams, and also bringing ops and developers together for quicker feedback loops on deployments.

We talked about it earlier—we heard about Sentinel. How does that apply in our world? And when I say our world is policy as code is huge and something that is ongoing every day.

As you see at the bottom—and I talked about this—checking your code in, building out, whether it's a Docker container or a VM, and then using Sentinel to say, Hey, I can deploy to the staging environment. If not, I'll stop and say I can't deploy to that state in your environment. But I have that ability now to say yes or no. I can go back and say I want to scan that environment as well too. And get that feedback loop to JIRA. That's what that looks like.

One of the bigger issues in this project is having a multi-environment. Well, with that multi-environment, I'm not sure if anyone here plays with Azure Stack or AWS Outpost. Outpost is coming out—I think roughly around September/October frame—is what they were looking at. But as we prepare to go forward, we want to be prepared to play in those environments and we will too. We will have that option and we will have that pipeline already set out.

Terraform Enterprise advantages

Terraform Enterprise—the advantages that we have seen are—one—we're able to hold state viewing where we can't hold state unless you're using vRealize. But then there are other issues that go along with that.

Control policies on the environment. We need to have the ability to audit. Now if we have those policies that are written out in code, we can see who was able to push the button on their environment and say, "Hey, we deploy to staging," or, "We deploy it to production."

The next one is see who actually did what and have that feedback in JIRA. Super important.

Vault Enterprise advantages

We're also using Vault. So we're using Vault Enterprise for a couple of things. One, we need PKI integration. The other one that we need it for is Terraform. We also need it for controlling logging into servers.

When we're talking about logging into servers—in some cases you may need someone to log into a server depending on if it's a monolithic application and it's been around forever—and that's what they've been used to. You want to get away from that. But at least we can have that controlled on Vault saying that you only have 30 minutes to log in and check and see what was going on and then log out. We can put that on Vault.

The other thing we do here is tying that back into Kerberos or LDAP—or even, in this case, Windows which is still underneath Kerberos.
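The server-login controls described in the talk (a login window limited to 30 minutes, access decided through LDAP), written as Terraform code for the HashiCorp Vault provider. This is an added example and is not code from the talk, from the Air Force project or from ALM Toolbox; Vault's SSH certificate engine is assumed as the mechanism behind "controlled on Vault", and every hostname, DN, mount path, role name and group name is a placeholder.

```hcl
variable "ldap_bind_password" {
  type      = string
  sensitive = true   # passed in via TF_VAR_ldap_bind_password, never stored in code
}

resource "vault_ldap_auth_backend" "corp" {   # operators authenticate to the directory
  path     = "ldap"
  url      = "ldaps://ldap.example.internal"  # placeholder directory host
  userdn   = "ou=Users,dc=example,dc=internal"
  userattr = "uid"
  groupdn  = "ou=Groups,dc=example,dc=internal"
  binddn   = "cn=vault-bind,ou=Service,dc=example,dc=internal"
  bindpass = var.ldap_bind_password
}

resource "vault_mount" "ssh" {   # SSH CA: short-lived certificates instead of long-lived keys
  path = "ssh-client-signer"
  type = "ssh"
}

resource "vault_ssh_secret_backend_ca" "ssh" {
  backend              = vault_mount.ssh.path
  generate_signing_key = true   # CA private key stays in Vault; only its public key goes to sshd
}

resource "vault_ssh_secret_backend_role" "legacy_login" {
  backend                 = vault_mount.ssh.path
  name                    = "legacy-app-login"
  key_type                = "ca"
  allow_user_certificates = true
  allowed_users           = "appadmin"
  default_user            = "appadmin"
  ttl                     = "30m"   # the 30-minute login window from the talk
  max_ttl                 = "30m"   # the requester cannot ask for longer
  default_extensions      = { permit-pty = "" }   # interactive shell only, no forwarding
}

resource "vault_policy" "legacy_login" {   # least privilege: sign for this one role only
  name   = "legacy-app-login"
  policy = <<-EOT
    path "ssh-client-signer/sign/legacy-app-login" { capabilities = ["create", "update"] }
  EOT
}

resource "vault_ldap_auth_backend_group" "legacy_ops" {   # directory group -> Vault policy
  backend   = vault_ldap_auth_backend.corp.path
  groupname = "legacy-app-ops"
  policies  = [vault_policy.legacy_login.name]
}
```

With this applied, an operator in the `legacy-app-ops` group logs in with `vault login -method=ldap` and requests a signed certificate from `ssh-client-signer/sign/legacy-app-login`; sshd on the target must trust the CA public key via `TrustedUserCAKeys`, and every signing request is recorded in Vault's audit log, which gives the "who did what" trail the talk asks for.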