My look at HashiCorp’s new tools

Written by Gareth Saxby, Senior Cloud Engineer

Thousands of technologists from around the world have gathered in San Francisco for the 2018 HashiConf, and I’ve been fortunate enough to fly over there to experience it for the first time.

HashiConf 2018 promises an opportunity to learn about the latest trends in DevOps, multi-cloud and next-generation infrastructure.

During the opening keynote, HashiCorp made some exciting product announcements. I’d like to talk about some of these tools, which will improve the day-to- day operations for both our clients and team at DevOpsGroup.

Terraform

Hashiconf 2018 Highlights

At DevOpsGroup, we use HashiCorp Terraform extensively for managing our internal services and for helping our customers to better manage and grow their cloud resources.

Paul Hinze, Director of Terraform at HashiCorp, took to the stage to make a number of big announcements for Terraform, HashiCorp’s Infrastructure as Code tool.

Free Remote State Storage and a new Business Tier

A common challenge when using Terraform within teams is managing shared state – the files in which Terraform stores information about the resources that it controls.

Terraform Enterprise users are already able to use it for managed remote state storage, while other users have to deal with the additional overheads of managing their own state storage backends either within Cloud Object storage, such as AWS S3, or other key value storage such as HashiCorp’s own Consul.

HashiCorp has announced that it will offer free remote state storage for all Terraform users, with a beta due to start this year.

In addition, a new tier for HashiCorp’s hosted Terraform service has been announced to allow more affordable access to some features from Terraform Enterprise. However, the finer details of this have not been provided yet.

Terraform 0.12 Alpha Launched

The highly anticipated Terraform 0.12 has been given an alpha release for early testing.

Terraform 0.12 brings HCL2 to Terraform, which is the next step in the language used to write Terraform Configurations. The tool boasts enhancements such as native looping, strong type declarations and passing entire resources as input parameters.

It also includes much-improved error reporting.  To make writing Terraform Configurations easier, you’re given error messages with the direct context for the problem that has occurred.

All of this makes it much easier to write advanced Terraform configurations to have greater control over infrastructure, and also allows for even greater code reuse to minimise time spent writing.

Vault

Hashiconf Highlights 2018

HashiCorp Vault is a secrets management service designed to grant access to databases, cloud APIs and other services dynamically based on the application requesting access.

It’s a great tool for scaling the management and consumption of secrets within both cloud and on-premise environments.  HashiConf made a number of big announcements for Vault.

Vault 1.0 announced, Beta Released

The next release of Vault will be version 1.0, a milestone for HashiCorp products. HasiCorp believes that the software covers all of the expected use cases effectively and has matured enough to be considered highly stable.

The first day of HashiConf 2018 marked the release of the Vault Version 1.0 beta, including a number of new updates.

Automatic Unsealing of Vault has been added to the open source release of the product in Version 1.0, after previously only being available in Vault Enterprise.

Typically, Vault requires a customisable number of users to provide their own keys to ‘unseal’ Vault – allowing access to the secrets storage.

With Automatic Unsealing, the key management services within cloud providers like AWS Key Management Service (KMS) can be used to take custody of these keys. And Vault can automatically unseal its secrets removing the need for operators to intervene.

Batch Tokens have also been added to Vault 1.0. They’re useful when Vault needs to create a high volume of short-lived credentials that only need simple access to its functionality, such as within a serverless application or batch processing jobs using of parallel execution.

Vault doesn’t have to track every Batch Token within its own storage. Instead, the client manages their own token state entirely. It’s now less work for the Vault cluster to perform, compared to a standard Service Token. This tool is perfect for short-lived tasks.

Vault Advisor

Announced as a HashiCorp research project, Vault Advisor looks like it could be a fantastic update for Vault.

Advisor is being designed to monitor usage patterns for services talking to Vault and to notify the Vault user when a service has been granted permissions in excess of what it is actually using. By comparing the Vault Access Control List granted to a service and the actual secrets that it is requesting, a differential is calculated between the two – showing what access is unused.

This means that Vault will make it easier to use the principle of least privilege for your Vault Access Control Lists, giving suggestions for what access can be removed.

There isn’t currently a launch date for Vault Advisor, as it is still being actively worked on. But the end goal is to launch Advisor into General Availability for Vault users.

HashiCorp Learn

Hashiconf Highlights
Finally, HashiCorp Learn is the new web-based tutorial site. It’s designed for users to learn more about how to use HashiCorp products, starting with a guide for using Vault.

By the end of the year, HashiCorp plans to have guides for Consul, Terraform and Nomad as well. This will make the site a valuable place for users who are new to the tools, as well as those looking to learn more advanced topics.

This information is also available for free and should make for a great addition on top of the existing product documentation for helping users to understand the HashiCorp product suite.

Share this:

Leave a comment

Your email address will not be published. Required fields are marked *

*

View our privacy policy