Introduction
Note
Unless specifically mentioned, concepts that apply to HCP Terraform also apply to its self-hosted version, Terraform Enterprise (TFE).
Note
Our objective in these HashiCorp Validated Designs (HVD) is to give you prescriptive guidance based on our experience partnering with hundreds of organizations who have implemented HCP Terraform. We should acknowledge that our field is complex and the same solution can be implemented in many permutations. No matter what choices you make, what matters most is that you are able to safely provision and manage cloud resources at scale and experience the business benefits and value that automated HCP Terraform workflows provide.
Note
This document gives recommendations on how to implement Terraform infrastructure-as-code (IaC) as a shared service for your organization. Different organizations call the team responsible for this task different names, including the "Platform Team" or "Cloud Center of Excellence" (CCoE). No matter what your team is called, this document helps teams responsible for owning Terraform IaC in their organization.
Terraform maturity stages
While working with our customers, we have identified common patterns of maturity, allowing us to categorize customers into three main stages: Adopt, Standardize, and Scale. Each of the maturity stages is covered in a separate HVD document and assumes that the previous maturity stage is successfully implemented.
Adopt | Standardize | Scale |
---|---|---|
Infrastructure-as-code (IaC), cloud provisioning, secure variables, VCS integration/pipeline, RBAC (team collaboration), observability | Central registry development (policy-as-code, run tasks, modules), image management, day 2 resource management, network infrastructure management | Cost management and optimization, private DC provisioning, self-service workflows, event notification, API integration |
Adopt: These customers have recently partnered with HashiCorp and are investing substantially in adopting IaC for their enterprise. These customers lay the groundwork for growth by embracing fundamental use cases (as listed in the table above) facilitated by the HCP Terraform platform.
Standardize: These customers have completed the Adopt use cases and are now prioritizing the availability of the Platform as a shared service for the entire organization. At this stage of maturity, the platform team focuses on establishing guardrails by implementing policy-as-code, utilizing modules from the private registry, and completing the development of an automated onboarding process for internal customers.
Scale: Once the platform is available to the wider organization and workloads are provisioned using an efficient, unified workflow, the platform team will need to address issues such as cost management, optimization, and other related use cases. These measures will ensure efficient scaling of operations for the organization over time.
Prerequisites
Review HashiCorp's cloud operating model which enables your organization to unlock the fastest path to value in a modern multi-cloud datacenter:
If you are using Terraform Enterprise, this guide assumes that you have reviewed and implemented the following HVDs:
- Terraform: Solution Design Guide (Self-Managed)
HVD document structure
This document covers the "Adopt" phase of operating Terraform on the maturity scale and includes the following:
Section | Summary |
---|---|
Background | Provides an overview of the document |
People and process | Recommendations on how to organize teams for optimum effectiveness for IaC provisioning |
Configuration for first use | Prescriptive configuration of the deployed platform (HCP Terraform/Terraform Enterprise) and making it ready for provisioning. |
IaC and cloud provisioning | Discussion on infrastructure as code (IaC) concepts and best practices. Using the configured platform to provision resources in the cloud. |
Terraform workflows | Discussion on the three main pipeline workflows (VCS, CLI, API) along with their pros and cons. Discussing best practices for branching strategy and other considerations for workflows. |
Observability | Details on how to leverage audit logs to answer questions such as "who made what changes." |
Objectives
You are implementing HCP Terraform/Enterprise to achieve your company's business and functional objectives. Here, we list the goals we expect you to realize after implementing the recommendations detailed in this guide.
Business objectives
- Reduce time to market: This guide will assist you in establishing a robust standard workflow for provisioning, configuring, and managing the lifecycle of hybrid/multi-cloud infrastructure. When implemented effectively, developers can provision infrastructure more efficiently, reducing the time it takes for your organization to introduce new products and features to the market.
- Mitigate risk: By securing Terraform state, protecting cloud credentials, and implementing RBAC (role-based access control), you will significantly reduce the risk associated with your infrastructure.
- Consistent compliance: Through policy-as-code, organizations will achieve compliant infrastructure, automate audit, address asset lineage concerns, manage against cost expectations, and respond proactively to regulatory change.
- Improve skills and retention: Through infrastructure as code reuse, organizations reduce the cognitive load associated with onboarding new talent and retain that talent longer by improving productivity for team members.
- Optimize cloud cost: By implementing a central shared service for provisioning, you will be able to optimize cloud spend and costs. This is achieved by standardizing and enforcing best practices and by providing visibility into what is being provisioned across the organization. While details on how to do this and implement the necessary guardrails are covered in later HVDs, this guide is a necessary prerequisite towards that goal.
Functional objectives
- Adopt a mature golden workflow for infrastructure provisioning.
- Enhance security posture.
- Improve traceability of actions and ensure audit readiness.
Onboarding/adoption checklist
We recommend that the following tasks be accomplished for a successful onboarding and adoption of HCP Terraform/Enterprise. The time it takes to complete this initial phase will vary depending on the complexity of your organization and the level of executive alignment. However, we have found that using HashiCorp Professional Services or partner-provided services can significantly accelerate the process.
Project checklist
- Identify key people from the Platform Team who will own and operate Terraform. In your organization, the Platform Team may own the architecture but the day-to-day operations may be delegated to a production services/support team who have 24/7 staffing arrangements. Both teams must be engaged at the outset.
- Identify key executives sponsoring this project.
- Establish cadences with the HashiCorp account team. We recommend the following:
  - Weekly/bi-weekly cadence.
  - Quarterly business review with sponsoring executives.
- Enablement plan:
  - Platform Team enablement plan: We recommend that key platform team members attend HashiCorp Academy training. This training will also enable the Platform Team to be trained as trainers for the organization.
  - Application team enablement plan: We recommend that application teams be trained either by the Platform Team "trainers" or attend free hands-on workshops offered by HashiCorp solution engineers and architects.
- Business unit onboarding schedule: Create a schedule for onboarding business units and/or application teams. We recommend for the "adopt" phase that you start with one or a handful of business units (see note below).
- Establish key milestones to track progress. We recommend the following key milestones:
  - HCP Terraform onboarding.
  - Platform team enablement.
  - Application team early-adopter enablement.
  - Application team early-adopter onboarding.
Tip
On onboarding business units/application teams
HashiCorp recommends that you base the initial business unit/application team onboarding schedule on a representative set of early-adopter teams with one or more of the following characteristics:
- A high incentive to use infrastructure as code to achieve their goals.
- Have a DevOps skill set.
Those characteristics will increase the chances of early success.
The schedule should introduce approximately five teams in the first set, working with them from development to UAT. Then, the Platform Team should aim to introduce a second set of about twenty teams into development. This second set would benefit from the feedback the more experienced first set provides as part of pipeline refinement.
When the first set has reached the production environment and the second set has reached UAT, the Platform Team should aim to introduce a third set of approximately 50-100 application teams into development, benefiting from the further refinement brought through feedback and collaboration with the first and second sets of teams. Through working with this third set, increased scale is both visible and demonstrable to senior management, making project success highly likely and standardization, efficiency gains and cost savings clearly visible.
Onboarding checklist
- Establish core integrations:
- VCS
- SSO/IdP
- HCP Terraform agents (optional)
- System logs and metrics (for Terraform Enterprise)
- HCP Terraform agent logs and metrics (optional)
- Audit logs
- Establish a workflow to onboard application teams to HCP Terraform/Enterprise:
- Workflow vending
- Cloud credentials for workspaces
- Test of initial end-to-end CLI-driven run.
- Test of end-to-end VCS-driven run.
- Test SSO for the Platform Team and application teams.
- Initial discussions with the first set of early-adopter teams regarding user onboarding experience, and updates to the project backlog with next-step improvements.
Adoption checklist
- Determine the consumption model most suited for your organization.
- Establish a GitOps-based workflow for application teams. This should map to your existing organizational git repository standards.
- Branching strategy: Decide on the branching strategy for managing environments.
- Complete an adoption maturity assessment with a HashiCorp solution architect.
Note
We strongly recommend scheduling time with a HashiCorp solution architect as soon after license acquisition as possible, as they will provide key architectural and integration advice for the project, and then again within three months to ensure that the transition architecture and associated migration plans are still clear and not blocked. We also recommend a regular cadence with your HashiCorp solution engineer throughout the project and into production to ensure business value continues to grow.