Introduction
This guide outlines best practices for standardizing use of Terraform for infrastructure provisioning within your organization.
Note
Unless specifically mentioned, concepts that apply to HCP Terraform also apply to its self-hosted version, Terraform Enterprise (TFE).
HashiCorp Validated Designs (HVD) leverage our experience from supporting customer journeys with HCP Terraform. In the Adoption guide we mention the various maturity stages. This guide falls under the "Standardizing" stage.
Prerequisites
Before using this guide, make sure you've completed these steps:
- Completed the Terraform Enterprise Operating Guide for Adoption.
- Performed a maturity assessment/architecture review with HashiCorp's Solution Architecture team.
- Before implementing Sentinel, we recommend that team members attend Sentinel Academy Training.
Standardizing - Maturity phase
Standardizing in the HashiCorp Cloud Operating Model is a transition point for organizations moving from initial cloud adoption towards a more structured and efficient approach to cloud infrastructure management. At this stage, the focus shifts from manual, ad-hoc processes to establishing standardized workflows, infrastructure as code (IaC) practices, and policies to ensure consistency, efficiency, and security across cloud environments. This standardization is foundational for scaling cloud operations in later stages.
Benefits of Standardizing
This stage is pivotal, enabling a shift from the initial adoption of infrastructure as code (IaC) to a more streamlined, efficient, and secure management of cloud resources at scale. Let's delve deeper into the benefits of this stage:
Increased efficiency
By standardizing on HCP Terraform for infrastructure provisioning, organizations reduce the variability in their infrastructure setups. This standardization is achieved through the use of version-controlled IaC, which ensures that all infrastructure deployments are reproducible and eliminates the "snowflake" infrastructure problem. The use of shared modules from the private registry further enhances this efficiency by allowing teams to reuse proven, tested code for common infrastructure patterns. This reuse not only speeds up the provisioning process but also significantly reduces manual effort and the potential for human error, leading to more reliable and predictable infrastructure deployments.
Enhanced security and compliance
The integration of policy as code through Terraform Sentinel policies is a cornerstone of the Standardizing stage. This approach allows platform teams to define and enforce security and compliance policies across all infrastructure deployments automatically. By codifying these policies, organizations ensure that every piece of infrastructure is compliant from the moment it is deployed, without requiring manual review processes. This proactive enforcement helps in maintaining a strong security posture and ensures compliance with internal policies and external regulatory requirements, reducing the risk of breaches and non-compliance penalties.
Improved scalability
Standardizing with HCP Terraform prepares organizations for scalable growth. The use of standardized modules and policies facilitates the efficient scaling of infrastructure to meet increasing demand. This scalability is not just about handling more workloads; it's about doing so in a manner that maintains consistency, control, and compliance across the entire infrastructure. The modular nature of Terraform allows for components to be scaled or replicated independently, providing flexibility in how resources are managed and deployed.
Better collaboration
One of the most significant benefits of standardizing is the improvement in collaboration across different teams. By adopting HCP Terraform, organizations establish a common language (HCL) and set of processes for managing infrastructure. This common framework breaks down silos between development, operations, and security teams, fostering a culture of collaboration and shared responsibility. The ability to review, approve, and audit infrastructure changes through pull requests and policy checks enhances transparency and accountability, leading to more secure and efficient infrastructure management practices.
How to standardize your infrastructure
- Assess: Evaluate your current infrastructure practices. Where are the inconsistencies or manual steps that need improvement?
- Define: Set clear goals for your standardized approach. Consider both your unique needs and industry best practices.
- Implement: Choose the right tools to help. HashiCorp solutions like Terraform, Sentinel, and HCP Packer automate and enforce your chosen standards.
- Train: Make sure your teams understand the new workflows and how to use the tooling effectively.
- Iterate: Regularly review your processes and adapt as technology and your needs evolve.
Standardizing checklist
While some portions of the Standardizing maturity phase (e.g., Run Tasks) are optional and will be dictated by the kind of integrations your organization requires, we recommend — at a minimum — that you adopt the following core capabilities:
- HCP Packer
  - Golden image build and hardening pipeline development using HCP Packer.
  - Internal policy for machine and container image builds to standardize the image management approach across the organization.
- Health assessment
  - Ensure Drift Detection is enabled across all workspaces where feasible.
  - Ensure that notifications are enabled when new workspaces are provisioned, so that owners/teams are informed when configuration drift occurs.
- Private Registry
  - Ensure that the Platform Team has a responsible member who oversees the contents and publishing processes in the private registry.
  - Ensure there is a clear intake process for the user community to submit requests for modules.
  - At a minimum, create a quarterly review cadence for modules in the private registry.
- Sentinel: policy as code
  - Ensure that the Platform Team has a responsible member who oversees Sentinel.
  - Establish a cloud policy working group involving members from the Security (cloud security), Networking, and Platform Teams. The working group should have executive sponsorship from the CISO and have accountability for compliance with relevant regulations.
  - Create a list of governance controls that will need to be implemented by policy as code automation.
  - Create a prioritized list of policies that will implement the governance controls, and the list of resources that these governance controls will affect.
Use Cases Covered in this phase
This document covers the “Standardizing” phase of operating Terraform on the maturity scale and includes:
| Use Case | Summary |
|---|---|
| Health Assessment | Continuously check for changes in actual infrastructure against the expected state. |
| Private registry | Internal library of shared, approved modules and providers. Publish your own or curate from the public registry if internal policy permits. |
| Policy as code with Sentinel | Enforce policy guardrails during a Terraform run, before infrastructure is provisioned. Advisory and mandatory enforcement levels inform the next steps. |
| Run tasks | Custom or 3rd-party partner integrations for extended compliance, security, cost, and visibility capabilities. |
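As a concrete instance of the checklist's "prioritized list of policies" and the Sentinel row above, the following policy set turns one governance control (every taggable resource must carry the tags the cloud policy working group agreed on) into a check that runs before anything is provisioned, with the enforcement level selected per the advisory/mandatory distinction in the table. This is an added example, not code from the guide; the policy name, tag names, resource types and file layout are assumptions.

```sentinel
# sentinel.hcl (policy set configuration; file layout is assumed)
policy "enforce-mandatory-tags" {
  source            = "./enforce-mandatory-tags.sentinel"
  # advisory: report only; soft-mandatory: block but allow override;
  # hard-mandatory: block with no override.
  enforcement_level = "soft-mandatory"
}

# enforce-mandatory-tags.sentinel
import "tfplan/v2" as tfplan

# Governance control: tags every in-scope resource must carry (assumed values).
mandatory_tags = ["owner", "cost-center"]

# Resource types the control applies to (assumed list; extend per provider).
taggable_types = ["aws_instance", "aws_s3_bucket"]

# Only managed resources the plan will create or update are in scope;
# resources being destroyed or left untouched are not evaluated.
in_scope = filter tfplan.resource_changes as _, rc {
  rc.mode is "managed" and
  rc.type in taggable_types and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Tags are read from the planned "after" state. A tags attribute that is
# absent or null counts as missing every mandatory tag instead of raising
# an undefined-value error that would abort the policy check.
missing_tags = func(rc) {
  tags = rc.change.after.tags else {}
  if tags is null {
    tags = {}
  }
  return filter mandatory_tags as t { t not in keys(tags) }
}

# Print each violation so the run output tells the workspace owner what to fix.
violations = filter in_scope as _, rc { length(missing_tags(rc)) > 0 }
for violations as addr, rc {
  print(addr, "is missing mandatory tags:", missing_tags(rc))
}

# The policy passes only when no in-scope resource is missing a mandatory tag.
main = rule { length(violations) is 0 }
```

Start the policy at `advisory` while the working group validates it against real plans, then raise it to `soft-mandatory` or `hard-mandatory` once the list of affected resources is understood.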