consulterraform

Announcing Consul-Terraform-Sync 0.3 for Terraform Enterprise

Compliance-driven network infrastructure automation with Consul-Terraform-Sync 0.3 is now generally available for HashiCorp Terraform Enterprise.

We are excited to announce the general availability of Consul-Terraform-Sync (CTS) 0.3 for HashiCorp Terraform Enterprise, the self-hosted distribution of HashiCorp Terraform Cloud. This release marks another step in the maturity of our larger Network Infrastructure Automation (NIA) solution. The focus for CTS is on automating Day 2 networking tasks and reducing the burden on operators caused by manual ticketing systems.

The 0.1 and 0.2 CTS releases enabled a publisher-subscriber paradigm to update the network infrastructure based on changes in the HashiCorp Consul catalog leveraging the Terraform CLI on the local node. These releases focused on establishing core networking use cases for practitioners, including applying firewall policies, updating load balancer member pools, and more.

With the 0.3 release, organizations can now manage their Day 2 application networking delivery lifecycle more dynamically while providing governance and security oversight of infrastructure across a broad range of network providers using Terraform Enterprise as the automation engine.

This post will highlight the new features in CTS 0.3, including regex support for service triggers and Terraform Enterprise integration. We’ll also discuss the benefits that the Terraform Enterprise integration opens up to users, and we’ll share a few words from our network vendor partners about the value of our shared integrations. CTS 0.3 is available for download on our release page.

»CTS Integration with Terraform Enterprise

CTS integration with Terraform Enterprise is an enterprise-only feature available through the CTS Enterprise binary. Operators require a valid Consul Enterprise license to get started. This binary supports a new CTS network driver named Terraform Cloud driver:

driver "terraform-cloud" {
  hostname     = "my.tfe.hostname.io"
  organization = "my-org"
  token        = "<TEAM_TOKEN>"
  // Optionally set the token to be securely queried from Vault instead of
  // written directly to the configuration file.
  // token = "{{ with secret \"secret/my/path\" }}{{ .Data.data.foo }}{{ end }}"

  required_providers {
    myprovider = {
      source = "namespace/myprovider"
      version = "1.3.0"
    }
  }
}
driver "terraform-cloud" {  hostname     = "my.tfe.hostname.io"  organization = "my-org"  token        = "<TEAM_TOKEN>"  // Optionally set the token to be securely queried from Vault instead of  // written directly to the configuration file.  // token = "{{ with secret \"secret/my/path\" }}{{ .Data.data.foo }}{{ end }}"   required_providers {    myprovider = {      source = "namespace/myprovider"      version = "1.3.0"    }  }}

Tasks are the heart of Consul-Terraform-Sync’s automation capabilities. The Terraform Cloud driver enables creation and management of Terraform Enterprise workspaces for all tasks defined in CTS configuration using the API-driven run workflow.

Runs queued by CTS

Users of the CTS integration with Terraform Enterprise can do a number of useful things, including:

  • Scale resources: Reduce dependency on ticketing systems traditionally handled by networking and security teams, allowing them to optimize their workflows to match the velocity of development teams.
  • Reduce risk: Provide teams with distinct workspaces that clearly define users’ privileges to access and manipulate resources. Restricting access to sensitive information can reduce human-driven misconfiguration errors and potential data leakage.
  • Improve automation controls: Choose the desired level of automation with approval workflows. While end-to-end automation may be the end goal, many organizations opt for an incremental approach. Set notification triggers to inform a team member when a predetermined event occurs. They can review a plan quickly to verify the configuration is as expected and apply the changes with just a few clicks.
  • Simplify auditing: Automatically catalog every change made to the environment. Provide a comprehensive forensic trail to keep compliance teams in the loop and analyze issues as they arise.
  • Apply compliance policies: Policy as code with Sentinel allows organizations to define, manage, and enforce key policies in order to safeguard against potentially dangerous actions and encourage efficient use of resources to control costs.

»Regex Support for Service Triggers

Consul is used as a service registry by different teams across an organization. Many times, these teams have inconsistent service naming practices. A task definition in CTS requires one or more service names as input. This leads to situations where the CTS operator finds it challenging to define tasks without knowing the exact name of the service.

To address this pain point, we are introducing a beta feature in 0.3 that triggers a task only for services that match a regex across the entire Consul catalog.

task {
  name = "services_condition_task"
  description = "execute on changes to services whose name starts with web"
  providers = ["my-provider"]
  source = "path/ti/services-condition-module"

  condition "services" {
    regexp= "^web.*"
  }
}
task {  name = "services_condition_task"  description = "execute on changes to services whose name starts with web"  providers = ["my-provider"]  source = "path/ti/services-condition-module"   condition "services" {    regexp= "^web.*"  }}

This feature is available in beta for both CTS OSS and Enterprise binaries.

»CTS for Terraform Enterprise Launch Partners

At the core of CTS for Terraform Cloud is the partner ecosystem. Customers are already using these vendors to manage critical workloads, enhance security, and improve performance. By helping us create modules for their Terraform providers, these partners are helping users automate common tasks right away.

We plan to continue expanding our ecosystem of partners for CTS, collaborating closely with our partners to grow our CTS module library, deepen our native integrations, and provide additional capabilities. Several of our launch partners shared a few words about the value of these integrations in helping alleviate the challenges addressed with this release:

»A10 Networks: ADC Server Pool Programmatic Updates

"Customers are constantly on the lookout for ways to optimize efficiency with existing and new networking infrastructure. A10 Networks and HashiCorp are partnering to help customers solve one of their biggest challenges — accelerating deployment of software and services — with Consul-Terraform-Sync for Terraform Enterprise. It facilitates the automation of many Day 2 tasks in a declarative and repeatable way across their organizations, while providing robust policy as code capabilities to help teams reduce cloud waste and safeguard access to sensitive information."
—Takahiro Mitsuhata, Senior Manager, Technical Marketing at A10 Networks

»Check Point Software Technologies: Automate Firewall Operation

"Manual workflows impede security teams’ ability to work quickly across multiple security infrastructure devices, contributing to the likelihood of a non-compliant solution being developed. Our partnership with HashiCorp enables customers to use Network Infrastructure Automation with Consul-Terraform-Sync for Terraform Enterprise in order to quickly deploy applications, which cuts down on security operations overhead and mitigates misconfigurations through managing access to variables and Terraform state that connects it to other applications or services without compromising credential security."
— T.J. Gonen, Head of Cloud Security Product Strategy at Check Point Software Technologies

»Cisco: Enhancing Infrastructure Visibility

"Cisco ACI and HashiCorp Consul together facilitate consistent, automated workflows to gather application information and network health data. The new integration with Consul-Terraform-Sync for Terraform Enterprise provides granular visibility across infrastructure and robust governance capabilities to optimize application delivery across multiple clouds in reproducible ways. While Cisco ACI can dynamically manage the lifecycle of the required backend network resources and policies, this allows organizations to establish their own approval workflows to better align with organizational standards and best practices."
— Srinivas Kotamraju, Director, Product Management at Cisco

»Citrix: Dynamic ADC Configuration Updates

"Our customers have security top of mind. Whether it’s integrating web application firewall (WAF) or API protection, they are always looking for ways to stay ahead. Citrix and HashiCorp are teaming up to integrate enterprise-ready policy functionality to network infrastructure automation workflows using Consul-Terraform-Sync for Terraform Enterprise to mitigate risk through best practices like secure state."
— Michael “Mikko” Disini, Senior Director, Product Management, Modernized Apps and Cloud Native at Citrix

»F5: Expediting Application Delivery

"Consul-Terraform-Sync for Terraform Cloud helps network teams bridge the gap between software development and production availability through dynamic automation and better management of F5 BIG-IP environments as code. We are excited to see the evolution of Consul-Terraform-Sync for Terraform Cloud to include more secure provisioning capabilities and look forward to our continued partnership to help customers along their network infrastructure automation journey."
— Phil de la Motte, Vice President of Business Development at F5

»Palo Alto Networks: Network Security Automation

"When security teams learn about a new vulnerability, every second counts. Our customers are using Palo Alto Networks’ advanced security technology to respond to these threats as quickly as possible while also modernizing their overall approach to cloud native architectures. By partnering with HashiCorp to help customers achieve Network Infrastructure Automation through Consul-Terraform-Sync for Terraform Enterprise, our shared customers can unilaterally make policy changes across their infrastructure to update their Palo Alto Networks firewalls in near real-time using automation. Customers can now track associated changes through audit logging as another important benefit of the strategic partnership between our companies."
— Matthew Scott, Senior Director of Business Development at Palo Alto Networks

»Get Started

CTS supports an integration with Terraform Enterprise to let organizations manage their application networking delivery lifecycle in a more dynamic way while providing governance and security oversight. This capability is delivered as an enterprise feature through the CTS Enterprise binary.

Moving forward, every CTS release will consist of separate OSS and Enterprise binaries. We will continue to add more capabilities to both open source CTS and CTS Enterprise. And look for updates on the upcoming integration with HashiCorp Terraform Cloud Business tier.

To get started, please refer to the Consul documentation and HashiCorp Learn guides, we also have a dedicated guide for CTS Enterprise. Feel free to try out CTS 0.3 (Docker image, Enterpries binaries) and give us feedback in the issue tracker. You can also stay up to date on CTS by following our public roadmap or checking the changelog. For more information about Consul, please visit our product page.

Sign up for the latest HashiCorp news