SE Hangout

Secure Infrastructure Provisioning with Terraform Cloud, Vault + GitLab CI

See a demo illustrating how GitLab CI/CD Pipelines and Runners can interact with Terraform Cloud and integrate credential management with Vault.

Speakers

  • Kelly Hair, Solutions Architect, GitLab
  • Kawsar Kamal, Staff Solutions Engineer, HashiCorp

Terraform Cloud's API-driven run provides flexible provisioning workflows using an infrastructure as code approach that any organization can manage. A continuous integration (CI) system monitors changes in Terraform code and drives provisioning using Terraform Cloud's REST API. This approach allows organizations to implement a range of actions in their CI pipeline as part of an infrastructure provisioning workflow and still benefit from Terraform Cloud's capabilities such as private modules, state management, policy as code (Sentinel) and more.
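The API-driven run described above, written out as an added example (this is not code from the webinar or its demo repository). It follows the documented sequence: create a configuration version, upload the packaged Terraform code, create a run against the workspace, then poll the run and trigger the apply only once the plan, cost estimate and Sentinel policy checks have passed. A soft-mandatory policy failure ("policy_override") is deliberately treated as a stop: the job never overrides policy itself, which is what makes policy as code meaningful in a CI-driven workflow. The CI variable names TFC_TOKEN and TFC_WORKSPACE_ID are hypothetical; the endpoints, payload shapes and run states are Terraform Cloud's own.

```python
"""Drive a Terraform Cloud API-driven run from a GitLab CI job.

Added example, not code from the webinar or its demo. Assumes the job has
TFC_TOKEN and TFC_WORKSPACE_ID as masked CI/CD variables (hypothetical names).
"""
import io
import json
import os
import tarfile
import time
import urllib.request

TFC_API = "https://app.terraform.io/api/v2"

# Terraform Cloud run states, grouped by what the CI job should do on seeing them.
NEEDS_CONFIRM = {"planned", "cost_estimated", "policy_checked"}  # plan done, waiting for apply
NEEDS_OVERRIDE = {"policy_override"}                              # soft-mandatory Sentinel failure
FINISHED_OK = {"applied", "planned_and_finished"}
FAILED = {"errored", "discarded", "canceled", "force_canceled", "policy_soft_failed"}


def collect_config(src_dir):
    """Yield (archive name, bytes) for .tf/.tfvars files, skipping local state and VCS data."""
    for root, dirs, files in os.walk(src_dir):
        dirs[:] = [d for d in dirs if d not in (".terraform", ".git")]
        for name in files:
            if name.endswith((".tf", ".tfvars")):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    yield os.path.relpath(path, src_dir), fh.read()


def package_config(files):
    """Build the gzipped tarball that a configuration version is uploaded as."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for arcname, data in files:
            info = tarfile.TarInfo(arcname)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def config_version_payload():
    # auto-queue-runs=false: the job creates the run itself, so it controls the message and the apply.
    return {"data": {"type": "configuration-versions", "attributes": {"auto-queue-runs": False}}}


def run_payload(workspace_id, config_version_id, message):
    return {"data": {
        "type": "runs",
        "attributes": {"message": message},
        "relationships": {
            "workspace": {"data": {"type": "workspaces", "id": workspace_id}},
            "configuration-version": {"data": {"type": "configuration-versions", "id": config_version_id}}}}}


def next_action(run_doc):
    """Map a run document's status to the job's next step."""
    status = run_doc["data"]["attributes"]["status"]
    if status in FINISHED_OK:
        return "done"
    if status in FAILED:
        return "fail"
    if status in NEEDS_OVERRIDE:
        return "override"  # a human overrides in the TFC UI; CI never auto-overrides policy
    if status in NEEDS_CONFIRM:
        return "confirm"
    return "wait"


def _http(req):
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # action endpoints may answer with an empty body


def api_call(token, method, path, body=None, transport=_http):
    """One JSON:API request; transport is injectable so the flow can be exercised offline."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(TFC_API + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/vnd.api+json"})
    return transport(req)


def upload_config(upload_url, tarball, transport=_http):
    req = urllib.request.Request(upload_url, data=tarball, method="PUT",
                                 headers={"Content-Type": "application/octet-stream"})
    return transport(req)


def run_pipeline(token, workspace_id, tarball, message, transport=_http, poll=10):
    """Create config version, upload, create run, then poll; apply once plan and policy checks pass."""
    cv = api_call(token, "POST", "/workspaces/%s/configuration-versions" % workspace_id,
                  config_version_payload(), transport)
    upload_config(cv["data"]["attributes"]["upload-url"], tarball, transport)
    run = api_call(token, "POST", "/runs", run_payload(workspace_id, cv["data"]["id"], message), transport)
    run_id = run["data"]["id"]
    applied = False
    while True:
        action = next_action(api_call(token, "GET", "/runs/" + run_id, transport=transport))
        if action == "confirm" and not applied:
            api_call(token, "POST", "/runs/%s/actions/apply" % run_id, {"comment": message}, transport)
            applied = True
        elif action in ("confirm", "wait"):
            time.sleep(poll)
        else:
            return run_id, action


if __name__ == "__main__":
    archive = package_config(collect_config("."))
    run_id, outcome = run_pipeline(os.environ["TFC_TOKEN"], os.environ["TFC_WORKSPACE_ID"], archive,
                                   "GitLab CI " + os.environ.get("CI_COMMIT_SHA", "manual"))
    print(run_id, outcome)
    raise SystemExit(0 if outcome == "done" else 1)
```

In a `.gitlab-ci.yml` job this script is the whole "plan and apply" stage: the non-zero exit on "fail" or "override" is what stops the pipeline, and the token only ever travels in the Authorization header, never in a log line.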

In this webinar, HashiCorp solutions engineer Kawsar Kamal and GitLab solutions architect Kelly Hair explore how to use GitLab CI/CD Pipelines and Runners to interact with Terraform Cloud.

Read the companion blog post for this demo on our solutions engineering Medium blog for a fuller picture of this workflow.

What you'll learn

  • Implement a Terraform Cloud API-driven run in GitLab CI/CD
  • Implement Sentinel policy as code as part of an infrastructure provisioning workflow
  • Enforce separation of concerns using Terraform Cloud Workspaces
  • Optionally use HashiCorp Vault to retrieve cloud credentials

Outline

0:00 — Introduction to Terraform Cloud and GitLab

6:52 — Integration patterns with Terraform

11:38 — GitLab CI/CD + Terraform Cloud and HashiCorp Vault Demo

28:21 — Q&A

Q&A

  • Can you expand on strategies for branching infrastructure as code? In particular, hitting different targets depending on the branch.
  • Why does your pipeline start with a "create workspace"? Why not reuse the existing prod / stage one?
  • How do you manage AWS multi-account deployments in terms of provider in an AWS Organization context using only one Terraform Cloud workspace?
  • Does the destroy.sh script delete all resources created in the last run id?
  • Does triggering the run and apply using gitlab-ci mean that I won't have to set up VCS connectivity on Terraform Cloud? Is it possible to create the workspace with variables in it using GitLab?
  • Can we expect to see a Vault GitLab auth method any time soon?
  • Is it possible for a Sentinel policy to load a whitelist from an external datasource?
  • Is there any guidance on how to pull configs and secrets from an on-premises Vault into Terraform Cloud?
  • Can Terraform Cloud notify GitLab at the end of a run to update badge status?
  • Why would I want to use Vault over AWS Parameter Store? What are the advantages?
  • When getting the temporary GCP credentials from Vault, is it possible to mask their contents so that they are not printed in the CI logs?
  • Can you replicate GitLab repos between TF organizations and TF workspaces?

Additional Resources

Slides

More resources like this one

  • 12/28/2023
  • FAQ

Why should we use identity-based or "identity-first" security as we adopt cloud infrastructure?

  • 3/15/2023
  • Presentation

Advanced Terraform techniques

  • 3/14/2023
  • Article

5 best practices for secrets management

  • 2/3/2023
  • Case Study

Automating Multi-Cloud, Multi-Region Vault for Teams and Landing Zones