LOS ANGELES — HashiCorp launched a new continuous validation feature in public beta for Terraform Cloud this week that could expand the ways it can be used for GitOps.
Continuous validation follows another feature introduced in June called drift detection, which became generally available for Terraform Cloud Business last month. Drift detection checks for changes made to infrastructure state configurations outside of the Terraform workflow. Continuous validation is now expanding to perform lifelong health checks on a wider range of criteria.
For example, Terraform’s continuous validation can determine whether a resource is using an approved Amazon Machine Image, a HashiCorp Packer image or a valid security certificate.
“Maybe there is a security vulnerability and you deployed a new release for [a machine] image,” said Meghan Liese, senior director of product marketing at HashiCorp, in a press and analyst briefing. “[Terraform continuous validation] will check if the image deployed is the most recently promoted image, and if that is no longer true, it will send a notification.”
Along with that notification, Terraform Cloud drift detection provides users with automatic remediation options. This feature is not specifically mentioned with continuous validation this week but may follow. Self-managed Terraform Enterprise will also add continuous validation in a future release.
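To show what the image and certificate checks described above look like in practice, here is an added Terraform configuration that is not from HashiCorp’s announcement or documentation; the HCP Packer bucket and channel names, the AWS region, the instance type and the certificate domain are assumed placeholders.

```hcl
# Added example, not HashiCorp's own code. Bucket, channel, region and
# domain names are placeholders.

# Resolve the iteration currently promoted to the "production" channel.
data "hcp_packer_iteration" "web" {
  bucket_name = "web-hardened-ubuntu" # placeholder HCP Packer bucket
  channel     = "production"          # placeholder promotion channel
}

# Resolve that iteration to the AMI ID registered for this region.
data "hcp_packer_image" "web" {
  bucket_name    = "web-hardened-ubuntu"
  iteration_id   = data.hcp_packer_iteration.web.ulid
  cloud_provider = "aws"
  region         = "us-east-1"
}

# Certificate check: fail validation once the cert is no longer ISSUED
# (expired, revoked, or otherwise invalid).
data "aws_acm_certificate" "web" {
  domain      = "web.example.com" # placeholder domain
  most_recent = true

  lifecycle {
    postcondition {
      condition     = self.status == "ISSUED"
      error_message = "Certificate for web.example.com is ${self.status}, not ISSUED."
    }
  }
}

resource "aws_instance" "web" {
  ami           = data.hcp_packer_image.web.cloud_image_id
  instance_type = "t3.small"

  lifecycle {
    # Re-evaluated on each scheduled validation run. If a newer iteration
    # is promoted (for example after a rebuild that patches a CVE), the
    # deployed AMI no longer matches and the check fails, which is what
    # produces the notification.
    postcondition {
      condition     = self.ami == data.hcp_packer_image.web.cloud_image_id
      error_message = "Instance ${self.id} runs ${self.ami}, but production now points at ${data.hcp_packer_image.web.cloud_image_id}."
    }
  }
}
```

The postconditions only report the mismatch; remediating it (rolling the instance onto the new image, renewing the certificate) remains a separate action, as the article notes.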
Questions arise about the ambitions of Terraform GitOps
These updates could set the stage for Terraform to become a replacement for app-level GitOps tools like Argo CD and Flux, analysts said.
On the DevOps spectrum, GitOps sits a little more to the left — closer to software developers — than Terraform, which focuses on infrastructure, Liese said when asked about Terraform as a GitOps tool. When asked directly during the briefing if continuous validation could replace Argo CD, he was noncommittal.
“Possibly, but I need to know more about the details [of that scenario],” he said.
But to IDC analyst Jim Mercer, who pressed Liese on this point, those questions remain open. Terraform’s continuous validation looks like cluster drift reconciliation, known as a self-heal in Argo CD or a reconcile command in Flux, he said.
“It feels like it’s interfering with something like Argo in GitOps, which is about trying to stop configuration drift,” Mercer said. “I don’t know what the cables are exactly, but to me it looks like a reconciler.”
One big difference — for now — is that Argo self-heals and Flux automatically implements the desired state of a Kubernetes cluster or app whenever a drift is detected. Terraform Cloud drift detection and continuous validation notify an administrator of the drift and require them to take action to respond to it.
So, like this week’s updates to Boundary that push the vendor into privileged access management, and a new API gateway that brings Consul into a new segment of cloud-native networking, it’s not exactly a match for its existing competitors. But it could become one if HashiCorp decides to go in that direction, Mercer said.
A further GitOps step is possible for HashiCorp, another analyst agreed.
“They have pieces — they even have Terraform Operator running on Kubernetes that, connected to continuous validation, can do a lot of things that are related to GitOps today,” said Gregg Siegfried, an analyst at Gartner. “But on the other hand, Terraform is broader than that. … HashiCorp may see GitOps as a disruptor, as well.”
A Terraform Cloud customer presented at HashiConf is already using infrastructure as code as part of a GitOps workflow, where a homegrown tool plays the role of Argo CD or Flux for Kubernetes apps. He said he’d be willing to consider Terraform to replace that as well.
“Our support staff doesn’t have access to production resources because we use a static infrastructure. But we will consider incorporating that kind of control and validation in an automated way,” said Andrew Rau, vice president and manager of cloud services at BOK Financial, in an interview after his presentation. “Because we have internally developed [Kubernetes GitOps] product doesn’t mean we’ll stick with it — and if we don’t have to manage the code [in Terraform Cloud]big.”
Terraform Cloud builds on OPA, no-code features
HashiCorp’s Liese mentioned user choice alongside HashiCorp’s own Sentinel policy-as-code tool when he announced new native support for its rival, Open Policy Agent (OPA), in public beta for Terraform Cloud this week.
“We believe Sentinel is the best way to run policies. We wrote its domain-specific language in a way that we did to make it highly customizable and very granular,” he said in his presentation. “However, we recognize that there is a whole market around policy as code, and we have a number of partners [there]. … Terraform should be the place where policies are enforced, but we don’t care which policy framework [users] choose.”
But Siegfried said he sees this as a likely death for Sentinel.
“Sentinel is used in other products beyond just Terraform, but there are a lot of organizations that have gone all-in on OPA, and they don’t want to write policies twice,” he said. “When HashiCorp created Sentinel, OPA was not that mature. And [before Terraform] drift detection is available, if you want to enforce policy beyond planning and deployment, you still need to use something else.”
Finally, a new no-code provisioning workflow, also released in beta this week for Terraform Cloud, adds a graphical user interface to Terraform private registries. IT ops admins can use that interface to publish a catalog of Terraform modules that developers can choose from without having to understand the Terraform DSL.
One Terraform user disagreed with this and said he believes software engineers should understand infrastructure as code.
“If you can’t tell me how [your application] running on the infrastructure you’re targeting … you don’t understand the behavior of your workload under stress,” said Martin Eggenberger, chief architect at Monster Worldwide Inc., owner of the hiring and recruiting website Monster.com.
That may be the ideal, Siegfried said, but HashiCorp’s move is in line with a trend toward DevOps platform engineering fueled by the rarity of deep infrastructure skills among software developers.
“This requires you to have your cloud or platform team build verified modules,” he said. “It’s a way to expand access to them in the same way that ServiceNow’s integration with Terraform allows you to request resources without having to know anything about the Terraform environment. It doesn’t reduce your need for some expertise, but it can reduce your need to spread that expertise very widely.”
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. He can be reached at [email protected] or on Twitter @PariseauTT.