Our HashiConf 2023 Recap

Author: John 'JJ' Jarvis
Release Date: 07/12/2023

HashiConf ‘23 is a wrap! And what a time it is to be working with Infrastructure as Code (IaC)!

HashiCorp announced the biggest changes to its Terraform engine since the product’s launch, and didn’t stop there; I’ll go through a few of the highlights, showing how HashiCorp continues to prioritise their customers, including putting up their hands when even they, leaders in the DevOps space, get it wrong.

The Rise of the Platform Team!

In fact, I’ll start with their latest misstep, as that leads on nicely to their latest Terraform / IaC-related announcements. Part of the first keynote was the launch of what Armon Dadgar, CTO and co-founder of HashiCorp, called HCP Waypoint reimagined. In a nutshell, Armon admitted that, based on customer feedback, they hadn’t got the abstraction quite right with the product. To quote the associated blog post (1),

“Going forward, HCP Waypoint is aimed at empowering platform teams to define golden patterns and workflows for developers to manage applications at scale.”

These golden patterns will follow on naturally from the Producer↔Consumer model that HashiCorp recommends for module development, as well as the principles behind, and features of, their No Code Provisioning (2) offering with Terraform Cloud. HCP Waypoint Templates and Add-ons — both now in public beta — continue these abstractions, allowing developers to get on with their work in a managed way, while providing the facility to dig down into the details when deployments do go wrong.

Terraform Stacks (3): a repeatable way to deploy large-scale IaC

There’s been some speculation about how HashiCorp might deal with the growing complexity of IaC deployments, particularly in the context of their championed principles of idempotence and repeatability. The answer is, again, a reimagining of deployments as made up of what will now be known as components, themselves composed of interdependent systems represented as, for example, network modules, database modules, etc. We can then talk about these deployments as being largely similar across multiple environments (e.g., development, user acceptance testing, production), the terminology for which will be deployments in a stack.

To quote many, down through the ages, this changes everything. But not just yet! Terraform Stacks is now in private preview, with sign-up still open (4). As I’ve said time and time again, HashiCorp is listening, and your company could be the one that changes how the world provisions IaC in 2024 and beyond!

Terraform test framework is now generally available (GA)

As many will know, answering the question of how best to test your Terraform code often came down to whether your developers were more comfortable with Go, Ruby or Python. But no more! With the Terraform test framework now GA, native unit and integration testing using HashiCorp Configuration Language will be a straightforward step.

In addition, by integrating tests with the new branch-based publishing feature — now in public beta — the private registry becomes the driver of change management, and the central point, both for getting a quick snapshot of a module’s status, and for promulgating your organisation’s current standards.

Finally, the ability to quickly generate module tests — now in public beta — and then get meaningful feedback on any mistakes through enhancements to validation in Visual Studio Code means that your development and platform teams can get a leg up on what was previously a very time-consuming (but necessary!) part of IaC best practice.

Get secrets sprawl on your Radar

HashiConf wouldn’t be the same without Vault news, and this year didn’t disappoint. Based on HashiCorp’s acquisition of BluBracket, HCP Vault Radar is now available through an alpha, early access program (5) to detect, identify and remove secrets in code from across your estate (6), integrating with your enterprise CI/CD tools and HashiCorp Vault for full secret lifecycle management.

Getting a handle on where your secrets are doesn't necessarily mean that all teams and all code must talk to HashiCorp Vault from then on. HashiCorp Vault has always provided many means of integrating modern, centralised secret management with legacy code and applications. And now they’ve extended that further, with Secrets Sync, in both Vault Enterprise (7) and HCP Vault Secrets, the latter released as beta earlier this year and now as GA during HashiConf (8). In a nutshell, it means that your teams can continue to use the secrets manager of your cloud provider of choice, as well as GitHub and Vercel, confident that their lifecycle is centrally managed, in Vault.

HCP Vault Secrets offers more than Secrets Sync, of course. For those who aren’t familiar with the product, you’ll probably have guessed that HashiCorp runs the kit for you: all HashiCorp Cloud Platform or HCP products are Software-as-a-Service that’s available to you based on agreed uptimes, etc. However, with HCP Vault Secrets, you don’t even need to run, or know anything about, HashiCorp Vault at all: you can just store and retrieve secrets, straight away! And, with the free tier of the service, it won’t cost you anything to try it out; integrate it with Docker, GitHub, GitLab (9), etc. and let us and / or HashiCorp know what you think.

References

(1) https://www.hashicorp.com/blog/a-new-vision-for-hcp-waypoint
(2) https://developer.hashicorp.com/terraform/tutorials/cloud/no-code-provisioning
(3) https://www.hashicorp.com/blog/new-terraform-testing-and-ux-features-reduce-toil-errors-and-costs
(4) https://hashi.co/stacks-signup
(5) https://www.hashicorp.com/go/blubracket-integration-updates
(6) https://www.hashicorp.com/blog/new-hcp-vault-secrets-radar-and-other-features-fight-secrets-sprawl
(7) https://www.hashicorp.com/blog/announcing-secrets-sync-beta-for-self-managed-vault-enterprise
(8) https://www.hashicorp.com/blog/hcp-vault-secrets-is-now-generally-available
(9) https://developer.hashicorp.com/hcp/docs/vault-secrets/integrations
