HashiConf Digital 2020 Recap and Announcements
There have been plenty of exciting announcements from this year's HashiConf digital conferences, including the introduction of the HashiCorp Cloud Platform (HCP) and the announcements during HashiConf Digital 2020 of Consul for AWS and Vault for AWS. Another notable announcement from the most recent HashiConf Digital event is Consul Terraform Sync (Tech Preview), which enables self-service network automation. Last but not least, two new products were added: HashiCorp Boundary, which provides a zero-trust access solution for the cloud, and HashiCorp Waypoint, which is used for building, deploying, and releasing applications.
Consul, Consul Terraform Sync, and the underlying network infrastructure devices
Consul Terraform Sync is a tool that enables network automation with self-service capabilities for teams. It allows organizations to streamline the process of creating new networking resources for cloud teams and facilitates rapid, secure development of cloud infrastructure, reducing the manual approval processes common throughout enterprises. Consul Terraform Sync works by using compatible Terraform modules that leverage the existing Terraform provider ecosystem. For more information, read the announcement here.
Access Hosts and Services Across Clouds with HashiCorp Boundary
Similar to Google Cloud's BeyondCorp, HashiCorp Boundary is a new open-source project that cloud security practitioners and operators can employ to implement zero-trust security patterns. Zero-trust security products help enforce the principle of least privilege by restricting access to sensitive systems even when an identity was previously authenticated.
Boundary differs from typical zero-trust security offerings by enabling first-class integration with other HashiCorp products such as Consul Service Mesh and Vault Secrets Manager. Boundary authenticates, then authorizes each request by associating users with services and hosts at the application layer. In the process, a user establishes a TCP connection through a Boundary worker node, which acts as a proxy. This simplifies onboarding and management of identities throughout an organization and is a far cry from traditional VPN or SSH bastion hosts. In this respect, Boundary acts similarly to Identity-Aware Proxy (IAP) on GCP. New features such as additional application-layer (Layer 7) connection protocols, OIDC authentication, authorization methods, and dynamic target discovery are expected for this product in the near future. For more information, read the announcement here.
Workflows with HashiCorp Waypoint
Having a robust build, deployment, and release process is essential for workloads running securely in the cloud. Waypoint helps with this by providing a way to develop a modern deployment workflow on a variety of platforms, including Amazon EC2, HashiCorp Nomad, Google Cloud Run, and Kubernetes. Waypoint comes with logging/auditing features, live execution of commands in applications, publicly accessible preview URLs for deployments, a web UI to monitor projects, and integrations with CI/CD systems through an extensible plugin interface. For more information, read the announcement here.
HashiCorp Consul on the HashiCorp Cloud Platform (HCP)
HashiCorp Consul for HCP was announced, enabling a fully managed, easy-to-deploy service mesh for Amazon EKS, ECS, and EC2 applications. Along with a walkthrough of setting up Consul on the HashiCorp Virtual Network (HVN), the HCP portal supports an access control feature, meaning that identities can be set up with granular privileges to the Consul service mesh. The announcement mentions support for other clouds as an eventuality. For more information, read the announcement here.
Comparison of AWS Secrets Managers: Operationally, Vault's Cost Varies with the Implementation
One drawback of HashiCorp Vault, outlined in our secrets manager comparison articles for GCP and AWS, is the operational overhead associated with deploying it. Before this announcement, it was up to cloud practitioners and operators to deploy Vault (which can be done via an AWS or GCP Terraform module, a Helm chart on Kubernetes, etc.) and to be responsible for its maintenance (updating, scaling, backups, etc.). With Vault for HCP, Vault is fully managed, with deployment and maintenance taken care of by HashiCorp. Pricing for this private beta has not been announced, and the platform is currently only available for deployment on HashiCorp's Virtual Network (HVN) on AWS (though it can be used from multiple clouds). Deployment to other clouds is planned for this product. For more information, read the announcement here.