Terraform Enterprise vs Maestro Terraform as a Service - Part III.


In the third and the last part of this article, we will talk about Policy Enforcement, Cost Estimation, Notifications, SAML Integration and other functionality without which we cannot imagine handling the virtual infrastructure management routine.
  • Notifications
TFE: Triggers external notifications. Provides support of Slack calls and webhooks.
M3: Maestro supports the notifications functionality upon different events occurring in the system, such as: Terraform template execution, resources deployment from the Terraform template, running/stopping an instance, etc. We have implemented a set of notifications that is sufficient for working with the Maestro system.
Currently, we support emails and push-notifications. The support of other systems can be easily implemented.
  • Terraform Enterprise Provider
TFE: Automates workspace provisioning. Presents a Terraform provider that allows flexible workflow and configuration.
M3: Maestro from its side supports the same workflow as in Terraform Enterprise, plus we add its own features, such as approve\reject if the quota is exceeded, notifications showing that the infrastructure was deployed, e.g. instance is run successfully. We can also review this information on other pages, e.g. on the Reporting page, we can see that the new infrastructure is deployed, review infrastructure costs. The resources can also be viewed on the Management page.
  • Enhanced Remote State
TFE: Supports flexible workflows. It allows its clients to have workflow similar to Open Source version while enjoying the benefits of Terraform Enterprise.
M3: In general, there are several ways to store remote state files: locally or in special systems intended for storing such data. In Maestro such data is stored in the database. Terraform Enterprise does it in a similar way - it stores the remote state files on its servers in order to drive up the logic, as when to apply the rules of the policy specified in Sentinel. Thus, in this regard, Terraform Enterprise and Maestro work similarly.

In addition, in Maestro we drive up the logic when determining ownership for certain resources, i.e. if an instance is run, Maestro will automatically limit ownership, since the system acknowledges that this user performed a particular action, he applied a particular template, under which a particular infrastructure was deployed, a particular instance run. Thus, in such a way Maestro defines the user’s ownership rights.
  • Audit Logs
TFE: Intended for enterprise compliance. Allows logging of every request made within Terraform.
M3: Maestro records an audit of all actions occurred in the infrastructure. The audit can be reviewed in a Content View section of Catalog and Stacks pages. Additionally, it is possible to review the completed requests as well as the Terraform logs themselves.
Maestro has a View execution log, where users can see the existing logs, the content of the Terraform log when executing commands, and who and when run a certain command.
  • SAML integration
TFE: Automates user creation. Connects to existing servers to import users directly into Terraform teams, intended for an easy onboarding experience.
M3: Maestro already provides the ability to integrate with Active Directory. Thus, Terraform will be available for those users who will log in via Active Directory or SSO.
With one exception - auto user creation is not performed in Maestro.

Unlike Š¢erraform Enterprise, Maestro does not automatically create a new temporary account for the logged-in user. At the time of service activation, a system user is created, who is identified with a particular service so that it could be controlled. Policies for this user can be applied and updated when necessary, which provides an additional level of control for the IT and Security departments. Thus, Maestro does not create accounts, and neither does it update or delete them. Maestro works from its users’ behalf, considering this way as a more secure. In this part, the Maestro approach is different from the one of Terraform Enterprise.
  • Cost Estimation
TFE: Cloud infrastructure provides compelling pay-as-you-go pricing. When provisioning infrastructure is challenging to understand the cost implications of new or changed infrastructure before it is applied. Most organizations rely on after-the-fact alerts from their cloud provider, using dedicated third-party services that continually monitor changes in cost, or potentially waiting until they receive their end of month bill to understand the cost impact of their changes. Terraform Enterprise provides a cost estimation capability that programmatic estimates cost for new cloud deployments or changes to existing ones, before applying those changes or actually incurring costs.
M3: Currently, the Maestro team is working on implementing the cost estimation functionality. In addition to this, the team is creating the unified Terraform provider, which will allow deploying instances in a similar way for all supported cloud providers. Thus, it will allow providing not only the cost estimation at the time of applying a Terraform template but also an infrastructure cost comparison and prediction of a cloud on which this infrastructure will cost less.
  • Policy Enforcement
TFE: Sentinel also allows cost-centric policies to be created and then automatically enforced in the Terraform workflow. Administrators then have the ability to approve significant changes or to completely prevent specific workspaces from exceeding predetermined thresholds.
For example, administrators could write policies that prevent large, expensive machines from being provisioned unnecessarily, or enforce overall budget restrictions for a teams’ deployments without prescribing what machines to use. Even further, policies can be dynamically written such that a certain threshold of change is allowed month over month, but nothing exceeding a certain dollar limit.
M3: In Maestro, policies are driven up by its own Policy Engine:
  • Disabling the possibility to deploy resources in other regions
  • Checking quotas at the time of deploying the infrastructure
  • Disabling the possibility to deploy the infrastructure if the quota is exceeded. The infrastructure then will be deployed only after the respective manager's approval.
In Maestro the cost management is implemented as well as the ability to manage schedules and quotas, which will work the same way as the standard infrastructure management tools.

An infrastructure, deployed from the Terraform template, can be marked by certain tags. The tags mechanism is deeply integrated into the Maestro system, so Maestro users automatically receive benefits like quotas, scheduling by tags, searching resources by tags, and others. Thus, for example, if an instance was deployed via a Terraform template, and is marked by tags, you can apply a schedule to it and start/stop the instance throughout the week at a certain time.

Maestro application has a lot of tools and services to be used: RBAC model, a unified API, billing with quotas, schedules, approvals, etc., and it is all integrated into Terraform. This makes the Terraform solution in Maestro completely different compared to Terraform Enterprise.

To sum up –

Below you can review the comparative matrix of features available in Terraform Enterprise and Maestro Terraform as a Service:
Terraform Enterprise solution is designed to manage large environments with thousands of servers by very skilled DevOps. Maestro solution, on the contrary, eliminates deep knowledge, when we have users who can use this engine through marketplaces. Yes, Maestro does not work with exotic configurations for thousands of servers. But as part of the creation of full-fledged e-commerce stores with 20-30 servers, all the necessary features are already implemented in Maestro.
Additionally, since the Maestro application has functionality related to quotas and approvals, many additional options which, when used in Terraform Enterprise, require additional programming and scripting via Sentinel, in Maestro are already implemented as default policies. And this is the main difference and the main similarity.

Terraform Enterprise itself is gorgeous, this tool is effective and convenient, but it is intended for slightly different purposes, than Maestro.

You can review the preceding parts of this article here: Part I, Part II.
;)

Comments

Post a Comment

Popular posts from this blog

Maestro Analytics: Essentials at the Fingertips

Image
Infrastructure analytics is one of the cornerstones for effective cloud management. Each cloud provider offers its own set of features and services for such purpose. We can say that AWS QuickSight, Google Data Studio, and Microsoft BI are among the top of the native analytics and BI offerings. They are deeply integrated into their native infrastructures, provide the detailed review of the infrastructure state, events and cost, and allow to take a deep dive into details, being powered by strong internal mechanisms and AI/ML engines. However, in many cases they provide a huge volume of data which needs a BI expert to cope with, as well as may have limited customization possibilities in terms of the covered data scope. Also, if you use more than one cloud, or have private datacenters, the fact that each of these tools is limited to its vendor, may be a reason for you to find a third-party analytics tool. Here is where you may consider solutions such as CloudHealth, AppOptics, or IBM C
Read more

Maestro: Greeting the Green Dragon

Image
The year is coming to the end, and it's high time for our traditional lookback on Maestro evolution, changes, and important events. The year of 2023 has been dynamic and full of updates, both technical and strategic.  We kept to our previous commitments , meanwhile adjusting to the new trends in Cloud and technologies in general.  We met our user's expectation and need for  cross-cloud FinOps, automated infrastructure analytics, security assessment and the "Fix it" button , aimed to simplify issues remediation. We also took into account the rising demand for  Open Stack-based resources, Cloud Native approaches,  AI/ML integrations .  As a result, we came up with our standard "six release per year" cycle, highlighted with the following milestones: Maestro Insights With the ML technologies growth, the amount of services offering infrastructure recommendations and analytics, grow. This is true for the public cloud providers' native services, as well as thir
Read more

Maestro Orchestrator: Product? SaaS? Framework!

Image
In 2012, EPAM Cloud Orchestrator was created as a cloud solution for the EPAM Systems community. It appeared when the issue of redesigning the growing infrastructure of more than 500 projects became critical. After a thorough analysis of the existing solutions, EPAM experts had to admit that none of them fit the company needs. However, that was not a problem but a challenge. If no perfect solution existed, EPAM created its own from scratch. In six years, EPAM Cloud Orchestrator evolved into a true hybrid cloud with over 8000 virtual machines in hundreds of projects. In addition to its basic function - hosting virtual resources - it supports a number of related components helping the users to be in full control of their virtual infrastructures, such as audit, monitoring, billing, reporting. Meanwhile, a time has come to go out of the box of an enterprise solution and meet the market. This is how the new generation of EPAM Cloud Orchestrator - Maestro was born. Maestro is
Read more