Secure Terraform Actions for Private Infrastructures

Proper organizing data and calls transfer within the IaaC processes is one of the crucial elements of establishing the sufficient level of security within the enterprise.

Traditionally, when Maestro users work with Terraform, all templates are stored and processed on Maestro side. However, this approach does not suit when the customer needs the sensitive data be kept within their private secure perimeter.

Recently, we introduced a new secure approach to process Terraform templates with the Private Agent.

The general idea of the approach is the following. Once you use a native cloud provider for Terraform templates execution, you (before the update was introduced) would pull the git repository and execute Terraform on Maestro side, which may not have direct access to your private cloud and execution would fail. However, now you have an option to choose execution on Maestro Private Agent, which has its own Terraform engine that is used to process the templates, staying within your secure perimeter.
What Maestro does is, by your request, informing the Agent about the need to process a template, pushing the necessary template details to the agent, and retrieving the information about the Terraform state.  The communication is performed via encrypted Maestro API atop RabbitMQ configured with Transport Layer Security (TLS) protocol.

In this scenario, the responsibility for processing a template is split between Maestro and Private agent.




Thus, retrieving the template content and all the Terraform-dependent actions (init, plan, apply, destroy, show) needed to process this template are performed on the Private Agent side.

Maestro, in its turn, remains responsible for the calling the process, passing the variables and temporary values, logs collection, checking approvals and quotas, and sharing the status of the execution with the end-user.

With this approach introduced, Maestro Private Agent becomes a secure and reliable mediator between your private safe perimeter and the Terraform. This makes it possible to increase the IaaC coverage of the infrastructure flows and bring enterprise cloud infrastructure management to a new level.

Comments

Post a Comment

Popular posts from this blog

Maestro Analytics: Essentials at the Fingertips

Image
Infrastructure analytics is one of the cornerstones for effective cloud management. Each cloud provider offers its own set of features and services for such purpose. We can say that AWS QuickSight, Google Data Studio, and Microsoft BI are among the top of the native analytics and BI offerings. They are deeply integrated into their native infrastructures, provide the detailed review of the infrastructure state, events and cost, and allow to take a deep dive into details, being powered by strong internal mechanisms and AI/ML engines. However, in many cases they provide a huge volume of data which needs a BI expert to cope with, as well as may have limited customization possibilities in terms of the covered data scope. Also, if you use more than one cloud, or have private datacenters, the fact that each of these tools is limited to its vendor, may be a reason for you to find a third-party analytics tool. Here is where you may consider solutions such as CloudHealth, AppOptics, or IBM C
Read more

Maestro: Greeting the Green Dragon

Image
The year is coming to the end, and it's high time for our traditional lookback on Maestro evolution, changes, and important events. The year of 2023 has been dynamic and full of updates, both technical and strategic.  We kept to our previous commitments , meanwhile adjusting to the new trends in Cloud and technologies in general.  We met our user's expectation and need for  cross-cloud FinOps, automated infrastructure analytics, security assessment and the "Fix it" button , aimed to simplify issues remediation. We also took into account the rising demand for  Open Stack-based resources, Cloud Native approaches,  AI/ML integrations .  As a result, we came up with our standard "six release per year" cycle, highlighted with the following milestones: Maestro Insights With the ML technologies growth, the amount of services offering infrastructure recommendations and analytics, grow. This is true for the public cloud providers' native services, as well as thir
Read more

Maestro Orchestrator: Product? SaaS? Framework!

Image
In 2012, EPAM Cloud Orchestrator was created as a cloud solution for the EPAM Systems community. It appeared when the issue of redesigning the growing infrastructure of more than 500 projects became critical. After a thorough analysis of the existing solutions, EPAM experts had to admit that none of them fit the company needs. However, that was not a problem but a challenge. If no perfect solution existed, EPAM created its own from scratch. In six years, EPAM Cloud Orchestrator evolved into a true hybrid cloud with over 8000 virtual machines in hundreds of projects. In addition to its basic function - hosting virtual resources - it supports a number of related components helping the users to be in full control of their virtual infrastructures, such as audit, monitoring, billing, reporting. Meanwhile, a time has come to go out of the box of an enterprise solution and meet the market. This is how the new generation of EPAM Cloud Orchestrator - Maestro was born. Maestro is
Read more