HashiCorp: New names and functions for Terraform, Packer and Vault

HashiCorp has streamlined its products and announced new functions and improved integrations. The HCP Cloud is also coming to European data centers.

By Udo Seidel

This article was originally published in German and has been automatically translated.

As part of its European conference HashiDays, HashiCorp, a company specializing in cloud and infrastructure tools, announced new features for its products and revealed how it will organize its product portfolio more clearly in future. There will also be improved integration between products. Take Nomad and Consul, for example: users repeatedly complained about gaps where one product already had functions that could not be accessed from the other. HashiCorp has now rectified this; Consul is now virtually a natural runtime environment for Nomad. This also applies in the other direction: Consul actions can be executed on a schedule using cron-like expressions.

New names for familiar products have also been announced. What is new is that HashiCorp is sorting its products into two large categories. The first is Infrastructure, with Terraform, Packer, Waypoint and Nomad. The second is called Security and includes Vault, Boundary and Consul.

All products together belong to the "HashiCorp Cloud Platform (HCP)". The former "Terraform Cloud" is now called "HCP Terraform" and the same applies to HCP Vagrant. Both belong to the "HCP Cloud Platform". In general, the naming is now consistent, with the prefix "HCP". The "HCP Cloud Platform" is now also available in a European version. HashiCorp is thus fulfilling the wish of many customers to keep their data in Europe wherever possible. The primary data center is located in Dublin, Ireland. If it fails, the services will run in Frankfurt/Main. At present, only "HCP Terraform" is available there. The Vagrant counterpart will follow.

The majority of the new functions are in the infrastructure area. The first is "HCP Packer". The tool now supports webhooks. This means that lifecycle management for images can be integrated into workflows and automated in a simple and familiar way. The metadata is also easier for the user to view, which makes it easy to determine which components were used and in which version. Among the changes to Terraform, the "AWS Cloud Control Provider" should be highlighted. It is the result of the strategic partnership between HashiCorp and the internet giant AWS. New AWS functions and services can now be used in Terraform immediately via the Cloud Control API. There are also enhancements to the "HCP Terraform Agent" and the Explorer. The latter includes better search filters and more precise reports on managed resources. The agent enhancements now allow the use of self-managed version control or policy systems. Users of "HCP Terraform" can now also implement their own configuration functions.

The infrastructure section concludes with "HCP Waypoint Actions". These now allow day-to-day operational tasks and workflows to be integrated via GitHub Actions, Jenkins or other third-party services. In a personal conversation with heise online, Field CTO Sarah Polan named "HCP Waypoint Actions" as one of her favorite features.

Together with AWS, HashiCorp has developed an integration.

In the area of security, the majority of announcements concern secrets management. Sarah Polan's favorite function here is "HCP Vault Radar". It allows passwords and other secrets to be found in source code and even correlated with Vault. In a beta version, even Confluence and Jira can be used as a data source. GitHub, GitLab and Bitbucket are also included. This makes it easy to curb the unwanted publication of passwords and other secrets. Secrets can now also be synchronized with other secret managers. This allows centralized management and control of secrets across multiple tools and platforms. A simple example is the integration of Vault with GitHub Actions. This means that all the advantages of password management with the HashiCorp tool can also be used for GitHub Actions workflows that rely on secrets. Integration with the major cloud providers and their in-house systems for controlling and managing secrets is also included.

HCP Vault Radar finds secrets so that they are not inadvertently published.

With Vault, HashiCorp not only wants to enable the use of dynamic, i.e. short-lived, passwords, but also to make them the standard. Regular rotation is an important milestone towards this goal. Vault can now do this automatically for some applications, initially only for MongoDB and Twilio. The period for the forced rotation can be defined by the administrator, and a rotation can also be triggered early. Normally, there is an overlap period during which both the old and the new password are valid. This should minimize operational failures in borderline cases.

Good news for the OpenShift world: the Vault Secrets Operator now also supports OpenShift. This is actually now a must, as HashiCorp and Red Hat are both IBM subsidiaries and therefore part of the same family.

HCP now also supports the so-called "Workload Identity Federation" for applications and services in the clouds of Amazon, Google and Microsoft. This completely eliminates the need for passwords there. The function can be used to map a Vault identity token to the login functions of a corresponding IdP (identity provider). There is also an innovation for Boundary, a tool that gives admins access to services and servers. Specifically, it concerns the recording of SSH sessions. Previously, these could only be saved in AWS S3. Now this is also possible in MinIO, so that the data can be stored completely outside the cloud, on your own premises.

Overall, HashiCorp has thoroughly restructured its ecosystem and improved how the products work together. This starts with the names and extends to the various integration functions and a clean categorization and classification.

(dahe)