HCP Terraform (formerly Terraform Cloud) is HashiCorp's managed service for running Terraform collaboratively, with the controls teams need for security and compliance. This guide covers three of its key features: the Private Registry, Workspaces, and Sentinel policies.
What is HCP Private Registry?
The HCP Terraform private registry is a centralized repository for storing and sharing private Terraform modules and providers within your organization. It provides a versioned, access-controlled home for reusable infrastructure code: only authenticated members of the organization can read from it, and consumers reference modules with the same source/version syntax they use for the public registry.
Key Features
Versioning: each module release is published from a semantic-version Git tag, so consumers can pin or constrain the version they use
Access Control: every member of the organization can consume modules, while publishing requires the organization-level permission to manage the private registry
Module Discovery: search and browse internal modules from the HCP Terraform UI
Documentation: the registry renders each version's README together with the module's inputs and outputs
Security: modules are reachable only with an HCP Terraform token for your organization, so internal infrastructure code never goes to a public registry
Setting Up Private Registry
# Consume a private provider: the source is <hostname>/<organization>/<provider-type>.
# Terraform authenticates to app.terraform.io with the token stored by
# `terraform login` (or the TF_TOKEN_app_terraform_io environment variable).
terraform {
  required_providers {
    aws = {
      source  = "app.terraform.io/my-org/aws"
      version = "~> 4.0"
    }
  }
}

# Consume a private module: the source is <hostname>/<organization>/<name>/<provider>.
module "vpc" {
  source  = "app.terraform.io/my-org/vpc/aws"
  version = "1.0.0"

  vpc_cidr    = "10.0.0.0/16"
  environment = "production"
}
Understanding Workspaces
Workspaces in HCP Terraform are the unit at which Terraform runs: each workspace holds its own state, variables, run history, and permissions for one configuration. Using one workspace per environment (dev, staging, production) keeps their states isolated even when they share the same code.
Benefits of Workspaces
Environment Separation: Maintain dev, staging, and production environments as separate workspaces
State Isolation: A run in one workspace can only read and write that workspace's state, preventing accidental changes across environments
Variable Management: Per-workspace variables (sensitive values are stored write-only) plus variable sets shared across workspaces
Access Control: Role-based access control per workspace, including who can read state, queue plans, and apply
Workspace Configuration
# Create and select a workspace. With a `cloud` block in the configuration, this
# creates the HCP Terraform workspace "production" rather than a local one.
terraform workspace new production

# terraform.workspace is an expression, so it cannot be used as a variable default;
# expose it through a local instead. With the cloud block it is the HCP Terraform
# workspace name (the legacy remote backend always returned "default").
locals {
  environment = terraform.workspace
}

variable "ami_id" {
  type = string
}

# Conditional resource configuration keyed on the workspace name
resource "aws_instance" "server" {
  ami           = var.ami_id
  instance_type = local.environment == "production" ? "t3.large" : "t3.micro"

  tags = {
    Environment = local.environment
  }
}
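Putting the private registry and workspaces together, the following is an added example (not code from the original page or from HashiCorp) of a root module that connects the CLI to HCP Terraform workspaces selected by tag, consumes the private vpc module, and looks up per-environment settings by workspace name. The organization name my-org, the app:web tag, the module's private_subnet_ids output, and the variable names are assumptions.

```hcl
# Added example: connect the CLI to HCP Terraform and consume a private module.
# "my-org", the "app:web" tag, the module output and the variable names are assumptions.
terraform {
  required_version = ">= 1.2"

  # The cloud block replaces a backend: state, variables and runs live in HCP Terraform.
  # `terraform workspace new/select` operates on the organization's workspaces that
  # carry this tag, so "production" is an HCP Terraform workspace, not a local one.
  cloud {
    organization = "my-org"
    workspaces {
      tags = ["app:web"]
    }
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Per-workspace settings, looked up by workspace name. A workspace that is not
# listed fails at plan time ("Invalid index") instead of silently receiving
# production-sized values.
locals {
  settings = {
    dev        = { cidr = "10.10.0.0/16", instance_type = "t3.micro" }
    staging    = { cidr = "10.20.0.0/16", instance_type = "t3.small" }
    production = { cidr = "10.0.0.0/16", instance_type = "t3.medium" }
  }
  env = local.settings[terraform.workspace]
}

# Private module, pinned with a pessimistic constraint: 1.x releases are picked up
# on `terraform init -upgrade`, a 2.0 release is not. Authentication to
# app.terraform.io comes from `terraform login` or the TF_TOKEN_app_terraform_io
# environment variable; no credentials live in this file.
module "vpc" {
  source  = "app.terraform.io/my-org/vpc/aws"
  version = "~> 1.0"

  vpc_cidr    = local.env.cidr
  environment = terraform.workspace
}

resource "aws_instance" "server" {
  ami           = var.ami_id
  instance_type = local.env.instance_type
  subnet_id     = module.vpc.private_subnet_ids[0] # assumed module output

  tags = {
    Environment = terraform.workspace
  }
}

variable "ami_id" {
  type        = string
  description = "AMI to launch; set per workspace as an HCP Terraform workspace variable"
}
```

Because the map lookup is strict, creating a new workspace (for example `terraform workspace new qa`) produces a plan error until someone deliberately adds a qa entry, which is the behaviour you want from environment-specific sizing and CIDR allocation.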
Introduction to Sentinel Policies
Sentinel is HashiCorp's policy-as-code framework, embedded in HCP Terraform, Terraform Enterprise, and the enterprise editions of Vault, Consul, and Nomad. In HCP Terraform, policies run between plan and apply: they can inspect the plan, the configuration, the current state, and run metadata, and can block an apply that violates them.
Types of Policies
Each policy has one of three enforcement levels, set per policy in the policy set's sentinel.hcl rather than in the policy file itself:
Advisory: A failure is recorded as a warning and the run continues
Soft-Mandatory: A failure blocks the run until a user with the permission to manage policy overrides overrides it; the override is recorded on the run
Hard-Mandatory: A failure blocks the run and cannot be overridden
Example Sentinel Policy
# allowed-instance-types.sentinel: enforce instance types on every aws_instance
# the plan will create or update, using the tfplan/v2 import
import "tfplan/v2" as tfplan

allowed_types = ["t3.micro", "t3.small", "t3.medium"]

# Only managed resources that are being created or updated; deletions are ignored
instances = filter tfplan.resource_changes as _, rc {
  rc.type is "aws_instance" and rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

instance_type_allowed = rule {
  all instances as _, rc {
    rc.change.after.instance_type in allowed_types
  }
}

# The enforcement level (hard-mandatory) is set in sentinel.hcl, not here
main = rule { instance_type_allowed }
Implementing Cost Controls
# restrict-cost-by-workspace.sentinel: cap the monthly cost increase per workspace.
# Cost estimation must be enabled for the organization; otherwise
# tfrun.cost_estimate is null and the rule passes by design.
import "tfrun"
import "decimal"

workspace_cost_limits = {
  "production": 5000,
  "staging":    1000,
}

# Workspaces not listed above fall back to a default limit
limit = workspace_cost_limits[tfrun.workspace.name] else 500

# delta_monthly_cost is a decimal string, so compare through the decimal import
main = rule when tfrun.cost_estimate is not null {
  decimal.new(tfrun.cost_estimate.delta_monthly_cost).less_than(limit)
}
Private Registry Best Practices
Version Constraints: Pin module versions (an exact version, or a pessimistic constraint such as ~> 1.2) so that a new release cannot change production without a reviewed change
Documentation: Maintain comprehensive README files
Testing: Implement automated testing for modules
Tagging: Use semantic versioning for module releases
Workspace Management
Naming Conventions: Implement consistent naming patterns
State Management: HCP Terraform keeps every state version; restrict who can read or download state, since it can contain secrets in plaintext
Variable Sets: Use variable sets for common configurations
Team Structure: Align workspaces with team responsibilities
Sentinel Policy Guidelines
Policy Organization: Group related policies together
Testing: Keep Sentinel test cases (passing and failing mocks) beside each policy and run sentinel test in CI before a policy set reaches a workspace
Documentation: Document policy intentions and exceptions
Governance: Regular policy reviews and updates
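As an added example of the policy organization and testing guidelines above (not code from the original page or from HashiCorp), here is the policy set configuration for the two policies named earlier, allowed-instance-types and restrict-cost-by-workspace, together with a failing test case for the first one. The file names, directory layout, and the m5.large instance type used in the failing case are assumptions.

```hcl
# Added example: policy set layout (file names and the test data are assumptions).

# sentinel.hcl at the root of the policy set: enforcement levels live here,
# not in the policy files.
policy "allowed-instance-types" {
  source            = "./allowed-instance-types.sentinel"
  enforcement_level = "hard-mandatory"
}

policy "restrict-cost-by-workspace" {
  source            = "./restrict-cost-by-workspace.sentinel"
  enforcement_level = "soft-mandatory"
}

# test/allowed-instance-types/fail.hcl: `sentinel test` runs every file under
# test/<policy-name>/ against that policy, with the import replaced by the mock
# data below. This case feeds a plan that creates an m5.large and asserts that
# main evaluates to false, so a change that accidentally allows it fails in CI.
mock "tfplan/v2" {
  data = {
    resource_changes = {
      "aws_instance.server" = {
        address = "aws_instance.server"
        type    = "aws_instance"
        mode    = "managed"
        change = {
          actions = ["create"]
          after = {
            instance_type = "m5.large"
          }
        }
      }
    }
  }
}

test {
  rules = {
    main = false
  }
}
```

A matching pass.hcl with instance_type set to t3.micro and `main = true` completes the pair; keeping both cases means a regression in either direction (a policy that blocks everything, or one that allows everything) is caught before the policy set is attached to a workspace.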
Example Implementation Workflow
# Authenticate the CLI to app.terraform.io (stores a user token used for the registry and runs)
terraform login app.terraform.io
# Initialize: downloads private providers and modules from the registry and connects to HCP Terraform
terraform init
# Select the workspace whose state and variables the run should use
terraform workspace select production
# Plan: runs remotely in HCP Terraform, where Sentinel policies are evaluated against the plan
terraform plan
# Apply: proceeds only if mandatory policies passed or a soft-mandatory failure was overridden
terraform apply