
Terraform Cloud continuous validation inches toward GitOps

Terraform is already part of the GitOps workflow for some enterprises, but a new continuous validation feature could increase its overlap with tools such as Argo CD and Flux.

LOS ANGELES -- HashiCorp launched a new continuous validation feature in public beta for Terraform Cloud this week that may expand the ways it can be used for GitOps.

Continuous validation follows another feature introduced in June called drift detection, which became generally available for Terraform Cloud Business last month. Drift detection checks whether changes have been made to infrastructure state configurations outside the Terraform workflow. Continuous validation broadens that to perform perpetual health checks on a wider set of criteria.

For example, Terraform continuous validation can detect whether a resource is using an approved Amazon Machine Image, a HashiCorp Packer image or a valid security certificate.
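As an added example (not code from the article or from HashiCorp), here is what the two checks just described, an approved-image check and a certificate check, look like when written as Terraform `check` blocks (Terraform 1.5 or later), the kind of custom condition that a Terraform Cloud health assessment re-evaluates after apply. The article does not describe the mechanism, so the assumption that continuous validation re-runs these particular conditions is mine; the AWS provider, resource names, the `myapp-*` image name filter, the `var.ami_id` variable and the hostname are constructed placeholders.

```hcl
# Added example (not from the article or HashiCorp): two Terraform check blocks
# (Terraform >= 1.5) of the kind a continuous validation assessment re-evaluates.
# Provider, resource names, the "myapp-*" image filter, var.ami_id and the
# hostname are constructed placeholders. Assumes the deployment pipeline pins the
# image that aws_instance.app runs through var.ami_id.

variable "ami_id" {
  type        = string
  description = "Image the pipeline deployed; validation compares it to the latest promoted image."
}

resource "aws_instance" "app" {
  ami           = var.ami_id
  instance_type = "t3.micro"
}

# Approved-image check: fails (without blocking apply) once a newer image,
# for example a Packer build that patches a vulnerability, has been promoted.
check "instance_uses_latest_promoted_image" {
  data "aws_ami" "latest_promoted" {
    most_recent = true
    owners      = ["self"]

    filter {
      name   = "name"
      values = ["myapp-*"]
    }
  }

  assert {
    condition     = aws_instance.app.ami == data.aws_ami.latest_promoted.id
    error_message = "Instance ${aws_instance.app.id} runs ${aws_instance.app.ami}; latest promoted image is ${data.aws_ami.latest_promoted.id}."
  }
}

# Certificate check: fails when the leaf certificate served at the endpoint
# expires within 30 days (720h) of the plan time.
check "endpoint_certificate_is_valid" {
  data "tls_certificate" "app" {
    url = "https://app.example.com"
  }

  assert {
    # The tls provider lists the chain root-first, so the leaf is the last entry.
    condition = timecmp(
      data.tls_certificate.app.certificates[length(data.tls_certificate.app.certificates) - 1].not_after,
      timeadd(plantimestamp(), "720h")
    ) > 0
    error_message = "Certificate for app.example.com expires within 30 days."
  }
}
```

A failing `check` block produces a warning rather than an error, so it reports the problem without blocking a run; that matches the notify-rather-than-enforce behaviour the article attributes to drift detection and continuous validation, and leaves the decision to roll a new image or renew the certificate with the administrator.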

"Maybe there's a security vulnerability and you deploy a new release for [a machine] image," said Meghan Liese, senior director of product marketing at HashiCorp, in a press and analyst briefing. "[Terraform continuous validation] will check that the image deployed is the most recently promoted image, and if that's no longer true, it will send a notification."

Along with that notification, Terraform Cloud drift detection presents users with automated remediation options. This feature wasn't specifically mentioned with continuous validation this week but may follow. Self-managed Terraform Enterprise will also add continuous validation in a future release.

Questions arise about Terraform GitOps ambitions

These updates could set the stage for Terraform to become a replacement for app-level GitOps tools such as Argo CD and Flux, analysts said.

On the DevOps spectrum, GitOps sits a little to the left -- closer to software developers -- than Terraform, which is focused on infrastructure, Liese said when asked about Terraform as a GitOps tool. When asked directly during the briefing whether continuous validation could replace Argo CD, she was noncommittal.

"Possibly, but I would need to know more about the details [of that scenario]," she said.

Photo: HashiCorp senior director of product marketing Meghan Liese presents Terraform and Waypoint updates to press and analysts at HashiConf.

But to IDC analyst Jim Mercer, who pressed Liese on this point, those questions remain open. Terraform continuous validation looks like cluster drift reconciliation, known as a self-heal in Argo CD or a reconcile command in Flux, he said.

"It feels very much like it's encroaching on something like Argo in GitOps, which is about trying to stop configuration drift," Mercer said. "I don't know what the exact wiring is, but it sounds to me like a reconciler."

A big difference -- for now -- is that Argo self-heal and Flux automatically enforce the desired state of a Kubernetes cluster or app whenever drift is detected. Terraform Cloud drift detection and continuous validation notify an administrator of drift and require that they take action to respond to it.

Thus, as with this week's updates to Boundary that push the vendor into privileged access management, and a new API gateway that brings Consul into a fresh segment of cloud-native networking, continuous validation is not an exact match for established competitors yet. But it could become one if HashiCorp decides to go in that direction, Mercer said.

A further step into GitOps for HashiCorp is possible, another analyst agreed.

"They have the pieces -- they even have a Terraform Operator that runs on Kubernetes that, connected with continuous validation, can very much do GitOps-related stuff today," said Gregg Siegfried, an analyst at Gartner. "But on the other hand, Terraform is much broader than that. ... HashiCorp could see GitOps as a distraction, as well."

One Terraform Cloud customer who presented at HashiConf already uses infrastructure as code as part of a GitOps workflow, where a homegrown tool plays the role Argo CD or Flux would for Kubernetes apps. He said he's willing to consider Terraform to replace that too.

"Our support staff has no access to production resources because we use immutable infrastructure. But we'll consider including that kind of control and validation in an automated way," said Andrew Rau, vice president and manager of cloud services at BOK Financial, in an interview after his presentation. "Just because we have that internally developed [Kubernetes GitOps] product doesn't mean we'll stay on it -- and if we don't have to manage the code [in Terraform Cloud], great."

Photo: Andrew Rau (left) and Kris Jackson of BOK Financial present on their use of Terraform for GitOps at HashiConf.

Terraform Cloud builds in OPA, no-code features

HashiCorp's Liese cited user choice alongside HashiCorp's own Sentinel policy-as-code tool when she unveiled new native support for its rival, Open Policy Agent (OPA), in public beta for Terraform Cloud this week.

"We believe Sentinel is the best way to run policies. We wrote its domain-specific language the way we did to make it highly customizable and very granular," she said in her presentation. "However, we recognize that there's a whole market around policy as code, and we have a number of partners [there]. ... Terraform should be the place policies get enforced, but we don't really care which policy framework [users] choose."

But Siegfried said he sees this as a likely death knell for Sentinel.

"Sentinel is in use in other products beyond just Terraform, but there are a lot of organizations that have gone all-in on OPA, and they don't want to write policies twice," he said. "When HashiCorp created Sentinel, OPA was much less mature. And [before Terraform] drift detection was available, if you wanted to enforce policy beyond planning and deployment, you had to use something else anyway."


Finally, a new no-code provisioning workflow, also released in beta this week for Terraform Cloud, adds a graphical user interface to Terraform private registries. IT ops admins can use that interface to publish a catalog of Terraform modules developers can choose from without having to understand the Terraform DSL.

One Terraform user balked at this and said he believes software engineers should understand infrastructure as code.

"If you can't tell me how [your application] runs on the infrastructure that you're targeting ... you don't understand your workload's behavior under stress," said Martin Eggenberger, chief architect at Monster Worldwide Inc., owner of hiring and recruiting website Monster.com.

That may be the ideal, Siegfried said, but this move by HashiCorp is in keeping with the trend toward DevOps platform engineering that's been spurred by the rarity of deep infrastructure skills among software developers.

"It requires you to have your cloud or platform team build vetted modules," he said. "This is a way to expand access to them in the same way that ServiceNow's integration with Terraform lets you request resources without necessarily knowing anything about the Terraform environment. It doesn't reduce your need for some expertise, but it may reduce your need to spread that expertise so widely."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
