{"id":4528,"date":"2019-08-15T15:46:47","date_gmt":"2019-08-15T12:46:47","guid":{"rendered":"https:\/\/www.almtoolbox.com\/blog_he\/?p=4528"},"modified":"2019-10-21T21:11:00","modified_gmt":"2019-10-21T18:11:00","slug":"case-study-us-air-force-use-hashicorp-terraform-vault-sentinel","status":"publish","type":"post","link":"https:\/\/www.almtoolbox.com\/blog_he\/case-study-us-air-force-use-hashicorp-terraform-vault-sentinel\/","title":{"rendered":"Case study: why the US Air Force uses Sentinel + Terraform + Vault Enterprise"},"content":{"rendered":"<p>At HashiCorp's most recent conference in Europe (last month), Tamekia Reed of Expansia (also the founder of the Women In Linux group) took the stage. She led an implementation project for the US Air Force that included Sentinel, Terraform Enterprise, Vault Enterprise, GitLab and other tools. 
She described how they use HashiCorp tools to automate manual processes, manage configuration and infrastructure, and run security processes and policy through code (policy-as-code &amp; infrastructure-as-code), as well as the rollout of HashiCorp tools in the US Air Force and why they chose the Enterprise editions.<\/p>\n<p>As HashiCorp solution distributors and vendor representatives we received the recording and condensed it into a 4-minute video covering the relevant Sentinel-Terraform-Vault parts and the relevant slides; we also added subtitles to the video, and the transcript itself appears at the end of this article.<\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/cEfnVhzskAU\" width=\"700\" height=\"393.75\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>For further questions about HashiCorp products, feel free to contact us.<\/p>\n<p>&nbsp;<\/p>\n<div class=\"alm-box alm-contact\">\n<div dir=\"rtl\">\n<p>We officially represent HashiCorp and provide licensing, implementation, consulting and training for Terraform, Vault, Sentinel, Consul and Nomad.<br \/>\n<em>We offer end-to-end solutions in ALM, DevOps and cloud: building development and test environments and migrating them to containers, to the cloud and more.<\/em><\/p>\n<p>We also provide licensing and implementation of complementary tools: GitLab, Jenkins, Spotinst, AWS, GCP, Kubernetes, Chef, Rancher, SonarQube, Nexus, Digital Ocean, Artifactory and more<\/p>\n<\/div>\n<div dir=\"rtl\">\n<p><em>Questions? 
We'd be happy to answer any question; contact us by email at <a href=\"mailto:hashicorp@almtoolbox.com\" target=\"_blank\" rel=\"noopener\">hashicorp@almtoolbox.com<\/a> or by phone at 072-240-5222<\/em><\/p>\n<\/div>\n<\/div>\n<h3>Related links:<\/h3>\n<ul>\n<li>The <a href=\"https:\/\/www.almtoolbox.com\/il\/hashicorp-vault\" target=\"_blank\" rel=\"noopener\">HashiCorp Vault site, with information in Hebrew<\/a><\/li>\n<li>The <a href=\"https:\/\/www.almtoolbox.com\/il\/terraform\" target=\"_blank\" rel=\"noopener\">Terraform site in Hebrew<\/a><\/li>\n<li>Recording of the &quot;Ask Me Anything about Vault&quot; webinar we held with HashiCorp<\/li>\n<li>Recorded demo of Terraform and infrastructure as code (Hebrew)<\/li>\n<li>Recorded demo of Vault (Hebrew)<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2 id=\"transcript\" dir=\"ltr\" style=\"text-align: left;\">Transcript:<\/h2>\n<p dir=\"ltr\" style=\"text-align: left;\">So a little bit of background about me &#8211; he gave you the introduction\u2014I also worked for a company called Expansia. The main topic that we're going to talk about today is how we're trying to solve problems in government, in particular for the U.S. Air Force. 
The topic here is called the\u00a0journey\u2014and I should have put up there a continuous journey as well because that is exactly what it is\u2014it\u2019s a continuous journey.<\/p>\n<h3 id=\"policy-as-code\" dir=\"ltr\">Policy as code<\/h3>\n<p dir=\"ltr\">Policy as code. We want to implement this\u2014as we talked about in the image policy. We want to create it; we want to be able to deploy to different environments\u2014quicker time for responses in terms of failures\u2014in terms of successes. Knowledge transfer through code\u2014how did you do it\u2014being able to share with other teams, and also bringing ops and developers together for quicker feedback loops on deployments.<\/p>\n<p dir=\"ltr\">We talked about it earlier\u2014we heard about\u00a0Sentinel. How does that apply in our world? And when I say our world, policy as code is huge and something that is ongoing every day.<\/p>\n<p dir=\"ltr\">As you see at the bottom\u2014and I talked about this\u2014checking your code in, building out, whether it's a Docker container or a VM, and then using Sentinel to say, \u201cHey, I can deploy to the staging environment.\u201d If not, I'll stop and say I can't deploy to that state in your environment. But I have that ability now to say yes or no. I can go back and say I want to scan that environment as well too. And get that feedback loop to JIRA. That's what that looks like.<\/p>\n<p dir=\"ltr\">One of the bigger issues in this project is having a multi-environment. Well, with that\u00a0multi-environment, I'm not sure if anyone here plays with Azure Stack or AWS Outpost. Outpost is coming out\u2014I think roughly around the September\/October frame\u2014is what they were looking at. But as we prepare to go forward, we want to be prepared to play in those environments and we will too. 
We will have that option and we will have that pipeline already set out.<\/p>\n<h3 id=\"terraform-enterprise-advantages\" dir=\"ltr\">Terraform Enterprise advantages<\/h3>\n<p dir=\"ltr\">Terraform Enterprise\u2014the advantages that we have seen are\u2014one, we're able to hold state viewing where we can't hold state unless you're using vRealize. But then there are other issues that go along with that.<\/p>\n<p dir=\"ltr\">Control policies on the environment. We need to have the ability to audit. Now if we have those policies that are written out in code, we can see who was able to push the button on their environment and say, \u201cHey, we deploy to staging,\u201d or, \u201cWe deploy it to production.\u201d<\/p>\n<p dir=\"ltr\">The next one is seeing who actually did what and having that feedback in JIRA. Super important.<\/p>\n<h3 id=\"vault-enterprise-advantages\" dir=\"ltr\">Vault Enterprise advantages<\/h3>\n<p dir=\"ltr\">We're also using Vault. So we're using Vault Enterprise for a couple of things. One, we need\u00a0PKI\u00a0integration. The other one that we need it for is Terraform. We also need it for controlling logging into servers.<\/p>\n<p dir=\"ltr\">When we're talking about logging into servers\u2014in some cases you may need someone to log into a server depending on if it's a monolithic application and it's been around forever\u2014and that's what they've been used to. You want to get away from that. But at least we can have that\u00a0controlled\u00a0on Vault saying that you only have 30 minutes to log in and check and see what was going on and then log out. 
We can put that on Vault.<\/p>\n<p dir=\"ltr\">The other thing we do here is tying that back into Kerberos or LDAP\u2014or even, in this case, Windows, which is still underneath Kerberos.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At HashiCorp's most recent conference in Europe (last month), Tamekia Reed of Expansia (also the founder of the Women In Linux group) took the stage. She led an implementation project for the US Air Force that included Sentinel, Terraform Enterprise, Vault Enterprise, GitLab and other tools. 
She described how they use HashiCorp tools to automate manual processes, manage configuration and infrastructure, and run security processes and policy through [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[64,279,358,280,281],"tags":[],"class_list":["post-4528","post","type-post","status-publish","format-standard","hentry","category-case-studies","category-hashicorp","category-sentinel","category-terraform","category-vault"],"_links":{"self":[{"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/posts\/4528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/comments?post=4528"}],"version-history":[{"count":0,"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/posts\/4528\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/media?parent=4528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/categories?post=4528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.almtoolbox.com\/blog_he\/wp-json\/wp\/v2\/tags?post=4528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}