Application teams must wait for manual changes in the network to release, scale up/down and re-deploy their applications. This creates a bottleneck, especially in frequent workflows related to scaling up/down the application, breaking the DevOps goal of self-service enablement.
Networking and security teams cannot scale processes to the speed and changes needed. Manual approaches don't scale well, causing backlogs in network and security teams. Even in organisations that have some amount of automation (such as scripting), there is a need for an accurate, real-time source of data to trigger and drive their network automation workflows.
Consul-Terraform-Sync automates this process, thus decreasing the possibility of human error in manually editing configuration files, as well as decreasing the overall time taken to push out configuration changes.
Consul-Terraform-Sync runs in near real-time to keep up with the rate of change.
Network Infrastructure Automation (NIA) enables dynamic updates to network infrastructure devices triggered by service changes.
Consul Terraform Sync (just Sync from here on) is a service-oriented tool for managing network infrastructure in near real-time. Sync runs as a daemon and integrates the network topology maintained by your Consul cluster with your network infrastructure to dynamically secure and connect services.
Github Repo -
To install Sync, find the appropriate package for your system and download it as a zip archive. Unzip the package to extract the binary named consul-terraform-sync. Move the consul-terraform-sync binary to a location available on your $PATH.
1. Download a pre-compiled, released version from the Sync release page.
2. Extract the binary using unzip or tar.
3. Move the binary into $PATH.
Once installed, verify the installation works by running the binary with the help option.
Documentation on various configuration parameters -
1. The infrastructure is deployed on Azure and has 3 VNETs:
a. HashiCorp Consul Service hosting VNET.
b. Shared Service VNET (shared services such as HashiCorp Vault and a Bastion Host).
c. Application and Network service stack.
2. A two-tier application running on virtual machines that uses Consul for service discovery.
NOTE: It must be a Consul ecosystem: applications need to register themselves with Consul, i.e. a Consul agent should be running and joined to the Consul server.
New virtual machines are frequently added and removed to handle scaling requirements.
The overworked NetOps and SecOps teams have to frequently reconfigure the load balancers and firewalls.
The long hours and lengthy job queues result in deployment errors and, potentially, security issues.
Current solution: scripts to automate health checks for new servers and add them to Route53.
Consul-Terraform-Sync sits at the NetOps layer.
Consul monitors application state changes in real-time (IP Addresses and App meta-data).
Consul Terraform Sync uses this information to automatically configure the various network infrastructure, eliminating the need for NetOps teams to be involved after the initial configuration.
NOTE: Consul Terraform Sync automates the management of policy address groups on the Palo Alto Firewalls. This facilitates having fine-grained policies without increasing operational overhead.
Terraform Templates and Configuration file for above setup
buffer_period - Configures the default buffer period for all tasks to dampen the effects of flapping services on downstream network devices. It defines the minimum and maximum amount of time to wait for the cluster to reach a consistent state and accumulate changes before triggering task executions. It is enabled by default to reduce the number of times downstream infrastructure is updated within a short period of time, which is useful in systems that have a lot of flapping.
The consul block is used to configure Consul-Terraform-Sync connection with a Consul agent to perform queries to the Consul Catalog and Consul KV pertaining to task execution.
The driver block configures the subprocess for Consul-Terraform-Sync to propagate infrastructure change. The Terraform driver is a required configuration for Consul-Terraform-Sync to relay provider discovery and installation information to Terraform, specifically the required_providers stanza. Other driver options do not need to be explicitly configured and have reasonable default values.
A terraform_provider block configures the options to interface with network infrastructure. Define a block for each provider required by the set of Terraform modules across all tasks. This block resembles provider blocks in Terraform configuration. To find details on how to configure a provider, refer to the corresponding documentation for the Terraform provider. The main directory of publicly available providers is hosted on the Terraform Registry.
A task block configures which task to run in automation for the selected services. The list of services can include services explicitly defined by a service block or implicitly declared by the service name. The task block may be specified multiple times to configure multiple tasks.
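The following configuration file is an added example, not the page author's own setup, showing how the buffer_period, consul, driver, terraform_provider, service and task blocks described above fit together for the Palo Alto address-group use case. The module path, service names, firewall hostname, datacenter name and credential placeholders are assumptions; the Terraform module at that path is expected to accept the standard `services` variable that Sync renders from the Consul catalog. On releases before 0.5 the task attribute `module` was named `source`.

```hcl
# Constructed example Consul-Terraform-Sync configuration (not from the original page).

log_level = "info"

# Wait for Consul to settle between 5s and 20s before pushing a change,
# so a flapping health check does not produce one firewall commit per flip.
buffer_period {
  enabled = true
  min     = "5s"
  max     = "20s"
}

# Local Consul agent that Sync queries for catalog and KV changes.
consul {
  address = "localhost:8500"
  # token = "..."   # ACL token, if ACLs are enabled (assumed placeholder)
}

# Terraform driver: required_providers is relayed to Terraform so it can
# discover and install the provider used by the task modules.
driver "terraform" {
  log = true

  required_providers {
    panos = {
      source  = "PaloAltoNetworks/panos"
      version = "~> 1.8"   # assumed version constraint
    }
  }
}

# Provider settings mirror a Terraform provider block; placeholders assumed.
terraform_provider "panos" {
  hostname = "fw-mgmt.example.internal"   # assumed firewall management address
  username = "cts-automation"
  password = "REPLACE_ME_FIREWALL_PASSWORD"   # placeholder, never commit real secrets
}

# Explicit service definitions: restrict monitoring to the application datacenter.
service {
  name       = "web"
  datacenter = "dc1"   # assumed datacenter name
}

service {
  name       = "api"
  datacenter = "dc1"
}

# One task: every time the set of healthy web/api instances changes, run the
# module that rewrites the firewall address groups with the current IPs.
task {
  name        = "palo-alto-address-groups"
  description = "Keep Palo Alto address groups in sync with web and api instances"
  module      = "./modules/panos-address-group"   # assumed local module path
  providers   = ["panos"]
  services    = ["web", "api"]

  # Per-task override of the global buffer period (optional).
  buffer_period {
    enabled = true
    min     = "10s"
    max     = "30s"
  }
}
```

Keep the provider credentials out of the file in practice (Sync can read them from the process environment or a Vault-backed workflow); the task's `services` list is what scopes which catalog changes trigger a Terraform run, so a task that names only the two application services is not re-executed when unrelated services in the cluster change.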