Hashicorp Sentinel vs Terraform

Overview

Terraform

Stacks22.9K

Followers14.7K

Votes344

GitHub Stars47.0K

Forks10.1K

Hashicorp Sentinel

Stacks25

Followers28

Votes0

Hashicorp Sentinel vs Terraform: What are the differences?

Introduction:

1. Integration with Terraform: HashiCorp Sentinel allows you to add policy as code enforcement to your Terraform plans and deployments, ensuring compliance and security at every stage of the infrastructure lifecycle. This integration helps in making sure that only compliant infrastructure configurations are applied.

2. Policy as Code vs. Infrastructure as Code: While Terraform focuses on defining and managing infrastructure as code, Sentinel focuses on defining and enforcing policy as code. This means that Terraform creates and manages infrastructure, while Sentinel ensures that the defined policies are adhered to during the provisioning process.

3. Granular Control: Sentinel provides more granular control over policies by enabling conditional checks, parameterized policies, and the ability to define policies based on specific criteria. This level of control allows organizations to tailor policies to their specific requirements and enforce them effectively.

4. Real-Time Observability: Sentinel offers real-time observability by providing detailed insights into policy evaluation, allowing users to track and monitor policy compliance during Terraform execution. This feature helps in identifying and addressing policy violations promptly, enhancing the security and compliance of the infrastructure.

5. Customization and Extensibility: Sentinel allows users to create custom functions, imports, and data sources to extend the capabilities of policy enforcement. This customization enables organizations to implement unique policies and integrations to meet their specific infrastructure requirements effectively.

6. Compliance Automation: HashiCorp Sentinel streamlines compliance automation by integrating with various compliance standards and frameworks, allowing organizations to automate policy enforcement and compliance checking seamlessly within their Terraform workflows.

In Summary, HashiCorp Sentinel and Terraform differ in their focus on policy as code enforcement, granular control, real-time observability, customization, and compliance automation within the infrastructure lifecycle.

Share your Stack

Help developers discover the tools you use. Get visibility for your team's tech choices and contribute to the community's knowledge.

View Docs

CLI (Node.js)

Manual

Advice on Terraform, Hashicorp Sentinel

Sung Won

Nov 4, 2019

Decidedon

Google Cloud IoT Core

Terraform

Python

Context: I wanted to create an end to end IoT data pipeline simulation in Google Cloud IoT Core and other GCP services. I never touched Terraform meaningfully until working on this project, and it's one of the best explorations in my development career. The documentation and syntax is incredibly human-readable and friendly. I'm used to building infrastructure through the google apis via Python , but I'm so glad past Sung did not make that decision. I was tempted to use Google Cloud Deployment Manager, but the templates were a bit convoluted by first impression. I'm glad past Sung did not make this decision either.

Solution: Leveraging Google Cloud Build Google Cloud Run Google Cloud Bigtable Google BigQuery Google Cloud Storage Google Compute Engine along with some other fun tools, I can deploy over 40 GCP resources using Terraform!

Check Out My Architecture: CLICK ME

Check out the GitHub repo attached

2.25M views2.25M

Comments

Timothy

SRE

Mar 20, 2020

Decided

I personally am not a huge fan of vendor lock in for multiple reasons:

I've seen cost saving moves to the cloud end up costing a fortune and trapping companies due to over utilization of cloud specific features.
I've seen S3 failures nearly take down half the internet.
I've seen companies get stuck in the cloud because they aren't built cloud agnostic.

I choose to use terraform for my cloud provisioning for these reasons:

It's cloud agnostic so I can use it no matter where I am.
It isn't difficult to use and uses a relatively easy to read language.
It tests infrastructure before running it, and enables me to see and keep changes up to date.
It runs from the same CLI I do most of my CM work from.

385k views385k

Comments

Daniel

May 4, 2020

Decided

Because Pulumi uses real programming languages, you can actually write abstractions for your infrastructure code, which is incredibly empowering. You still 'describe' your desired state, but by having a programming language at your fingers, you can factor out patterns, and package it up for easier consumption.

426k views426k

Comments

Detailed Comparison

Terraform	Hashicorp Sentinel
With Terraform, you describe your complete infrastructure as code, even as it spans multiple service providers. Your servers may come from AWS, your DNS may come from CloudFlare, and your database may come from Heroku. Terraform will build all these resources across all these providers in parallel.	Sentinel is an embeddable policy as code framework to enable fine-grained, logic-based policy decisions that can be extended to source external information to make decisions.
Infrastructure as Code: Infrastructure is described using a high-level configuration syntax. This allows a blueprint of your datacenter to be versioned and treated as you would any other code. Additionally, infrastructure can be shared and re-used.;Execution Plans: Terraform has a "planning" step where it generates an execution plan. The execution plan shows what Terraform will do when you call apply. This lets you avoid any surprises when Terraform manipulates infrastructure.;Resource Graph: Terraform builds a graph of all your resources, and parallelizes the creation and modification of any non-dependent resources. Because of this, Terraform builds infrastructure as efficiently as possible, and operators get insight into dependencies in their infrastructure.;Change Automation: Complex changesets can be applied to your infrastructure with minimal human interaction. With the previously mentioned execution plan and resource graph, you know exactly what Terraform will change and in what order, avoiding many possible human errors	policy as code;Fine-grained, condition-based policy; Multiple enforcement levels; Multi-cloud compatible
Statistics
GitHub Stars 47.0K	GitHub Stars -
GitHub Forks 10.1K	GitHub Forks -
Stacks 22.9K	Stacks 25
Followers 14.7K	Followers 28
Votes 344	Votes 0
Pros & Cons
Pros 121 Infrastructure as code 73 Declarative syntax 45 Planning 28 Simple 24 Parallelism Cons 1 Doesn't have full support to GKE	No community feedback yet
Integrations
Heroku Amazon EC2 CloudFlare DNSimple Microsoft Azure Consul Equinix Metal DigitalOcean OpenStack Google Compute Engine	Nomad Vault Consul

What are some alternatives to Terraform, Hashicorp Sentinel?

Ansible

Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates. Ansible’s goals are foremost those of simplicity and maximum ease of use.

Chef

Chef enables you to manage and scale cloud infrastructure with no downtime or interruptions. Freely move applications and configurations from one cloud to another. Chef is integrated with all major cloud providers including Amazon EC2, VMWare, IBM Smartcloud, Rackspace, OpenStack, Windows Azure, HP Cloud, Google Compute Engine, Joyent Cloud and others.

Capistrano

Capistrano is a remote server automation tool. It supports the scripting and execution of arbitrary tasks, and includes a set of sane-default deployment workflows.

Puppet Labs

Puppet is an automated administrative engine for your Linux, Unix, and Windows systems and performs administrative tasks (such as adding users, installing packages, and updating server configurations) based on a centralized specification.

Salt

Salt is a new approach to infrastructure management. Easy enough to get running in minutes, scalable enough to manage tens of thousands of servers, and fast enough to communicate with them in seconds. Salt delivers a dynamic communication bus for infrastructures that can be used for orchestration, remote execution, configuration management and much more.

AWS CloudFormation

You can use AWS CloudFormation’s sample templates or create your own templates to describe the AWS resources, and any associated dependencies or runtime parameters, required to run your application. You don’t need to figure out the order in which AWS services need to be provisioned or the subtleties of how to make those dependencies work.

Fabric

Fabric is a Python (2.5-2.7) library and command-line tool for streamlining the use of SSH for application deployment or systems administration tasks. It provides a basic suite of operations for executing local or remote shell commands (normally or via sudo) and uploading/downloading files, as well as auxiliary functionality such as prompting the running user for input, or aborting execution.

AWS OpsWorks

Start from templates for common technologies like Ruby, Node.JS, PHP, and Java, or build your own using Chef recipes to install software packages and perform any task that you can script. AWS OpsWorks can scale your application using automatic load-based or time-based scaling and maintain the health of your application by detecting failed instances and replacing them. You have full control of deployments and automation of each component

Packer

Packer automates the creation of any type of machine image. It embraces modern configuration management by encouraging you to use automated scripts to install and configure the software within your Packer-made images.

Scalr

Scalr is a remote state & operations backend for Terraform with access controls, policy as code, and many quality of life features.

Related Comparisons

Hashicorp Sentinel vs Terraform: What are the differences?

Introduction:

Hashicorp Sentinel vs Terraform

Overview