Streamline application deployments
This guide describes the best practices for creating an application delivery strategy with HashiCorp tools. A well-designed deployment strategy helps you deliver your application to production faster and catch bugs before your users run into them. A complete deployment strategy has five fundamental components:
- Write and test your application
- Package your application
- Provision infrastructure
- Deploy your application
- Connect and monitor your application
There are also two components to consider throughout the entire deployment process:
- Define your security strategy
- Integrate with your CI/CD pipeline
Your organization may have additional requirements for delivering your applications. For example, your security guidelines may require you to perform static code analysis on your codebase before you package it. After you package your application, your operations team may have a package registry that they require you to upload your application to.
Once you identify and implement each required step of your deployment strategy, we recommend automating them in a CI/CD pipeline. These pipelines will help every team in your organization adopt your deployment strategy by enforcing your designed strategy.
This guide gives our recommendations on how your organization can implement these seven steps, and covers how HashiCorp tools can fit into that cycle.
Define your security strategy
Security is an important component of every step of the application deployment pipeline. You should consider the security implications from when you write your code, when you design your deployment patterns, and day two and beyond while your code runs in production.
Vault lets you secure, store, and tightly control access to sensitive data, such as passwords, certificates, and API keys. Vault also manages dynamic secrets to services such as databases or cloud providers. These dynamic secrets protect malicious access to your services by providing valid credentials for short windows of time, automatically generating new credentials for your application to use automatically. Finally, Vault also provides encryption-as-a-service, which lets you encrypt data in your application without the need to manage the protection and rotation of encryption keys.
HCP Vault Dedicated is a hosted version of Vault Enterprise operated by HashiCorp. You can use the same CLI, API, and UI to communicate with HCP Vault Dedicated as you use to communicate with a self-hosted Vault Enterprise. HCP Vault Dedicated offers automated deployments, fully managed upgrades, and backups to reduce operational overhead.
HCP Vault Secrets is a multi-tenant, SaaS platform that offers teams a secure and simplified workflow for secret lifecycle management. It keeps secrets centralized while syncing them to platforms and tools such as CSPs, GitHub, and Vercel. You can use the HCP CLI to inject secrets into your application as environment variables, or pull from your application's code using the HCP Vault Secrets API.
HCP Vault Radar automates detecting and identifying unmanaged secrets in your code. It continuously scans for secrets, personally identifiable information, and non-inclusive language in real-time to alert you when it finds sensitive information in your code base.
HashiCorp resources:
- Get started with Vault
- Get started with HCP Vault Dedicated
- HCP Vault Secrets quickstart
- Get started with HCP Vault Radar
Write and test your application
We recommend that your application environments (development, test, and production) be as similar as possible. Inconsistent environments, such as different operating systems, external dependencies like databases, and configurations, may impact your application's behavior. These inconsistencies are usually more prominent between development and production environments.
Vagrant lets you define a development environment in a configuration file called a Vagrantfile. The Vagrantfile describes all the information about the development environment, including the base operating system image, setup scripts, and network configuration. When a developer runs the command vagrant up
, Vagrant uses the Vagrantfile to build and configure a virtual machine, allowing you to reliably create consistent development environments.
Using Vagrant, developers can automatically create development and test environments that mimic production as closely as possible. When your production environment changes, you can update the Vagrantfile to update the development environments. Using a common Vagrantfile also lets you create consistent development environments between teams for common tooling.
HashiCorp resources:
Package your application
Packaging your application is the process of turning your source code, configuration, and dependencies into a single deployable artifact, such as a virtual machine image or Docker container.
Packer lets you create identical artifacts for multiple platforms, such as AWS, Azure, and GCP, from a single source template. Packer templates define which source images to use and the steps to build your artifacts.
HCP Packer stores and manages metadata associated with the artifacts you build with Packer, such as inheritance between artifacts HCP Packer lets you label artifact versions with channels. If you find a security issue in an artifact and want to prevent people from deploying it, you can revoke a version of an artifact and point the label to a previous version.
You can use the HCP Terraform provider to query your HCP Packer registry from your Terraform configuration and ensure that your infrastructure is using the most up-to-date artifact version.
Together, this creates a golden image pipeline. This pipeline may look like the following example:
- Your DevOps team builds a base OS image that includes common dependencies between your applications.
- Your application team builds their application image on top of the base image.
- Your platform team deploys the application image with Terraform.
- If your security team finds a vulnerability, they can update the base image and revoke the vulnerable version so that no new images are built on top of it.
- Since HCP Packer knows the child images are now out of date, it shows which images need to be rebuilt on the new base image.
HashiCorp resources:
Provision and manage infrastructure
Depending on your organization's deployment strategy, you may provision your infrastructure separately from deploying your application. For example, you might deploy your database, configure IAM roles, or set up access in your secrets management software. In this case, we recommend using a predictable, repeatable process for deploying your application stack.
Terraform is an infrastructure-as-code tool that lets you define and manage infrastructure resources through human-readable configuration files. Terraform has over 4000 providers, letting you deploy to any cloud provider or platform that has an API.
HCP Terraform manages Terraform runs in a consistent and reliable environment instead of on your local machine. HCP Terraform securely stores your state files, letting your team safely collaborate on the same Terraform deployment by preventing simultaneous deployments. HCP Terraform offers features that enhance the Terraform workflow, such as the following:
- Connect to your VCS provider so that you can develop your infrastructure using a workflow similar to application development.
- Store modules in a private registry, making it easy to reuse Terraform code in your organization.
- Run tasks let you connect to third-party services during a Terraform run lifecycle. This lets you add additional steps to your deployment process to do things like scan for security vulnerabilities or analyze your configuration to ensure that you are deploying the latest version of a machine image.
- Granular access controls to manage team permissions. This level of control ensures that only authorized team members can make changes, enhancing the security of your infrastructure deployment.
- Policy enforcement to enforce guardrails on the Terraform configuration your organization writes. For example, you can write policies to limit the size of VMs the configuration deploys, or confine deployments to defined maintenance windows.
HashiCorp resources:
- Phases of Terraform adoption
- Get started with HCP Terraform
- Manage RDS instances with Terraform
- Provision an EKS Kubernetes cluster with Terraform
Deploy your application
Your application deployment process depends on how you package your application. For example, the process differs when you deploy your application on virtual machines (VM) versus deploying to a container orchestrator like Kubernetes or Nomad.
If your applications run on virtual machines directly, we recommend that you package your application in the machine image itself rather than install it after deploying the VM. This immutable infrastructure approach means you know exactly what's running on the VM, simplifies scaling, and reduces deployment time. When you need to update the application, build a new machine image and deploy it as a new VM. This prevents ad-hoc changes from putting the VM in an unknown state.
You can use Terraform to manage and deploy your applications to a container orchestrator like Nomad or Kubernetes. By using Terraform, you have a unified workflow to manage your application and infrastructure resources.
Kubernetes
Kubernetes is a system for automating the deployment and scaling of containerized workloads. You tell Kubernetes the desired state of your workload, and it will automatically determine how to meet those requirements. The Kubernetes Terraform provider lets you interact with the Kubernetes API to deploy and manage workloads. Helm is a popular packaging tool for Kubernetes workloads, and you can also deploy these packages with the Helm Terraform provider.
HashiCorp Resources:
Nomad
Nomad lets you orchestrate and manage workloads such as containers, standalone binaries, and batch jobs. Nomad jobs define the entire workload to deploy to Nomad. Jobs include information about the applications to deploy, where to deploy them, how to network them, and more. To manage, update, and scale jobs, you can update your job file with the desired resources and Nomad will automatically reconcile the changes that you require.
While you can manage workloads with the Nomad CLI or API, we recommend that you use Terraform or Nomad Pack. The Nomad Terraform provider lets you manage workloads using infrastructure-as-code, just as you would with your infrastructure. You can also use Nomad Pack, a package manager and templating tool for Nomad.
HashiCorp resources:
Connect and monitor your application
Your application needs to know how to talk to other services on the network. As application architecture becomes more distributed, it can be challenging to configure and maintain communication between applications and services. As your application scales, it may be more difficult to troubleshoot issues and balance traffic to multiple instances of your services.
Consul is a networking solution that lets you securely connect your services and manage traffic..
HashiCorp resources:
If you already have existing solutions to collect and monitor metrics in your organization, Consul and many other HashiCorp tools can integrate with existing solutions. For example, if your metrics solution requires an agent to be installed on the machine your application runs on, you can use Packer to create a golden image that includes the agent, ensuring that every application that you build automatically collects and sends metrics.
HashiCorp resources:
- Manage infrastructure and service monitoring
- Monitor application health and performance with Consul proxy metrics
Integrate with your CI/CD pipeline
You can integrate each recommendation from this guide into your existing CI/CD pipeline. If you already have a solution to address some of these recommendations but are looking to improve other aspects of your application deployment strategy, each of these recommendations can be implemented individually.
HashiCorp resources:
- Automate Packer with GitHub Actions
- Automate Terraform with GitHub Actions
- Retrieving CI/CD secrets from Vault
Next steps
This guide covered the many pieces of the HashiCorp toolchain that you can use to build your application deployment strategy. You can use these suggestions to build your strategy from scratch, or pick and choose individual pieces to enhance your already existing strategy.
A well-planned strategy ensures that your organization delivers features to production safely, securely, and quickly. To learn more, refer to the following links: