Introduction to Scalr IaCP

What is IaCP?

Scalr IaC Platform is a remote backend for Terraform that helps your organization adopt Terraform and DevOps practices at scale. It does so by:

  • Centralizing state files and ensuring safe concurrent access to them

  • Tracking all provisioned resources and the dependencies between them

  • Using Open Policy Agent to ensure a compliant and automated infrastructure as code workflow

  • Forecasting costs prior to deployments

  • Making it easy to deploy infrastructure through a template registry based on Terraform templates

  • Implementing multi-tenancy, allowing multiple organizations to create and maintain their own workflows while adhering to enterprise standards

Concepts and Terminology

Remote Backend Advantages

The Scalr remote state and operations backend has 3 modes of use, all of which benefit from the same advantages over Terraform open source.

| Advantage | Description |
| --- | --- |
| Centrally managed state with locking | State is stored in the IaCP. Collaboration is easy and locking ensures consistency. You can also share state across workspaces, allowing new deployments to reference outputs from other workspaces. |
| Deployment Policies | Automatic governance checks using Open Policy Agent (OPA) policies written as code and stored in VCS alongside your Terraform templates. Policies are written and configured by administrators and applied to all Terraform runs in all modes of use. |
| Access Controls | Centrally defined access controls ensuring only authorised personnel and systems can apply changes to infrastructure. |
| Centralized Auditing | All deployments (applies) are tracked in one place to allow easy auditing of who did what and when. |
| Cost Estimation | Every plan includes cost estimation to show the new or adjusted monthly cost for each individual resource that will be deployed. Cost data is also available to the OPA policies so you can set limits on allowed costs. |
| Drift Detection | Automated detection and detailed reporting on changes of state in deployed infrastructure. Future releases will allow automation of repairs. |
| CLI/API support | Continue to work with the Terraform CLI and API as you always have done, but through Scalr so you benefit from many of the advantages above. |


VCS Providers

VCS (Version Control System) Providers are the mechanism for registering credentials of source code repositories in Scalr. The template registry and workspaces in Scalr environments are linked to a specific repository in a VCS Provider, and the Terraform templates are pulled into Scalr from the repo for execution. A VCS provider configuration holds only the access credentials. Each VCS provider configuration can potentially provide access to multiple Terraform template repositories, as specified in either the template registry or the workspace configuration.

Currently supported VCSs:

  • GitHub SaaS

  • GitHub Enterprise

  • GitLab SaaS

  • GitLab CE/EE

  • Azure DevOps Services

  • Bitbucket Cloud

Where next : VCS Integration


Workspaces

A workspace in Scalr environments is analogous to a Terraform workspace. A workspace is where a Terraform template will run and will provide configuration information, visibility of deployed resources, details of all runs, variable configuration and drift management.

Workspaces are created in 3 different ways.

  1. Created manually and linked to a repository in a VCS Provider to provide DevOps automation (PR checks and automated deployment for CI/CD).

  2. Created from the Template Registry.

  3. Created by terraform init as a remote backend for CLI driven runs.

Where next : Workspace Management


Open Policy Agent

Scalr includes the definition of Open Policy Agent (OPA) policies to enforce governance across all deployments. The policies are applied to ALL runs taking place in every Scalr workspace, regardless of where they are triggered from. This ensures deployments meet all required business policies. It also applies to dry runs triggered from VCS, so PR checks will fail if the template violates policy.

OPA policies are widely used across a variety of platforms, such as Kubernetes and Jenkins, so by utilising OPA you can create a central repository of consistently implemented policy definitions for your entire cloud ecosystem. Policies for Terraform can be written to apply to any resource being deployed and any aspect of the run time environment and workspace configuration.

In Scalr, OPA policies are stored in VCS repositories so they can sit alongside your IaC and be managed and deployed through standard DevOps workflows, such as CI/CD.
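
A policy of the kind described above, as an added example that is not taken from Scalr's documentation or policy library: it denies disallowed instance types and runs over a monthly cost limit. The input paths (input.tfplan, input.tfrun.cost_estimate.proposed_monthly_cost), the Rego v1 syntax, the allow-list and the limit are assumptions.

```rego
# Added example; not Scalr's own policy code.
# Assumed input layout: Terraform plan JSON under input.tfplan, cost estimate
# under input.tfrun.cost_estimate.proposed_monthly_cost. Limits are constructed.
package terraform

import rego.v1

allowed_instance_types := {"t3.micro", "t3.small", "t3.medium"}

monthly_cost_limit := 500

# Resources the plan will create or update (a replace contains "create").
changed_resources contains rc if {
	some rc in input.tfplan.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Deny EC2 instances whose type is outside the allow-list.
deny contains reason if {
	some rc in changed_resources
	rc.type == "aws_instance"
	instance_type := rc.change.after.instance_type
	not instance_type in allowed_instance_types
	reason := sprintf("%s: instance type %q is not allowed", [rc.address, instance_type])
}

# Values only known at apply time are absent from change.after, so deny
# them too; otherwise a computed value would slip past the allow-list.
deny contains reason if {
	some rc in changed_resources
	rc.type == "aws_instance"
	not rc.change.after.instance_type
	reason := sprintf("%s: instance type is unknown at plan time", [rc.address])
}

# Deny runs whose estimated monthly cost exceeds the limit.
deny contains reason if {
	cost := input.tfrun.cost_estimate.proposed_monthly_cost
	cost > monthly_cost_limit
	reason := sprintf("estimated monthly cost %v exceeds limit %v", [cost, monthly_cost_limit])
}

# Fail closed when the cost estimate is missing from the input.
deny contains "cost estimate missing; cost limit cannot be enforced" if {
	not input.tfrun.cost_estimate.proposed_monthly_cost
}
```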

Policy Impact Analysis

Scalr provides the capability to “dry run” your policies in order to see the future impact of policy changes and identify non-compliant deployments. Scalr can automatically track pull requests in the policy repository and provide rapid visual analysis of the impact.

Where next : Open Policy Agent (OPA)


Remote Backend Configuration

The Scalr remote state and operations backend stores state centrally and executes Terraform runs. Your templates and working environment can quickly be configured to work with the Scalr remote backend.

  1. Get an API token from Scalr and configure the Terraform client.

    # Goes in the Terraform CLI configuration file
    # (~/.terraformrc on Unix, %APPDATA%\terraform.rc on Windows)
    credentials "my.scalr.com" {
      token = "<user-token>"
    }

  2. Configure your template to use the Scalr remote backend.

    terraform {
      backend "remote" {
        hostname     = "my.scalr.com"
        organization = "<organization-id of environment>"
        workspaces {
          name = "<workspace-name>"
        }
      }
    }

Where next : Guide : CLI driven runs with IaCP


Module Registry

Scalr IaCP provides a hierarchical module registry that allows registration of Terraform modules at all scopes in Scalr for automatic sharing to lower scopes.

Modules in the registry are automatically pulled into workspaces where they are needed and the registration process automatically creates internal references to the module to be used in the template.

Template Registry

The Scalr template registry allows DevOps to publish Terraform templates in order to provide end users with a streamlined capability to create workspaces. A template registration is a link to a specific repository, branch and optional sub-directory within a VCS provider.

Terraform input variables in the template will automatically create user prompts in the UI when a user requests a deployment. The Terraform variables can be bound to Scalr policy and Scalr global variables in order to provide governance and control of allowed input values, such as restrictions on cloud deployment parameters (Location, Instance type etc), and to offer input drop down lists.

Template registrations can be configured to be automatically updated when new code versions are committed to the associated repository, thus enabling the final step in complete CI/CD pipelines that publishes templates to end users.

Where next : Guide : Self service with Terraform


Drift Detection

Scalr workspaces include automatic drift detection. You can configure your workspace to run terraform plan periodically and Scalr will provide clear and detailed views of any variance between the actual and desired state of your resources. This allows you to quickly detect and rectify anomalies.

Multi Tenancy

Scalr’s flexible multi-tenancy model enables any organizational model to be implemented easily and securely. Scalr supports multiple identity providers (great for MSPs) and provides complete isolation of teams, environments and resources to allow independent implementation of policy and access controls to suit the varying requirements of different business units and customers.

This model allows secure configuration and integration of provider credentials, and the highly granular IAM system provides fine-grained control of access to Scalr functionality.

Where next : Accounts


Using IaCP

There are three distinct methods for utilising IaCP for all aspects of deploying infrastructure through Terraform. Terraform templates can be run through IaCP using any of these methods without any modification. This includes the following capabilities.

Self service

Self service for deployment and operations based on Terraform templates

DevOps automation

Workspaces tied to templates in a VCS for DevOps workflows

  • Automated Deployments (CI/CD)

  • Dry runs triggered by PRs and commits in linked VCS repos

CLI driven runs

CLI/API driven runs with the Scalr IaC Platform remote backend for DevOps
