TerraformMake infrastructure great again

A gopher

@advincze

https://github.com/advincze

WeltN24 & AWS

Using AWS for 1++ year

Started with an ops guy, ruby sdk, AWS cli, cloudformation,

Terraform helped adoption among non ops

What is terraform?

Declarative infrastructure Management

Better cloudformation? (code writability, open source, speed of dev, planning)

Network Setup to application deployment

Cloud / vendor agnostic

AWS first class citizen (uses directly AWS Go sdk, not CF)

Application Code vs. Infrastructure code

Imperative

Hopefully stateless

>50y

Declarative

Global state (dns, ips, s3 buckets, ssl certs)

<10y

Quick look at code

How Terraform works

State-Before

Get state

Configuration:*.tf files

Get config Validate config

Config errors

Calculate Diff (graph) Execute plan Write new State

State After

Exec errorsOutput plan

Three states

configuration Terraform state Real world

UI

Commands: plan, apply, destroy

Dev workflow : click, click-delete, read docs (similar to CF), write code, plan, apply, destroy, fmt !

- Input/Output: Variables

- Interpolation

- Strings, functions

demo

Default VPC

EC2 instanceSecurity group CNAME: demo1.mob.welt.de

code

- File names don’t matter: *.tf

- Interpolation + var maps to switch regions easily (genesis example)

- Tag the resources

state

- What terraform knows about the real world

- Validated before application

- Used for planning (to create and ! to destroy)

Remote

- Store remote in artifactory, Atlas, Consul, S3, HTTP, etcd, swift (openstack)

- Easy to forget to configure (gist: terraformw)

- From relative filepath or e.g. github

- enable shared, reusable components

- Abstraction (!) for service developers

- Examples: ECS cluster, private_nets, public_nets

Modules - teams share code

Real Life demo

VPC

Public subnet

Internet gateway

Public subnet

Internet gateway

routingrouting

VPC

Public subnet

Internet gateway

Public subnet

Internet gateway

routingrouting

ECS instance

ECS cluster

SGECS instance

IAM

SG

VPC

Public subnet

Internet gateway

Public subnet

Internet gateway

routingrouting

ECS instance

ECS cluster

SGECS instance

IAM

SG ECR repository

APP image

VPC

Public subnet

Internet gateway

Public subnet

Internet gateway

routingrouting

ECS instance

ECS cluster

SGECS instance

IAM

SG ECR repository

APP imageECS task ECS task

ECS service

ELB

CNAME: demo2.mob.welt.de

SSL

State dependencies

State VPC

State ECS

State ECR

State App

vpc.tf ecs.tf ecr.tf app.tf

- Input/Output in separate files

- Resource names: the resource type is part of the name

Best practices - code

- For production, use remote state only

- Separate repos/states for big logical parts (how often do you change this? Who contributes?)

- Central components

- Shared components, services

- Service individual infrastructure

- Service deployment

- This is not Free !

- For dependent state, commit and execute intermediate steps with added resources

- Create script to not forget remote config until https://github.com/hashicorp/terraform/issues/4546 is solved

Best practices - state

- Start with (repo) local modules and

- move them into separate repo if used elsewhere + mature

- Use ID prefix for module resources to avoid problems

- Practice: create + destroy all every day

- Don’t apply locally (only plan) - Centralize plan+apply

- Pin module versions

Best practices - modules

- Terraform is Production ready

- It can be used with your existing setup

- Extendable with custom plugins - standard lifecycle CRUD

- Main benefits: easy installation,ease of use, readable code, fast dev cycle, open source - often quicker than CF

- Drawback: no rollbacks

- helps devOps culture

- Written in go, you should learn go.

summary

Thanks, questions?

@advincze