Building infrastructure as code using Terraform - DevOps Krakow
4 likes2,040 views
This document provides an overview of a DevOps meetup on building infrastructure as code using Terraform. The agenda includes Terraform basics, frequent questions, and problems. The presenter then discusses Terraform modules, tools, and solutions. He addresses common questions like secrets handling and integration with other tools. Finally, he solicits questions from the audience on Terraform use cases and challenges.
Building infrastructure as code using Terraform - DevOps Krakow
- 1. Building infrastructure as code using Terraform (Q&P) DevOps Krakow meetup 17.1.2018
- 2. Agenda 1. Terraform basics 2. Frequent Terraform Questions 3. Frequent Terraform Problems 4. Your turn Any questions? I read all emails - [email protected] Follow me on twitter and github - @antonbabenko
- 3. Anton Babenko I enjoy: ● DevOps, AWS, Terraform (since 2015) ● Open-source: ○ https://github.com/terraform-aws-modules ○ https://modules.tf (work in progress) ○ https://github.com/antonbabenko - more projects ● Organise events (AWS User Group Norway, HashiCorp User Group Oslo, DevOpsDays Oslo) ● Solving problems PS: I am looking for Terraform companions to join me!
- 4. Some facts about terraform-aws-modules ● Terraform AWS modules have 450K+ downloads per month (Dec 2017) from the Terraform Registry ● Terraform AWS security group module was mostly written offline
- 6. Featuring... Write, Plan, and Create Infrastructure as Code
- 7. Terraform 101 (main.tf) provider "aws" { region = "eu-west-1" } resource "random_pet" "bucket" {} resource "aws_s3_bucket" "app" { bucket = "hi-${random_pet .bucket. id}" website { index_document = "index.html" } } data "template_file" "index" { template = "${file("index.html")}" vars { BUCKET = "${aws_s3_bucket .app.website_endpoint }" } } resource "aws_s3_bucket_object" "object" { bucket = "${aws_s3_bucket .app.id}" key = "index.html" content = "${data. template_file .index.rendered }" etag = "${md5(data. template_file .index.rendered )}" content_type = "text/html" acl = "public-read" } output "app_website_endpoint" { value = "${aws_s3_bucket .app.website_endpoint }" } index.html can access: ${BUCKET} $ terraform init $ terraform plan $ terraform apply Apply complete! Resources: 3 added, 0 changed, 0 destroyed. Outputs: app_website_endpoint = hi-feasible-basilisk.s3-website-eu-west-1.a mazonaws.com
- 9. Frequent Terraform Questions (FTQ)
- 10. So, how to get started with Terraform? 1. https://www.terraform.io/intro/getting-started/install.html 2. Get infrastructure modules from Terraform Registry. For example, AWS modules - https://registry.terraform.io/modules/terraform-aws-modules 3. Follow instructions in README.md, check examples, open issues and pull requests 4. Read a book (Getting Started with Terraform or Terraform Up & Running)
- 11. Why Terraform and not AWS CloudFormation/Azure ARM templates/Google Cloud Deployment Manager? Terraform manages 70+ providers, has easier syntax (HCL), has native support for modules and remote states, has teamwork related features. Terraform is an open-source project (670 stars on AWS provider, 10K stars on Terraform core). https://medium.com/@piotrgospodarek/cloudformation-vs-terraform-990318d6a7de https://cloudonaut.io/cloudformation-vs-terraform/ https://www.slideshare.net/AntonBabenko/continuously-delivering-infrastructure-using-terrafo rm-and-packer-training-material
- 12. What is the point of using Terraform if you’re running AWS only? Isn’t Terraform just an unnecessary abstraction, why not stick to CloudFormation? ● Terraform has easier syntax (HCL) ● Native support for modules and remote states ● Teamwork related features (eg, lock, plan to file) ● Abstractions (primitives and modules) are necessary for anything good ● Terraform Registry (check verified modules) ● Terraform is an open-source project!
- 13. What are the tools/solutions out there? ● Terraform Registry (https://registry.terraform.io/) - collection of public Terraform modules for common infrastructure configurations for any provider. I maintain verified AWS modules there. ● Thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules - https://github.com/gruntwork-io/terragrunt ● Terraform linter to detect errors that can not be detected by `terraform plan` - https://github.com/wata727/tflint ● Terraform version manager - https://github.com/kamatama41/tfenv ● A web dashboard to inspect Terraform States - https://github.com/camptocamp/terraboard ● Jsonnet - The data templating language - http://jsonnet.org ● A unified workflow for collaborating on Terraform through GitHub and GitLab - https://atlantis.run/ This list is much longer, really…
- 14. How to handle secrets in Terraform? 1. Can you accept secrets to be saved in state file in plaintext? Probably not. a. AWS IAM password & access secret keys - use PGP as keybase.io b. AWS RDS - set dummy password and change after DB is created c. AWS RDS - use iam_database_authentication_enabled = true d. EC2 instance user-data + AWS KMS e. EC2 instance user-data + AWS System Manager’s Parameter Store 2. Other options: a. Secure remote state location (S3 bucket policy, KMS key)
- 15. How to integrate Terraform with ...? ● Use outputs (human-friendly) ● Use null_resource + local-provisioner for WAF associations resource "null_resource" "auto_instructions" { triggers = { waf_acl_id = "${aws_waf_web_acl .this.id}" } provisioner "local-exec" { command = "aws waf-regional associate-web-acl --web-acl-id ${ aws_waf_web_acl .this.id} --resource-arn ${data. terraform_remote_state .alb_public.this_alb_arn }" } }
- 16. Frequent Terraform Problems (FTP)
- 17. Upgraded Terraform version, and there is a breaking bug, so I want to rollback, but I can’t because state file has been upgraded already. ● State file should be versioned (!), download previous version of state file, run “terraform state push old_version.tfstate” ● Lock terraform version, lock module and providers version (available in Terraform 0.11) ● Read upgrade guides and CHANGELOG.md files: ○ https://www.terraform.io/upgrade-guides/0-11.html ○ https://github.com/hashicorp/terraform/blob/master/CHANGELOG.md ○ https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANG ELOG.md
- 18. What is your Terraform question or problem? Hints: Testing? Versioning? Code structure? Working as a team? CI/CD? Automation? Integration with other tools? modules.tf ? Code generation? Missing tools/features? Syntax sugar (features and types of variables)? How to contribute?