20170831 - Greg Palmier: Terraform & AWS at Tempus
- 1. Terraform and AWS at Tempus
- 2. What is Terraform? • Collection of DSLs for the AWS API
- 3. DRYing Terraform • App Specific things - Plugins for Blueprints • “Blueprints” - Iterate over modules • Modules
- 4. Network Blueprint / Module • VPCs (Scenario 2) • Public/Private • Multi-Zone • Peering • MGMT (bastion, proxy)
- 7. VPC Module
- 8. App Stack Overview • Module / Blueprints • CloudFront -> S3 • AutoScaling Groups • Instances • ELB • RDS • Security Groups
- 9. Shared Data • Certs • SSH Public Keys • VPC Data
- 10. App Deploy • File = Just a bunch of bash • Every app uses the same module for Deploying
- 11. Instance Cloud-init • Write Docker-compose (user data) • Auth with ECR • docker-compose -f thatfile.yml -d • Healthcheck = Success
- 12. RDS -> S3 • There should be an ingress rule here too • “I’m going to open this up to the pub real quick”
- 13. Common Utils • Common VPC Peered to all other “App” VPCs • Output Security Info, CIDRs, etc (sick of IPV4 stuff yet?) • Jenkins (workers in specific SGs) • Log Shipping
- 14. IAM • Users (Devs and Machine Users) • Groups / Products • Roles & Policies • Controlling Dev and Machine access to Specific ENVs
- 15. CloudFront • CDNs with Bucket origins • Static Assets are Deployed to Buckets • Certs are pushed out to CDNs through Cert Manager • CORS policies
- 16. Deploying • Jenkins - Builds Container off Merges, Runs TF code (Jenkinsfile) • Docker Compose • Glue for extraneous TF things • Gem - GitHub -> AWS SDK -> Terraform
- 17. Monitoring • Cloudwatch -> SNS -> Pagerduty • Cloudwatch -> ASGs -> scaling and rolling instances
- 18. One-off Scaffolding • Stateful Instances (<5%) • Everything “around” the instance is in TF and we plug in an AMI
- 19. Globals and API Region Support
- 20. Results • The more we control, the less configuration drift there is • Output and Import all the things; tight grasp on ACLs • Deploy times ~ 5 Minutes • Build Time ~5 Minutes
- 21. Questions