DevOps Fest 2019. Сергей Марченко. Terraform: a novel about modules, providers, security, and pain
At Dev-Pro, DevOps engineers work with Terraform on Azure. The team manages many environments and resources, among them AKS (Kubernetes). Sergii shares his experience of successfully writing modules and providers for Terraform.
Slide 1: Terraform
Make some simple, readable, reusable code and don't commit suicide.
A novel about modules, providers, security, and pain.
April 6, 2019

Slide 2: Who am I?
Sergii Marchenko
Head of IT at Dev-Pro
More than 10 years in IT
Loves Terraform, and PowerShell :))
Knows a bit about DevOps
Thinks he can write some code in Go
Email: sergii.marchenko@dev-pro.net
Skype: dev-pro.sergii.marchenko

Slide 3: Good

Slide 4: TF is good
● Well documented (code is a configuration guideline)
● Clear change management (version control)
● Reusable (dev, stg, prod)
● Not only for a small team, works for 10+ DevOps
● The best way to implement the immutable infrastructure approach
● Fast (hey, Ansible)

Slide 5: Reusable
● Test
● Dev
● QA
● Automation
  ○ AQA development
  ○ Integration tests
  ○ Performance tests
● Demo
● Staging
● Prod

Slide 6: Modules
1. DRY
2. Reusable
3. Versioning and smooth updates
4. Rollback is more or less simple
5. You see all changes

Slide 7: Bad

Slide 8: The state file
1. Security
2. More security!!!
3. Backups of the state file

Slide 9: What if I already have some envs?
1. Import does NOT generate TF code
2. If your setup is complicated (local-exec, API provider) you can NOT import it

Slide 10: The "if" in TF is a joke
CONDITION ? TRUEVAL : FALSEVAL

resource "aws_instance" "web" {
  subnet = "${var.env == "production" ? var.prod_subnet : var.dev_subnet}"
}

What if I have Dev, QA, Stg, Prod?
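A map lookup scales to Dev, QA, Stg and Prod without nesting ternaries. This is an added example in Terraform 0.11 syntax (the version the slides use), not code from the talk; the variable names and the placeholder subnet and AMI IDs are assumptions.

```hcl
# Added example (not from the talk). Terraform 0.11 syntax, as on the slides.
variable "env" {
  description = "Target environment: dev, qa, stg or prod"
}

variable "subnets" {
  type = "map"

  # Constructed placeholder IDs; real values differ per environment.
  default = {
    dev  = "subnet-dev-placeholder"
    qa   = "subnet-qa-placeholder"
    stg  = "subnet-stg-placeholder"
    prod = "subnet-prod-placeholder"
  }
}

resource "aws_instance" "web" {
  ami           = "ami-placeholder"
  instance_type = "t2.micro"

  # lookup() is used without a default on purpose: an env name that is not in
  # the map fails at plan time instead of silently landing in the wrong subnet.
  subnet_id = "${lookup(var.subnets, var.env)}"
}
```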
Slide 11: Sometimes it's hard to understand

resource "aws_eip" "example" {
  count    = "${var.create_eip}"
  instance = "${aws_instance.example.id}"
}

resource "aws_route53_record" "example" {
  count   = "${1 - var.create_eip}"
  zone_id = "A1B2CDEF3GH4IJ"
  name    = "foo.example.com"
  type    = "A"
  ttl     = 300
  records = ["${aws_instance.example.public_ip}"]
}

Slide 12: Or this one

depends_on = ["azurerm_network_security_group.AKS-security-group"]
depends_on = ["azurerm_subnet.AKS-subnet"]

Slide 13: Backend
Interpolation is NOT supported.

terraform {
  backend "s3" {
    bucket = "${var.env_name}-state"
    key    = "state.tfstate"
  }
}

"Our current recommendation is to treat Terraform -- and thus the Terraform states -- as something "outside" the environments they manage, rather than as part of the environment."

Slide 14: Count in modules

module "my-awesome-app" {
  source = "../my-module"
  name   = "Prod-VM"
  count  = 2
}

Count does NOT work in modules.
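Terraform 0.11 rejects count on the module block itself (module-level count only arrived in Terraform 0.13), but the module can accept an instance count and apply it to its own resources. Added example, not from the talk; the two files are shown in one block with comment separators, and the variable names and AMI value are assumptions.

```hcl
# Added example (not from the talk). Terraform 0.11 syntax.

# --- ../my-module/main.tf (module path taken from the slide) ---
variable "name" {}

variable "instance_count" {
  description = "How many instances the module creates"
  default     = 1
}

resource "aws_instance" "vm" {
  count         = "${var.instance_count}"
  ami           = "ami-placeholder"
  instance_type = "t2.micro"

  tags {
    Name = "${var.name}-${count.index + 1}"
  }
}

# Splat output so the caller can reference every instance the module created.
output "ids" {
  value = ["${aws_instance.vm.*.id}"]
}

# --- root module: the count moves from the module block into a variable ---
module "my-awesome-app" {
  source         = "../my-module"
  name           = "Prod-VM"
  instance_count = 2
}
```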
Slide 15: Acceptance

Slide 16: Why?
1. In most cases it is easy to understand
2. Fast (hi, Ansible)
3. Declarative
4. Count
5. Modules, modules, modules

Slide 17: Our vision

Slide 18: No manual actions!
1. No manual actions
2. No, you can't create a tiny resource manually
3. Yes, it matters
4. No, there are no exceptions to the rule
5. Yes, local-exec is better than manual actions

Slide 19: Use Hashi Vault for secrets
1. Integration with AD (SSO)
2. Vault provider out of the box
3. RBAC is flexible
4. Supports interpolation in secret path

Slide 20: Use Hashi Vault instead of remote backend
1. Supports interpolation in secret path
2. Can save and get required data in a secure way

Slide 21: Use Hashi Vault instead of remote backend

Slide 22: Use Hashi Vault instead of remote backend

resource "vault_generic_secret" "AKS_Ingress_IP" {
  path = "${var.hashivault_root_path}/Global/AKS/${var.cluster_name}/Ingress"

  data_json = <<EOT
{
  "ingress_public_ip": "${data.kubernetes_service.k8s_cluster.load_balancer_ingress.0.ip}"
}
EOT
}

data "vault_generic_secret" "AKS_Ingress_IP" {
  path = "${var.hashivault_root_path}/Global/AKS/${var.cluster_name}/Ingress"
}

Slide 23: Keys structure

Slide 24: Keys structure

Slide 25: Keys structure

Slide 26: How to store states
1. Storage account with firewall rules and VPN (+MFA)
2. We have to rotate access keys (one by one)
3. Different storage accounts for different ENVs
4. Go wrapper. We call it init.
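One way to keep a separate storage account per environment with plain terraform init, added here as an example and not the talk's Go wrapper: the committed backend block carries no account name or key (interpolation is not allowed there anyway), each environment gets its own partial-config file, and the access key arrives through the ARM_ACCESS_KEY environment variable, pulled from Vault, instead of from any file in git. The storage account, container and Vault path names are placeholders.

```hcl
# Added example (not the talk's init wrapper). Terraform 0.11 azurerm backend.

# backend.tf -- committed. Holds only the values identical for every
# environment; nothing here identifies a storage account or a key.
terraform {
  backend "azurerm" {
    key = "state.tfstate"
  }
}

# envs/prod.backend -- one partial-config file per environment, each pointing
# at its own storage account (placeholder names). Committed; contains no secret.
#
#   storage_account_name = "tfstateprod-placeholder"
#   container_name       = "tfstate"
#
# Shell session for prod. The access key is read from Vault into the process
# environment (placeholder Vault path), so it never touches disk or git:
#
#   export ARM_ACCESS_KEY="$(vault kv get -field=access_key secret/tfstate/prod)"
#   terraform init -reconfigure -backend-config=envs/prod.backend
#
# -reconfigure makes init re-select the backend when switching environments,
# so a prod run cannot inherit the dev storage account cached in .terraform/.
# Rotating the key (slide 26, point 2) then only means updating Vault.
```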
Slide 27: Git structure, file structures
Demo

Slide 28: Pull requests
1. 1-2 people who can review and approve a PR
2. Pull request validation

Slide 29: Validate pull requests

Slide 30: Terraform tests
1. Use the QA automation team
2. If you don't have one, terratest works as well

Slide 31: Terraform is about immutable infrastructure
1. PaaS services
2. Deploy containers or images
3. If you have to run remote-exec, use Ansible :)

Slide 32: TIPS

Slide 33: TF tips
BAD

depends_on = ["azurerm_network_security_group.AKS-security-group"]
depends_on = ["azurerm_subnet.AKS-subnet"]

GOOD

depends_on = ["azurerm_network_security_group.AKS-security-group","azurerm_subnet.AKS-subnet"]

THE BEST

depends_on = [
  "azurerm_network_security_group.AKS-security-group",
  "azurerm_subnet.AKS-subnet"
]

Slide 34: If you don't have a required provider, use restapi

provider "restapi" {
  uri                   = "https://api.sendgrid.com"
  username              = "securrency_test"
  password              = "**************"
  debug                 = true
  id_attribute          = "api_key_id"
  create_returns_object = true
}

resource "restapi_object" "sgkey" {
  path = "/v3/api_keys"
  # The JSON body is one HCL string, so the inner quotes must be escaped.
  data = "{ \"name\": \"Dev-Pro Test Terraform API key creation\", \"scopes\": [\"alerts.read\"] }"
}

https://github.com/Mastercard/terraform-provider-restapi
Slide 35: Or just write your own
Yes, just write it.
https://www.terraform.io/docs/extend/writing-custom-providers.html

Slide 36: How to write a provider

func resourceServer() *schema.Resource {
	return &schema.Resource{
		Create: resourceServerCreate,
		Read:   resourceServerRead,
		Update: resourceServerUpdate,
		Delete: resourceServerDelete,

		Schema: map[string]*schema.Schema{
			"address": &schema.Schema{
				Type:     schema.TypeString,
				Required: true,
			},
		},
	}
}

Slide 37: API requests

Slide 38: Q/A