Better Practices when Using Terraform to Manage Oracle Cloud Infrastructure

Copyright © 2019, eProseed and/or its affiliates. All rights reserved.
BEST PRACTICES WHEN USING
TERRAFORM TO MANAGE ORACLE
CLOUD INFRASTRUCTURE
Simon Haslam
eProseed

ABOUT ME
2
Simon Haslam
• Platform / Infrastructure
Architect
• Focus includes HA, DR,
security, automation
Relevant to this session
• WebLogic / FMW installations
since 2000s
• First research/webcast on JCS
in 2016
• Designed & built SOA CS
integration platform for global
use since Oct 2017
• On team migrating eProseed
Lux data centres to OCI@simon_haslam
since
2009

ABOUT EPROSEED?
3
Oracle ACE
Directors

DISCLAIMER
What is are “best practices” anyway…? ☺
4

Copyright © 2019, eProseed and/or its affiliates. All rights reserved.5
➢ Why automate OCI provisioning?
➢ Real-world Terraform OCI examples
➢ Terraform ‘better practices’
➢ A few more tips ☺
AGENDA

AGENDA

WHY AUTOMATE OCI PROVISIONING?
7

PAAS PROVISIONING
8

PAAS PROVISIONING
9
Terraform provides an abstraction layer above OCI’s REST APIs

TERRAFORM’S PURPOSE
“Terraform is a tool for building, changing and versioning
infrastructure safely and efficiently”
10
Cloud-agnostic
but not generic
(each cloud has own
providers)

BOUNDARIES
12
resourcesPROVISIONING
This provisions resources
& optionally calls
“provisioner”
e.g.
network
VM instance
PaaS instance
VM images might be
Oracle supplied plain
ones, Oracle-supplied
PaaS ones, or your own
(e.g. from Packer),
Maintains state of infra
Optional
Provisioner
CONFIGURATION
MANAGEMENT
This configures
resources
e.g.
TLS certificates & identity
CM self-registration
Maintains internal state of
resources (instances)

TERRAFORM PROVIDERS
• A provider tells Terraform how to build and manage one or many resource types
• Providers are supplied by Hashicorp, a resource provider (like Oracle), or 3rd
party/community
13

MORE ABOUT TERRAFORM PROVIDERS
• Providers are either:
– Integrated: downloaded by Terraform when needed
– Non-integrated: install from 3rd party or write your own
• 3 Oracle-developed providers available:
14
oci oracle
paas
opc
More about these in a minute..These 3 Oracle providers are all
now integrated into TF
X X

oci
oracle
paas
opc
almost
legacy
legacy

OCI PROVIDER
Infrastructure & OCI-native PaaS
https://www.terraform.io/docs/providers/oci/index.html
16
Lots of resources
- examples:

AGENDA

GETTING STARTED
• You need a host to run Terraform from
– could be your PC, a cloud instance, or build server
• Oracle Linux 7 example:
sudo yum install -y terraform
• Create/reuse .tf config files & set up .tfvars for your account/env
• The .tf files need to have one or more providers specified
18
terraform init
terraform plan
terraform apply
…terraform destroy

DEMO

BIG PICTURE EXAMPLE
20
DRG
Dynamic
Routing
Gateway
On-prem
Another
VCN
Another
cloud
admin

AGENDA

1. IT’S NEVER TOO EARLY TO START TERRAFORM
• Using the OCI consoles can be time consuming
• Cumulative effect
• You want to experiment as much as possible
• Exception:
Compartment creation: slow, leaves trail don’t
(re)create compartments often
22

2. USE SOURCE CODE CONTROL
• Infrastructure as Code… naturally you want to version it
– You probably can’t go back far but you can see who changed what & when
• Use git
– De-facto SCM these days
• Don’t use branches
– Or if you do, have branches for different environments (e.g. Puppet model)
23

3. STORE YOUR .TFSTATE CENTRALLY
• OCI Object storage (simple), or,
• terraform.io service (more advanced)
24

4. USE TERRAFORM 0.12
• Language updates from 0.11 to 0.12
• There’s an auto upgrade from 0.11 to 0.12 but I found a
couple of things broke
https://www.terraform.io/upgrade-guides/0-12.html
25

5. STRUCTURE MULTIPLE TF CONFIGURATIONS
• You only want one person at a time making changes in same area
• Probably best to have TF by top-level compartment plus one
global
• Depends on organisation structure
26

6. DON’T USE -AUTO-APPROVE
• This is my opinion of a best practice ☺
• -auto-approve means an apply makes changes without prompting
• You get into habit of up-up-return… errors can easily happen
(once, twice,…)
• Exception: use -auto-approve on CI server ☺
27

7. DECIDE WHEN TO USE TF & WHEN NOT
• Terraform:
– Its strength is converged state – use it often but for few changes
– State convergence sophistication is up to the provider developer
• Update OCI Instance hostname - good
• Update OCI Database Service PDB name – not so good
– Use for static deployments – compartments, networks, load balancers etc
• Ansible
– Can manage state but often run in fire & forget mode
– Fire & forget is more aligned to traditional change processes
– You need a tool to customise most PaaS instances anyway
– Use for most types of instances
28

8. UPDATE YOUR OCI PROVIDER REGULARLY
• Terraform Provider for OCI changes in 2 ways:
– New features & bug fixes
– Changes to OCI REST APIs
• You may be forced to update it in a hurry otherwise
29

9. USE A MODERN EDITOR + TF PLUG-IN
Extension available for
Microsoft VS Code editor
30

10. SUBSCRIBE TO TERRAFORM-PROVIDER-OCI ISSUES
31

TERRAFORM FOR OCI – BETTER PRACTICES
1. Start with Terraform early, really early, on your OCI journey
2. Use Git, but one branch (or one per env for separate TF state)
3. Store your .tfstate centrally (e.g. in OCI object storage bucket)
4. Use Terraform 0.12, especially if starting from scratch
5. Structure multiple TF configurations, probably by compartment
6. Don’t use -auto-approve (except from CI server)
7. Decide when to use TF & when not
8. Update your OCI provider regularly (you may be forced to in a hurry otherwise)
9. Use a modern editor (like VS Code) + TF plug-in
10. Subscribe to terraform-provider-oci issues33

AGENDA

A FEW MORE TIPS
• Watch your costs! This is cloud after all…
• Environment variables
• TF modules are very handy for scaling number of instances
35

ENVIRONMENT VARIABLES FOR DIFFERENT TENANCIES
36
From OCI provider doc:
https://www.terraform.io/docs/providers/oci/index.html

TERRAFORM MODULES
Our example use case
• Lots of identical compute instances needed for on-prem
provisioning automation
• 3 different types of modules:
– Fusion Middleware
– Database
– Provisioning Server
• All VMs identical for module type – pick how many you
want
• But YMMV - there may be a better way than this for you ☺
37

TERRAFORM FOR OCI – BETTER PRACTICES
1. Start with Terraform early, really early, on your OCI journey
2. Use Git, but one branch (or one per env for separate TF state)
3. Store your .tfstate centrally (e.g. in OCI object storage bucket)
4. Use Terraform 0.12, especially if starting from scratch
5. Structure multiple TF configurations, probably by compartment
6. Don’t use -auto-approve (except from CI server)
7. Decide when to use TF & when not
8. Update your OCI provider regularly (you may be forced to in a hurry otherwise)
9. Use a modern editor (like VS Code) + TF plug-in
10. Subscribe to terraform-provider-oci issues38

ORACLE EXAMPLES
• https://github.com/oracle/terraform-examples
Starting point for some cases – reasonable activity (91 commits)
• https://oracle.rainfocus.com/widget/oracle/oow18/catalogoow18?search=HOL6376
39
Start here!
Probably takes
1-3h

HANDS-ON-LAB TIP
Trial account does not have sufficient compute resources to run the HOL:
=> Raise an SR to get this increased, e.g. to 10 for 2.1 shape (change shape in .tf config):
40Paid for accounts have default limit of 40 per AD for small VMs
https://docs.cloud.oracle.com/iaas/Content/General/Concepts/servicelimits.htm

@simon_haslam
Q
&
A

Mobile Process /
Integration
Analytics /
Big Data
Database /
Data
Management
Identity &
Access
Management
Oracle Cloud
eProseed Confidential42

Better Practices when Using Terraform to Manage Oracle Cloud Infrastructure

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Better Practices when Using Terraform to Manage Oracle Cloud Infrastructure

Similar to Better Practices when Using Terraform to Manage Oracle Cloud Infrastructure (20)

More from Simon Haslam

More from Simon Haslam (20)

Recently uploaded

Recently uploaded (20)

Better Practices when Using Terraform to Manage Oracle Cloud Infrastructure