Mastering Terraform and the Provider for OCI

Mastering Terraform and
the OCI provider
#OracleCode AND @gregoryguillou

Agenda
Mastering Terraform with OCI
● Introduction
● Terraform fundamentals
● Terraform OCI provider
● Coding and good practices
● Summary

@gregoryguillou
gregoryguillou
Ops with an angle

● Self-service and Chatops
● Elasticity: Training, dev, test
● International deployment
● Ability to invest to add value
● Time to Market
● Impact on all our teams
● Number of environments
● Mission critical “Ops”

Why Ops also live for the code?
● We need monitoring, CI/CD, AB testing, DRP
● We need to move faster and faster
● People should not need us!
● Let’s stop building from the ground
● Focus on products and businesses, not infrastructure
● Ops are deadly alive!

Terraform Key concepts - https://terraform.io
● Infrastructure as Code
● A go application
● HCL/JSON with an inference syntax
● Immutable Infrastructure
● State management
● Dozens of providers, including OCI
● GIT and Registry
● Open-source and enterprise versions

Installing Terraform for OCI (master)
● Download the software from terraform.io
● Install terraform OCI provider
● Install the OCI Command Line Interface
● Create a RSA key and register it in your API Keys
● Defines your OCI CLI configuration
● Create a provider.tf file and set the associated variables
● Initialize the project with the `init` command
● Define resources and `apply` them

OCI Terraform resource overview
● Core: Images, Instances, Volumes, VCN, Security List,
Subnets...
● Database
● DNS: Records, Zones
● File Storage
● Identity: Keys, Groups, Policies, Users
● Load Balancer
● Object Storage Checkout the documentation

A few coding good practices
● Create a specific compartment (master)
● Manage your state on a bucket (02-demo)
● Variables, inferences and dependencies (03-demo)
● Modules (04-demo)
● Packer (05-demo)
● dynamicgroups and OCI_CLI_AUTH (06-demo)
● Use other providers (07-demo)
● An easy (and bad) way to manage secrets (08-demo)

Create a specific compartment (master)
● Use OCI CLI to create a compartment
● Add it to the .env file and with variables Checkout 01-install.md
oci iam compartment create
--compartment-id="${TF_VAR_tenancy}"
--name="DevTeam"
--description="A compartiment to be used by developers"
--wait-for-state=ACTIVE
--max-wait-seconds=300
--wait-interval-seconds 5

Manage your state on a bucket (02-demo)
● Create a bucket
● Upload the current state as an object in that bucket
● Create a pre-authenticated request for that object
● Test you can access the file from the request
● Add a backend.tf file that reference the preauth request
● Re-initialize terraform with the backend
● Verify you can access the remote state
Checkout 02-remote-state.md

Variables, inferences and dependencies (03-demo)
● Add access to the `compartment` variable
● Create a variable with a default value
● Infer variable value from another variable with `lookup`
● Create a VCN, DCHP Options and an Internet Gateway
● Create multiple resource and inferences with `count`
Checkout 03-inferences.md

Modules (04-demo)
● Create a directory to move the resource for your module
● Remove the resource from your original stack
● Create variable and output to encapsulate your logic
● Use `terraform init` to reference the new module
Checkout 04-modules.md
module "livecode" {
tenancy = "${var.tenancy}"
compartment = "${var.compartment}"
source = "github.com/gregoryguillou/oci-workshop?ref=04-demo//modules/public-network"
}

Packer (05-demo)
● Installing Packer
● Finding the latest Oracle Linux Image
● Subnet and Compartment
● Building an OCI image with Packer
Checkout 05-packer.md
packer build -var "subnet=$SUBNET"
-var "compartment=$TF_VAR_compartment"
template.json

dynamicgroups and OCI_CLI_AUTH (06-demo)
● Deploy a dynamic group and its policy
● Access the remote instance from SSH
● Use the metadata API to figure out the compartment
● Use the OCI CLI without any credentials
Checkout 06-dynamicgroups.md
export OCI_CLI_AUTH=instance_principal
oci os bucket list --compartment-id=$COMPARTMENT
--query='data[].{bucket: name}' --output=table

Use other providers (07-demo)
● There are a lot of useful providers, including random, null,
http, external, template or terraform_remote, for instance:
● You can use many more: kubernetes, consul, vault...
Checkout 07-other-providers.md
data "external" "version" {
program = ["${path.module}/version.sh"]
query = {
workspace = "${terraform.workspace}"
}
}
output "oci-workshop" {
value = "${lookup(data.external.version.result, "oci-workshop")}"
}

An easy and bad way to manage secrets (08-demo)
● Rely on Hashicorp Vault for a best configuration:
○ Automatic password rotation
○ Access token expiration
○ Emergency process
● An easy way to manage secrets is to store them in a
bucket:
○ Easy to push/pull new values
○ Dynamic Groups make it easy to get back from an instance
Checkout 08-secrets.md

Destroy your stack (08-demo)
Checkout 08-secrets.md
oci os object delete
--bucket-name=ftclnpb3wrytejru.resetlogs.com
--name=/configuration/secret/secret.json
--force
terraform destroy
…
● Destroy the stack as part of the last part:

Random thoughts
● KISS and DRY
○ Use as few external tools as possible
○ Avoid provisioners and null_resource
● Add +1 to tag support for Terraform OCI provider #400
● Add +1 to support the container registry and OKE
● Don’t use terraform for Windows
● Rely on LetsEncrypt/DNS to generate SSL certificates
● Use Kubernetes (OKE) and a CI/CD for your application
● Implement Chatops and self-service

Summary
● Terraform is easy to use, quick to learn and popular
● OCI is a powerful and fast infrastructure
● The terraform-provider-oci leverage both OCI and TF
● The workshop explores many aspects: configuration,
compartment, state, inference, modules, templates,
dynamic groups, providers…
● Try the oci-workshop, provide feedback and open issues
● OCI gets more advanced tools like DCS, OKE

gregoryguillou/terraform-api
gregoryguillou/hubot-terraform
Another demo: terraform from slack...

Thank you !!!
We are hiring...

Mastering Terraform and the Provider for OCI

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Mastering Terraform and the Provider for OCI

Similar to Mastering Terraform and the Provider for OCI (20)

Recently uploaded

Recently uploaded (20)

Mastering Terraform and the Provider for OCI