Derek C. Ashmore gave a presentation on managing AWS infrastructure using Terraform. He began with an introduction and discussed Terraform basics like resources, data sources, providers and variables. He then compared Terraform to other tools like Ansible, Chef and CloudFormation. Finally, he covered using Terraform for teams, including managing state and features of Terraform Enterprise for collaboration and security. The presentation provided an overview of deploying and managing cloud infrastructure with Terraform.

1. Managing AWS using Terraform
Given by Derek C. Ashmore
AWS Atlanta
July 18, 2018
©2018 Derek C. Ashmore, All Rights Reserved 1

2. Who am I?
• Professional Geek
since 1987
• Java/J2EE/Java EE
since 1999
• AWS since 2010
• Specialties
• Cloud
Workshops
• Cloud-native
Applications
• Yes – I still code!
©2018 Derek C. Ashmore, All Rights Reserved 2

3. Discussion Resources
• This slide deck
– http://www.slideshare.net/derekashmore
• Example Terraform project on my GitHub
– https://github.com/Derek-Ashmore/terraform-hands-on-lab
• Slide deck has hyper-links!
– Don’t bother writing down URLs
©2018 Derek C. Ashmore, All Rights Reserved 3

4. Agenda
Introduction
Terraform
Basics
Terraform
Competitors
Terraform
with Teams
Summary /
Q&A
©2018 Derek C. Ashmore, All Rights Reserved 4

5. Infrastructure as Code
• Manual changes
– Increase errors
– Increase unwanted differences
between environments
– Increase admin workload
• Scripted/Coded changes
– Larger upfront cost, but…..
– Less busywork
– Leverage Others Work
– Decreases Errors
– Errors fixed in one place
– Eliminates unwanted differences
– Change history (with source control)
©2018 Derek C. Ashmore, All Rights Reserved 5

6. Terraform
• Cloud Management
– Open Source
• Very active community
– Extensible to any cloud vendor
• AWS, Azure, GCP, AliCloud, Digital Ocean, OpenStack
– Supported for Cloud Support products
• Chef, Consul, Kubernetes, Datadog
• 62 Providers as of April, 2017 and growing
©2018 Derek C. Ashmore, All Rights Reserved 6

7. Agenda
Introduction
Terraform
Basics
Terraform
Competitors
Terraform
with Teams
Summary /
Q&A
©2018 Derek C. Ashmore, All Rights Reserved 7

8. Terraform Basics
• Declarative Programming Paradigm
– Describe what the end product contains
• Terraform figures out how to get there
• Like SQL
– Terraform Resources
• Describes deployed artifacts
– Network  Virtual Networks, Subnets, Network ACLs, Gateways, ELB/ALB
– Hosts  Virtual Machines, Databases
– Security  Security groups/policies/roles/groups/users
– Much more
©2017 Derek C. Ashmore, All Rights Reserved 8

9. Terraform Basics (con’t)
• Coding Statement Order
– All *.tf files loaded  Terraform decides execution order
– No GUI  All command line and text editor
• Top Commands
– Terraform plan  Describes planned changes
– Terraform apply  Makes planned changes
– Terraform taint  Forces re-creation of a resource
– Terraform destroy  deletes all resources
– Terraform refresh  shows configuration drift
©2018 Derek C. Ashmore, All Rights Reserved 9

10. Terraform Resources
• AWS Subnet Resource
– Count = 3  Three subnets created
– Availability Zones come from a data source (lookup)
– CIDR blocks are input variables
• Sample source
©2018 Derek C. Ashmore, All Rights Reserved 10

11. Terraform Data Sources
• Example Data Sources (lookups)
• Sample source
©2018 Derek C. Ashmore, All Rights Reserved 11

12. Terraform Providers
• Example Provider
• Sample AWS source
• Azure Provider
©2018 Derek C. Ashmore, All Rights Reserved 12

13. Terraform Input Variables
• Example Provider
• Sample source
©2018 Derek C. Ashmore, All Rights Reserved 13

14. Reusing Terraform Templates
• Example Template Reuse
• Sample source
©2018 Derek C. Ashmore, All Rights Reserved 14

15. Typical Project Structure
©2018 Derek C. Ashmore, All Rights Reserved 15

16. Terraform State
• Terraform stores state
– Local file terraform.tfstate
• Teams need to manage state centrally
– Terraform Backends
• Locks so that only one person at a time can update
• Remote storage
– S3, Azure containers, Google cloud storage, etc.
©2018 Derek C. Ashmore, All Rights Reserved 16

17. Agenda
Introduction
Terraform
Basics
Terraform
Competitors
Terraform
with Teams
Summary /
Q&A
©2018 Derek C. Ashmore, All Rights Reserved 17

18. Terraform vs. Ansible/Chef
• Terraform designed for infrastructure
– Not designed for configuration management
– Terraform deploys images
• Not good at maintaining what’s on those images
• If deployments update existing VMs
– You need Ansible, Chef, or Puppet
• If deployments are “new” VMs
– Terraform can handle deployments too
©2018 Derek C. Ashmore, All Rights Reserved 18

19. Paradigm Shift
• Deployment as new infrastructure
– New version  new VMs
• Software versions baked into images
– Advantages
• Facilitates Canary Deployments
– Route53 Routing Policies
• Go-live operation has less risk
– Deploy/Backout is just a load balancer switch
– Disadvantages
• More moving parts
• Impossible to do manually
©2018 Derek C. Ashmore, All Rights Reserved 19

20. Terraform vs CloudFormation
Terraform
• Scripting skills translate to Azure,
Google Cloud, etc.
• Less verbose (>50%)
• Data Lookups
• Custom Plug-ins possible
• Active Community Support
• Configuration Drift Detection
(‘refresh’)
CloudFormation
• Quicker to follow AWS enhancements
• GUI support
• Automatic centralized state
• Vendor Support
©2018 Derek C. Ashmore, All Rights Reserved 20

21. Agenda
Introduction
Terraform
Basics
Terraform
Competitors
Terraform
with Teams
Summary /
Q&A
©2018 Derek C. Ashmore, All Rights Reserved 21

22. Terraform with Multiple Admins
• State Management
– Backends
• Terraform Enterprise Enhancements
– Collaboration
– Security
– Audit History
©2018 Derek C. Ashmore, All Rights Reserved 22

23. Managing Terraform State
• Terraform State
– JSON format
– File terraform.tfstate
(Default)
• Backend Options
– S3 Bucket
– Azure
– Terraform Enterprise
– Many more……
©2018 Derek C. Ashmore, All Rights Reserved 23

24. Managing State using S3
• S3 as a Backend
– Requires bucket name, key, region
• Key == folder name within bucket
• S3:ListBucket, GetObject,
PutObject
– Supports Encryption
• You provide KMS key
– Locks using DynamoDB table
• Primary Key = LockID
– Supports Assuming IAM Role
• Best Practices
– Turn on versioning!
– Establish Naming Convention
• Clearly identify environment, terraform
project used.
– Configure back-end in
implementation projects, not re-
used modules.
©2018 Derek C. Ashmore, All Rights Reserved 24

25. Terraform Enterprise Add-Ons
• “Jenkins” for Infrastructure build-outs
– Provides non-command line UI
– Terraform runs on central server
• Laptop install not required
– Provides automatic audit history and output from previous runs
– User security by Workspace
– Workspaces associated with
• AWS Keys (integration with HashiCorp Vault)
• back-end configuration
©2018 Derek C. Ashmore, All Rights Reserved 25

26. Further Reading
• This slide deck
– http://www.slideshare.net/derekashmore
• The Gruntwork Blog
– https://blog.gruntwork.io/
©2018 Derek C. Ashmore, All Rights Reserved 26

27. Questions?
• Derek Ashmore:
– Blog: www.derekashmore.com
– LinkedIn: www.linkedin.com/in/derekashmore
• Connect Invites from attendees welcome
– Twitter: https://twitter.com/Derek_Ashmore
– GitHub: https://github.com/Derek-Ashmore
– Book: http://dvtpress.com/
©2018 Derek C. Ashmore, All Rights Reserved 27