4. About me
Bruno Costa
● Background as a SysAdmin on Linux, VMware, SAN, …
● Team Leader of the DevOps Team @Eurotux
● More than 2 years using AWS, managing a dozen AWS Accounts
● Using Terraform for a year on Production Environments
4
Reach me on Slack
5. Intro Terraform
Terraform is a tool to automate your infrastructure:
1) Write a configuration file (.tf file)
2) Terraform will make sure your infrastructure reaches the desired state
3) Later on, make some changes to your configuration
4) Terraform will evaluate what has changed and apply only that difference
Features:
● Written in Go
● Open Source
● From HashiCorp, the company behind Vagrant / Packer / Vault / Consul
● 98 official providers (AWS, GCP, Azure, Cloudflare, GitLab, PostgreSQL, ...)
● 102 community providers (oVirt, AWX, Kafka, …)
● Brings IaC to a new level
6. Intro Terraform – Phase 0
● Write your config (HCL or JSON)
● Sample with AWS Route 53
● Objective: create a DNS zone and an A record pointing "blc.mydomain.org" => "10.10.10.21"
Callouts on the sample config: Provider (1), Resources (2), Variables (2), Interpolation
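The sample configuration itself was a slide image and is not on the page. The following is an added reconstruction of the stated objective (my own file, not the speaker's), written in Terraform 0.12+ syntax; the domain, IP and region come from the slide, the resource and variable names are assumptions:

```hcl
# Added example, not the deck's original sample. Terraform 0.12+ syntax.

terraform {
  required_version = ">= 0.12"
}

# Provider (1). No credentials here: the aws provider reads AWS_PROFILE or
# AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY from the environment, or an
# instance role. Hardcoded keys in a .tf file end up in git.
provider "aws" {
  region = var.aws_region
}

# Variables (2)
variable "aws_region" {
  type    = string
  default = "us-east-1"
}

variable "domain" {
  type    = string
  default = "mydomain.org"
}

# Resources (2)
resource "aws_route53_zone" "main" {
  name = var.domain
}

resource "aws_route53_record" "blc" {
  # Referencing the zone's attribute makes the record depend on the zone:
  # plan orders the zone first, and destroy removes the record first.
  zone_id = aws_route53_zone.main.zone_id
  name    = "blc.${var.domain}"   # interpolation inside a string
  type    = "A"
  ttl     = 300
  records = ["10.10.10.21"]
}
```

The zone_id reference is the only thing that orders the two resources; there is no explicit depends_on, which is why the later plan output shows the record waiting on the zone.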
8. Intro Terraform – Phase 2
● Use the terraform CLI command
● Phase 2 – terraform plan
Nothing has changed yet! plan only computes and prints the diff between the configuration and the state; no resources are created or modified.
Callout on the plan output: Dependency (the record is planned after the zone whose zone_id it references)
9. Intro Terraform – Phase 3
● Use the terraform CLI command
● Phase 3 – terraform apply
10. Intro Terraform
What happened?
● Planning – described the actions that should be taken to get to the desired state
● Approval – the user reviewed and approved the changes that need to be made (to guarantee that exactly the reviewed plan is executed, save it with terraform plan -out=tfplan and run terraform apply tfplan)
● Execution – using the AWS API, Terraform applied the desired changes
● Update State – Terraform wrote data into the state (state file or backend) to keep track of the resources it manages. The state records every attribute Terraform read back, sensitive ones included (passwords, keys), so treat it as a secret.
11. Core Concepts
Resources:
● Key element of HCL – it defines an object that Terraform manages
● AWS has over 500 different resource types (e.g.: aws_security_group, aws_instance, aws_iam_role)
● Some resources can be imported into the state and managed by Terraform from then on: terraform import
12. Core Concepts
Providers:
● You need to provide the credentials to connect to the provider (user/passwd, token, ...). Keep them out of the .tf files, which end up in git: use environment variables, the provider's credentials file or an instance/assumed role
● All resources are tied to a provider, but you may interleave resources from different providers. E.g.: after adding an EC2 instance, you may add a Cloudflare A record
● You may build your own providers
● You need to define alternate (aliased) providers to talk to different AWS Regions
13. Core Concepts
Data Sources:
● Instead of declaring a resource, you may use computed values read from other sources
● E.g.: get an AMI id, get the list of AZs
Outputs:
● You may need to output Terraform results, to feed into other scripts (terraform output)
● Outputs are also how a module exposes values to its caller
Inputs:
● Can be used as vars. E.g.: var.aws_provider
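An added example (not from the deck) that ties together the provider alias from the previous slide with data sources, an input variable and outputs. Terraform 0.12+ syntax, AWS provider 3.x+; regions, instance type and AMI filter are assumptions:

```hcl
# Added example, not from the deck. Terraform 0.12+ syntax, AWS provider 3.x+.

# Default provider. Credentials come from the environment or an instance
# role; only the region is configured in code.
provider "aws" {
  region = "us-east-1"
}

# Alternate provider for a second region. Any resource or data source can
# select it with `provider = aws.west`; everything else uses the default.
provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

# Input: referenced as var.instance_type
variable "instance_type" {
  type    = string
  default = "t3.micro"
}

# Data sources: values computed by the provider instead of typed by hand.
data "aws_availability_zones" "available" {
  state = "available"
}

# AMI ids are region-specific, so the lookup is done once per provider.
data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

data "aws_ami" "amazon_linux_west" {
  provider    = aws.west
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

resource "aws_instance" "east" {
  ami               = data.aws_ami.amazon_linux.id
  instance_type     = var.instance_type
  availability_zone = data.aws_availability_zones.available.names[0]
}

resource "aws_instance" "west" {
  provider      = aws.west
  ami           = data.aws_ami.amazon_linux_west.id
  instance_type = var.instance_type
}

# Outputs: read with `terraform output -json` from scripts, or exposed to a
# calling module when this directory is used as a module.
output "east_private_ip" {
  value = aws_instance.east.private_ip
}

output "west_private_ip" {
  value = aws_instance.west.private_ip
}
```

Note that the west AMI is looked up through the aliased provider: reusing the us-east-1 AMI id in us-west-2 would fail at apply time, since AMI ids do not cross regions.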
14. Core Concepts
Interpolation Syntax:
● Adds expressiveness to a declarative language
● Has conditionals and "pseudo-for" loops (count)
● Built-in functions to manipulate strings, maps and lists
● Terraform 0.12 will bring many changes to the interpolation syntax (expressions become first-class, so the "${...}" wrapper is only needed inside strings)
15. Core Concepts
Backends:
● The backend stores the state of Terraform
● By default, it is a terraform.tfstate file in the working directory (never commit it: it contains every attribute Terraform read, secrets included)
● Remote State: keep the state shared and keep a locking mechanism between team members
● AWS: typical setup is S3 for the state (versioned, encrypted, not public) plus DynamoDB for locking. Bootstrap – chicken/egg problem
● Have a local file backend to bootstrap DynamoDB and S3, then switch the projects to the s3 backend
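The bootstrap described above, as an added example (not the deck's code). Two files are shown in one block: the bootstrap configuration, applied with the default local backend, and the backend block that each project adds afterwards. Terraform 0.12+, AWS provider 4.x+ (where bucket versioning and encryption are separate resources); the bucket and table names are placeholders:

```hcl
# Added example, not from the deck. Terraform 0.12+, AWS provider 4.x+.
# Bucket name is a placeholder and must be globally unique.

# ---- bootstrap/main.tf: applied with the DEFAULT local backend, because
# the s3 backend cannot point at a bucket that does not exist yet. ----

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "example-corp-terraform-state"
}

# Versioning lets you roll back a clobbered or corrupted state file.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State holds secrets in plaintext (DB passwords, keys): encrypt at rest.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Nothing about the state should ever be publicly readable.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the s3 backend requires a string hash key named LockID.
resource "aws_dynamodb_table" "tflock" {
  name         = "terraform-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

# ---- project/backend.tf: added to each project AFTER the bootstrap
# apply. `terraform init` then offers to migrate the local state to S3. ----

terraform {
  backend "s3" {
    bucket         = "example-corp-terraform-state"
    key            = "network/terraform.tfstate"   # one key per project
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}
```

Pair the bucket with an IAM policy that limits s3:GetObject on it to the CI role and the people who actually run Terraform; read access to the state is equivalent to read access to every secret it contains.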
16. Modules / Registry
Modules
● You may group multiple related resources into a module
● Improve code reuse between projects
● Can be called many times, but you cannot transparently use count (module-level count and for_each arrived later, in Terraform 0.13)
● E.g.: create a module to add an ACM certificate and the corresponding validation DNS records on Cloudflare
Registry
● https://registry.terraform.io/
● Shares verified modules and community modules
● E.g.: terraform-aws-modules/vpc/aws can create a VPC with the corresponding subnets, IGW and Routing Tables
● Cloud Posse has some nice modules, despite being community-based modules
● A module runs with your provider credentials: pin its version (or a git commit) and review what it creates before pulling it into a production root
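The module the slide uses as its example, written out as an added example (my own code, not the speaker's module). Terraform 0.12+, AWS provider 3.x+ (domain_validation_options is a set of objects), Cloudflare provider 2.x to 4.x (the record value attribute is `value`); paths, names and the zone id are placeholders:

```hcl
# Added example, not from the deck. Terraform 0.12+, AWS provider 3.x+,
# Cloudflare provider 2.x-4.x. Paths, names and ids are placeholders.

# ---- modules/acm_cloudflare/main.tf ----
variable "domain" {
  type = string
}

variable "cloudflare_zone_id" {
  type = string
}

resource "aws_acm_certificate" "this" {
  domain_name       = var.domain
  validation_method = "DNS"
}

# One CNAME per validation option; for_each keys by domain name so adding a
# SAN later does not re-create the existing records.
resource "cloudflare_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => {
      name  = dvo.resource_record_name
      type  = dvo.resource_record_type
      value = dvo.resource_record_value
    }
  }

  zone_id = var.cloudflare_zone_id
  name    = each.value.name
  type    = each.value.type
  value   = trimsuffix(each.value.value, ".")   # built-in string function
  ttl     = 60
}

# Blocks until ACM has seen the records, so callers can use the ARN safely.
resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in cloudflare_record.validation : r.hostname]
}

output "certificate_arn" {
  value = aws_acm_certificate_validation.this.certificate_arn
}

# ---- root main.tf: the module inherits the root's default aws and
# cloudflare providers. The cloudflare provider reads CLOUDFLARE_API_TOKEN
# from the environment; the token never appears in the config. ----
provider "aws" {
  region = "us-east-1"
}

provider "cloudflare" {}

module "site_cert" {
  source             = "./modules/acm_cloudflare"
  domain             = "www.mydomain.org"
  cloudflare_zone_id = "0123456789abcdef0123456789abcdef"   # placeholder
}

output "site_cert_arn" {
  value = module.site_cert.certificate_arn
}
```

Because the module has no provider blocks of its own, the same module works against any account or Cloudflare zone the root configures; that is the reuse the slide refers to.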
17. Comparison with Other Tools
● Configuration Tools – Chef, Puppet, ...
– Terraform focuses on resource creation, rather than configuring a server that already exists
● Infra Tools – CloudFormation
– Similar to Terraform, but Terraform can mix resources from different Cloud providers
● API – Boto3, SDK
– Too low-level. You need to manually manage resource dependencies and lifecycle, and implement logic to interact with different providers
● But...
– You may combine Terraform with native provisioners (chef, salt) or the local-exec provisioner (Ansible). Provisioners run outside Terraform's plan/state model, so keep them as a last resort.
18. Demo
Network
● Create a VPC on us-east-1
● The VPC should have 2 AZs, each one with a /24 subnet
● VPC CIDR should be 10.230.0.0/22
● Only one NAT instance for both Private Subnets
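The network part of the demo was shown live and is not on the page. The following is an added example (my own code, not the demo's files) that builds the layout above and, along the way, shows the interpolation features from slide 14: count as the "pseudo-for" loop, a conditional expression driving count, and the cidrsubnet built-in. Terraform 0.12+, AWS provider 3.x+; the NAT AMI filter and instance type are assumptions:

```hcl
# Added example, not the deck's demo code. Terraform 0.12+, AWS provider 3.x+.

variable "vpc_cidr" { default = "10.230.0.0/22" }
variable "az_count" { default = 2 }
variable "enable_nat" { default = true }

data "aws_availability_zones" "available" { state = "available" }

resource "aws_vpc" "demo" { cidr_block = var.vpc_cidr }

resource "aws_internet_gateway" "demo" { vpc_id = aws_vpc.demo.id }

# The /22 is split into four /24s: index 0-1 public, 2-3 private.
resource "aws_subnet" "public" {
  count                   = var.az_count
  vpc_id                  = aws_vpc.demo.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 2, count.index)   # 10.230.0.0/24, 10.230.1.0/24
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
}

resource "aws_subnet" "private" {
  count             = var.az_count
  vpc_id            = aws_vpc.demo.id
  cidr_block        = cidrsubnet(var.vpc_cidr, 2, count.index + var.az_count)   # 10.230.2.0/24, 10.230.3.0/24
  availability_zone = data.aws_availability_zones.available.names[count.index]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.demo.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.demo.id
  }
}

resource "aws_route_table_association" "public" {
  count          = var.az_count
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

data "aws_ami" "nat" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn-ami-vpc-nat-*"]
  }
}

# The NAT instance must only forward traffic that originates inside the VPC.
resource "aws_security_group" "nat" {
  name   = "nat"
  vpc_id = aws_vpc.demo.id
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# One NAT instance for both private subnets; count 0 removes it entirely.
resource "aws_instance" "nat" {
  count                  = var.enable_nat ? 1 : 0
  ami                    = data.aws_ami.nat.id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.public[0].id
  vpc_security_group_ids = [aws_security_group.nat.id]
  source_dest_check      = false   # required for a NAT instance
}

resource "aws_route_table" "private" { vpc_id = aws_vpc.demo.id }

resource "aws_route" "private_default" {
  count                  = var.enable_nat ? 1 : 0
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_instance.nat[0].primary_network_interface_id
}

resource "aws_route_table_association" "private" {
  count          = var.az_count
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

output "private_subnet_ids" {
  value = aws_subnet.private[*].id
}
```

Setting enable_nat to false makes both the instance and the default route disappear from the plan, which is how a "create this only if" switch is expressed without module-level conditionals.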
19. Demo
Sample App PHP+MySQL
● Add a MySQL/MariaDB on the Private Subnet
● Add an Apache HTTP with PHP to the Public Subnet
● Grab the output from Terraform, test the website
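The application part of the demo, as an added example (my own code, not the demo's files). The point it adds to the slide is the security-group wiring: the database tier accepts 3306 only from the web tier's security group, never from a CIDR, and the generated password is surfaced as a sensitive output. Terraform 0.14+ (for sensitive outputs), AWS provider 3.x+, random provider 3.x; the VPC, subnet and AMI ids are passed in as placeholder variables rather than looked up here:

```hcl
# Added example, not the deck's demo code. Terraform 0.14+, AWS provider 3.x+.
# Ids are passed in as variables (placeholders) to keep the block self-contained.

variable "vpc_id" { type = string }
variable "public_subnet_id" { type = string }
variable "private_subnet_id" { type = string }
variable "ami_id" { type = string }   # an Amazon Linux 2 AMI for the region

# Web tier: HTTP from anywhere, nothing else inbound.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# DB tier: 3306 only from the web security group. Referencing the SG rather
# than a CIDR means a misconfigured route cannot expose MySQL to the Internet.
resource "aws_security_group" "db" {
  name   = "db"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Generated once and stored in the state: another reason the state must be
# encrypted and access-controlled.
resource "random_password" "db" {
  length  = 24
  special = false
}

resource "aws_instance" "db" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.private_subnet_id
  vpc_security_group_ids = [aws_security_group.db.id]

  # user_data is readable by anyone with ec2:DescribeInstanceAttribute; for a
  # real deployment fetch the password from SSM/Secrets Manager at boot instead.
  user_data = <<-EOT
    #!/bin/bash
    yum install -y mariadb-server
    systemctl enable --now mariadb
    mysql -e "CREATE DATABASE app; CREATE USER 'app'@'%' IDENTIFIED BY '${random_password.db.result}'; GRANT ALL ON app.* TO 'app'@'%';"
  EOT
}

resource "aws_instance" "web" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.public_subnet_id
  vpc_security_group_ids = [aws_security_group.web.id]

  user_data = <<-EOT
    #!/bin/bash
    amazon-linux-extras install -y php7.4
    yum install -y httpd
    echo "${random_password.db.result}" > /etc/app-db-pass
    chown apache:apache /etc/app-db-pass && chmod 0400 /etc/app-db-pass
    cat > /var/www/html/index.php <<'PHP'
    <?php
    $db = new mysqli("${aws_instance.db.private_ip}", "app", trim(file_get_contents("/etc/app-db-pass")), "app");
    echo $db->connect_error ? "DB error" : "DB ok";
    PHP
    systemctl enable --now httpd
  EOT
}

# `terraform output website_url` is what the demo's last step reads.
output "website_url" {
  value = "http://${aws_instance.web.public_dns}/"
}

output "db_password" {
  value     = random_password.db.result
  sensitive = true   # hidden from CLI output, but still present in the state
}
```

The web instance's user_data references aws_instance.db.private_ip, so Terraform orders the database before the web server without any explicit depends_on, the same implicit dependency mechanism as in the Route 53 sample.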