AWS, Terraform, advanced techniques
DevOps Training
A few things before we start
● Shall we use first names instead of Mr/Ms?
● Are the current hours OK?
Who am I?
Who are we all? Who are you?
What do we do here? What's my purpose? Is there something more than this? Why are we all here?
Why 42?
Grzegorz Adamowicz
Occupation: Consultant, Freelance Cloud Engineer
Skillset:
- Crazy Linux geek
- Development (PHP, Python, JavaScript, …)
- DevOps Engineer
- Automation Engineer (AWS), Terraform
- Freelancer, Entrepreneur wannabe
- Events organizer (https://szot.tech)
- Job interview failure expert (200+ interviews)
- Writer (IT Professional)
- Barista (no coffee, no workee)
- Coach (sort-of)
- Lifetime learner
URL: https://adamowicz.cx
email: grzegorz@adamowicz.cx
Twitter: @gadamowicz
How about you?
● What’s your name?
● What do you want to get out of this training?
● What’s your superpower? :-)
Practice
practice, practice, practice
Three days agenda
Day 1
AWS: networks, scaling, automation
Terraform - howto
EC2, (auto)scaling
Load balancing (ELB, ALB)
Day 2
EC2, (auto)scaling
CI/CD
Monitoring
Docker
ECS cluster
Day 3
Docker, ECS - continued
Configuration management
Hashicorp Vault
Databases (RDS, ElastiCache, ...)
AWS Lambda (Serverless)
Day 1
AWS IAM, role, EC2, autoscaling, Terraform
Agenda
1. Architecting in the cloud
2. IAM - security
3. VPC and networks
4. EC2
5. Autoscaling (scaling up, scaling out)
6. Terraform: basic networking
7. Terraform: EC2, scaling groups
8. Roles
9. Alerts and scaling triggers
Architecting challenges/problems
HERE BE DRAGONS!
AWS architecting
Source: unknown :(
AWS (cloud) architecting
Source: unknown :(
AWS architecting
Effectiveness vs efficiency
IAM - access control
Identities
● Users
● Groups
● Roles
● Resources
IAM Policy Generator:
https://awspolicygen.s3.amazonaws.com/policygen.html
ARNs
● arn:aws:iam::account-ID-without-hyphens:user/Richard
● arn:aws:s3:::my_corporate_bucket/exampleobject.png
● arn:aws:iam::aws:policy/ReadOnlyAccess
● arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyName/policyfriendlyname
● arn:partition:service:region:account-id:resource
● arn:partition:service:region:account-id:resourcetype/resource
IAM - examples
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ArnEquals": {
          "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/<INSTANCE-ID>"
        }
      }
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "<SERVICE-NAME>:<ACTION-NAME>",
    "Resource": "*",
    "Condition": {
      "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
      "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}
    }
  }
}
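The ARN layouts and the two policy documents above are the kind of thing worth checking mechanically before a `terraform apply`. The following is an added example, not code from the training deck: `parse_arn()` splits an ARN into the `arn:partition:service:region:account-id:resource` fields listed on the slide (handling both the `resourcetype/resource` and `resourcetype:resource` variants), and `audit_policy()` uses it to flag `Allow` statements with wildcard actions, `Resource: "*"`, or resource ARNs whose service does not match the actions. The two sample policies are the deck's own examples with their placeholders left in; `POLICY_MISMATCH` is constructed here.

```python
"""ARN parsing plus a small lint for IAM policy documents (added example)."""


def parse_arn(arn):
    """Split an ARN; resource_type is None when the service has none (S3)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    resource_type = None
    if service != "s3":
        # The type ends at whichever of "/" or ":" comes first
        # (autoscaling ARNs mix both separators).
        cuts = [i for i in (resource.find("/"), resource.find(":")) if i >= 0]
        if cuts:
            cut = min(cuts)
            resource_type, resource = resource[:cut], resource[cut + 1:]
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource_type": resource_type, "resource": resource}


def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return human-readable findings for the Allow statements of a policy."""
    findings = []
    for n, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {n}: wildcard action {action!r}")
        if "*" in resources:
            note = " (a Condition narrows it; review it)" if st.get("Condition") else ""
            findings.append(f"statement {n}: Resource '*'{note}")
        services = {a.split(":", 1)[0].lower() for a in actions if ":" in a}
        for res in resources:
            if res == "*":
                continue
            try:
                svc = parse_arn(res)["service"]
            except ValueError as err:
                findings.append(f"statement {n}: {err}")
                continue
            if services and svc not in services:
                findings.append(f"statement {n}: {res!r} is a {svc} ARN but the "
                                f"actions belong to {sorted(services)}")
    return findings


# The deck's first example: volume attach/detach limited to one instance.
POLICY_VOLUMES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
        "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
        "Condition": {"ArnEquals": {
            "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/<INSTANCE-ID>"}},
    }],
}

# The deck's second example: Statement is a single object, Resource is "*".
POLICY_TIME_BOUND = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "<SERVICE-NAME>:<ACTION-NAME>",
        "Resource": "*",
        "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}},
    },
}

# Constructed: an s3 action granted on an EC2 ARN never matches anything.
POLICY_MISMATCH = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:ec2:*:*:instance/*"}],
}

if __name__ == "__main__":
    for name, pol in [("volumes", POLICY_VOLUMES), ("time-bound", POLICY_TIME_BOUND),
                      ("mismatch", POLICY_MISMATCH)]:
        print(name, audit_policy(pol) or ["ok"])
```

The second deck policy is reported, not rejected: a date window on `Resource: "*"` is sometimes exactly what you want for a temporary grant, so the lint leaves the decision to the reviewer and only makes sure it is looked at.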
EC2 - scaling applications using VMs
● EC2 LaunchConfiguration
● EC2 LaunchTemplate
● Single EC2 instance
● Autoscaling Group
● Load Balancers (ELB, ALB)
● Target Group
ElasticBeanstalk
● PaaS solution
● Pre-configured environments
● Docker possible
● docker-compose is not supported, but there is an alternative
● CloudFormation in the backend
ECS, also EKS (Kubernetes!)
● Cluster managing containers for you
● vCPU and memory reservation
● More complex scaling (Docker containers + EC2 instances)
● Generates higher costs if used incorrectly
● Restarts services for you
● Also kills a service if it tries to use too many resources
● You still need to manage your EC2 instances inside the cluster (system updates, agent updates)
ECS Fargate
● You don’t manage EC2 instances
● Can’t mount a persistent data volume
● … well, you can, but it’ll be an ephemeral volume (nonpersistent)
See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-storage.html
Docker
● Single process
● No logs inside container
● No IP address for container
● Small images
● Use Dockerfile or Packer
● NO security credentials in container
● … but put your code in there
● Don’t use “latest” tag
● Don’t run as root user
● Stateless services - no dependencies across containers

FROM ubuntu:18.04
RUN apt-get update && \
    apt-get -y upgrade && \
    DEBIAN_FRONTEND=noninteractive apt-get -y install \
    apache2 php7.2 php7.2-mysql \
    libapache2-mod-php7.2 curl lynx
EXPOSE 80
ENTRYPOINT ["/bin/sh"]
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
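Several of the container rules above ("don't use latest", "don't run as root", "no security credentials in the container") can be checked before an image is ever built. The following is an added example, not from the training deck: a small Dockerfile linter that joins backslash continuations into logical instructions and then flags an unpinned or `latest` base image, a missing `USER` instruction, and credential-looking `ENV`/`ARG` names. `SLIDE_DOCKERFILE` is the Apache/PHP Dockerfile from the slide; `BAD_DOCKERFILE` is constructed here to trip every rule.

```python
"""Lint a Dockerfile against the container rules from the slide (added example)."""
import re

# Constructed sample: the Apache/PHP Dockerfile shown on the slide.
SLIDE_DOCKERFILE = """\
FROM ubuntu:18.04
RUN apt-get update && \\
    apt-get -y upgrade && \\
    DEBIAN_FRONTEND=noninteractive apt-get -y install \\
    apache2 php7.2 php7.2-mysql \\
    libapache2-mod-php7.2 curl lynx
EXPOSE 80
ENTRYPOINT ["/bin/sh"]
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
"""

# Constructed counter-example with the mistakes the rules warn about.
BAD_DOCKERFILE = """\
FROM nginx:latest
ENV AWS_SECRET_ACCESS_KEY=abc123 APP_ENV=prod
ARG DB_PASSWORD
COPY . /app
CMD ["nginx", "-g", "daemon off;"]
"""

SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY)", re.I)


def instructions(text):
    """Yield (KEYWORD, argument) pairs, joining backslash continuations."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    for line in logical:
        kw, _, arg = line.partition(" ")
        yield kw.upper(), arg.strip()


def lint_dockerfile(text):
    """Return a list of findings; an empty list means all rules passed."""
    findings, saw_user = [], False
    for kw, arg in instructions(text):
        if kw == "FROM":
            image = arg.split()[0]                 # drop any "AS stage" alias
            if image == "scratch" or "@sha256:" in image:
                continue                           # nothing to pin / digest-pinned
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if not tag or tag == "latest":
                findings.append(f"FROM {image}: pin the base image to a tag or digest, not 'latest'")
        elif kw == "USER":
            saw_user = True
            if arg in ("root", "0"):
                findings.append("USER root: container process runs as root")
        elif kw in ("ENV", "ARG"):
            for token in arg.split():
                key = token.split("=", 1)[0]
                if SECRET_NAME.search(key):
                    findings.append(f"{kw} {key}: looks like a credential baked into the image")
    if not saw_user:
        findings.append("no USER instruction: container runs as root")
    return findings


if __name__ == "__main__":
    for name, df in [("slide", SLIDE_DOCKERFILE), ("bad", BAD_DOCKERFILE)]:
        print(name, lint_dockerfile(df) or ["ok"])
```

Run against the slide's own Dockerfile the only finding is the missing `USER`, which is the one rule that example breaks; the same check fits naturally into the CI stage discussed on day 2, before the image is pushed to ECR.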
Route53 - DNS
● ALIAS != CNAME
● strtolower() - record names are lower-cased
● Can act as a load balancer
● Implements health checks
● Zone can be removed only after deleting all records
● Public
● Private (non-routable, second address in the available pool)
S3 - object storage
● Eventually consistent
● Easy to use
● Can be attached to VPC
● Can be encrypted (KMS)
● Versioning available
● Replication
● Can serve static pages (Vue, React, Angular)
AWS limits
● Every service has limits (e.g. number of EC2 instances) - very important to plan ahead for demand
● Name length limits for load balancers, services, etc. (e.g. Lambda function names) differ per service (!): 74, 128, 512 characters
● API rate limiting
● Hard to predict the cost of running services
Before we go to Terraform - CloudFormation
● Many services using it in the backend
● There is no state file
● Automatic rollbacks (should anything fail)
● Sometimes rollbacks fail
● There can be multiple stacks that depend on each other
● It’s YAML or JSON, basically
● Hard to read (example)
● One can use DSL to simplify things:
○ Lono
○ Troposphere (Python)
○ SparkleFormation
A big no-no:
“When building CloudFormation templates, I’ve seen engineers search the internet, find an example CloudFormation template that is close to what they are looking for, modify it ever so slightly so it works for their business use case, and then run with it.”
Source: https://medium.com/boltops/why-generate-cloudformation-templates-with-lono-65b8ea5eb87d
CloudFormation best practices book
Terraform - how it works
● Has a state file
● Different “providers” (like AWS, GCP)
● NOT multicloud - you still need different code for each provider
● It has its own markup language (HCL)
● You define resources and the dependencies between them
● Can group resources into “modules”
● Has “workspaces” to switch between environments
● No rollback - it stops should anything fail
● Some kind of “dry-run” - plan
provider "aws" {
region = "eu-central-1"
}
Terraform - state file
● local file
● file in S3 bucket
● Atlas / Terraform Enterprise
● etcd
● Consul
● Artifactory
● http
● ...
Need to take care of:
● state versioning
● state locking
terraform {
backend "local" {
path = "state/terraform.tfstate"
}
}
Terraform - let’s install!
● AWSCLI
● https://terraform.io (0.11.x)
$ export AWS_PROFILE=blah
$ export PATH=$PATH:/path/to/terraform
$ terraform init
$ terraform plan
$ terraform fmt
$ terraform apply
Terraform - VPC and basic subnets
● Multi AZ
● Public and private subnets
● NAT gateway
● Internet gateway
● Endpoints
● Route tables
● Network ACLs
https://randops.org/2016/11/29/quick-vpc-reference-configuration-for-scenario-2/
Terraform - NAT gateways, internet gateways
● Internet gateway connected to a VPC
● NAT gateways in a public network
● Route tables must contain IGW and NAT GW
Terraform - basic EC2 instance
● Single EC2 instance in a public subnet
● t2.micro
● SSH open
● Must create SSH key in AWS
resource "aws_instance" "ssh_host" {
  ami           = "ami-0bdf93799014acdc4"
  instance_type = "t2.micro"
  key_name      = "${aws_key_pair.admin.key_name}"
  subnet_id     = "${aws_subnet.public.id}"

  vpc_security_group_ids = [
    "${aws_security_group.allow_ssh.id}",
    "${aws_security_group.allow_all_outbound.id}",
  ]

  tags {
    Name = "SSH bastion"
  }
}
Terraform - EC2 (auto)scaling
● Launch configuration
● Autoscaling group
● Load balancer (ELB)
● EC2 in a private subnet
● LB in a public subnet (public)
● CloudWatch setup:
○ EC2 instance role
○ CloudWatch metrics sent from EC2 using a cron job
● Alerts (high/low)
● Scale strategy
VPC and subnets
resource "aws_vpc" "main" {
  cidr_block = "10.100.0.0/16"

  tags {
    Name = "Terraform main VPC"
  }
}

resource "aws_subnet" "public_a" {
  vpc_id                  = "${aws_vpc.main.id}"
  cidr_block              = "10.100.1.0/24"
  map_public_ip_on_launch = "true"
  availability_zone       = "eu-central-1a"

  tags {
    Name = "Terraform main VPC, public subnet zone A"
  }
}
Internet Gateway (public subnets) and route table
resource "aws_internet_gateway" "default" {
  vpc_id = "${aws_vpc.main.id}"

  tags {
    Name = "Terraform internet gateway"
  }
}

resource "aws_route" "public_internet_gateway" {
  route_table_id         = "${aws_route_table.public.id}"
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = "${aws_internet_gateway.default.id}"
}

resource "aws_route_table" "public" {
  vpc_id = "${aws_vpc.main.id}"

  tags {
    Name = "Public route table"
  }
}

resource "aws_route_table_association" "public_a" {
  subnet_id      = "${aws_subnet.public_a.id}"
  route_table_id = "${aws_route_table.public.id}"
}
NAT gateway and private subnets
resource "aws_subnet" "private_a" {
  vpc_id                  = "${aws_vpc.main.id}"
  cidr_block              = "10.100.10.0/24"
  map_public_ip_on_launch = false
  availability_zone       = "eu-central-1a"

  tags {
    Name = "Terraform main VPC, private subnet zone A"
  }
}

resource "aws_nat_gateway" "natgw_a" {
  allocation_id = "${element(aws_eip.nateip.*.id, 0)}"
  subnet_id     = "${aws_subnet.public_a.id}"
  depends_on    = ["aws_internet_gateway.default"]
}
EC2 instance, security group, ssh key (bastion host)
resource "aws_security_group" "allow_ssh" {
  name        = "allow_ssh"
  description = "Allow inbound SSH traffic"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # lab setting; restrict to your office/VPN range for a real bastion
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_key_pair" "admin" {
  key_name   = "admin-key"
  public_key = "${var.ssh_key}"
}

resource "aws_instance" "ssh_host" {
  ami           = "ami-0bdf93799014acdc4"
  instance_type = "t2.micro"
  key_name      = "${aws_key_pair.admin.key_name}"
  subnet_id     = "${aws_subnet.public_a.id}"

  vpc_security_group_ids = [
    "${aws_security_group.allow_ssh.id}",
    "${aws_security_group.allow_all_outbound.id}",
  ]

  tags {
    Name = "SSH bastion"
  }
}
How does autoscaling work?
● Launch Configuration / Launch Template
● Autoscaling group
● Autoscaling policy
● Metrics
● Alarms and alarm actions
Launch configuration
resource "aws_launch_configuration" "as_conf" {
  image_id      = "${data.aws_ami.ubuntu.id}"
  instance_type = "${var.instance_type}"
  key_name      = "${aws_key_pair.admin.key_name}"
  user_data     = "${data.template_file.init.rendered}"

  security_groups = [
    "${aws_security_group.http_server_public.id}",
    "${aws_security_group.allow_ssh_ip.id}",
    "${aws_security_group.allow_all_outbound.id}",
  ]

  iam_instance_profile        = "${aws_iam_instance_profile.ec2_default.name}"
  associate_public_ip_address = "${var.associate_public_ip_address}"
}
Autoscaling group
resource "aws_autoscaling_group" "application" {
  name                 = "ASG"
  launch_configuration = "${aws_launch_configuration.as_conf.name}"

  vpc_zone_identifier = [
    "${aws_subnet.private_a.id}",
    "${aws_subnet.private_b.id}",
    "${aws_subnet.private_c.id}",
  ]

  min_size             = "${var.min_size}"
  max_size             = "${var.max_size}"
  load_balancers       = ["${aws_elb.default-elb.name}"]
  termination_policies = ["OldestInstance"]

  tag {
    key                 = "Name"
    value               = "EC2-sample-service"
    propagate_at_launch = true
  }
}
Autoscaling policy
resource "aws_autoscaling_policy" "scale_up" {
  name                   = "scale-up"
  scaling_adjustment     = 1
  adjustment_type        = "ChangeInCapacity"
  cooldown               = 120
  autoscaling_group_name = "${aws_autoscaling_group.application.name}"
}

resource "aws_autoscaling_policy" "scale_down" {
  name                   = "scale-down"
  scaling_adjustment     = -1
  adjustment_type        = "ChangeInCapacity"
  cooldown               = 120
  autoscaling_group_name = "${aws_autoscaling_group.application.name}"
}
Metric and alarm action
resource "aws_cloudwatch_metric_alarm" "cpu_utilization_high" {
  alarm_name          = "cpu-utilization"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = "2"
  metric_name         = "CPUUtilization"
  namespace           = "AWS/EC2"
  period              = "60"
  statistic           = "Average"
  threshold           = "80"

  dimensions {
    AutoScalingGroupName = "${aws_autoscaling_group.application.name}"
  }

  alarm_description = "CPU Utilization high"
  alarm_actions     = ["${aws_autoscaling_policy.scale_up.arn}"]
}
Setting up a basic server in autoscaling group
For a service we need:
● Launch Configuration / Launch Template
● Autoscaling group
● Autoscaling policy
Autoscaling:
● Remember metrics must be sent by the EC2 instance to CloudWatch
● There are alerts for “high” (scaling up) and “low” (scaling down)
Side quest: Let’s develop a service
● Python 3.x
● Have /health URI
● Automatically deployed!
● Need an S3 bucket for deployment
● Launch configuration should deploy the “latest” build
● Remember the IAM role to allow EC2 to access the S3 bucket
● You need AWSCLI on the EC2 instance
● ELB in public subnet(s)
● EC2 in private subnet(s)
Autoscaling:
● Remember metrics must be sent by the EC2 instance to CloudWatch
● There are alerts for “high” (scaling up) and “low” (scaling down)
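For the side quest above, a service whose `/health` URI actually reflects the instance's state is what makes the ELB health check and the autoscaling group useful: an unhealthy instance gets replaced instead of serving errors. The following is an added example, not the deck's own service code: a Python 3 `http.server` application where request routing lives in a plain function (`route`) so it can be tested without opening a socket, and `/health` runs a dictionary of dependency checks and returns 503 when any of them fails. The default check (temp directory writable) and the `VERSION` string are assumptions made for the example.

```python
"""Minimal Python 3 service with an ELB-friendly /health endpoint (added example)."""
import json
import os
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

VERSION = "0.1.0"  # constructed; would normally come from the build pipeline

# Each check is a callable returning truthy when healthy. Keep them cheap:
# the load balancer polls this every few seconds.
DEFAULT_CHECKS = {
    "tmp_writable": lambda: os.access(tempfile.gettempdir(), os.W_OK),
}


def route(path, checks=None):
    """Return (status_code, body_dict) for a request path."""
    checks = DEFAULT_CHECKS if checks is None else checks
    if path == "/health":
        results = {name: bool(fn()) for name, fn in checks.items()}
        healthy = all(results.values())
        # 503 takes the instance out of the target group; 200 keeps it in.
        return (200 if healthy else 503), {
            "status": "ok" if healthy else "fail",
            "checks": results,
            "version": VERSION,
        }
    if path == "/":
        return 200, {"message": "hello from the sample service"}
    return 404, {"error": "not found"}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = route(self.path.split("?", 1)[0])
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        # Container rule from the slides: log to stdout, never to a file inside the container.
        print(f"{self.address_string()} {fmt % args}")


def serve(port=8080):
    """Single-process server; one container, one process."""
    HTTPServer(("0.0.0.0", port), Handler).serve_forever()


if __name__ == "__main__":
    serve()
```

Point the ELB health check at `/health` with a short timeout and a low unhealthy threshold; because the handler returns 503 on a failed dependency rather than crashing, the instance is drained cleanly and the scaling group launches a replacement.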
See you tomorrow! :-)
Day 2
EC2 autoscaling, ECS + Terraform, Monitoring, CI/CD
Three days doing stuff
Day 1
AWS: networks, scaling, automation
Terraform - howto
EC2, (auto)scaling
Load balancing (ELB, ALB)
Day 2
EC2, (auto)scaling
CI/CD
Monitoring
Docker
ECS cluster
Day 3
Docker, ECS - continued
Configuration management
Hashicorp Vault
Databases (RDS, ElastiCache, ...)
AWS Lambda
Agenda
1. Finishing up EC2 autoscaling
2. Let’s talk about Docker antipatterns
3. ECS cluster intro
4. Monitoring (Servers, Applications, Logs)
5. Continuous everything (CI/CD)
6. Terraform: code structure
7. Terraform: ECS cluster + services with autoscaling
EC2 autoscaling - continue!
● Launch configuration
● Autoscaling group
● Load balancer (ELB)
● EC2 in a private subnet
● LB in a public subnet (public)
● CloudWatch setup:
○ EC2 instance role
○ CloudWatch metrics sent from EC2 using a cron job
● Alerts (high/low)
● Scale strategy
Docker
● Single process
● No logs inside container
● No IP address for container
● Small images
● Use Dockerfile or Packer
● NO security credentials in container
● … but put your code in there
● Don’t use “latest” tag
● Don’t run as root user
● Stateless services - no dependencies across containers
ECS
● Cluster managing containers for you
● vCPU and memory reservation
● More complex scaling (Docker containers + EC2 instances)
● Generates higher costs if used incorrectly
● Restarts services for you
● Also kills a service if it tries to use too many resources
● You still need to manage your EC2 instances inside the cluster (system updates, agent updates)
Monitoring
From Amazon:
● CloudWatch
● X-Ray (need code alterations, APM)
● ElasticSearch (logs, SaaS)
● CloudTrail (logs)
External:
● Datadog (metrics, APM, logs)
● NewRelic
● Ruxit
● ...
CI/CD
Continuous Integration
“practice of merging all developer working
copies to a shared mainline several times a day”
- Wikipedia
Continuous Delivery
“making sure the software checked in on the
mainline is always in a state that can be
deployed to users and makes the actual
deployment process very rapid” - Wikipedia
Continuous Deployment
“software engineering approach in which
software functionalities are delivered frequently
through automated deployments” - also
Wikipedia
What does that mean?
Terraform code structure
.
└── terraform
    ├── accounts
    │   ├── bootstrap
    │   │   └── tfstate
    │   └── main.tld
    │       └── eu-west-1
    ├── bin
    └── modules
Example:
https://github.com/TechnologyMinimalists/terraform-skeleton
Jenkins - Jenkinsfile example
node("master") {
  stage("Prep") {
    deleteDir() // Clean up the workspace
    checkout scm
    withCredentials([file(credentialsId: 'tfvars', variable: 'tfvars')]) {
      sh "cp $tfvars terraform.tfvars"
    }
    sh "terraform init --get=true"
  }
  stage("Plan") {
    sh "terraform plan -out=plan.out -no-color"
  }
  if (env.BRANCH_NAME == "master") {
    stage("Apply") {
      input 'Do you want to apply this plan?'
      sh "terraform apply -no-color plan.out"
    }
  }
}
ECS + 1-2 services
● Let’s use a module to set up a cluster with autoscaling
● Reuse module for task definition
● Reuse code of the Python app we created
● ELB and ALB - differences and why use ALB?
● Where to keep your images? (Docker Hub, ECR)
Terraform modules
● There are community modules
● https://registry.terraform.io/
● https://github.com/terraform-community-modules
● Modules take inputs (variables) and generate outputs that can be used in other code
More on modules
ECS cluster
module "ecs-cluster" {
source = "azavea/ecs-cluster/aws"
version = "2.0.0"
vpc_id = "${aws_vpc.main.id}"
instance_type = "t2.small"
key_name = "blah"
root_block_device_type = "gp2"
root_block_device_size = "10"
health_check_grace_period = "600"
desired_capacity = "1"
min_size = "0"
max_size = "2"
enabled_metrics = [...]
private_subnet_ids = [...]
project = "Something"
environment = "Staging"
lookup_latest_ami = "true"
}
● It’s worth investing time to prepare modules tailored to your needs, but there are great ones ready to use
● It’s going to take time to understand how a module works
● … but less time than creating your own
● Not everything should be a module (do NOT create a securityGroupModuleFactory)
● Group important things together
ECS cluster
● IAM Role for EC2 instances
● Use ECS-optimized instances (Amazon Linux)
● IAM Role for Services
● VPC and networking
● ECR for keeping home-baked images (optional)
● Aggregated metrics for “group”
● CloudWatch log group for logs (optional)
Source:https://stackoverflow.com/questions/36057445/several-amazon-ecs-tasks-on-the-same-instance-host
ECS task definition
# Variables (task_definition, task_role_arn, task_network_mode, task_cpu,
# task_memory, service_launch_type, execution_role_arn) are declared alongside.
resource "aws_ecs_task_definition" "main" {
  family                   = "some-name"
  container_definitions    = "${var.task_definition}"
  task_role_arn            = "${var.task_role_arn}"
  network_mode             = "${var.task_network_mode}"
  cpu                      = "${var.task_cpu}"
  memory                   = "${var.task_memory}"
  requires_compatibilities = ["${var.service_launch_type}"]
  execution_role_arn       = "${var.execution_role_arn}"
}
https://github.com/TechnologyMinimalists/aws-containers-task-definitions
[{
  "environment": [{
    "name": "SECRET",
    "value": "KEY"
  }],
  "essential": true,
  "memoryReservation": 128,
  "cpu": 10,
  "image": "nginx:latest",
  "name": "nginx",
  "portMappings": [
    {
      "hostPort": 80,
      "protocol": "tcp",
      "containerPort": 80
    }
  ]
}]
ECS - service
# Cluster id, target group ARN, container name, subnets and security groups
# are passed in as variables; container_name must match "name" in the
# container definition (e.g. "nginx" above).
resource "aws_ecs_service" "awsvpc_alb" {
  name            = "service_name"
  cluster         = "${var.ecs_cluster_id}"
  task_definition = "${aws_ecs_task_definition.main.arn}"
  desired_count   = "1"
  launch_type     = "${var.service_launch_type}"

  load_balancer {
    target_group_arn = "${var.alb_target_group_arn}"
    container_name   = "${var.container_name}"
    container_port   = "80"
  }

  network_configuration {
    security_groups = ["${var.security_groups}"]
    subnets         = ["${var.subnets}"]
  }
}
Setting up Nginx inside ECS cluster
● Reuse modules from Terraform registry
● Test every change with plan
● One instance will be sufficient
● Don’t bother with autoscaling, let’s keep it simple for now
● You can use a ready Docker image from Docker Hub
Side quest: Let’s develop a service
● Python 3.x
● Have /health URI
● Automatically deployed!
● Need an S3 bucket for deployment
● Launch configuration should deploy the “latest” build
● Remember the IAM role to allow EC2 to access the S3 bucket
● You need AWSCLI on the EC2 instance
● ALB in public subnet(s)
● EC2 in private subnet(s)
● ECR keeping Docker image
● Process to build and send image to ECR
Autoscaling:
● Let’s leave services autoscaling for now
See you tomorrow! :-)
Day 3
ECS - continue
Various tools:
Configuration Management, HashiCorp Vault + Consul, Databases, Serverless
Three days doing stuff
Day 1
AWS: networks, scaling, automation
Terraform - howto
EC2, (auto)scaling
Load balancing (ELB, ALB)
Day 2
EC2, (auto)scaling
CI/CD
Monitoring
Docker
ECS cluster
Day 3
Docker, ECS - continued
Configuration management
Hashicorp Vault
Databases (RDS, ElastiCache, ...)
AWS Lambda
Yesterday's assignment
● Status check
● Let’s finish what we’ve started yesterday
Configuration management
● What’s that?
● What’s being used in AWS?
● Toolset
● Idempotence - what does that mean?
Configuration management - tools
● CFEngine (mid 90s)
● Puppet
● Chef
● Ansible
● Saltstack
Configuration management - architecture
Source:
https://blogs.msdn.microsoft.com/uk_faculty_connection/2016/06/29/solving-configuration-management-obstacles-with-chef/
AWS OpsWorks
● Chef solo (localhost) or Puppet Enterprise
● CloudFormation in the backend
● Can be provisioned via Terraform (yay!)
● Autoscaling using Lambda Hacks
● AWS console - let’s see how this looks
HashiCorp Vault
● Key-value secret storage
● Encrypts secrets at rest (storage) and in transit (HTTPS)
● Takes care of invalidating old secrets (API keys rotation)
● Versioning of the key-value storage is also possible
● One-time secrets
● “Cubbyhole” secrets wrapping
● Possible to integrate with Terraform (yay!)
● … and more
HashiCorp Vault - seal/unseal
● default (key)
● AWS KMS
● Azure Key Vault
● GCP Cloud KMS
HashiCorp Vault - authentication
● Username and password
● GitHub (token actually)
● AWS IAM
● LDAP
● Radius
● Tokens
https://www.vaultproject.io/docs/auth/index.html
HashiCorp Vault - testing locally
$ vault server -dev
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ vault status
● Already unsealed
● In-memory data store
● Good for testing
● Do NOT use in production
HashiCorp Consul - service discovery and more
Source:https://www.consul.io/docs/internals/architecture.html
HashiCorp Vault and Consul as a backend
Source:https://www.consul.io/docs/internals/architecture.html
HashiCorp Vault + Consul - setting up Consul
{
"acl_datacenter": "dev1",
"server": true,
"datacenter": "dev1",
"data_dir": "/var/lib/consul",
"disable_anonymous_signature": true,
"disable_remote_exec": true,
"encrypt": "Owpx3FUSQPGswEAeIhcrFQ==",
"log_level": "DEBUG",
"enable_syslog": true,
"start_join": ["192.168.33.10",
"192.168.33.20", "192.168.33.30"],
"services": []
}
# consul agent -server \
    -bootstrap-expect=1 -data-dir /var/lib/consul/data \
    -bind=192.168.33.10 \
    -enable-script-checks=true \
    -config-dir=/etc/consul/bootstrap
CTRL+C when done
# systemctl start consul
HashiCorp Vault + Consul - connecting Vault
# vault server -config=/etc/vault/vault.hcl

/etc/vault/vault.hcl:

# "storage" is the current name of this stanza; "backend" is the older,
# deprecated spelling and still accepted.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "1" # lab only; a production listener needs TLS
}
HashiCorp Vault + Consul - init
$ vault init -tls-skip-verify
Unseal Key 1: sahg1Y48nQ4fAzfzCM6UN8d9RTB+uqJiu0/HsQxr+CDF
Unseal Key 2: tGk1p191YACXyhJ/SHjRjnGYw1zMLGapAuJ40zMX4qT7
Unseal Key 3: J/ZgUCosSnr2VRP803aBX+UMRK6lfQU2gmZ98yIFbxOu
Unseal Key 4: y6j8nwL/VHNwOgL80HFf89ztPEB06POetitLf6ndrL59
Unseal Key 5: 7TiRQ/F4An6wMrjX6k1Qe8VGUwyYpTawcXHdMkNg7aNH
Initial Root Token: s.7DGCNrZsF2gbIK9BMRLWymZp
HashiCorp Vault + Consul - unseal
# vault operator unseal -tls-skip-verify
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       36bba3e0-8ac6-b2e6-80a3-cfe3cbd0202c
Version            1.0.0
HA Enabled         true
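The `Total Shares 5 / Threshold 3` lines above are Shamir secret sharing: the master key is split into five shares and any three of them rebuild it, which is why three separate `vault operator unseal` calls are needed and why holding one or two keys gives an operator nothing. The following is an added example to show that property, not Vault's code: Vault splits the key byte-wise over GF(2^8), whereas this simplified version works over a prime field and shares a single integer, but the threshold behaviour is the same. `split_secret` evaluates a random polynomial whose constant term is the secret; `combine_shares` recovers the constant term by Lagrange interpolation at x = 0.

```python
"""Shamir secret sharing in a prime field: why 5 shares with threshold 3 (added example)."""
import secrets

# Mersenne prime 2^127 - 1; any secret below it is a field element.
PRIME = (1 << 127) - 1


def split_secret(secret, shares=5, threshold=3):
    """Return [(x, y)] points on a random polynomial of degree threshold-1
    whose constant term is the secret. Defaults match Vault's init output."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 0 is never handed out: it *is* the secret
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def combine_shares(points):
    """Lagrange interpolation at x = 0. With fewer than threshold points this
    still returns a number, just not the secret: that is the whole point."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        inverse = pow(den, PRIME - 2, PRIME)   # Fermat inverse, PRIME is prime
        total = (total + yi * num * inverse) % PRIME
    return total


def demo():
    """Split a random 120-bit key and recover it from three of five shares."""
    key = int.from_bytes(secrets.token_bytes(15), "big")
    shares = split_secret(key)
    return key == combine_shares(shares[:3])


if __name__ == "__main__":
    print("recovered from 3 of 5 shares:", demo())
```

Operationally this is the argument for handing the five unseal keys to five different people (or, as the seal/unseal slide lists, replacing them with an auto-unseal KMS key): a single compromised share is useless, and the root token printed by `init` is what needs protecting and revoking, not the shares.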
HashiCorp Vault - first secret
[vagrant@vault-01 ~]$ vault kv put secret/hello foo=world
Key Value
--- -----
created_time 2018-12-12T11:50:21.722423496Z
deletion_time n/a
destroyed false
version 1
HashiCorp Vault - get secret
[vagrant@vault-01 ~]$ vault kv get secret/hello
====== Metadata ======
Key Value
--- -----
created_time 2018-12-12T11:50:21.722423496Z
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
foo world
[vagrant@vault-01 ~]$ vault kv get -format=json secret/hello
HashiCorp Vault - token create
[vagrant@vault-01 ~]$ vault token create
Key Value
--- -----
token s.4fQYZpivxLRZVYGhjpTQm1Ob
token_accessor XYOqtACs0aatIkUBgAcI6qID
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
HashiCorp Vault - login using token
[vagrant@vault-01 ~]$ vault login s.hAnm1Oj9YYoDtxkqQVkLyxr7
Success! You are now authenticated. The token information displayed below is already stored
in the token helper. You do NOT need to run "vault login" again. Future Vault requests will
automatically use this token.
Key Value
--- -----
token s.hAnm1Oj9YYoDtxkqQVkLyxr7
token_accessor 6bPASelFhdZ2ClSzwfq31Ucr
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
HashiCorp Vault - token revoke
[vagrant@vault-01 ~]$ vault token revoke s.6WYXXVRPNmEKfaXfnyAjcMsR
Success! Revoked token (if it existed)
See more on auth: https://learn.hashicorp.com/vault/getting-started/authentication
HashiCorp Vault - multi-tenant
Source: https://learn.hashicorp.com/vault/operations/namespaces
HashiCorp Vault - multi-tenant - exercises
● Let’s create two namespaces
● Create policies for the namespaces
● Create a few secrets in each
● Create one user in each
● Test if users have access to their own
namespaces
Databases in AWS - quick introduction
● Aurora
● RDS
● DynamoDB
● Elasticsearch + Kibana
● ElastiCache (Memcache, Redis)
AWS Lambda and Serverless
http://www.slideshare.net/danveloper/microservices-the-right-way
AWS Lambda and Serverless
https://www.fiverr.com/natasha_bab/setup-cloud-based-backend-for-mobile-n-web
● Actually it’s more mixed and also complex
● Layered architecture (think MVC) + event-driven (ESB, but not that heavy)
● In a Docker
● … or as lambdas
AWS Lambda and Serverless
AWS Lambda and Serverless
● There’s no “server less”
● Using VPC slows things down
● Utilize SaaS provided by AWS (SQS, SNS, DynamoDB, CloudWatch, X-Ray)
● Mind Lambda limitations (memory, CPU, execution time)
● Big packages tend to run slower, keep it simple
● Workflows or long-running tasks with Step Functions
Let’s create a function
● Python
● IAM role allowing interacting with Autoscaling
● Function will increase instances by one
● Manual trigger
● Setup using Terraform
● Code upload using AWSCLI (Bash/Makefile)
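The function described above, as an added example that is not the deck's code: a Python Lambda handler that raises the desired capacity of an autoscaling group by one. Two details matter beyond the "+1": the new value is clamped to the group's `max_size` so a repeated trigger cannot push past the limit the Terraform code set, and `HonorCooldown=True` keeps the manual trigger from fighting the scaling policies' cooldown. The Auto Scaling client is injected so the logic runs offline; `FakeAutoScaling` is a constructed stand-in for `boto3.client("autoscaling")`, and the `asg_name` event key and `ASG_NAME` environment variable are assumptions. The IAM role from the bullet list needs only `autoscaling:DescribeAutoScalingGroups` and `autoscaling:SetDesiredCapacity` on this group.

```python
"""Lambda handler that grows an Auto Scaling group by one instance (added example)."""
import os


def scale_up_by_one(client, group_name):
    """Return (old, new) desired capacity; new == old when already at max_size."""
    resp = client.describe_auto_scaling_groups(AutoScalingGroupNames=[group_name])
    groups = resp.get("AutoScalingGroups", [])
    if not groups:
        raise ValueError(f"auto scaling group {group_name!r} not found")
    group = groups[0]
    old, max_size = group["DesiredCapacity"], group["MaxSize"]
    new = min(old + 1, max_size)          # never exceed the group's max_size
    if new != old:
        client.set_desired_capacity(
            AutoScalingGroupName=group_name,
            DesiredCapacity=new,
            HonorCooldown=True,           # respect the policies' cooldown window
        )
    return old, new


def handler(event, context, client=None):
    """Lambda entry point. The group comes from the event or ASG_NAME (assumed names)."""
    if client is None:
        import boto3                      # only needed inside Lambda
        client = boto3.client("autoscaling")
    group = event.get("asg_name") or os.environ.get("ASG_NAME")
    if not group:
        return {"statusCode": 400, "body": "asg_name missing"}
    old, new = scale_up_by_one(client, group)
    return {"statusCode": 200,
            "body": {"group": group, "old": old, "new": new, "changed": new != old}}


class FakeAutoScaling:
    """Constructed stand-in for boto3.client('autoscaling'); records calls."""
    def __init__(self, desired, max_size):
        self.desired, self.max_size, self.calls = desired, max_size, []

    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        return {"AutoScalingGroups": [{
            "AutoScalingGroupName": AutoScalingGroupNames[0],
            "DesiredCapacity": self.desired,
            "MaxSize": self.max_size,
        }]}

    def set_desired_capacity(self, **kwargs):
        self.calls.append(kwargs)
        self.desired = kwargs["DesiredCapacity"]


if __name__ == "__main__":
    fake = FakeAutoScaling(desired=1, max_size=2)
    print(handler({"asg_name": "ASG"}, None, client=fake))
    print(handler({"asg_name": "ASG"}, None, client=fake))   # already at max: unchanged
```

Deploy it with the Terraform `aws_lambda_function` resource and a zip uploaded via AWSCLI as the slide says; the manual trigger is then `aws lambda invoke` with `{"asg_name": "ASG"}` as the payload.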
Side quest: Vault + Consul in AWS
● Use Terraform and an Autoscaling Group/Launch Configuration to set up Consul hosts - manual cluster set up, for simplicity
● Alternatively, use an ECS cluster and the public Consul image https://hub.docker.com/_/consul/
● Same for Vault
● (Re)use Python service to grab configuration key/values from Vault
Thanks a bunch!
Grzegorz Adamowicz
LinkedIN: /in/gadamowicz
Twitter: @gadamowicz
grzegorz@adamowicz.cx
https://szot.tech

Beyond Wordcount with spark datasets (and scalaing) - Nide PDX Jan 2018
Holden Karau
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
rkr10
 
Node azure
Node azureNode azure
Node azure
Emanuele DelBono
 
Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?
Christian Joudrey
 
The Future is Now: Leveraging the Cloud with Ruby
The Future is Now: Leveraging the Cloud with RubyThe Future is Now: Leveraging the Cloud with Ruby
The Future is Now: Leveraging the Cloud with Ruby
Robert Dempsey
 
[AWS Builders] Effective AWS Glue
[AWS Builders] Effective AWS Glue[AWS Builders] Effective AWS Glue
[AWS Builders] Effective AWS Glue
Amazon Web Services Korea
 
ContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven InfrastructureContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven Infrastructure
Yury Tsarev
 
Node.js Course 2 of 2 - Advanced techniques
Node.js Course 2 of 2 - Advanced techniquesNode.js Course 2 of 2 - Advanced techniques
Node.js Course 2 of 2 - Advanced techniques
Manuel Eusebio de Paz Carmona
 
Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)
Radek Simko
 

Similar to AWS DevOps - Terraform, Docker, HashiCorp Vault (20)

Deploying Perl apps on dotCloud
Deploying Perl apps on dotCloudDeploying Perl apps on dotCloud
Deploying Perl apps on dotCloud
 
Back-end (Flask_AWS)
Back-end (Flask_AWS)Back-end (Flask_AWS)
Back-end (Flask_AWS)
 
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other ThingsI Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
 
Scaling symfony apps
Scaling symfony appsScaling symfony apps
Scaling symfony apps
 
Nodejs
NodejsNodejs
Nodejs
 
Declarative Infrastructure Tools
Declarative Infrastructure Tools Declarative Infrastructure Tools
Declarative Infrastructure Tools
 
Future of Serverless
Future of ServerlessFuture of Serverless
Future of Serverless
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
NodeJS
NodeJSNodeJS
NodeJS
 
murakumo Cloud Controller
murakumo Cloud Controllermurakumo Cloud Controller
murakumo Cloud Controller
 
Beyond Wordcount with spark datasets (and scalaing) - Nide PDX Jan 2018
Beyond Wordcount  with spark datasets (and scalaing) - Nide PDX Jan 2018Beyond Wordcount  with spark datasets (and scalaing) - Nide PDX Jan 2018
Beyond Wordcount with spark datasets (and scalaing) - Nide PDX Jan 2018
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Node azure
Node azureNode azure
Node azure
 
Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?
 
JavaScript Event Loop
JavaScript Event LoopJavaScript Event Loop
JavaScript Event Loop
 
The Future is Now: Leveraging the Cloud with Ruby
The Future is Now: Leveraging the Cloud with RubyThe Future is Now: Leveraging the Cloud with Ruby
The Future is Now: Leveraging the Cloud with Ruby
 
[AWS Builders] Effective AWS Glue
[AWS Builders] Effective AWS Glue[AWS Builders] Effective AWS Glue
[AWS Builders] Effective AWS Glue
 
ContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven InfrastructureContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven Infrastructure
 
Node.js Course 2 of 2 - Advanced techniques
Node.js Course 2 of 2 - Advanced techniquesNode.js Course 2 of 2 - Advanced techniques
Node.js Course 2 of 2 - Advanced techniques
 
Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)
 

Recently uploaded

Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 

Recently uploaded (20)

Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 

AWS DevOps - Terraform, Docker, HashiCorp Vault

  • 15. IAM - access control
    Identities
    ● Users
    ● Groups
    ● Roles
    ● Resources
    IAM Policy Generator: https://awspolicygen.s3.amazonaws.com/policygen.html
    ARNs
    ● arn:aws:iam::account-ID-without-hyphens:user/Richard
    ● arn:aws:s3:::my_corporate_bucket/exampleobject.png
    ● arn:aws:iam::aws:policy/ReadOnlyAccess
    ● arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyName/policyfriendlyname
    General formats:
    ● arn:partition:service:region:account-id:resource
    ● arn:partition:service:region:account-id:resourcetype/resource
  • 16. IAM - examples
    Policy 1: an instance may attach or detach volumes only when the call comes from the instance named in the condition.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
          "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
          "Condition": {
            "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/<INSTANCE-ID>"}
          }
        }
      ]
    }
    Policy 2: a permission that is valid only inside a time window.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "<SERVICE-NAME>:<ACTION-NAME>",
        "Resource": "*",
        "Condition": {
          "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
          "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}
        }
      }
    }
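To see what those two policies actually decide, here is a toy evaluator added as an example (it is not AWS code and not part of the training deck). It models only the pieces the slide's policies use: Action and Resource matching, ArnEquals/ArnLike, DateGreaterThan/DateLessThan, and the Deny > Allow > implicit deny order. The account ID, instance IDs, volume ARN, timestamps, and the s3:GetObject action standing in for <SERVICE-NAME>:<ACTION-NAME> are constructed placeholders.

```python
"""Toy IAM policy evaluator for the two slide policies (added example, not AWS code)."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_match(pattern, arn):
    """IAM-style ARN match: '*' and '?' are wildcards and each of the six
    colon-separated components is compared on its own."""
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(fnmatchcase(x, y) for x, y in zip(a, p))


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(condition, context):
    """Every operator/key in a Condition must hold; a key may list several
    acceptable values, any one of which is enough."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # missing request context key: the condition is false
            candidates = _as_list(expected)
            if operator in ("ArnEquals", "ArnLike"):
                ok = any(_arn_match(c, actual) for c in candidates)
            elif operator == "DateGreaterThan":
                ok = any(_parse_ts(actual) > _parse_ts(c) for c in candidates)
            elif operator == "DateLessThan":
                ok = any(_parse_ts(actual) < _parse_ts(c) for c in candidates)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """IAM evaluation order in miniature: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for st in _as_list(policy["Statement"]):
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(_arn_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


ACCOUNT, INSTANCE_ID = "123456789012", "i-0123456789abcdef0"  # constructed placeholders
VOLUME_POLICY = {  # the slide's first policy with <INSTANCE-ID> filled in
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
        "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
        "Condition": {"ArnEquals": {"ec2:SourceInstanceARN": f"arn:aws:ec2:*:*:instance/{INSTANCE_ID}"}},
    }],
}
TIME_BOXED_POLICY = {  # the slide's second policy; s3:GetObject is an assumed action
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
        "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
                      "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}},
    },
}


def demo():
    """Evaluate a few constructed requests against both policies."""
    volume = f"arn:aws:ec2:eu-central-1:{ACCOUNT}:volume/vol-0a1b2c3d4e5f67890"
    own = {"ec2:SourceInstanceARN": f"arn:aws:ec2:eu-central-1:{ACCOUNT}:instance/{INSTANCE_ID}"}
    other = {"ec2:SourceInstanceARN": f"arn:aws:ec2:eu-central-1:{ACCOUNT}:instance/i-0fedcba9876543210"}
    obj = "arn:aws:s3:::my_corporate_bucket/exampleobject.png"
    return {
        "own_instance_attach": is_allowed(VOLUME_POLICY, "ec2:AttachVolume", volume, own),
        "other_instance_attach": is_allowed(VOLUME_POLICY, "ec2:AttachVolume", volume, other),
        "delete_volume": is_allowed(VOLUME_POLICY, "ec2:DeleteVolume", volume, own),
        "inside_window": is_allowed(TIME_BOXED_POLICY, "s3:GetObject", obj, {"aws:CurrentTime": "2017-08-01T12:00:00Z"}),
        "after_window": is_allowed(TIME_BOXED_POLICY, "s3:GetObject", obj, {"aws:CurrentTime": "2018-01-01T00:00:00Z"}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DENY'}")
```

The point of the first policy is the condition, not the Resource: the Resource list still says "any volume, any instance", and it is `ec2:SourceInstanceARN` that pins the permission to one instance. Real IAM has many more operators and keys (and policy types such as SCPs and resource policies) than this toy; use the IAM policy simulator for anything that matters.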
  • 17. EC2 - scaling applications using VMs
    ● EC2 LaunchConfiguration
    ● EC2 LaunchTemplate
    ● Single EC2 instance
    ● Autoscaling Group
    ● Load Balancers (ELB, ALB)
    ● Target Group
  • 18. ElasticBeanstalk
    ● PaaS solution
    ● Pre-configured environments
    ● Docker possible
    ● docker-compose was not supported at the time of this training (there was an alternative, the multi-container Dockerrun.aws.json format; newer Docker platforms accept a docker-compose.yml)
    ● CloudFormation in the backend
  • 19. ECS, also EKS (Kubernetes!)
    ● Cluster managing containers for you
    ● vCPU and memory reservation
    ● More complex scaling (containers + EC2 instances)
    ● Generates higher costs if used incorrectly
    ● Restarts services for you
    ● Also kills a task if it tries to use too many resources (e.g. exceeds its memory hard limit)
    ● You still need to manage the EC2 instances inside the cluster (system updates, agent updates)
  • 20. ECS Fargate
    ● You don't manage EC2 instances
    ● Can't mount a persistent data volume
    ● … well, you can, but it'll be an ephemeral volume (non-persistent) that disappears with the task
    ● Since 2020 (platform version 1.4.0) Fargate tasks can also mount Amazon EFS file systems, which are persistent
    See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-storage.html
  • 21. Docker
    ● Single process per container
    ● No logs inside the container (write to stdout/stderr and let the platform collect them)
    ● No IP address for the container (don't build anything on container IPs)
    ● Small images
    ● Use Dockerfile or Packer
    ● NO security credentials in the container
    ● … but do put your code in there
    ● Don't use the "latest" tag
    ● Don't run as root user
    ● Stateless services - no dependencies across containers
    FROM ubuntu:18.04
    # one RUN layer: install, then drop the apt cache so it does not end up in the image
    RUN apt-get update && apt-get -y upgrade && \
        DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php7.2 php7.2-mysql libapache2-mod-php7.2 curl lynx && \
        rm -rf /var/lib/apt/lists/*
    EXPOSE 80
    # no ENTRYPOINT ["/bin/sh"]: apache2ctl is already a shell script, and wrapping it in sh only
    # puts /bin/sh at PID 1 in front of Apache; run the server in the foreground directly
    CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
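A small checker for the rules on this slide, added here as an example (it is not part of the training material and not a Docker tool): it parses a Dockerfile, joining `\` continuations and dropping comments, and reports an unpinned or "latest" base image, ENV/ARG names that look like credentials, apt caches left in a layer, and images that never switch away from root. The three sample Dockerfiles are constructed; the first is the one on the slide.

```python
"""Dockerfile antipattern checker (added example, not part of the deck)."""
import re

APT_INSTALL = re.compile(r"apt-get\s+(?:-\S+\s+)*install")
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|ACCESS_?KEY|PRIVATE_?KEY)", re.I)


def parse_dockerfile(text):
    """Return [(INSTRUCTION, arguments), ...] with continuations joined and comments dropped."""
    result, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        instruction, _, args = pending.partition(" ")
        result.append((instruction.upper(), args.strip()))
        pending = ""
    return result


def check_dockerfile(text):
    """Return a list of human-readable findings; an empty list means the slide's rules hold."""
    findings, last_user = [], None
    for instruction, args in parse_dockerfile(text):
        if instruction == "FROM":
            image = args.split()[0]
            if image.lower() == "scratch":
                continue
            name = image.rsplit("/", 1)[-1]  # strip registry/namespace before looking at the tag
            if "@sha256:" not in image and (":" not in name or name.endswith(":latest")):
                findings.append(f"FROM {image}: pin a version tag or digest, not 'latest'")
        elif instruction in ("ENV", "ARG"):
            names = re.findall(r"(?:^|\s)([A-Za-z_]\w*)=", args) or [args.split()[0]]
            findings.extend(f"{instruction} {n}: credentials baked into the image"
                            for n in names if SECRET_NAME.search(n))
        elif instruction == "RUN":
            if APT_INSTALL.search(args) and "/var/lib/apt/lists" not in args:
                findings.append("RUN apt-get install without 'rm -rf /var/lib/apt/lists/*': package cache kept in the layer")
        elif instruction == "USER":
            last_user = args.split(":")[0]
    if last_user in (None, "root", "0"):
        findings.append("no non-root USER: the process runs as root")
    return findings


# Constructed samples. The first is the slide's Dockerfile as shown.
SLIDE_DOCKERFILE = """\
FROM ubuntu:18.04
RUN apt-get update && apt-get -y upgrade && \\
    DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php7.2 php7.2-mysql libapache2-mod-php7.2 curl lynx
EXPOSE 80
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
"""

LEAKY_DOCKERFILE = """\
FROM node
ENV DB_PASSWORD=hunter2 APP_ENV=prod
RUN npm ci --omit=dev
CMD ["node", "server.js"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.11-slim
RUN apt-get update && apt-get -y install --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
# secrets arrive from the environment at run time (Vault, SSM), never from the image
RUN useradd --system --uid 10001 app
COPY app.py /srv/app.py
USER app
CMD ["python", "/srv/app.py"]
"""

if __name__ == "__main__":
    for label, text in (("slide", SLIDE_DOCKERFILE), ("leaky", LEAKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(text) or "OK")
```

The slide's own Dockerfile trips two of the rules it lists (apt cache in the layer, process running as root); that is fine for a training image, but it is the kind of thing you want a CI gate to say out loud. Tools such as hadolint cover far more than this; the value here is seeing how little code a "policy as code" check for your own rules needs.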
  • 22. Route53 - DNS
    ● ALIAS != CNAME (alias records are Route 53-specific, can sit at the zone apex and point at AWS resources)
    ● strtolower(): DNS names are case-insensitive and Route 53 stores them lowercased
    ● Can act as a load balancer (weighted, latency and failover routing policies)
    ● Implements health checks
    ● A zone can be removed only after deleting all its records (apart from the default NS and SOA)
    ● Public hosted zones
    ● Private hosted zones (not resolvable from outside the VPC; answered by the VPC DNS server, which is the VPC base address + 2, e.g. 10.100.0.2 for 10.100.0.0/16)
  • 23. S3 - object storage
    ● Eventually consistent (for overwrites and deletes, at the time of this training; S3 has offered strong read-after-write consistency since December 2020)
    ● Easy to use
    ● Reachable from a VPC through a gateway VPC endpoint, so traffic does not cross the public internet
    ● Can be encrypted at rest (SSE-S3 or SSE-KMS)
    ● Versioning available
    ● Replication
    ● Can serve static pages (Vue, React, Angular)
  • 24. AWS limits
    ● Every service has limits (e.g. number of EC2 instances) - very important to think ahead of demand
    ● Limits on names for load balancers, services (e.g. Lambda names) - different for every service (!): 74, 128, 512 characters
    ● API rate limiting
    ● Hard to predict the cost of running services
  • 25. Before we go to Terraform - CloudFormation
    ● Many AWS services use it in the backend
    ● There is no state file
    ● Automatic rollbacks (should anything fail)
    ● Sometimes the rollback itself fails
    ● There can be multiple stacks that depend on each other
    ● It's YAML or JSON, basically
    ● Hard to read (example)
    ● One can use a DSL to simplify things:
      ○ Lono
      ○ Troposphere (Python)
      ○ SparkleFormation
    A big no-no: "When building CloudFormation templates, I've seen engineers search the internet, find an example CloudFormation template that is close to what they are looking for, modify it ever so slightly so it works for their business use case, and then run with it."
    Source: https://medium.com/boltops/why-generate-cloudformation-templates-with-lono-65b8ea5eb87d
  • 27. Terraform - how it works
    ● Has a state file
    ● Different "providers" (like AWS, GCP)
    ● NOT multicloud - you still need different code for each provider
    ● Has its own markup language (HCL)
    ● You define resources and the dependencies between them
    ● Can group resources into "modules"
    ● Has "workspaces" to switch between environments
    ● No rollback - it stops should anything fail
    ● A kind of "dry-run": terraform plan
    provider "aws" {
      region = "eu-central-1"
    }
  • 28. Terraform - state file
    Backends:
    ● local file
    ● file in an S3 bucket
    ● Atlas / Terraform Enterprise
    ● etcd
    ● Consul
    ● Artifactory
    ● http
    ● ...
    Need to take care of:
    ● state versioning (with the S3 backend: turn on bucket versioning)
    ● state locking (with the S3 backend: a DynamoDB table for the lock)
    ● state access: the state holds every attribute Terraform knows, including secrets such as database passwords in plain text, so encrypt the backend and restrict who can read it
    terraform {
      backend "local" {
        path = "state/terraform.tfstate"
      }
    }
  • 29. Terraform - let's install!
    ● AWSCLI
    ● https://terraform.io (0.11.x)
    $ export AWS_PROFILE=blah
    $ export PATH=$PATH:/path/to/terraform
    $ terraform init
    $ terraform plan
    $ terraform fmt
    $ terraform apply
  • 30. Terraform - VPC and basic subnets
    ● Multi AZ
    ● Public and private subnets
    ● NAT gateway
    ● Internet gateway
    ● Endpoints
    ● Route tables
    ● Network ACLs
    https://randops.org/2016/11/29/quick-vpc-reference-configuration-for-scenario-2/
  • 31. Terraform - NAT gateways, internet gateways
    ● Internet gateway attached to the VPC
    ● NAT gateways placed in a public subnet
    ● Route tables: the public route table sends 0.0.0.0/0 to the IGW, the private route tables send 0.0.0.0/0 to the NAT GW
  • 32. Terraform - basic EC2 instance
    ● Single EC2 instance in a public subnet
    ● t2.micro
    ● SSH open
    ● Must create an SSH key pair in AWS
    resource "aws_instance" "ssh_host" {
      ami                    = "ami-0bdf93799014acdc4"
      instance_type          = "t2.micro"
      key_name               = "${aws_key_pair.admin.key_name}"
      subnet_id              = "${aws_subnet.public_a.id}"
      vpc_security_group_ids = [
        "${aws_security_group.allow_ssh.id}",
        "${aws_security_group.allow_all_outbound.id}",
      ]
      tags {
        Name = "SSH bastion"
      }
    }
  • 33. Terraform - EC2 (auto)scaling
    ● Launch configuration
    ● Autoscaling group
    ● Load balancer (ELB)
    ● EC2 in private subnet(s)
    ● LB in public subnet(s)
    ● CloudWatch setup:
      ○ EC2 instance role
      ○ CloudWatch metrics sent from EC2 using a cron job
    ● Alerts (high/low)
    ● Scale strategy
  • 34. VPC and subnets
    resource "aws_vpc" "main" {
      cidr_block = "10.100.0.0/16"
      tags {
        Name = "Terraform main VPC"
      }
    }
    resource "aws_subnet" "public_a" {
      vpc_id                  = "${aws_vpc.main.id}"
      cidr_block              = "10.100.1.0/24"
      map_public_ip_on_launch = "true"
      availability_zone       = "eu-central-1a"
      tags {
        Name = "Terraform main VPC, public subnet zone A"
      }
    }
  • 35. Internet Gateway (public subnets) and route table
    resource "aws_internet_gateway" "default" {
      vpc_id = "${aws_vpc.main.id}"
      tags {
        Name = "Terraform internet gateway"
      }
    }
    resource "aws_route_table" "public" {
      vpc_id = "${aws_vpc.main.id}"
      tags {
        Name = "Public route table"
      }
    }
    resource "aws_route" "public_internet_gateway" {
      route_table_id         = "${aws_route_table.public.id}"
      destination_cidr_block = "0.0.0.0/0"
      gateway_id             = "${aws_internet_gateway.default.id}"
    }
    resource "aws_route_table_association" "public_a" {
      subnet_id      = "${aws_subnet.public_a.id}"
      route_table_id = "${aws_route_table.public.id}"
    }
  • 36. NAT gateway and private subnets
    resource "aws_subnet" "private_a" {
      vpc_id                  = "${aws_vpc.main.id}"
      cidr_block              = "10.100.10.0/24"
      map_public_ip_on_launch = false
      availability_zone       = "eu-central-1a"
      tags {
        Name = "Terraform main VPC, private subnet zone A"
      }
    }
    resource "aws_nat_gateway" "natgw_a" {
      # Elastic IP for the gateway; aws_eip.nateip is defined elsewhere in the code
      allocation_id = "${element(aws_eip.nateip.*.id, 0)}"
      # the NAT gateway itself lives in the public subnet, the private subnets route to it
      subnet_id     = "${aws_subnet.public_a.id}"
      depends_on    = ["aws_internet_gateway.default"]
    }
  • 37. EC2 instance, security group, ssh key (bastion host)
    resource "aws_security_group" "allow_ssh" {
      name        = "allow_ssh"
      description = "Allow inbound SSH traffic"
      vpc_id      = "${aws_vpc.main.id}"
      ingress {
        from_port   = 22
        to_port     = 22
        protocol    = "tcp"
        # training setting: anywhere outside the lab, limit this to your admin IP ranges
        cidr_blocks = ["0.0.0.0/0"]
      }
      egress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
    }
    resource "aws_key_pair" "admin" {
      key_name   = "admin-key"
      public_key = "${var.ssh_key}"
    }
    resource "aws_instance" "ssh_host" {
      ami                    = "ami-0bdf93799014acdc4"
      instance_type          = "t2.micro"
      key_name               = "${aws_key_pair.admin.key_name}"
      subnet_id              = "${aws_subnet.public_a.id}"
      vpc_security_group_ids = [
        "${aws_security_group.allow_ssh.id}",
        "${aws_security_group.allow_all_outbound.id}",
      ]
      tags {
        Name = "SSH bastion"
      }
    }
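The bastion's allow_ssh group opens 22/tcp to 0.0.0.0/0. One way to catch that before `terraform apply`, added here as an example that is not part of the training code: a check over the JSON that `terraform show -json plan.out` prints (Terraform 0.12 and later; the 0.11.x used in the deck has no JSON plan output). It looks at inline ingress blocks and at standalone aws_security_group_rule resources. SAMPLE_PLAN is a constructed, trimmed plan document; the resource names follow the slides.

```python
"""Flag SSH/RDP open to the world in a Terraform JSON plan (added example)."""
import json
import sys

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def exposed_admin_ports(rule):
    """Admin ports this ingress rule opens to the whole internet (empty set if none)."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & ANYWHERE:
        return set()
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto == "-1":  # "all traffic" rule covers every port
        return set(ADMIN_PORTS)
    if proto != "tcp":
        return set()
    lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 0)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def find_open_admin_ports(plan):
    """Return 'address: port/service open to the world' for every offending planned rule."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["delete"]:
            continue  # a pure delete cannot open anything
        after = change.get("after") or {}
        if rc["type"] == "aws_security_group":
            rules = after.get("ingress") or []
        elif rc["type"] == "aws_security_group_rule" and after.get("type") == "ingress":
            rules = [after]
        else:
            continue
        for rule in rules:
            for port in sorted(exposed_admin_ports(rule)):
                findings.append(f"{rc['address']}: {port}/{ADMIN_PORTS[port]} open to the world")
    return findings


# Constructed, trimmed version of what `terraform show -json` emits for the slide's groups.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "0.1",
  "resource_changes": [
    {"address": "aws_security_group.allow_ssh", "type": "aws_security_group", "name": "allow_ssh",
     "change": {"actions": ["create"], "before": null,
                "after": {"name": "allow_ssh",
                          "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                       "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}],
                          "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                                      "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.http_server_public", "type": "aws_security_group",
     "name": "http_server_public",
     "change": {"actions": ["create"], "before": null,
                "after": {"ingress": [{"from_port": 80, "to_port": 80, "protocol": "tcp",
                                       "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group_rule.allow_ssh_ip", "type": "aws_security_group_rule",
     "name": "allow_ssh_ip",
     "change": {"actions": ["create"], "before": null,
                "after": {"type": "ingress", "from_port": 22, "to_port": 22, "protocol": "tcp",
                          "cidr_blocks": ["203.0.113.0/24"]}}}
  ]
}
""")

if __name__ == "__main__":
    # usage: terraform plan -out=plan.out && terraform show -json plan.out | python sg_check.py
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    problems = find_open_admin_ports(plan)
    print("\n".join(problems) or "no admin ports open to the world")
    sys.exit(1 if problems else 0)
```

Run between the "Plan" and "Apply" stages of a pipeline so a non-zero exit blocks the apply. The http_server_public group (80/tcp to the world) is expected for a public web tier and is not reported; the allow_ssh_ip rule scoped to 203.0.113.0/24 is what the bastion should look like outside the lab.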
  • 38. How does autoscaling work?
    ● Launch Configuration / Launch Template
    ● Autoscaling group
    ● Autoscaling policy
    ● Metrics
    ● Alarms and alarm actions
  • 39. Launch configuration
    resource "aws_launch_configuration" "as_conf" {
      image_id        = "${data.aws_ami.ubuntu.id}"
      instance_type   = "${var.instance_type}"
      key_name        = "${aws_key_pair.admin.key_name}"
      user_data       = "${data.template_file.init.rendered}"
      security_groups = [
        "${aws_security_group.http_server_public.id}",
        "${aws_security_group.allow_ssh_ip.id}",
        "${aws_security_group.allow_all_outbound.id}",
      ]
      iam_instance_profile        = "${aws_iam_instance_profile.ec2_default.name}"
      associate_public_ip_address = "${var.associate_public_ip_address}"
    }
  • 40. Autoscaling group
    resource "aws_autoscaling_group" "application" {
      name                 = "ASG"
      launch_configuration = "${aws_launch_configuration.as_conf.name}"
      vpc_zone_identifier  = [
        "${aws_subnet.private_a.id}",
        "${aws_subnet.private_b.id}",
        "${aws_subnet.private_c.id}",
      ]
      min_size             = "${var.min_size}"
      max_size             = "${var.max_size}"
      load_balancers       = ["${aws_elb.default-elb.name}"]
      termination_policies = ["OldestInstance"]
      tag {
        key                 = "Name"
        value               = "EC2-sample-service"
        propagate_at_launch = true
      }
    }
  • 41. Autoscaling policy
    resource "aws_autoscaling_policy" "scale_up" {
      name                   = "scale-up"
      scaling_adjustment     = 1
      adjustment_type        = "ChangeInCapacity"
      cooldown               = 120
      autoscaling_group_name = "${aws_autoscaling_group.application.name}"
    }
    resource "aws_autoscaling_policy" "scale_down" {
      name                   = "scale-down"
      scaling_adjustment     = -1
      adjustment_type        = "ChangeInCapacity"
      cooldown               = 120
      autoscaling_group_name = "${aws_autoscaling_group.application.name}"
    }
  • 42. Metric and alarm action
    resource "aws_cloudwatch_metric_alarm" "cpu_utilization_high" {
      alarm_name          = "cpu-utilization"
      comparison_operator = "GreaterThanOrEqualToThreshold"
      evaluation_periods  = "2"
      metric_name         = "CPUUtilization"
      namespace           = "AWS/EC2"
      period              = "60"
      statistic           = "Average"
      threshold           = "80"
      dimensions {
        AutoScalingGroupName = "${aws_autoscaling_group.application.name}"
      }
      alarm_description = "CPU Utilization high"
      alarm_actions     = ["${aws_autoscaling_policy.scale_up.arn}"]
    }
  • 43. Setting up a basic server in autoscaling group
    For a service we need:
    ● Launch Configuration / Launch Template
    ● Autoscaling group
    ● Autoscaling policy
    Autoscaling:
    ● Remember: CPUUtilization is reported by EC2 itself; any other metric (memory, application metrics) must be sent from the EC2 instance to CloudWatch
    ● There are alerts for "high" (scaling up) and "low" (scaling down)
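How the alarm, the scaling policies and the group's bounds on the last few slides interact, as a simulation added here (not AWS code and not part of the deck). It models three documented behaviours: a metric alarm goes into ALARM only after evaluation_periods consecutive breaching datapoints; for Auto Scaling actions CloudWatch invokes the alarm action for every period the alarm stays in ALARM; and the policy's cooldown plus the group's min/max decide whether an invocation changes anything. The CPU series is constructed, and the "low" alarm at 20 % is an assumption (the slides show only the "high" alarm).

```python
"""Simulation of CloudWatch alarm -> scaling policy -> ASG capacity (added example)."""
from collections import deque

PERIOD = 60  # seconds, matching the slide's alarm period


class MetricAlarm:
    """ALARM when the last `evaluation_periods` datapoints all breach the threshold."""

    def __init__(self, threshold, evaluation_periods, breaches):
        self.threshold = threshold
        self.breaches = breaches  # e.g. lambda value, threshold: value >= threshold
        self.window = deque(maxlen=evaluation_periods)

    def observe(self, value):
        """Feed one datapoint; return True while the alarm is in ALARM state."""
        self.window.append(value)
        return len(self.window) == self.window.maxlen and all(
            self.breaches(v, self.threshold) for v in self.window)


class AutoScalingGroup:
    def __init__(self, min_size, max_size, desired):
        self.min_size, self.max_size, self.desired = min_size, max_size, desired
        self.last_scaled = None

    def apply_policy(self, scaling_adjustment, cooldown, now):
        """ChangeInCapacity policy: respect the cooldown, clamp to [min, max].
        Returns True if the desired capacity changed."""
        if self.last_scaled is not None and now - self.last_scaled < cooldown:
            return False
        target = max(self.min_size, min(self.max_size, self.desired + scaling_adjustment))
        if target == self.desired:
            return False  # nothing to do, so the cooldown is not restarted either
        self.desired, self.last_scaled = target, now
        return True


def simulate(cpu_samples, min_size=1, max_size=3, cooldown=120):
    """Return the desired capacity after each 60 s CPUUtilization datapoint."""
    asg = AutoScalingGroup(min_size, max_size, desired=min_size)
    high = MetricAlarm(80, 2, lambda v, t: v >= t)  # slide: GreaterThanOrEqualToThreshold, 2 periods
    low = MetricAlarm(20, 2, lambda v, t: v <= t)   # assumed scale-down alarm
    history = []
    for i, cpu in enumerate(cpu_samples):
        now = i * PERIOD
        if high.observe(cpu):          # alarm action invoked every period while in ALARM
            asg.apply_policy(+1, cooldown, now)
        if low.observe(cpu):
            asg.apply_policy(-1, cooldown, now)
        history.append(asg.desired)
    return history


if __name__ == "__main__":
    cpu = [90, 90, 90, 90, 10, 10, 10, 10, 10]
    for t, (c, d) in enumerate(zip(cpu, simulate(cpu))):
        print(f"t={t * PERIOD:4d}s cpu={c:3d}% desired={d}")
```

With the slide's settings a sustained spike adds the first instance only at the second datapoint and then one more every other period (the 120 s cooldown against a 60 s period), and max_size stops it after that; a single 90 % sample between quiet ones never reaches ALARM. If those delays are too slow for your traffic, change evaluation_periods, the cooldown or the adjustment size deliberately rather than discovering the interaction in production.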
  • 44. Side quest: Let's develop a service
    ● Python 3.x
    ● Has a /health URI
    ● Automatically deployed!
    ● Needs an S3 bucket for deployment
    ● Launch configuration should deploy the "latest" build
    ● Remember the IAM role that lets EC2 read the deployment bucket (scope it to that bucket, not to s3:* on everything)
    ● You need AWSCLI on the EC2 instance
    ● ELB in public subnet(s)
    ● EC2 in private subnet(s)
    Autoscaling:
    ● Remember: CPUUtilization is reported by EC2 itself; any other metric must be sent from the EC2 instance to CloudWatch
    ● There are alerts for "high" (scaling up) and "low" (scaling down)
  • 46. Day 2 EC2 autoscaling, ECS + Terraform, Monitoring, CI/CD
  • 47. Three days doing stuff
    Day 1
    AWS: networks, scaling, automation
    Terraform - howto
    EC2, (auto)scaling
    Load balancing (ELB, ALB)
    Day 2
    EC2, (auto)scaling
    CI/CD
    Monitoring
    Docker
    ECS cluster
    Day 3
    Docker, ECS - continued
    Configuration management
    Hashicorp Vault
    Databases (RDS, ElastiCache, ...)
    AWS Lambda
  • 48. Agenda
    1. Finishing up EC2 autoscaling
    2. Let's talk about Docker antipatterns
    3. ECS cluster intro
    4. Monitoring (Servers, Applications, Logs)
    5. Continuous everything (CI/CD)
    6. Terraform: code structure
    7. Terraform: ECS cluster + services with autoscaling
  • 49. EC2 autoscaling - continued!
    ● Launch configuration
    ● Autoscaling group
    ● Load balancer (ELB)
    ● EC2 in private subnet(s)
    ● LB in public subnet(s)
    ● CloudWatch setup:
      ○ EC2 instance role
      ○ CloudWatch metrics sent from EC2 using a cron job
    ● Alerts (high/low)
    ● Scale strategy
  • 50. Docker
    ● Single process per container
    ● No logs inside the container
    ● No IP address for the container
    ● Small images
    ● Use Dockerfile or Packer
    ● NO security credentials in the container
    ● … but do put your code in there
    ● Don't use the "latest" tag
    ● Don't run as root user
    ● Stateless services - no dependencies across containers
  • 51. ECS
    ● Cluster managing containers for you
    ● vCPU and memory reservation
    ● More complex scaling (containers + EC2 instances)
    ● Generates higher costs if used incorrectly
    ● Restarts services for you
    ● Also kills a task if it tries to use too many resources (e.g. exceeds its memory hard limit)
    ● You still need to manage the EC2 instances inside the cluster (system updates, agent updates)
  • 52. Monitoring From Amazon: ● CloudWatch ● X-Ray (need code alterations, APM) ● ElasticSearch (logs, SaaS) ● CloudTrail (logs) External: ● Datadog (metrics, APM, logs) ● NewRelic ● Ruxit ● ...
  • 53. CI/CD Continuous Integration “practice of merging all developer working copies to a shared mainline several times a day” - Wikipedia Continuous Delivery “making sure the software checked in on the mainline is always in a state that can be deployed to users and makes the actual deployment process very rapid” - Wikipedia Continuous Deployment “software engineering approach in which software functionalities are delivered frequently through automated deployments” - also Wikipedia
  • 55. Terraform code structure
    .
    └── terraform
        ├── accounts
        │   ├── bootstrap
        │   │   └── tfstate
        │   └── main.tld
        │       └── eu-west-1
        ├── bin
        └── modules
    Example: https://github.com/TechnologyMinimalists/terraform-skeleton
  • 56. Jenkins - Jenkinsfile example
    node("master") {
        stage("Prep") {
            deleteDir() // Clean up the workspace
            checkout scm
            withCredentials([file(credentialsId: 'tfvars', variable: 'tfvars')]) {
                sh "cp $tfvars terraform.tfvars"
            }
            sh "terraform init --get=true"
        }
        stage("Plan") {
            sh "terraform plan -out=plan.out -no-color"
        }
        if (env.BRANCH_NAME == "master") {
            stage("Apply") {
                input 'Do you want to apply this plan?'
                sh "terraform apply -no-color plan.out"
            }
        }
    }
  • 57. ECS + 1-2 services ● Let’s use a module to set up a cluster with autoscaling ● Reuse module for task definition ● Reuse code of the Python app we created ● ELB and ALB - differences and why use an ALB? ● Where to keep your images? (Docker HUB, ECR)
  • 58. Terraform modules ● There are community modules ● https://registry.terraform.io/ ● https://github.com/terraform-community-modules ● Modules take inputs (variables) and generate outputs that could be used in other code
  • 59. More on modules
    ECS cluster
    module "ecs-cluster" {
      source  = "azavea/ecs-cluster/aws"
      version = "2.0.0"

      vpc_id                    = "${aws_vpc.main.id}"
      instance_type             = "t2.small"
      key_name                  = "blah"
      root_block_device_type    = "gp2"
      root_block_device_size    = "10"
      health_check_grace_period = "600"
      desired_capacity          = "1"
      min_size                  = "0"
      max_size                  = "2"
      enabled_metrics           = [...]
      private_subnet_ids        = [...]
      project                   = "Something"
      environment               = "Staging"
      lookup_latest_ami         = "true"
    }
    ● It’s worth investing time to prepare modules tailored to your needs, but there are great ones ready to use ● It’s going to take time to understand how a module works ● … but it’ll be shorter than creating your own ● Not everything should be a module (do NOT securityGroupModuleFactory) ● Group important things together
  • 60. ECS cluster ● IAM Role for EC2 instances ● Use ECS-optimized instances (Amazon Linux) ● IAM Role for Services ● VPC and networking ● ECR for keeping home-baked images (optional) ● Aggregated metrics for “group” ● CloudWatch log group for logs (optional)
  • 63. ECS task definition
    resource "aws_ecs_task_definition" "main" {
      family                   = "some-name"
      container_definitions    = "${var.task_definition}"
      task_role_arn            = "${var.task_role_arn}"
      network_mode             = "${var.task_network_mode}"
      cpu                      = "${var.task_cpu}"
      memory                   = "${var.task_memory}"
      # the slide left these two as bare placeholders; variable names assumed here
      requires_compatibilities = ["${var.service_launch_type}"]
      execution_role_arn       = "${var.execution_role_arn}"
    }
    https://github.com/TechnologyMinimalists/aws-containers-task-definitions
    [{
      "environment": [{ "name": "SECRET", "value": "KEY" }],
      "essential": true,
      "memoryReservation": 128,
      "cpu": 10,
      "image": "nginx:latest",
      "name": "nginx",
      "portMappings": [
        { "hostPort": 80, "protocol": "tcp", "containerPort": 80 }
      ]
    }]
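    The container definition above breaks two of the Docker rules from slide 50 (the “latest” tag and a credential in the environment). As an added Python example that is not from the slides, a small check to run in the pipeline before terraform plan, over the container_definitions JSON; the “clean” sample, its ECR account id and SSM parameter ARN are constructed placeholders.

```python
import json
import re

# Constructed sample: the nginx container definition from slide 63.
SAMPLE_CONTAINER_DEFINITIONS = json.dumps([{
    "environment": [{"name": "SECRET", "value": "KEY"}],
    "essential": True,
    "memoryReservation": 128,
    "cpu": 10,
    "image": "nginx:latest",
    "name": "nginx",
    "portMappings": [{"hostPort": 80, "protocol": "tcp", "containerPort": 80}],
}])

# Constructed sample that passes: pinned tag in ECR (placeholder account id), a
# non-root user, and the credential delivered through 'secrets' (valueFrom).
CLEAN_CONTAINER_DEFINITIONS = json.dumps([{
    "name": "app",
    "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/app:1.4.2",
    "user": "1000",
    "memoryReservation": 128,
    "secrets": [{"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:ssm:eu-west-1:123456789012:parameter/app/db_password"}],
}])

SECRET_NAME_RE = re.compile(r"secret|password|passwd|token|api_key|access_key|private_key", re.I)

def image_tag(image: str):
    """Tag of an image reference, 'digest' if pinned by @sha256, None if untagged."""
    last = image.split("/")[-1]  # drop registry and repository path
    if "@" in last:
        return "digest"
    return last.rsplit(":", 1)[1] if ":" in last else None

def check_container_definitions(definitions_json: str) -> list:
    """Return findings; an empty list means the definitions pass these checks."""
    findings = []
    for c in json.loads(definitions_json):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        if image_tag(image) in (None, "latest"):
            findings.append(f"{name}: image '{image}' is not pinned (uses or implies 'latest')")
        for env in c.get("environment", []):
            if SECRET_NAME_RE.search(env.get("name", "")):
                findings.append(f"{name}: env var '{env['name']}' looks like a credential; "
                                "move it to 'secrets' (SSM Parameter Store / Secrets Manager)")
        if c.get("user") in (None, "root", "0"):
            findings.append(f"{name}: no non-root 'user' set")
    return findings
```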
  • 64. ECS - service
    # values are placeholders from the slide; load_balancer and
    # network_configuration are nested blocks, not map attributes
    resource "aws_ecs_service" "awsvpc_alb" {
      name            = "service_name"
      cluster         = "ecs_cluster_id"
      task_definition = "aws_ecs_task_definition"
      desired_count   = "1"
      launch_type     = "${var.service_launch_type}"

      load_balancer {
        target_group_arn = "${aws_alb_target_group}"
        container_name   = "${thename}"
        container_port   = "80"
      }

      network_configuration {
        security_groups = ["${security_groups}"]
        subnets         = ["${subnets}"]
      }
    }
  • 65. Setting up Nginx inside ECS cluster ● Reuse modules from Terraform registry ● Test every change with plan ● One instance will be sufficient ● Don’t bother with autoscaling, let’s keep it simple for now ● You can use ready Docker image from Docker Hub
  • 66. Side quest: Let’s develop a service ● Python 3.x ● Have /health URI ● Automatically deployed! ● Need an S3 bucket for deployment ● Launch configuration should deploy “latest” build ● Remember IAM role to allow EC2 to access the S3 bucket ● You need AWSCLI on the EC2 instance ● ALB in public subnet(s) ● EC2 in private subnet(s) ● ECR keeping the Docker image ● Process to build and send the image to ECR Autoscaling: ● Let’s leave service autoscaling for now
  • 68. Day 3 ECS - continue Various tools: Configuration Management, HashiCorp Vault + Consul, Databases, Serverless
  • 69. Three days doing stuff Day 1 AWS: networks, scaling, automation Terraform - howto EC2, (auto)scaling Load balancing (ELB, ALB) Day 2 EC2, (auto)scaling CI/CD Monitoring Docker ECS cluster Day 3 Docker, ECS - continue Configuration management Hashicorp Vault Databases (RDS, ElastiCache, ...) AWS Lambda
  • 70. Yesterday's assignment ● Status check ● Let’s finish what we’ve started yesterday
  • 71. Configuration management ● What’s that? ● What’s being used in AWS? ● Toolset ● Idempotence - what does that mean?
  • 72. Configuration management - tools ● CFEngine (mid 90s) ● Puppet ● Chef ● Ansible ● Saltstack
  • 73. Configuration management - architecture Source: https://blogs.msdn.microsoft.com/uk_faculty_connection/2016/06/29/solving-configuration-management-obstacles-with-chef/
  • 74. AWS OpsWorks ● Chef solo (localhost) or Puppet Enterprise ● CloudFormation in the backend ● Can be provisioned via Terraform (yay!) ● Autoscaling using Lambda Hacks ● AWS console - let’s see how this looks
  • 75. HashiCorp Vault ● Key-value secret storage ● Encrypts secrets at rest (storage) and in transit (https) ● Takes care of invalidating old secrets (API key rotation) ● Versioning of the key-value storage is also possible ● One-time secrets ● “Cubbyhole” secret wrapping ● Possible to integrate with Terraform (yay!) ● … and more
  • 76. HashiCorp Vault - seal/unseal ● default (key) ● AWS KMS ● Azure Key Vault ● GCP Cloud KMS
  • 77. HashiCorp Vault - authentication ● Username and password ● GitHub (token actually) ● AWS IAM ● LDAP ● Radius ● Tokens https://www.vaultproject.io/docs/auth/index.html
  • 78. HashiCorp Vault - testing locally
    $ vault server -dev
    $ export VAULT_ADDR='http://127.0.0.1:8200'
    $ vault status
    ● Already unsealed ● In-memory data store ● Good for testing ● Do NOT use in production
  • 79. HashiCorp Consul - service discovery and more Source:https://www.consul.io/docs/internals/architecture.html
  • 80. HashiCorp Vault and Consul as a backend Source:https://www.consul.io/docs/internals/architecture.html
  • 81. HashiCorp Vault + Consul - setting up Consul
    {
      "acl_datacenter": "dev1",
      "server": true,
      "datacenter": "dev1",
      "data_dir": "/var/lib/consul",
      "disable_anonymous_signature": true,
      "disable_remote_exec": true,
      "encrypt": "Owpx3FUSQPGswEAeIhcrFQ==",
      "log_level": "DEBUG",
      "enable_syslog": true,
      "start_join": ["192.168.33.10", "192.168.33.20", "192.168.33.30"],
      "services": []
    }
    # consul agent -server -bootstrap-expect=1 -data-dir /var/lib/consul/data -bind=192.168.33.10 -enable-script-checks=true -config-dir=/etc/consul/bootstrap
    CTRL+C when done
    # systemctl start consul
  • 82. HashiCorp Vault + Consul - connecting Vault
    # vault server -config=/etc/vault/vault.hcl
    backend "consul" {
      address = "127.0.0.1:8500"
      path    = "vault"
    }
    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = "1"
    }
  • 83. HashiCorp Vault + Consul - init
    $ vault init -tls-skip-verify
    Unseal Key 1: sahg1Y48nQ4fAzfzCM6UN8d9RTB+uqJiu0/HsQxr+CDF
    Unseal Key 2: tGk1p191YACXyhJ/SHjRjnGYw1zMLGapAuJ40zMX4qT7
    Unseal Key 3: J/ZgUCosSnr2VRP803aBX+UMRK6lfQU2gmZ98yIFbxOu
    Unseal Key 4: y6j8nwL/VHNwOgL80HFf89ztPEB06POetitLf6ndrL59
    Unseal Key 5: 7TiRQ/F4An6wMrjX6k1Qe8VGUwyYpTawcXHdMkNg7aNH
    Initial Root Token: s.7DGCNrZsF2gbIK9BMRLWymZp
  • 84. HashiCorp Vault + Consul - unseal
    # vault operator unseal -tls-skip-verify
    Unseal Key (will be hidden):
    Key              Value
    ---              -----
    Seal Type        shamir
    Initialized      true
    Sealed           true
    Total Shares     5
    Threshold        3
    Unseal Progress  1/3
    Unseal Nonce     36bba3e0-8ac6-b2e6-80a3-cfe3cbd0202c
    Version          1.0.0
    HA Enabled       true
  • 85. HashiCorp Vault - first secret
    [vagrant@vault-01 ~]$ vault kv put secret/hello foo=world
    Key              Value
    ---              -----
    created_time     2018-12-12T11:50:21.722423496Z
    deletion_time    n/a
    destroyed        false
    version          1
  • 86. HashiCorp Vault - get secret
    [vagrant@vault-01 ~]$ vault kv get secret/hello
    ====== Metadata ======
    Key              Value
    ---              -----
    created_time     2018-12-12T11:50:21.722423496Z
    deletion_time    n/a
    destroyed        false
    version          1

    === Data ===
    Key    Value
    ---    -----
    foo    world
    [vagrant@vault-01 ~]$ vault kv get -format=json secret/hello
  • 87. HashiCorp Vault - token create
    [vagrant@vault-01 ~]$ vault token create
    Key                  Value
    ---                  -----
    token                s.4fQYZpivxLRZVYGhjpTQm1Ob
    token_accessor       XYOqtACs0aatIkUBgAcI6qID
    token_duration       ∞
    token_renewable      false
    token_policies       ["root"]
    identity_policies    []
    policies             ["root"]
  • 88. HashiCorp Vault - login using token
    [vagrant@vault-01 ~]$ vault login s.hAnm1Oj9YYoDtxkqQVkLyxr7
    Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.

    Key                  Value
    ---                  -----
    token                s.hAnm1Oj9YYoDtxkqQVkLyxr7
    token_accessor       6bPASelFhdZ2ClSzwfq31Ucr
    token_duration       ∞
    token_renewable      false
    token_policies       ["root"]
    identity_policies    []
    policies             ["root"]
  • 89. HashiCorp Vault - token revoke
    [vagrant@vault-01 ~]$ vault token revoke s.6WYXXVRPNmEKfaXfnyAjcMsR
    Success! Revoked token (if it existed)
    See more on auth: https://learn.hashicorp.com/vault/getting-started/authentication
  • 90. HashiCorp Vault - multi-tenant Source: https://learn.hashicorp.com/vault/operations/namespaces
  • 91. HashiCorp Vault - multi-tenant - exercises ● Let’s create two namespaces ● Create policies for the namespaces ● Create a few secrets in each ● Create one user in each ● Test if users have access to their own namespaces
  • 92. Databases in AWS - quick introduction ● Aurora ● RDS ● DynamoDB ● Elasticsearch + Kibana ● ElastiCache (Memcache, Redis)
  • 93. AWS Lambda and Serverless http://www.slideshare.net/danveloper/microservices-the-right-way
  • 94. AWS Lambda and Serverless https://www.fiverr.com/natasha_bab/setup-cloud-based-backend-for-mobile-n-web ● Actually it’s more mixed and also complex ● Layered architecture (think MVC) + Event-driven (ESB, but not that heavy) ● In a Docker container ● … or as lambdas
  • 95. AWS Lambda and Serverless
  • 96. AWS Lambda and Serverless ● There’s no “server less” ● Using VPC slows things down ● Utilize SaaS provided by the AWS (SQS, SNS, DynamoDB, CloudWatch, X-Ray) ● Mind Lambda limitations (memory, cpu, execution time) ● Big packages tend to run slower, keep it simple ● Workflows or long running with step functions
  • 97. Let’s create a function ● Python ● IAM role allowing interaction with Autoscaling ● Function will increase instances by one ● Manual trigger ● Setup using Terraform ● Code upload using AWSCLI (Bash/Makefile)
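    The function described above, as an added Python example that is not from the slides: it raises the group's desired capacity by one, capped at max_size, and the role it needs is limited to autoscaling:DescribeAutoScalingGroups and autoscaling:SetDesiredCapacity. The ASG_NAME environment variable, the group name web-asg and the FakeAutoScalingClient stand-in are assumptions for running it offline.

```python
import os
try:
    import boto3  # bundled with the Lambda Python runtime
except ImportError:  # lets the pure logic run offline without boto3
    boto3 = None

ASG_NAME = os.environ.get("ASG_NAME", "web-asg")  # assumed: set by Terraform on the function

def next_desired_capacity(desired: int, max_size: int, step: int = 1) -> int:
    """Desired capacity after scaling out by `step`, never above max_size."""
    return min(desired + step, max_size)

def scale_out(asg_name: str, client) -> dict:
    """Add one instance to the group. `client` is a boto3 autoscaling client
    (or a stand-in); only Describe* and SetDesiredCapacity are called."""
    resp = client.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])
    groups = resp.get("AutoScalingGroups", [])
    if not groups:
        raise ValueError(f"auto scaling group {asg_name!r} not found")
    current, maximum = groups[0]["DesiredCapacity"], groups[0]["MaxSize"]
    target = next_desired_capacity(current, maximum)
    if target != current:  # already at max_size: report, do not call the API
        client.set_desired_capacity(AutoScalingGroupName=asg_name,
                                    DesiredCapacity=target, HonorCooldown=False)
    return {"asg": asg_name, "before": current, "after": target, "max": maximum}

def handler(event, context):
    """Lambda entry point (manual trigger, as in the exercise)."""
    return scale_out(ASG_NAME, boto3.client("autoscaling"))

class FakeAutoScalingClient:
    """Constructed stand-in for the boto3 client so the logic runs offline."""
    def __init__(self, desired: int, max_size: int):
        self.desired, self.max_size, self.calls = desired, max_size, []

    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        return {"AutoScalingGroups": [{"AutoScalingGroupName": AutoScalingGroupNames[0],
                                       "DesiredCapacity": self.desired,
                                       "MaxSize": self.max_size}]}

    def set_desired_capacity(self, AutoScalingGroupName, DesiredCapacity, HonorCooldown):
        self.calls.append(DesiredCapacity)
        self.desired = DesiredCapacity
```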
  • 98. Side quest: Vault + Consul in AWS ● Use Terraform and an Autoscaling Group/Launch Configuration to set up Consul hosts - manual cluster setup, for simplicity ● Alternatively, use an ECS cluster and the public Consul image https://hub.docker.com/_/consul/ ● Same for Vault ● (Re)use the Python service to grab configuration key/values from Vault
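    The last step above (the Python service reading key/values from Vault) and the `vault kv get -format=json secret/hello` output from slide 86, as an added Python example that is not from the slides: it reads a KV v2 secret over the HTTP API with only the standard library and parses the nested data.data / data.metadata shape. It assumes VAULT_ADDR and VAULT_TOKEN in the environment (a token from a policy scoped to that path, not the root token); the sample response is constructed from the slide's values.

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")

# Constructed: what GET /v1/secret/data/hello (or `vault kv get -format=json`)
# returns for the secret written on slide 85. KV v2 nests values under data.data.
SAMPLE_KV_RESPONSE = json.dumps({
    "data": {
        "data": {"foo": "world"},
        "metadata": {"created_time": "2018-12-12T11:50:21.722423496Z",
                     "deletion_time": "", "destroyed": False, "version": 1},
    }
})

def parse_kv2_secret(body: str) -> dict:
    """Return {"version": n, "values": {...}} from a KV v2 read response.
    Raises ValueError on error bodies and on deleted or destroyed versions."""
    doc = json.loads(body)
    if isinstance(doc, dict) and "errors" in doc:
        raise ValueError(f"Vault error: {doc['errors']}")
    try:
        data, meta = doc["data"]["data"], doc["data"]["metadata"]
    except (KeyError, TypeError):
        raise ValueError("not a KV v2 read response (expected data.data and data.metadata)")
    if meta.get("destroyed") or meta.get("deletion_time"):
        raise ValueError(f"secret version {meta.get('version')} is deleted or destroyed")
    return {"version": meta["version"], "values": dict(data)}

def read_secret(mount: str, path: str, addr: str = VAULT_ADDR, token: str = VAULT_TOKEN) -> dict:
    """GET <addr>/v1/<mount>/data/<path>; KV v2 puts 'data' between mount and path.
    The token travels in the X-Vault-Token header, never in the URL."""
    req = urllib.request.Request(f"{addr}/v1/{mount}/data/{path}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_kv2_secret(resp.read().decode())

def config_from_vault(mount: str = "secret", path: str = "hello") -> dict:
    """What the service calls at startup: values stay in process memory and are
    never written to disk or baked into the image."""
    return read_secret(mount, path)["values"]
```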
  • 99. Thanks a bunch! Grzegorz Adamowicz LinkedIN: /in/gadamowicz Twitter: @gadamowicz grzegorz@adamowicz.cx https://szot.tech