Terraform @Base https://www.meetup.com/DevOpsKRK/events/246479142/

1. Terraform @Base
by @swladyka, @miroslawnagas

2. Terraform 101

3. • building, changing and versioning infrastructure in a (very much) descriptive way
• managing current state of the infrastructure, preparing and executing change plans
• providing locking mechanism to prevent concurrent executions of the same
resources
motivation

4. motivation
TERRAFORM
ALL
THE
THINGS

5. everyone to be able to manage their
infrastructure parts
motivation

6. this process should be predictable,
auditable and secure
motivation

7. infrastructure as a code experience and working
with GitHub is the most natural way to go
motivation

8. state management

9. terraform {
backend "s3" {
bucket = "<bucket name>"
key = "<unique sub-project state file path>"
region = "<region>"
dynamodb_table = "<dynamoDB table name>"
role_arn = "<state access IAM role arn>"
encrypt = true
kms_key_id = "<kms key arn>"
}
}
state management

10. locking mechanism

11. terraform {
backend "s3" {
bucket = "<bucket name>"
key = "<unique sub-project state file path>"
region = "<region>"
dynamodb_table = "<dynamoDB table name>"
role_arn = "<iam role arn>"
encrypt = true
kms_key_id = "<kms key arn>"
}
}
locking mechanism

12. locking mechanism

13. locking mechanism

14. privileges

15. provider "aws" {
region = "<region>"
assume_role {
role_arn = “<sub-project specific IAM role arn>"
session_name = "${var.atlantis_user}"
}
}
variable "atlantis_user" {
default = "atlantis_user"
}
privileges

16. resource "aws_iam_role" "atlantis-terraform-ecs-sandbox" {
name = "atlantis-terraform-ecs-sandbox"
assume_role_policy = <<EOF
.
.
.
EOF
}
resource "aws_iam_role_policy" "atlantis-terraform-ecs-sandbox" {
name = "atlantis-terraform-ecs-sandbox"
role = "${aws_iam_role.atlantis-terraform-ecs-sandbox.name}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:*"
],
"Resource": "*"
}
]
}
EOF
}
privileges

17. secrets

18. data "aws_kms_secret" "hipchat" {
secret {
name = "token"
payload = "AQICAHjqP……mjuWjBA==“
}
}
"${data.aws_kms_secret.hipchat.token}"
secrets

19. resource "aws_ssm_parameter" "hipchat-token" {
name = “/hipchat/token“
type = "SecureString"
value = “${data.aws_kms_secret.hipchat.token}"
}
data "aws_ssm_parameter" “hipchat-token" {
name = “/hipchat/token“
}
"${data.aws_ssm_parameter.hipchat-token.value}"
secrets

20. workflow

21. Atlantis
• Simple yet powerful service which consumes GitHub web hooks
and executes terraform actions directly from the well known
GitHub PRs
• OpenSource, written in Go
• It provides additional locking mechanism on a level of PR
workflow

22. demo

23. batteries included

24. batteries included

25. batteries included

26. statistics

27. impact

28. infrastructure treated as code
impact

29. infrastructure state history
impact

30. shift to a higher abstraction layer
impact

31. self-service (NoOps-compatible)
impact

32. increased infrastructure awareness
impact

33. no need to have AWS admin privileges
impact

34. what’s next

35. Continuous Integration
Configuration management
Terraform state drift detection
100% infrastructure coverage
100% adoption
what’s next

36. Thank you!