Martin Schütte, profile picture
Uploaded byMartin Schütte
8,554 views

Terraform -- Infrastructure as Code

This document discusses Terraform, an open-source infrastructure as code tool. It begins by explaining how infrastructure can be defined and managed as code through services that have APIs. It then provides an overview of Terraform, including its core concepts of providers, resources, and data sources. The document demonstrates Terraform's declarative configuration syntax and process of planning and applying changes. It also covers features like modules, state management, data sources, and developing custom plugins.

Technology
In this document
Powered by AI

Introduction to Terraform and the concept of Infrastructure as Code, discussing how services interact through APIs and emphasizing a source-code based approach for infrastructure.

Analysis of core ideas and concepts in Terraform, including resource management, lifecycle states, and the importance of declarative configuration.

Key design considerations in Terraform such as order of resources, execution plans, and state management.

List of available service providers and resources supported by Terraform, showcasing its extensibility across various platforms.

Introduction to HCL, comparing its syntax to JSON, and highlighting its features like variables and data interpolation.

Overview of the Terraform execution process with examples including initialization, validation, planning, applying changes and outputs.

Features of Terraform, focusing on the importance of modules for code reusability and structure.

Discussion on Terraform's state management, including local and remote state functionalities as well as workspace usage.

Explanation of how to use data sources and external data in Terraform methods to enhance resource management.

Guidelines for developing custom Terraform plugins, emphasizing knowledge in Golang and the future of plugin support.

Common challenges users may face when using Terraform, including testing difficulties and provider support variations.

Introduction to recent updates in Terraform (versions 0.7-0.10) including state import and data sources.

Comparison of Terraform with other configuration management and vendor tools like Azure Resource Manager and AWS CloudFormation.

Best practices for using Terraform securely, including credential management, workflow strategies, and the use of version control.

Closing remarks with links and resources for further learning about Terraform, and an invitation for questions.

Embed presentation

Downloaded 291 times
Terraform: Infrastructure as Code Martin Schütte 20 August 2017
Concepts
by Rodzilla at Wikimedia Commons (CC-BY-SA-3.0) From Servers … Martin Schütte | Terraform | FrOSCon’17 2/39
…to Services Martin Schütte | Terraform | FrOSCon’17 3/39
Services have APIs • Starting servers is just a command line or function call • Add to build process (phoenix/immutable servers) • Replace “click paths” with source code in VCS • Fewer “black box” setup steps, better team handovers ⇒ Infrastructure as Code Martin Schütte | Terraform | FrOSCon’17 4/39
Services also need Configuration Management • Lifecycle awareness, not just a setup.sh • Multiple stages/environments • Specification, documentation, policy enforcement ⇒ Tool support Martin Schütte | Terraform | FrOSCon’17 5/39
TERRAFORM Build,  Combine,  and  Launch  Infrastructure
Example: Simple Webservice (part 1) ### AWS Setup provider ”aws” { profile = ”${var.aws_profile}” region = ”${var.aws_region}” } # Queue resource ”aws_sqs_queue” ”importqueue” { name = ”${var.app_name}-${var.aws_region}-importqueue” } # Storage resource ”aws_s3_bucket” ”importdisk” { bucket = ”${var.app_name}-${var.aws_region}-importdisk” acl = ”private” } Martin Schütte | Terraform | FrOSCon’17 7/39
Example: Simple Webservice (part 2) ### Heroku Setup provider ”heroku” { ... } # Importer resource ”heroku_app” ”importer” { name = ”${var.app_name}-${var.aws_region}-import” region = ”eu” config_vars { SQS_QUEUE_URL = ”${aws_sqs_queue.importqueue.id}” S3_BUCKET = ”${aws_s3_bucket.importdisk.id}” } } resource ”heroku_addon” ”mongolab” { app = ”${heroku_app.importer.name}” plan = ”mongolab:sandbox” } Martin Schütte | Terraform | FrOSCon’17 8/39
Core Ideas in Terraform • Simple model of resource entities with attributes • Stateful lifecycle with CRUD operations • Declarative configuration • Dependencies by inference • Parallel execution Martin Schütte | Terraform | FrOSCon’17 9/39
Core Concepts in Terraform • Provider: a source of resources (usually with an API endpoint & authentication) • Resource: every thing “that has a set of configurable attributes and a lifecycle (create, read, update, delete)” – implies ID and state • Data Source: information read from provider (e. g. lookup own account ID or AMI-ID) • Provisioner: initialize a resource with local or remote scripts Martin Schütte | Terraform | FrOSCon’17 10/39
Design Choices in Terraform • Order: directed acyclic graph of all resources • Plan: generate an execution plan for review before applying a configuration • State: execution result is kept in state file (local or remote) • Lightweight: little provider knowledge, no error handling Martin Schütte | Terraform | FrOSCon’17 11/39
Available services Providers: • AWS • Azure • Google Cloud • Alicloud • Heroku • DNSMadeEasy • OpenStack • Docker • … Resources: • aws_instance • aws_vpc • aws_iam_user • azurerm_subnet • azurerm_dns_zone • azure_instance • aws_iam_user • heroku_app • postgresql_schema • … Provisioners: • chef • file • local-exec • remote-exec Martin Schütte | Terraform | FrOSCon’17 12/39
DSL Syntax • Hashicorp Configuration Language (HCL), think “JSON-like but human-friendly” • Variables • Interpolation, e. g. ”number ${count.index + 1}” • Attribute access with resource_type.resource_name • Few build-in functions, e. g. base64encode(string), format(format, args…) Martin Schütte | Terraform | FrOSCon’17 13/39
HCL vs. JSON # An AMI variable ”ami” { description = ”custom AMI” } /* A multi line comment. */ resource ”aws_instance” ”web” { ami = ”${var.ami}” count = 2 source_dest_check = false connection { user = ”root” } } { ”variable”: { ”ami”: { ”description”: ”custom AMI” } }, ”resource”: { ”aws_instance”: { ”web”: { ”ami”: ”${var.ami}”, ”count”: 2, ”source_dest_check”: false, ”connection”: { ”user”: ”root” } } } } }Martin Schütte | Terraform | FrOSCon’17 14/39
terraform graph | dot -Tpdf aws_s3_bucket.importdisk provider.aws aws_sqs_queue.importqueue heroku_addon.mongolab heroku_app.importer provider.heroku Martin Schütte | Terraform | FrOSCon’17 15/39
Terraform Process *.tf override.tfModules “source” terraform.tfvars plan state get plan apply destroy Martin Schütte | Terraform | FrOSCon’17 16/39
Example: Add Provisioning # Importer resource ”heroku_app” ”importer” { name = ”${var.app_name}-${var.aws_region}-import” region = ”eu” config_vars { ... } provisioner ”local-exec” { command = <<EOT cd ~/projects/go-testserver && git remote add heroku ${heroku_app.importer.git_url} && git push heroku master EOT } } Martin Schütte | Terraform | FrOSCon’17 17/39
Example: Add Outputs # Storage resource ”aws_s3_bucket” ”importdisk” { ... } # Importer resource ”heroku_app” ”importer” { ... } # Outputs output ”importer_bucket_arn” { value = ”${aws_s3_bucket.importdisk.arn}” } output ”importer_url” { value = ”${heroku_app.importer.web_url}” } output ”importer_gitrepo” { value = ”${heroku_app.importer.git_url}” } Martin Schütte | Terraform | FrOSCon’17 18/39
Example: Add Lifecycle Meta-Parameter # Storage resource ”aws_s3_bucket” ”importdisk” { bucket = ”${var.app_name}-${var.aws_region}-importdisk” acl = ”private” lifecycle { prevent_destroy = true } } Martin Schütte | Terraform | FrOSCon’17 19/39
Demo $ terraform init $ terraform validate $ terraform plan -out=my.plan $ terraform show my.plan $ terraform apply my.plan $ terraform output $ terraform output -json $ terraform output importer_url $ curl -s $(terraform output importer_url) $ terraform graph | dot -Tpdf > graph.pdf && evince graph.pdf $ terraform plan -destroy $ terraform destroy Martin Schütte | Terraform | FrOSCon’17 20/39
Features
Modules “Plain terraform code” lacks structure and reusability Modules • are subdirectories with self-contained terraform code • may be sourced from Git, Mercurial, HTTPS locations • use variables and outputs to pass data Martin Schütte | Terraform | FrOSCon’17 21/39
Example Module module ”database” { source = ”github.com/terraform-community-modules/tf_aws_rds” # DB Instance Inputs rds_instance_identifier = ”${terraform.workspace}-${var.app}-db” rds_allocated_storage = ”${var.database_size}” database_name = ”${var.database_name}” database_user = ”${var.database_user}” database_password = ”${var.database_password}” # DB Subnet Inputs subnets = [”${aws_subnet.dbnet.*.id}”] rds_vpc_id = ”${data.aws_vpc.app.id}” tags { Name = ”${terraform.workspace} - ${var.app} - DB” } } Martin Schütte | Terraform | FrOSCon’17 22/39
terraform.tfstate • Terraform keeps known state of resources • Defaults to local state in terraform.tfstate • Optional remote state with different backends (S3, Azure Storage, Consul, Atlas, …) • Useful to sync multiple team members • May need additional mutex mechanism (v0.9 added state locking for Local, S3, and Consul) • Remote state is a data source Martin Schütte | Terraform | FrOSCon’17 23/39
Example: Using State Import $ terraform import azurerm_storage_account.my_storage_account /subscriptions/e9b2ec19-ab6e-4547-a3ec-5a58e234ce5e/resourceGroups/ demo-res-group/providers/Microsoft.Storage/storageAccounts/demostorage20170418 azurerm_storage_account.my_storage_account: Importing from ID ... azurerm_storage_account.my_storage_account: Import complete! Imported azurerm_storage_account (ID: ...) azurerm_storage_account.my_storage_account: Refreshing state... (ID: ...) Import success! The resources imported are shown above. These are now in your Terraform state. Import does not currently generate configuration, so you must do this next. If you do not create configuration for the above resources, then the next ‘terraform plan‘ will mark them for destruction. $ terraform state list azurerm_storage_account.my_storage_account $ terraform state show azurerm_storage_account.my_storage_account id = /subscriptions/e9b2ec19... account_kind = Storage account_type = Standard_LRS location = westeurope name = demostorage20170418 ... Martin Schütte | Terraform | FrOSCon’17 24/39
Example: Use Remote State (with Workspaces) terraform { required_version = ”>= 0.9.8” environment = ”${terraform.workspace}” backend ”s3” { bucket = ”ms-terraform-state” key = ”infra/ms-tf-demo/state” region = ”eu-central-1” } } $ terraform workspace new prod $ terraform workspace new dev $ aws s3 ls --recursive ”s3://ms-terraform-state/” ... 282 workspace:/dev/infra/ms-tf-demo/state ... 282 workspace:/prod/infra/ms-tf-demo/state Martin Schütte | Terraform | FrOSCon’17 25/39
Example: Use Remote State to Chain Projects data ”terraform_remote_state” ”infra” { backend = ”s3” config { bucket = ”ms-terraform-state” key = ”workspace:/${terraform.workspace}/infra/ ⌋ ms-tf-demo/state”→ region = ”eu-central-1” } } resource ”aws_instance” ”foo” { # use state from vpc_project subnet_id = ”${data.terraform_remote_state.infra.app_subnet_id}”→ instance_type = ”t2.micro” ami = ”ami-b968bad6” } Martin Schütte | Terraform | FrOSCon’17 26/39
Example: Using Data Source to Lookup Data # searches for most recent tagged AMI in own account data ”aws_ami” ”webami” { most_recent = true owners = [”self”] filter { name = ”tag:my_key” values = [”my_value”] } } # use AMI resource ”aws_instance” ”web” { instance_type = ”t2.micro” ami = ”${data.aws_ami.webami.id}” } Martin Schütte | Terraform | FrOSCon’17 27/39
Example: “External” Data Source data ”external” ”dyndns” { program = [”bash”, ”${path.module}/variomedia_dyndns.sh”] query = { hostname = ”aws-demo.martin-schuette.de” ipaddress = ”${aws_eip.foo.public_ip}” } } Martin Schütte | Terraform | FrOSCon’17 28/39
How to Write Own Plugins Now: • Learn you some Golang • Use the schema helper lib • Adapt to model of Provider (setup steps, authentication) and Resources (arguments/attributes and CRUD methods) • Start reading of simple plugins like builtin/providers/mysql  Future: • interface, support for Python, Ruby, C#, Java, … Martin Schütte | Terraform | FrOSCon’17 29/39
Usage
General Problemes for all Tools • Testing is inherently difficult • Provider coverage largely depends on community • Resource model mismatches, e. g. with Heroku apps • Ignorant of API rate limits, account ressource limits, etc. Martin Schütte | Terraform | FrOSCon’17 30/39
Issues Under active development, current version 0.10.2 (August 16) • Modules are very simple • Lacking syntactic sugar (e. g. aggregations, common repetitions) • Big improvements in state management • Large variation in provider support, new project boundaries Martin Schütte | Terraform | FrOSCon’17 31/39
New Features Recent Features in 0.7–0.10 • State Import • Data Sources • Workspaces (previously: State Environments) • Separate sub-projects for providers terraform-providers  • Support for gRPC-based plugins, i. e. providers in other languages Martin Schütte | Terraform | FrOSCon’17 32/39
Comparable Tools Configuration Management Tools: • SaltStack Salt Cloud • Ansible modules • Puppet modules Vendor Tools: • Azure Resource Manager Templates • AWS CloudFormation • OpenStack Heat Martin Schütte | Terraform | FrOSCon’17 33/39
Workflow • Avoid user credentials in Terraform code, use e. g. profiles and assume-role wrapper scripts • At least use separate user credentials, know how to revoke them • To hold credentials in VCS use PGP encryption, e. g. with Blackbox Martin Schütte | Terraform | FrOSCon’17 34/39
Workflow (contd.) • Use a VCS, i. e. git • Namespaces! – Always add some ”${var.shortname}-${var.env}” • per project • per region • per account • per provider • Use remote state and consider access locking, e. g. with a single build server • Take a look at Hashicorp Atlas and its workflow Martin Schütte | Terraform | FrOSCon’17 35/39
Hashicorp Toolset Martin Schütte | Terraform | FrOSCon’17 36/39
Links and Resources • Terraform.io and hashicorp/terraform  • terraform-providers  • terraform-community-modules  • newcontext/kitchen-terraform  • Terraforming – Export existing AWS resources • Terraform: Beyond the Basics with AWS • A Comprehensive Guide to Terraform • Terraform, VPC, and why you want a tfstate file per env Martin Schütte | Terraform | FrOSCon’17 37/39
Books Hopefully, deployments will become routine and boring–and in the world of operations, boring is a very good thing. — Terraform: Up & Running by Yevgeniy Brikman Defining system infrastructure as code and building it with tools doesn’t make the quality any better. At worst, it can complicate things. — Infrastructure as Code by Kief Morris Martin Schütte | Terraform | FrOSCon’17 38/39
The End Thank You! — Questions? Workshop Terraform und AWS at 14:00 h in C 120 Martin Schütte @m_schuett info@martin-schuette.de slideshare.net/mschuett/  tinyurl.com/froscon17-tf Martin Schütte | Terraform | FrOSCon’17 39/39

More Related Content

PDF
Best Practices of Infrastructure as Code with Terraform
byDevOps.com
 
PDF
Terraform: An Overview & Introduction
byLee Trout
 
PPTX
Comprehensive Terraform Training
byYevgeniy Brikman
 
PPTX
Terraform modules restructured
byAmi Mahloof
 
PPTX
Terraform
byAdam Vincze
 
PDF
Terraform introduction
byJason Vance
 
PDF
Terraform
byMarcelo Serpa
 
PDF
Terraform
byChristophe Marchal
 
Best Practices of Infrastructure as Code with Terraform
byDevOps.com
 
Terraform: An Overview & Introduction
byLee Trout
 
Comprehensive Terraform Training
byYevgeniy Brikman
 
Terraform modules restructured
byAmi Mahloof
 
Terraform
byAdam Vincze
 
Terraform introduction
byJason Vance
 
Terraform
byMarcelo Serpa
 
Terraform
byChristophe Marchal
 

What's hot

PPTX
Terraform
byPhil Wilkins
 
PPTX
Infrastructure-as-Code (IaC) Using Terraform (Advanced Edition)
byAdin Ermie
 
PPTX
Infrastructure-as-Code (IaC) using Terraform
byAdin Ermie
 
PPTX
Terraform training 🎒 - Basic
byStephaneBoghossian1
 
PDF
Intro to Terraform
byJosh Michielsen
 
PPTX
Terraform Basics
byMohammed Fazuluddin
 
PPTX
Introduction To Terraform
bySasitha Iresh
 
PPTX
Terraform
byPathum Fernando ☁
 
PPTX
Terraform
byHarish Kumar
 
PDF
Introduce to Terraform
bySamsung Electronics
 
PDF
Terraform: Infrastructure as Code
byPradeep Bhadani
 
PPTX
Terraform
byAn Nguyen
 
PPTX
Infrastructure-as-Code (IaC) Using Terraform (Intermediate Edition)
byAdin Ermie
 
PPTX
Deploying Azure DevOps using Terraform
byAdin Ermie
 
PDF
Terraform
byOtto Jongerius
 
PPTX
Terraform on Azure
byMithun Shanbhag
 
PDF
Advanced Terraform
bySamsung Electronics
 
PPTX
Terraform on Azure
byJulien Corioland
 
PDF
Kubernetes
byerialc_w
 
PPTX
Introduction to helm
byJeeva Chelladhurai
 
Terraform
byPhil Wilkins
 
Infrastructure-as-Code (IaC) Using Terraform (Advanced Edition)
byAdin Ermie
 
Infrastructure-as-Code (IaC) using Terraform
byAdin Ermie
 
Terraform training 🎒 - Basic
byStephaneBoghossian1
 
Intro to Terraform
byJosh Michielsen
 
Terraform Basics
byMohammed Fazuluddin
 
Introduction To Terraform
bySasitha Iresh
 
Terraform
byPathum Fernando ☁
 
Terraform
byHarish Kumar
 
Introduce to Terraform
bySamsung Electronics
 
Terraform: Infrastructure as Code
byPradeep Bhadani
 
Terraform
byAn Nguyen
 
Infrastructure-as-Code (IaC) Using Terraform (Intermediate Edition)
byAdin Ermie
 
Deploying Azure DevOps using Terraform
byAdin Ermie
 
Terraform
byOtto Jongerius
 
Terraform on Azure
byMithun Shanbhag
 
Advanced Terraform
bySamsung Electronics
 
Terraform on Azure
byJulien Corioland
 
Kubernetes
byerialc_w
 
Introduction to helm
byJeeva Chelladhurai
 

Similar to Terraform -- Infrastructure as Code

PDF
A Hands-on Introduction on Terraform Best Concepts and Best Practices
byNebulaworks
 
PPTX
"Continuously delivering infrastructure using Terraform and Packer" training ...
byAnton Babenko
 
PPTX
Infrastructure as Code with Terraform.pptx
bySamuel862293
 
PDF
Infrastructure as Code with Terraform
byPedro J. Molina
 
PDF
Terraform – Infrastructure as Code (Kielux'18)
byMartin Schütte
 
PPTX
terraform cours intéressant et super fort
byamar719595
 
PDF
Terraform at Scale - All Day DevOps 2017
byJonathon Brouse
 
PDF
Terraform: Configuration Management for Cloud Services
byMartin Schütte
 
PDF
Terraform-2.pdf
byrutiksankapal21
 
PDF
Hashicorp-Terraform-Deep-Dive-with-no-Fear-Victor-Turbinsky-Texuna.pdf
byssuser705051
 
PDF
Terraform: Cloud Configuration Management (WTC/IPC'16)
byMartin Schütte
 
PDF
OSDC 2016 - Configuration Management for Cloud Services by Martin Schütte
byNETWAYS
 
PPTX
Terraform in production - experiences, best practices and deep dive- Piotr Ki...
byPROIDEA
 
PPTX
Aprovisionamiento multi-proveedor con Terraform - Plain Concepts DevOps day
byPlain Concepts
 
PDF
OSDC 2018 | Lifecycle of a resource. Codifying infrastructure with Terraform ...
byNETWAYS
 
PDF
Infrastructure as Code with Terraform
byTim Berry
 
PPTX
Infrastructure as code with terraform and packer
byAlex Landa
 
PDF
The hitchhiker's guide to terraform your infrastructure
byFernanda Martins
 
PDF
Workshop Infrastructure as Code - Suestra
byMario IC
 
PDF
DevOps Braga #9: Introdução ao Terraform
byDevOps Braga
 
A Hands-on Introduction on Terraform Best Concepts and Best Practices
byNebulaworks
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
byAnton Babenko
 
Infrastructure as Code with Terraform.pptx
bySamuel862293
 
Infrastructure as Code with Terraform
byPedro J. Molina
 
Terraform – Infrastructure as Code (Kielux'18)
byMartin Schütte
 
terraform cours intéressant et super fort
byamar719595
 
Terraform at Scale - All Day DevOps 2017
byJonathon Brouse
 
Terraform: Configuration Management for Cloud Services
byMartin Schütte
 
Terraform-2.pdf
byrutiksankapal21
 
Hashicorp-Terraform-Deep-Dive-with-no-Fear-Victor-Turbinsky-Texuna.pdf
byssuser705051
 
Terraform: Cloud Configuration Management (WTC/IPC'16)
byMartin Schütte
 
OSDC 2016 - Configuration Management for Cloud Services by Martin Schütte
byNETWAYS
 
Terraform in production - experiences, best practices and deep dive- Piotr Ki...
byPROIDEA
 
Aprovisionamiento multi-proveedor con Terraform - Plain Concepts DevOps day
byPlain Concepts
 
OSDC 2018 | Lifecycle of a resource. Codifying infrastructure with Terraform ...
byNETWAYS
 
Infrastructure as Code with Terraform
byTim Berry
 
Infrastructure as code with terraform and packer
byAlex Landa
 
The hitchhiker's guide to terraform your infrastructure
byFernanda Martins
 
Workshop Infrastructure as Code - Suestra
byMario IC
 
DevOps Braga #9: Introdução ao Terraform
byDevOps Braga
 

More from Martin Schütte

PDF
Syslog Protocols
byMartin Schütte
 
PDF
Writing Ansible Modules (CLT'19)
byMartin Schütte
 
PDF
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
byMartin Schütte
 
PDF
PGP/GPG Einführung
byMartin Schütte
 
PDF
Writing Ansible Modules (DENOG11)
byMartin Schütte
 
PDF
Short Introduction to IPv6
byMartin Schütte
 
PDF
The IPv6 Snort Plugin (at DeepSec 2014)
byMartin Schütte
 
PDF
Software Testing on the Web
byMartin Schütte
 
PDF
NetBSD syslogd with IETF Syslog Protocols
byMartin Schütte
 
PDF
Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection...
byMartin Schütte
 
Syslog Protocols
byMartin Schütte
 
Writing Ansible Modules (CLT'19)
byMartin Schütte
 
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
byMartin Schütte
 
PGP/GPG Einführung
byMartin Schütte
 
Writing Ansible Modules (DENOG11)
byMartin Schütte
 
Short Introduction to IPv6
byMartin Schütte
 
The IPv6 Snort Plugin (at DeepSec 2014)
byMartin Schütte
 
Software Testing on the Web
byMartin Schütte
 
NetBSD syslogd with IETF Syslog Protocols
byMartin Schütte
 
Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection...
byMartin Schütte
 

Recently uploaded

PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
December Patch Tuesday
byIvanti
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
AI Technology important knowledge ......
byutkarshj2007
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

Terraform -- Infrastructure as Code

  • 1.
  • 2.
  • 3.
    by Rodzilla atWikimedia Commons (CC-BY-SA-3.0) From Servers … Martin Schütte | Terraform | FrOSCon’17 2/39
  • 4.
    …to Services Martin Schütte| Terraform | FrOSCon’17 3/39
  • 5.
    Services have APIs •Starting servers is just a command line or function call • Add to build process (phoenix/immutable servers) • Replace “click paths” with source code in VCS • Fewer “black box” setup steps, better team handovers ⇒ Infrastructure as Code Martin Schütte | Terraform | FrOSCon’17 4/39
  • 6.
    Services also needConfiguration Management • Lifecycle awareness, not just a setup.sh • Multiple stages/environments • Specification, documentation, policy enforcement ⇒ Tool support Martin Schütte | Terraform | FrOSCon’17 5/39
  • 7.
    TERRAFORM Build,  Combine,  and Launch  Infrastructure
  • 8.
    Example: Simple Webservice(part 1) ### AWS Setup provider ”aws” { profile = ”${var.aws_profile}” region = ”${var.aws_region}” } # Queue resource ”aws_sqs_queue” ”importqueue” { name = ”${var.app_name}-${var.aws_region}-importqueue” } # Storage resource ”aws_s3_bucket” ”importdisk” { bucket = ”${var.app_name}-${var.aws_region}-importdisk” acl = ”private” } Martin Schütte | Terraform | FrOSCon’17 7/39
  • 9.
    Example: Simple Webservice(part 2) ### Heroku Setup provider ”heroku” { ... } # Importer resource ”heroku_app” ”importer” { name = ”${var.app_name}-${var.aws_region}-import” region = ”eu” config_vars { SQS_QUEUE_URL = ”${aws_sqs_queue.importqueue.id}” S3_BUCKET = ”${aws_s3_bucket.importdisk.id}” } } resource ”heroku_addon” ”mongolab” { app = ”${heroku_app.importer.name}” plan = ”mongolab:sandbox” } Martin Schütte | Terraform | FrOSCon’17 8/39
  • 10.
    Core Ideas inTerraform • Simple model of resource entities with attributes • Stateful lifecycle with CRUD operations • Declarative configuration • Dependencies by inference • Parallel execution Martin Schütte | Terraform | FrOSCon’17 9/39
  • 11.
    Core Concepts inTerraform • Provider: a source of resources (usually with an API endpoint & authentication) • Resource: every thing “that has a set of configurable attributes and a lifecycle (create, read, update, delete)” – implies ID and state • Data Source: information read from provider (e. g. lookup own account ID or AMI-ID) • Provisioner: initialize a resource with local or remote scripts Martin Schütte | Terraform | FrOSCon’17 10/39
  • 12.
    Design Choices inTerraform • Order: directed acyclic graph of all resources • Plan: generate an execution plan for review before applying a configuration • State: execution result is kept in state file (local or remote) • Lightweight: little provider knowledge, no error handling Martin Schütte | Terraform | FrOSCon’17 11/39
  • 13.
    Available services Providers: • AWS •Azure • Google Cloud • Alicloud • Heroku • DNSMadeEasy • OpenStack • Docker • … Resources: • aws_instance • aws_vpc • aws_iam_user • azurerm_subnet • azurerm_dns_zone • azure_instance • aws_iam_user • heroku_app • postgresql_schema • … Provisioners: • chef • file • local-exec • remote-exec Martin Schütte | Terraform | FrOSCon’17 12/39
  • 14.
    DSL Syntax • HashicorpConfiguration Language (HCL), think “JSON-like but human-friendly” • Variables • Interpolation, e. g. ”number ${count.index + 1}” • Attribute access with resource_type.resource_name • Few build-in functions, e. g. base64encode(string), format(format, args…) Martin Schütte | Terraform | FrOSCon’17 13/39
  • 15.
    HCL vs. JSON #An AMI variable ”ami” { description = ”custom AMI” } /* A multi line comment. */ resource ”aws_instance” ”web” { ami = ”${var.ami}” count = 2 source_dest_check = false connection { user = ”root” } } { ”variable”: { ”ami”: { ”description”: ”custom AMI” } }, ”resource”: { ”aws_instance”: { ”web”: { ”ami”: ”${var.ami}”, ”count”: 2, ”source_dest_check”: false, ”connection”: { ”user”: ”root” } } } } }Martin Schütte | Terraform | FrOSCon’17 14/39
  • 16.
    terraform graph |dot -Tpdf aws_s3_bucket.importdisk provider.aws aws_sqs_queue.importqueue heroku_addon.mongolab heroku_app.importer provider.heroku Martin Schütte | Terraform | FrOSCon’17 15/39
  • 17.
    Terraform Process *.tf override.tfModules “source”terraform.tfvars plan state get plan apply destroy Martin Schütte | Terraform | FrOSCon’17 16/39
  • 18.
    Example: Add Provisioning #Importer resource ”heroku_app” ”importer” { name = ”${var.app_name}-${var.aws_region}-import” region = ”eu” config_vars { ... } provisioner ”local-exec” { command = <<EOT cd ~/projects/go-testserver && git remote add heroku ${heroku_app.importer.git_url} && git push heroku master EOT } } Martin Schütte | Terraform | FrOSCon’17 17/39
  • 19.
    Example: Add Outputs #Storage resource ”aws_s3_bucket” ”importdisk” { ... } # Importer resource ”heroku_app” ”importer” { ... } # Outputs output ”importer_bucket_arn” { value = ”${aws_s3_bucket.importdisk.arn}” } output ”importer_url” { value = ”${heroku_app.importer.web_url}” } output ”importer_gitrepo” { value = ”${heroku_app.importer.git_url}” } Martin Schütte | Terraform | FrOSCon’17 18/39
  • 20.
    Example: Add LifecycleMeta-Parameter # Storage resource ”aws_s3_bucket” ”importdisk” { bucket = ”${var.app_name}-${var.aws_region}-importdisk” acl = ”private” lifecycle { prevent_destroy = true } } Martin Schütte | Terraform | FrOSCon’17 19/39
  • 21.
    Demo $ terraform init $terraform validate $ terraform plan -out=my.plan $ terraform show my.plan $ terraform apply my.plan $ terraform output $ terraform output -json $ terraform output importer_url $ curl -s $(terraform output importer_url) $ terraform graph | dot -Tpdf > graph.pdf && evince graph.pdf $ terraform plan -destroy $ terraform destroy Martin Schütte | Terraform | FrOSCon’17 20/39
  • 22.
  • 23.
    Modules “Plain terraform code”lacks structure and reusability Modules • are subdirectories with self-contained terraform code • may be sourced from Git, Mercurial, HTTPS locations • use variables and outputs to pass data Martin Schütte | Terraform | FrOSCon’17 21/39
  • 24.
    Example Module module ”database”{ source = ”github.com/terraform-community-modules/tf_aws_rds” # DB Instance Inputs rds_instance_identifier = ”${terraform.workspace}-${var.app}-db” rds_allocated_storage = ”${var.database_size}” database_name = ”${var.database_name}” database_user = ”${var.database_user}” database_password = ”${var.database_password}” # DB Subnet Inputs subnets = [”${aws_subnet.dbnet.*.id}”] rds_vpc_id = ”${data.aws_vpc.app.id}” tags { Name = ”${terraform.workspace} - ${var.app} - DB” } } Martin Schütte | Terraform | FrOSCon’17 22/39
  • 25.
    terraform.tfstate • Terraform keepsknown state of resources • Defaults to local state in terraform.tfstate • Optional remote state with different backends (S3, Azure Storage, Consul, Atlas, …) • Useful to sync multiple team members • May need additional mutex mechanism (v0.9 added state locking for Local, S3, and Consul) • Remote state is a data source Martin Schütte | Terraform | FrOSCon’17 23/39
  • 26.
    Example: Using StateImport $ terraform import azurerm_storage_account.my_storage_account /subscriptions/e9b2ec19-ab6e-4547-a3ec-5a58e234ce5e/resourceGroups/ demo-res-group/providers/Microsoft.Storage/storageAccounts/demostorage20170418 azurerm_storage_account.my_storage_account: Importing from ID ... azurerm_storage_account.my_storage_account: Import complete! Imported azurerm_storage_account (ID: ...) azurerm_storage_account.my_storage_account: Refreshing state... (ID: ...) Import success! The resources imported are shown above. These are now in your Terraform state. Import does not currently generate configuration, so you must do this next. If you do not create configuration for the above resources, then the next ‘terraform plan‘ will mark them for destruction. $ terraform state list azurerm_storage_account.my_storage_account $ terraform state show azurerm_storage_account.my_storage_account id = /subscriptions/e9b2ec19... account_kind = Storage account_type = Standard_LRS location = westeurope name = demostorage20170418 ... Martin Schütte | Terraform | FrOSCon’17 24/39
  • 27.
    Example: Use RemoteState (with Workspaces) terraform { required_version = ”>= 0.9.8” environment = ”${terraform.workspace}” backend ”s3” { bucket = ”ms-terraform-state” key = ”infra/ms-tf-demo/state” region = ”eu-central-1” } } $ terraform workspace new prod $ terraform workspace new dev $ aws s3 ls --recursive ”s3://ms-terraform-state/” ... 282 workspace:/dev/infra/ms-tf-demo/state ... 282 workspace:/prod/infra/ms-tf-demo/state Martin Schütte | Terraform | FrOSCon’17 25/39
  • 28.
    Example: Use RemoteState to Chain Projects data ”terraform_remote_state” ”infra” { backend = ”s3” config { bucket = ”ms-terraform-state” key = ”workspace:/${terraform.workspace}/infra/ ⌋ ms-tf-demo/state”→ region = ”eu-central-1” } } resource ”aws_instance” ”foo” { # use state from vpc_project subnet_id = ”${data.terraform_remote_state.infra.app_subnet_id}”→ instance_type = ”t2.micro” ami = ”ami-b968bad6” } Martin Schütte | Terraform | FrOSCon’17 26/39
  • 29.
    Example: Using DataSource to Lookup Data # searches for most recent tagged AMI in own account data ”aws_ami” ”webami” { most_recent = true owners = [”self”] filter { name = ”tag:my_key” values = [”my_value”] } } # use AMI resource ”aws_instance” ”web” { instance_type = ”t2.micro” ami = ”${data.aws_ami.webami.id}” } Martin Schütte | Terraform | FrOSCon’17 27/39
  • 30.
    Example: “External” DataSource data ”external” ”dyndns” { program = [”bash”, ”${path.module}/variomedia_dyndns.sh”] query = { hostname = ”aws-demo.martin-schuette.de” ipaddress = ”${aws_eip.foo.public_ip}” } } Martin Schütte | Terraform | FrOSCon’17 28/39
  • 31.
    How to WriteOwn Plugins Now: • Learn you some Golang • Use the schema helper lib • Adapt to model of Provider (setup steps, authentication) and Resources (arguments/attributes and CRUD methods) • Start reading of simple plugins like builtin/providers/mysql  Future: • interface, support for Python, Ruby, C#, Java, … Martin Schütte | Terraform | FrOSCon’17 29/39
  • 32.
  • 33.
    General Problemes forall Tools • Testing is inherently difficult • Provider coverage largely depends on community • Resource model mismatches, e. g. with Heroku apps • Ignorant of API rate limits, account ressource limits, etc. Martin Schütte | Terraform | FrOSCon’17 30/39
  • 34.
    Issues Under active development, currentversion 0.10.2 (August 16) • Modules are very simple • Lacking syntactic sugar (e. g. aggregations, common repetitions) • Big improvements in state management • Large variation in provider support, new project boundaries Martin Schütte | Terraform | FrOSCon’17 31/39
  • 35.
    New Features Recent Featuresin 0.7–0.10 • State Import • Data Sources • Workspaces (previously: State Environments) • Separate sub-projects for providers terraform-providers  • Support for gRPC-based plugins, i. e. providers in other languages Martin Schütte | Terraform | FrOSCon’17 32/39
  • 36.
    Comparable Tools Configuration ManagementTools: • SaltStack Salt Cloud • Ansible modules • Puppet modules Vendor Tools: • Azure Resource Manager Templates • AWS CloudFormation • OpenStack Heat Martin Schütte | Terraform | FrOSCon’17 33/39
  • 37.
    Workflow • Avoid usercredentials in Terraform code, use e. g. profiles and assume-role wrapper scripts • At least use separate user credentials, know how to revoke them • To hold credentials in VCS use PGP encryption, e. g. with Blackbox Martin Schütte | Terraform | FrOSCon’17 34/39
  • 38.
    Workflow (contd.) • Usea VCS, i. e. git • Namespaces! – Always add some ”${var.shortname}-${var.env}” • per project • per region • per account • per provider • Use remote state and consider access locking, e. g. with a single build server • Take a look at Hashicorp Atlas and its workflow Martin Schütte | Terraform | FrOSCon’17 35/39
  • 39.
    Hashicorp Toolset Martin Schütte| Terraform | FrOSCon’17 36/39
  • 40.
    Links and Resources •Terraform.io and hashicorp/terraform  • terraform-providers  • terraform-community-modules  • newcontext/kitchen-terraform  • Terraforming – Export existing AWS resources • Terraform: Beyond the Basics with AWS • A Comprehensive Guide to Terraform • Terraform, VPC, and why you want a tfstate file per env Martin Schütte | Terraform | FrOSCon’17 37/39
  • 41.
    Books Hopefully, deployments willbecome routine and boring–and in the world of operations, boring is a very good thing. — Terraform: Up & Running by Yevgeniy Brikman Defining system infrastructure as code and building it with tools doesn’t make the quality any better. At worst, it can complicate things. — Infrastructure as Code by Kief Morris Martin Schütte | Terraform | FrOSCon’17 38/39
  • 42.
    The End Thank You!— Questions? Workshop Terraform und AWS at 14:00 h in C 120 Martin Schütte @m_schuett info@martin-schuette.de slideshare.net/mschuett/  tinyurl.com/froscon17-tf Martin Schütte | Terraform | FrOSCon’17 39/39