SlideShare a Scribd company logo

Terraform - Taming Modern Clouds

Nic Jackson
Nic Jackson

Slides form Config Management Camp, looking at how you can take a collaborative GitFlow approach to Terraform using Remote State, Modules and Dynamically Generated Credentials using Vault

Software
1 of 57
Download to read offline
DEVOPS DELIVERED sheriffjackson TAMING MODERN CLOUD ENVIRONMENTS WITH TERRAFORM
 Nic Jackson Developer Advocate, HashiCorp sheriffjackson
 Adgenda • Why you have a problem • Quick Terraform intro • Collaborating with Terraform • Remote State • Modules • GitFlow • CI/CD • Managing provider secrets
 Why you have a problem! sheriffjackson
 Why you have a problem sheriffjackson
 Why you have a problem • Infrastructure as a service (e.g. AWS, Azure, GCP, DigitalOcean) • Platform as a service (e.g. Heroku) sheriffjackson
 Why you have a problem • Many organizations start with PaaS • Fast default to IaaS as organization grows • PaaS is amazing, but limitations do not scale with well with application complexity sheriffjackson
 What is Terraform? sheriffjackson
 What is Terraform? - Write • Define infrastructure as code to increase operator productiveity and transparency • Configuration can be stored in version control, shared, and collaborated on by teams • If it can be codified, it can be automated sheriffjackson
 What is Terraform? - Plan • Understand how a minor change could have cascading effects across infrastructure before executing the change • Plans show operators what would happen, applies execute changes • Single workflow across all infrastructure providers (AWS, GCP, Azure, OpenStack, VMware, and more) sheriffjackson
 What is Terraform? - Apply • Use the same configuration in multiple places to reduce mistakes and save time • Provision identical staging, QA, and production environments • Effortlessly combine high-level system providers • Dependency resolution means things happen in the right order sheriffjackson
provider "aws" {} data "aws_availability_zones" "available" {} resource "aws_vpc" "main" { cidr_block = "${var.cidr_block}" } terraform.tf Simple Terraform config
 Collaborating with Terraform sheriffjackson
 Collaborating with Terraform - 4 phases of collaboration • Manual • Semi-automated • Infrastructure as Code • Collaborative Infrastructure as Code sheriffjackson
Terraform  Remote State sheriffjackson
 Collaborating with Terraform - Remote state • Backends are responsible for storing state and providing an API for state locking. State locking is optional. • Backends determine where state is stored • 10 officially supported backends • Allows state to be stored remotely • Keeps sensitive information off disk sheriffjackson
 Remote state backends • artifactory - not locking • azurerm - locking • consul - locking • etcd - not locking • gcs - locking • http - optional locking • manta - locking • s3 - locking • swift - not locking • terraform enterprise - not locking
terraform { backend "s3" { bucket = "tfremotestatenic" key = "cfmngmnt" region = "eu-west-1" } } terraform.tf Terraform remote state
Terraform  Introduction to Modules sheriffjackson
 Introduction to Modules - What is a module? • A module is simply a blueprint for your application • A module is a high level abstraction • A module is your own PaaS • Modules can be shared in Github or the Terraform Module registry sheriffjackson
 Introduction to Modules - What is a module? • Modules abstract complexity • Module perform a single task and have a single purpose • Build once, use many sheriffjackson
 Introduction to Modules - Reference Architecture sheriffjackson
Terraform sheriffjackson
 Introduction to Modules - Versioning modules • Ability to use Git tags • Move immutable versions across environments sheriffjackson
provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git
provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir?ref=hotfix" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git with branch reference
 Introduction to Modules - Modules can contain modules • Modules can be composed of sub-modules • Sub-modules can be composed of sub-sub-modules • Sub-sub-modules can be composed of sub-sub-sub-modules • ... sheriffjackson
 Introduction to Modules - Multi-Cloud • It will never be possible to write a common abstraction at a resource level for an instance in different cloud providers • Modeling infrastructure on a high level such as K8s cluster with modules allows abstraction and hides implementation sheriffjackson
Terraform  Terraform GitFlow and CI sheriffjackson
 Collaborating with Terraform - Git Flow sheriffjackson master branch commit plan pull request validate merge plan apply version 1.0 version 1.1
 Collaborating with Terraform - GitHub sheriffjackson
 Collaborating with Terraform - Pull Requests sheriffjackson
 Collaborating with Terraform - Automated builds sheriffjackson
 Collaborating with Terraform - Build workflow sheriffjackson
 Collaborating with Terraform - Plan sheriffjackson
 Collaborating with Terraform - Apply sheriffjackson ONLY PRODUCTION BRANCH / ENFORCE TAGS
 Public Service Announcement! • DO NOT EXPOSE Vault / CI WITH PUBLIC GitHub • THIS IS A SIMPLIFIED EXAMPLE FOR DEMONSTRATION ONLY
 Collaborating with Terraform - Fork me sheriffjackson https://github.com/nicholasjackson/ terraform-cfgmgmtcamp 1) Fork the below repository 2) Create a new branch 3) Refactor into a module 4) Pull request
Terraform  Managing Credentials With Vault sheriffjackson
 Managing Credentials with Vault - Why? • Separating read / write credentials • TTL on credentials with automatic revoke • Fine grained control over access • Audit log • Reduce secret sprawl • Developers / operators DO NOT require explicit credentials sheriffjackson
 Managing Credentials with Vault - Process sheriffjackson login to vault create AWS credentials (with TTL) create IAM user (with policy) request AWS credentials terraform plan/apply/ destroy write to audit log revoke credentials (TTL expired) delete IAM user return credentials GitHub token validate login with GitHub vault token admin IAM policy IAM
 AWS Secrets Managing Credentials with Vault - hierarchy sheriffjackson role A (aws_read) role B (aws_write) policy A (aws_read) [read] policy C (aws_write) [read] policy B (aws_read) [read, create] GitHub Auth user B (ricksanchez) user A (nicholasjackson)
Terminal # enable the vault secrets engine for AWS $ vault secrets enable aws Success! Enabled the aws secrets engine at: aws/ # add IAM credentials which have the capability to manage IAM credentials $ vault write aws/config/root access_key=AKIAJWVN5Z4FOFT7NLNA secret_key=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 region=us-east-1 Configure AWS secret engine
Terminal # enable the vault secrets engine for AWS $ vault auth enable github # set the auth endpoint to a GitHub organization $ vault write auth/github/config organization=hashicorp Configure GitHub auth
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" }, ... terraform.tf Create a read-only AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_read.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" }, terraform.tf Create a write AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_write.json
Terminal # create the read only role $ vault write aws/roles/aws_readonly policy=@aws_read_policy.json Success! Data written to: aws/roles/aws_readonly # create the write role $ vault write aws/roles/aws_write policy=@aws_write_policy.json Success! Data written to: aws/roles/aws_write Configure roles
path "aws/creds/aws_readonly" { capabilities = ["read"] # "create", "read", "update", "delete", "list" } terraform.tf Create a read-only Vault policy
path "aws/creds/aws_write" { capabilities = ["read"] } terraform.tf Create a write Vault policy
Terminal # Add the read only policy to vault $ vault write sys/policy/aws_readonly policy=@aws_readonly.hcl Success! Data written to: sys/policy/aws_readonly # Add the write policy to vault $ vault write sys/policy/aws_write policy=@aws_write.hcl Success! Data written to: sys/policy/aws_write Add the policy to Vault
Terminal # Assign the policy to the GitHub user $ vault write auth/github/map/users/nicholasjackson value=aws_readonly,aws_write Success! Data written to: auth/github/map/users/nicholasjackson # Or assign the policy to a GitHub team $ vault write auth/github/map/teams/hasicorp value=aws_readonly,aws_write Success! Data written to: auth/github/map/teams/hashicorp Assign the policy to the GitHub user
Terminal # login to vault with GitHub token $ vault login -token-only -method=github token=${GITHUB_TOKEN} The token was not stored in token helper. Set the VAULT_TOKEN environment variable or pass the token below with each request to Vault. ebb39457-cdb8-41ae-c227-9e0245837873 # use vault token to obtain AWS credentials $ VAULT_TOKEN=ebb39457-cdb8-41ae-c227-9e0245837873 vault read aws/creds/ aws_readonly Key Value --- ----- lease_id aws/creds/aws_readonly/0bb798a3-c4fd-0609-6bcd- f34673156c8a lease_duration 15m lease_renewable true access_key AKIAJMWSOATIG3VQJCNA secret_key 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 security_token <nil> Login with GitHub obtain IAM credentials
provider "vault" { address = "http://pi01.local.demo.gs:8200" } module "vault" { source = "./vault" github_org = "hashicorp" aws_access_key_id = "xxxxxxxxxxxxxx" aws_access_key_secret = "xxxxxxxxxxxxxxxxxxxxxx" aws_region = "us-east-1" } We can also do this with a module https://github.com/nicholasjackson/terraform-cfgmgmtcamp/tree/master/vault
 Putting it all together sheriffjackson
THANKS FOR LISTENING • https://www.terraform.io • https://www.vaultproject.io • https://registry.terraform.io FURTHER INFO: @sheriffjackson, nic@hashicorp.com DEVOPS DELIVERED • https://github.com/nicholasjackson/terraform-cfgmgmtcamp EXAMPLE PROJECT:
AGENDA DEVOPS DELIVERED 14:55 - CoreOS baremetal provisioning with Terraform, Ignition and Matchbox ★ Rafael Porres Molina 15:35 - Break 15:55 - Introduction to provisioning basic infrastructure on Google Cloud Platform with Terraform ★ Stein Inge Morisbak 16:35 - Terraform for fun and profit ★ Bram Vogelaar & Julien Pivottto 17:15 - Terraboard ★ Raphael Pinson

Recommended

A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices
Nebulaworks
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp Vault
Grzegorz Adamowicz
 
Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017
Jonathon Brouse
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modules
Yevgeniy Brikman
 
Comprehensive Terraform Training
Comprehensive Terraform TrainingComprehensive Terraform Training
Comprehensive Terraform Training
Yevgeniy Brikman
 
Terraform in deployment pipeline
Terraform in deployment pipelineTerraform in deployment pipeline
Terraform in deployment pipeline
Anton Babenko
 
Infrastructure as Code with Terraform
Infrastructure as Code with TerraformInfrastructure as Code with Terraform
Infrastructure as Code with Terraform
Tim Berry
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECS
Yevgeniy Brikman
 

Recommended

A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices
Nebulaworks
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp Vault
Grzegorz Adamowicz
 
Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017
Jonathon Brouse
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modules
Yevgeniy Brikman
 
Comprehensive Terraform Training
Comprehensive Terraform TrainingComprehensive Terraform Training
Comprehensive Terraform Training
Yevgeniy Brikman
 
Terraform in deployment pipeline
Terraform in deployment pipelineTerraform in deployment pipeline
Terraform in deployment pipeline
Anton Babenko
 
Infrastructure as Code with Terraform
Infrastructure as Code with TerraformInfrastructure as Code with Terraform
Infrastructure as Code with Terraform
Tim Berry
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECS
Yevgeniy Brikman
 
Declarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformDeclarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with Terraform
Radek Simko
 
Terraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerTerraform Abstractions for Safety and Power
Terraform Abstractions for Safety and Power
Calvin French-Owen
 
Refactoring terraform
Refactoring terraformRefactoring terraform
Refactoring terraform
Nell Shamrell-Harrington
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Stephane Jourdan
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructured
Ami Mahloof
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
Yevgeniy Brikman
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ..."Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ...
Anton Babenko
 
Terraform at Scale
Terraform at ScaleTerraform at Scale
Terraform at Scale
Calvin French-Owen
 
Final terraform
Final terraformFinal terraform
Final terraform
Gourav Varma
 
Terraform Introduction
Terraform IntroductionTerraform Introduction
Terraform Introduction
soniasnowfrog
 
Introductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformIntroductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with Terraform
Michael Heyns
 
Scaling terraform
Scaling terraformScaling terraform
Scaling terraform
Paolo Tonin
 
Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...
Shih Oon Liong
 
Terraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentTerraform Modules and Continuous Deployment
Terraform Modules and Continuous Deployment
Zane Williamson
 
Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021
TomStraub5
 
Infrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformInfrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to Terraform
Alexander Popov
 
Intro to Terraform
Intro to TerraformIntro to Terraform
Intro to Terraform
Josh Michielsen
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introduction
Jason Vance
 
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackScaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Bobby DeVeaux, DevOps Consultant
 
Terraform day02
Terraform day02Terraform day02
Terraform day02
Gourav Varma
 
Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018
Anton Babenko
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using Terraform
Harkamal Singh
 

More Related Content

What's hot

Declarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformDeclarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with Terraform
Radek Simko
 
Terraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerTerraform Abstractions for Safety and Power
Terraform Abstractions for Safety and Power
Calvin French-Owen
 
Refactoring terraform
Refactoring terraformRefactoring terraform
Refactoring terraform
Nell Shamrell-Harrington
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Stephane Jourdan
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructured
Ami Mahloof
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
Yevgeniy Brikman
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ..."Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ...
Anton Babenko
 
Terraform at Scale
Terraform at ScaleTerraform at Scale
Terraform at Scale
Calvin French-Owen
 
Final terraform
Final terraformFinal terraform
Final terraform
Gourav Varma
 
Terraform Introduction
Terraform IntroductionTerraform Introduction
Terraform Introduction
soniasnowfrog
 
Introductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformIntroductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with Terraform
Michael Heyns
 
Scaling terraform
Scaling terraformScaling terraform
Scaling terraform
Paolo Tonin
 
Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...
Shih Oon Liong
 
Terraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentTerraform Modules and Continuous Deployment
Terraform Modules and Continuous Deployment
Zane Williamson
 
Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021
TomStraub5
 
Infrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformInfrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to Terraform
Alexander Popov
 
Intro to Terraform
Intro to TerraformIntro to Terraform
Intro to Terraform
Josh Michielsen
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introduction
Jason Vance
 
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackScaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Bobby DeVeaux, DevOps Consultant
 
Terraform day02
Terraform day02Terraform day02
Terraform day02
Gourav Varma
 

What's hot (20)

Declarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformDeclarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with Terraform
 
Terraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerTerraform Abstractions for Safety and Power
Terraform Abstractions for Safety and Power
 
Refactoring terraform
Refactoring terraformRefactoring terraform
Refactoring terraform
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructured
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ..."Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ...
 
Terraform at Scale
Terraform at ScaleTerraform at Scale
Terraform at Scale
 
Final terraform
Final terraformFinal terraform
Final terraform
 
Terraform Introduction
Terraform IntroductionTerraform Introduction
Terraform Introduction
 
Introductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformIntroductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with Terraform
 
Scaling terraform
Scaling terraformScaling terraform
Scaling terraform
 
Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...
 
Terraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentTerraform Modules and Continuous Deployment
Terraform Modules and Continuous Deployment
 
Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021
 
Infrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformInfrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to Terraform
 
Intro to Terraform
Intro to TerraformIntro to Terraform
Intro to Terraform
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introduction
 
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackScaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
 
Terraform day02
Terraform day02Terraform day02
Terraform day02
 

Similar to Terraform - Taming Modern Clouds

Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018
Anton Babenko
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using Terraform
Harkamal Singh
 
Kubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely togetherKubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely together
Edward Wilde
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
Amazon Web Services
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
JasonOstrom1
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
J V
 
How we scale DroneCi on demand
How we scale DroneCi on demandHow we scale DroneCi on demand
How we scale DroneCi on demand
Patrick Jahns
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scaling
smattoon
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - Milan
Alex Ellis
 
56k.cloud training
56k.cloud training56k.cloud training
56k.cloud training
Brian Christner
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmed
whoschek
 
Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly - Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly -
Giulio Vian
 
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?
smattoon
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Docker, Inc.
 
Effective terraform
Effective terraformEffective terraform
Effective terraform
Calvin French-Owen
 
Introduction to IAC and Terraform
Introduction to IAC and Terraform Introduction to IAC and Terraform
Introduction to IAC and Terraform
Venkat NaveenKashyap Devulapally
 
Debasihish da final.ppt
Debasihish da final.pptDebasihish da final.ppt
Debasihish da final.ppt
Kalkey
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sun
smattoon
 
TIAD : Automating the modern datacenter
TIAD : Automating the modern datacenterTIAD : Automating the modern datacenter
TIAD : Automating the modern datacenter
The Incredible Automation Day
 

Similar to Terraform - Taming Modern Clouds (20)

Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using Terraform
 
Kubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely togetherKubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely together
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
 
How we scale DroneCi on demand
How we scale DroneCi on demandHow we scale DroneCi on demand
How we scale DroneCi on demand
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scaling
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - Milan
 
56k.cloud training
56k.cloud training56k.cloud training
56k.cloud training
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmed
 
Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly - Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly -
 
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
 
Effective terraform
Effective terraformEffective terraform
Effective terraform
 
Introduction to IAC and Terraform
Introduction to IAC and Terraform Introduction to IAC and Terraform
Introduction to IAC and Terraform
 
Debasihish da final.ppt
Debasihish da final.pptDebasihish da final.ppt
Debasihish da final.ppt
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sun
 
TIAD : Automating the modern datacenter
TIAD : Automating the modern datacenterTIAD : Automating the modern datacenter
TIAD : Automating the modern datacenter
 

Recently uploaded

Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 

Recently uploaded (20)

Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 

Terraform - Taming Modern Clouds

  • 1. DEVOPS DELIVERED sheriffjackson TAMING MODERN CLOUD ENVIRONMENTS WITH TERRAFORM
  • 2.  Nic Jackson Developer Advocate, HashiCorp sheriffjackson
  • 3.
  • 4.  Adgenda • Why you have a problem • Quick Terraform intro • Collaborating with Terraform • Remote State • Modules • GitFlow • CI/CD • Managing provider secrets
  • 5.  Why you have a problem! sheriffjackson
  • 6.  Why you have a problem sheriffjackson
  • 7.  Why you have a problem • Infrastructure as a service (e.g. AWS, Azure, GCP, DigitalOcean) • Platform as a service (e.g. Heroku) sheriffjackson
  • 8.  Why you have a problem • Many organizations start with PaaS • Fast default to IaaS as organization grows • PaaS is amazing, but limitations do not scale with well with application complexity sheriffjackson
  • 10.  What is Terraform? - Write • Define infrastructure as code to increase operator productiveity and transparency • Configuration can be stored in version control, shared, and collaborated on by teams • If it can be codified, it can be automated sheriffjackson
  • 11.  What is Terraform? - Plan • Understand how a minor change could have cascading effects across infrastructure before executing the change • Plans show operators what would happen, applies execute changes • Single workflow across all infrastructure providers (AWS, GCP, Azure, OpenStack, VMware, and more) sheriffjackson
  • 12.  What is Terraform? - Apply • Use the same configuration in multiple places to reduce mistakes and save time • Provision identical staging, QA, and production environments • Effortlessly combine high-level system providers • Dependency resolution means things happen in the right order sheriffjackson
  • 13. provider "aws" {} data "aws_availability_zones" "available" {} resource "aws_vpc" "main" { cidr_block = "${var.cidr_block}" } terraform.tf Simple Terraform config
  • 15.  Collaborating with Terraform - 4 phases of collaboration • Manual • Semi-automated • Infrastructure as Code • Collaborative Infrastructure as Code sheriffjackson
  • 17.  Collaborating with Terraform - Remote state • Backends are responsible for storing state and providing an API for state locking. State locking is optional. • Backends determine where state is stored • 10 officially supported backends • Allows state to be stored remotely • Keeps sensitive information off disk sheriffjackson
  • 18.  Remote state backends • artifactory - not locking • azurerm - locking • consul - locking • etcd - not locking • gcs - locking • http - optional locking • manta - locking • s3 - locking • swift - not locking • terraform enterprise - not locking
  • 19. terraform { backend "s3" { bucket = "tfremotestatenic" key = "cfmngmnt" region = "eu-west-1" } } terraform.tf Terraform remote state
  • 21.  Introduction to Modules - What is a module? • A module is simply a blueprint for your application • A module is a high level abstraction • A module is your own PaaS • Modules can be shared in Github or the Terraform Module registry sheriffjackson
  • 22.  Introduction to Modules - What is a module? • Modules abstract complexity • Module perform a single task and have a single purpose • Build once, use many sheriffjackson
  • 23.  Introduction to Modules - Reference Architecture sheriffjackson
  • 25.  Introduction to Modules - Versioning modules • Ability to use Git tags • Move immutable versions across environments sheriffjackson
  • 26. provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git
  • 27. provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir?ref=hotfix" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git with branch reference
  • 28.  Introduction to Modules - Modules can contain modules • Modules can be composed of sub-modules • Sub-modules can be composed of sub-sub-modules • Sub-sub-modules can be composed of sub-sub-sub-modules • ... sheriffjackson
  • 29.  Introduction to Modules - Multi-Cloud • It will never be possible to write a common abstraction at a resource level for an instance in different cloud providers • Modeling infrastructure on a high level such as K8s cluster with modules allows abstraction and hides implementation sheriffjackson
  • 31.  Collaborating with Terraform - Git Flow sheriffjackson master branch commit plan pull request validate merge plan apply version 1.0 version 1.1
  • 32.  Collaborating with Terraform - GitHub sheriffjackson
  • 33.  Collaborating with Terraform - Pull Requests sheriffjackson
  • 34.  Collaborating with Terraform - Automated builds sheriffjackson
  • 35.  Collaborating with Terraform - Build workflow sheriffjackson
  • 36.  Collaborating with Terraform - Plan sheriffjackson
  • 37.  Collaborating with Terraform - Apply sheriffjackson ONLY PRODUCTION BRANCH / ENFORCE TAGS
  • 38.  Public Service Announcement! • DO NOT EXPOSE Vault / CI WITH PUBLIC GitHub • THIS IS A SIMPLIFIED EXAMPLE FOR DEMONSTRATION ONLY
  • 39.  Collaborating with Terraform - Fork me sheriffjackson https://github.com/nicholasjackson/ terraform-cfgmgmtcamp 1) Fork the below repository 2) Create a new branch 3) Refactor into a module 4) Pull request
  • 41.  Managing Credentials with Vault - Why? • Separating read / write credentials • TTL on credentials with automatic revoke • Fine grained control over access • Audit log • Reduce secret sprawl • Developers / operators DO NOT require explicit credentials sheriffjackson
  • 42.  Managing Credentials with Vault - Process sheriffjackson login to vault create AWS credentials (with TTL) create IAM user (with policy) request AWS credentials terraform plan/apply/ destroy write to audit log revoke credentials (TTL expired) delete IAM user return credentials GitHub token validate login with GitHub vault token admin IAM policy IAM
  • 43.  AWS Secrets Managing Credentials with Vault - hierarchy sheriffjackson role A (aws_read) role B (aws_write) policy A (aws_read) [read] policy C (aws_write) [read] policy B (aws_read) [read, create] GitHub Auth user B (ricksanchez) user A (nicholasjackson)
  • 44. Terminal # enable the vault secrets engine for AWS $ vault secrets enable aws Success! Enabled the aws secrets engine at: aws/ # add IAM credentials which have the capability to manage IAM credentials $ vault write aws/config/root access_key=AKIAJWVN5Z4FOFT7NLNA secret_key=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 region=us-east-1 Configure AWS secret engine
  • 45. Terminal # enable the vault secrets engine for AWS $ vault auth enable github # set the auth endpoint to a GitHub organization $ vault write auth/github/config organization=hashicorp Configure GitHub auth
  • 46. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" }, ... terraform.tf Create a read-only AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_read.json
  • 47. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" }, terraform.tf Create a write AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_write.json
  • 48. Terminal # create the read only role $ vault write aws/roles/aws_readonly policy=@aws_read_policy.json Success! Data written to: aws/roles/aws_readonly # create the write role $ vault write aws/roles/aws_write policy=@aws_write_policy.json Success! Data written to: aws/roles/aws_write Configure roles
  • 49. path "aws/creds/aws_readonly" { capabilities = ["read"] # "create", "read", "update", "delete", "list" } terraform.tf Create a read-only Vault policy
  • 50. path "aws/creds/aws_write" { capabilities = ["read"] } terraform.tf Create a write Vault policy
  • 51. Terminal # Add the read only policy to vault $ vault write sys/policy/aws_readonly policy=@aws_readonly.hcl Success! Data written to: sys/policy/aws_readonly # Add the write policy to vault $ vault write sys/policy/aws_write policy=@aws_write.hcl Success! Data written to: sys/policy/aws_write Add the policy to Vault
  • 52. Terminal # Assign the policy to the GitHub user $ vault write auth/github/map/users/nicholasjackson value=aws_readonly,aws_write Success! Data written to: auth/github/map/users/nicholasjackson # Or assign the policy to a GitHub team $ vault write auth/github/map/teams/hasicorp value=aws_readonly,aws_write Success! Data written to: auth/github/map/teams/hashicorp Assign the policy to the GitHub user
  • 53. Terminal # login to vault with GitHub token $ vault login -token-only -method=github token=${GITHUB_TOKEN} The token was not stored in token helper. Set the VAULT_TOKEN environment variable or pass the token below with each request to Vault. ebb39457-cdb8-41ae-c227-9e0245837873 # use vault token to obtain AWS credentials $ VAULT_TOKEN=ebb39457-cdb8-41ae-c227-9e0245837873 vault read aws/creds/ aws_readonly Key Value --- ----- lease_id aws/creds/aws_readonly/0bb798a3-c4fd-0609-6bcd- f34673156c8a lease_duration 15m lease_renewable true access_key AKIAJMWSOATIG3VQJCNA secret_key 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 security_token <nil> Login with GitHub obtain IAM credentials
  • 54. provider "vault" { address = "http://pi01.local.demo.gs:8200" } module "vault" { source = "./vault" github_org = "hashicorp" aws_access_key_id = "xxxxxxxxxxxxxx" aws_access_key_secret = "xxxxxxxxxxxxxxxxxxxxxx" aws_region = "us-east-1" } We can also do this with a module https://github.com/nicholasjackson/terraform-cfgmgmtcamp/tree/master/vault
  • 55.  Putting it all together sheriffjackson
  • 56. THANKS FOR LISTENING • https://www.terraform.io • https://www.vaultproject.io • https://registry.terraform.io FURTHER INFO: @sheriffjackson, nic@hashicorp.com DEVOPS DELIVERED • https://github.com/nicholasjackson/terraform-cfgmgmtcamp EXAMPLE PROJECT:
  • 57. AGENDA DEVOPS DELIVERED 14:55 - CoreOS baremetal provisioning with Terraform, Ignition and Matchbox ★ Rafael Porres Molina 15:35 - Break 15:55 - Introduction to provisioning basic infrastructure on Google Cloud Platform with Terraform ★ Stein Inge Morisbak 16:35 - Terraform for fun and profit ★ Bram Vogelaar & Julien Pivottto 17:15 - Terraboard ★ Raphael Pinson