
How to get rid of terraform plan diffs


Slides for a lightning talk given at Terraform meetup tokyo #1.



  1. Why I stopped being afraid of terraform plan diffs
 Oisix ra daichi Inc. @morihaya55. Photo by Alexandr Podvalny on Unsplash: https://unsplash.com/photos/WOxddhzhC1w. LT at Terraform meetup tokyo #1, 2019-08-01
  2. Agenda ● Who am I? ● The conclusion first: "read the output" ● Concrete diff examples ● Bringing the diff into the code ● Summary
  3. A quick self-introduction: Yukiya Hayashi (林 如弥) @morihaya55 ● Until now I have worked as an infrastructure engineer at an SIer, a game company and others ● About four months of Terraform experience, on my most recent system ● Currently an SRE operating and improving the systems at Oisix ra daichi, which delivers safe and reliable vegetables
  4. First, the conclusion.
  5. Conclusion: terraform plan diffs are "not scary if you read the output properly".
  6. ...but if I stopped there, people would get annoyed,
  7. so here are some concrete examples.
  8. Diff example: Security Group

    ~ resource "aws_security_group" "digdag" {
          id = "sg-07ee4c2hogehoge"
        ~ ingress = [
            - {
                - cidr_blocks      = [
                    - "10.150.0.0/16",
                  ]
                - description      = "SSH Allow from private"
                - from_port        = 22
                - ipv6_cidr_blocks = []
                - prefix_list_ids  = []
                - protocol         = "tcp"
                - security_groups  = []
                - self             = false
                - to_port          = 22
              },
            - {
                - cidr_blocks      = [
                    - "10.150.0.0/16",
                  ]
                - description      = ""
                - from_port        = 65432
                - ipv6_cidr_blocks = []
                - prefix_list_ids  = []
                - protocol         = "tcp"
                - security_groups  = []
                - self             = false
                - to_port          = 65432
              },
            + {
                + cidr_blocks      = [
                    + "10.150.0.0/16",
                  ]
                + description      = null
                + from_port        = 65432
                + ipv6_cidr_blocks = []
                + prefix_list_ids  = []
                + protocol         = "tcp"
                + security_groups  = []
                + self             = false
                + to_port          = 65432
              },
          ]

  Note: the ID and the subnet have been replaced with made-up values.
  9. The (all too?) common case: someone updated the AWS security group by hand. "Ah, I was in a hurry that time (^^;)"
  10.–17. Diff example: Security Group. The same plan output as slide 8, shown again with the parts highlighted: the two `-` entries (the port 22 rule and the port 65432 rule with description "") are the content that will be deleted, and the single `+` entry (the port 65432 rule with description null) is the content that will be applied.
  18. The second rule matches completely (the only difference is description "" versus null).
  19. In other words,
  20. Diff example: Security Group. Content to be deleted: only this rule disappears.

    ~ resource "aws_security_group" "digdag" {
          id = "sg-07ee4c2hogehoge"
        ~ ingress = [
            - {
                - cidr_blocks      = [
                    - "10.150.0.0/16",
                  ]
                - description      = "SSH Allow from private"
                - from_port        = 22
                - ipv6_cidr_blocks = []
                - prefix_list_ids  = []
                - protocol         = "tcp"
                - security_groups  = []
                - self             = false
                - to_port          = 22
              },
  21. Now a quick refresher on how Terraform works.
  22.–26. Terraform, very roughly (reference: https://www.terraform.io/docs/state/). Three things are involved: the cloud service (the actual state), the tfstate file (the state Terraform manages), and the .tf files (the state declared as code). The administrator/developer (22) writes the .tf files and (23) issues plan/apply; Terraform then (24) reads the code, (25) compares the declared state, the tfstate and the actual state against each other, and (26) changes the actual state to match the state declared as code.
  27. A diff means: either the code is right, or the actual state is right.
  28. You have to look at the diff and decide which one is right.
  29. If the code is right (the normal case): terraform apply.
  30. If the actual state is right, you need to bring it into the code.
  31. So let's look at the plan diff once more.
  32. Diff example: Security Group (shown again; the same output as slide 8, with the content to be deleted and the content to be applied marked).
  33. Wait. If you look closely, isn't this output almost HCL already?
  34. From diff to code - 1 (shown again)

    ~ resource "aws_security_group" "digdag" {
          id = "sg-07ee4c2hogehoge"
        ~ ingress = [
            - {
                - cidr_blocks      = [
                    - "10.150.0.0/16",
                  ]
                - description      = "SSH Allow from private"
                - from_port        = 22
                - ipv6_cidr_blocks = []
                - prefix_list_ids  = []
                - protocol         = "tcp"
                - security_groups  = []
                - self             = false
                - to_port          = 22
              },
            - {
                - cidr_blocks      = [
                    - "10.150.0.0/16",
                  ]
                - description      = ""
                - from_port        = 65432
                - ipv6_cidr_blocks = []
                - prefix_list_ids  = []
                - protocol         = "tcp"
                - security_groups  = []
                - self             = false
                - to_port          = 65432
              },
  35. From diff to code - 2 (the same text with the `-` markers removed)

    ~ resource "aws_security_group" "digdag" {
          id = "sg-07ee4c2hogehoge"
          ingress = [
            {
              cidr_blocks      = [
                "10.150.0.0/16",
              ]
              description      = "SSH Allow from private"
              from_port        = 22
              ipv6_cidr_blocks = []
              prefix_list_ids  = []
              protocol         = "tcp"
              security_groups  = []
              self             = false
              to_port          = 22
            },
            {
              cidr_blocks      = [
                "10.150.0.0/16",
              ]
              description      = ""
              from_port        = 65432
              ipv6_cidr_blocks = []
              prefix_list_ids  = []
              protocol         = "tcp"
              security_groups  = []
              self             = false
              to_port          = 65432
            },
  36. Just delete the '~' and '-' with a search-and-replace, paste the result into the code, and tidy it up with terraform fmt! (The computed `id = "sg-..."` line has to go too: `id` is an attribute Terraform fills in, not an argument you can set in the configuration, and leaving it in makes plan fail.)
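The decision on slides 27–30 (is the code right, or is the real state right?) and the diff-to-HCL conversion on slides 34–36 can both be automated from the machine-readable plan instead of a hand edit of the terminal output. The following is an added example, not code from the talk or from Terraform itself. It assumes the plan was saved with `terraform plan -detailed-exitcode -out=plan.tfplan` (exit status 2 means there is a diff) and exported with `terraform show -json plan.tfplan`; the sample plan embedded below is constructed by hand to mirror the slides' security group diff and only includes the `resource_changes` fields the script reads. For each `aws_security_group` being updated it lists ingress rules that exist in AWS but not in the code (a manual change that `apply` would silently revert, which for a firewall rule is worth a second look) and renders them as `ingress` blocks ready to paste into the .tf file. As on slide 18, a rule whose only difference is description `""` versus `null` is treated as unchanged.

```python
"""Drift review for a `terraform show -json` plan (added example, not from the slides)."""
import json


def _rule(from_port, description, cidr="10.150.0.0/16"):
    """Build one ingress rule object in the shape the JSON plan uses."""
    return {"cidr_blocks": [cidr], "description": description, "from_port": from_port,
            "to_port": from_port, "protocol": "tcp", "ipv6_cidr_blocks": [],
            "prefix_list_ids": [], "security_groups": [], "self": False}


# Constructed sample plan: same change as the slides (IDs are made up).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [{
        "address": "aws_security_group.digdag",
        "type": "aws_security_group",
        "name": "digdag",
        "change": {
            "actions": ["update"],
            # what is in AWS now: the hand-added SSH rule plus the declared rule
            "before": {"id": "sg-07ee4c2hogehoge",
                       "ingress": [_rule(22, "SSH Allow from private"), _rule(65432, "")]},
            # what the code declares: only the port 65432 rule
            "after": {"id": "sg-07ee4c2hogehoge",
                      "ingress": [_rule(65432, None)]},
        },
    }],
})


def rule_key(rule):
    """Identity of an ingress rule. `description` is deliberately left out:
    "" and null describe the same rule (slide 18), so they must not count as a change."""
    return (
        rule["protocol"], rule["from_port"], rule["to_port"],
        tuple(sorted(rule.get("cidr_blocks") or [])),
        tuple(sorted(rule.get("ipv6_cidr_blocks") or [])),
        tuple(sorted(rule.get("prefix_list_ids") or [])),
        tuple(sorted(rule.get("security_groups") or [])),
        bool(rule.get("self")),
    )


def ingress_drift(plan_json):
    """Return {address: {"removed": [...], "added": [...]}} for every security group
    the plan would update. "removed" rules are in AWS but not in the code: either
    someone edited the group by hand (bring the rule into the code) or the code
    dropped it on purpose (apply). "added" rules are in the code but not yet in AWS."""
    plan = json.loads(plan_json)
    report = {}
    for rc in plan.get("resource_changes", []):
        if rc["type"] != "aws_security_group" or "update" not in rc["change"]["actions"]:
            continue
        before = {rule_key(r): r for r in (rc["change"]["before"] or {}).get("ingress", [])}
        after = {rule_key(r): r for r in (rc["change"]["after"] or {}).get("ingress", [])}
        removed = [before[k] for k in before if k not in after]
        added = [after[k] for k in after if k not in before]
        if removed or added:
            report[rc["address"]] = {"removed": removed, "added": added}
    return report


def hcl_list(values):
    """Render a list of strings as an HCL list literal."""
    return "[" + ", ".join(json.dumps(v) for v in values) + "]"


def rule_to_hcl(rule, indent="  "):
    """Render one rule as an `ingress` block to paste into the resource.
    The computed `id` is never emitted; `terraform fmt` will fix the alignment."""
    lines = [f"{indent}ingress {{"]
    if rule.get("description"):
        lines.append(f"{indent}  description = {json.dumps(rule['description'])}")
    lines.append(f"{indent}  from_port   = {rule['from_port']}")
    lines.append(f"{indent}  to_port     = {rule['to_port']}")
    lines.append(f"{indent}  protocol    = {json.dumps(rule['protocol'])}")
    lines.append(f"{indent}  cidr_blocks = {hcl_list(rule.get('cidr_blocks') or [])}")
    lines.append(f"{indent}}}")
    return "\n".join(lines)


if __name__ == "__main__":
    for address, drift in ingress_drift(SAMPLE_PLAN_JSON).items():
        for rule in drift["removed"]:
            print(f"# {address}: rule exists in AWS but not in code; apply would delete it")
            print(rule_to_hcl(rule))
        for rule in drift["added"]:
            print(f"# {address}: rule is in code but not in AWS; apply would add it")
```

Run against a real plan with `terraform show -json plan.tfplan | python3 drift.py` after replacing `SAMPLE_PLAN_JSON` with `sys.stdin.read()`. The point of keying rules on everything except `description` is that the slides' plan shows the port 65432 rule as a delete-and-add pair that changes nothing; a reviewer scanning for dangerous deletions should see only the port 22 rule.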
  37. Once it's in the code, plan!!!
  38. No changes! Mission Complete!
  39. That was the easy pattern. (If they were all like this, life would be easy.)
  40. There are cases that aren't easy: ● the module doesn't support the attribute ● the provider version is too old ● bugs, etc.
  41. To deal with those... ● terraform state list/show/pull/push... ● terraform show ● terraform console ● terraform import ...
  42. Honestly, some cases are hard, but why not ask on Slack?!
  43. Conclusion (again): terraform plan diffs are "not scary if you read the output properly" (basically).
