Transcript of Misadventures With Terraform
Misadventures With Terraform
Matthew Revell Senior DevOps Consultant
#CodeMeshLDN
@nightowlmatt
Introduction To Terraform
In 5 minutes or less
What is Terraform?
Terraform is an Infrastructure as Code product from HashiCorp. It is used to automate the provisioning of cloud infrastructure, SaaS, and other software. It uses a plugin framework, called 'providers', to support a wide range of vendors.
Terraform Resources
```hcl
provider "aws" {
  version = "~> 2.26"
}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}
```
Terraform Modules
```hcl
module "local" {
  source        = "../modules/app"
  instance_type = "t3.medium"
}

module "git" {
  source        = "git::https://example.com/app.git?ref=0.4.20"
  instance_type = "m4.xlarge"
}
```
Terraform Statefile
```hcl
terraform {
  backend "s3" {
    bucket = "terraform-states"
    key    = "example/terraform.tfstate"
  }
}
```
Terraform Plan

Terraform Apply
How Did I Get Here?

In the beginning...
Bash & Python

A few years ago...
Terraform 0.6.xx
Bash & Python

Into the future...
Terraform 0.6.xx
Terraform 0.12.xx
Bash & Python
Honey, I Shrunk The Modules
when modules get too small

Monolith Terraform State

Reusable Modules

Single Resource Modules

Complex Deployment

Lessons Learned (small modules)
● Value: Consider whether a single resource module adds any value
● Complexity: Consider whether the additional complexity is worth the perceived value
● Usability: Consider whether the module will be usable by the intended consumer(s)
Run Once And Forget
pray the code works the second time

A Service

Two Services

Two Connected Services

A Service On FIRE!

Lessons Learned (running code once)
● Testing: Testing modules in isolation can only validate the internals
● Testing: Full deployment tests are essential to validate the entire Terraform structure
● Testing: A dedicated account can allow continuous testing without disruption
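The "dedicated account" lesson above can be enforced in the provider configuration rather than left to pipeline convention. The following is an added example, not code from the talk: it assumes a separate AWS account reserved for full-deployment tests (placeholder id 111111111111) and a role in that account named TerraformTestRunner that the CI runner assumes. Pinning the provider with `allowed_account_ids` means a run started with the wrong credentials fails before any resource is read or changed, instead of applying the test deployment into another environment.

```hcl
# Added example (not from the talk). Provider setup for a dedicated test
# account used for continuous full-deployment tests. The account id and
# role name are placeholders.

variable "test_account_id" {
  description = "Account reserved for continuous deployment tests (placeholder)"
  type        = string
  default     = "111111111111"
}

provider "aws" {
  version = "~> 2.26"
  region  = "eu-west-2"

  # Refuse to run if the ambient credentials resolve to any other account.
  # A wrong AWS_PROFILE or leaked prod key in the pipeline becomes a hard
  # failure at plan time rather than a change in the wrong environment.
  allowed_account_ids = [var.test_account_id]

  # The CI runner only carries credentials that can assume this role; the
  # role lives in the test account and has no trust path to other accounts.
  assume_role {
    role_arn     = "arn:aws:iam::${var.test_account_id}:role/TerraformTestRunner"
    session_name = "full-deployment-test"
  }
}

# The real modules are deployed exactly as they would be elsewhere, so the
# test exercises the wiring between modules and not only their internals.
module "vpc" {
  source = "git::https://example.com/vpc.git?ref=0.1.0"
}

module "app" {
  source        = "git::https://example.com/app.git?ref=0.4.20"
  instance_type = "t3.medium"
}
```

The pipeline then runs `terraform apply` followed by `terraform destroy` against a state key that belongs only to the test account; because the guard is in the code rather than in the runner, a developer running the same root module by hand gets the same protection. The provider also offers `forbidden_account_ids` for the inverse rule (deny a list of production accounts) where an allow-list is impractical.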
How To Slice The Cake
in this case dividing Terraform States

Terraform States and Modules

Lessons Learned (dividing states)
● Scalability: Resources should be grouped such that states do not grow exponentially
● Blast Radius: States should have a limited scope to minimise impact in the event of mistakes
● Ownership: Teams should be able to manage their own Terraform independently
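The blast-radius and ownership lessons above, and the "Two Connected Services" slides before them, are usually implemented with one state per team-owned slice and a read-only reference between them. This is an added example, not code from the talk: it shows two root modules in separate files, a `network` state owned by the platform team and an `app` state owned by the service team, with the app side reading the VPC id through `terraform_remote_state`. The bucket name, keys, region and the module's `vpc_id` input are assumptions.

```hcl
# Added example (not from the talk): two separately-stated root modules.
# Bucket, key and region values are placeholders.

# ---- network/main.tf : platform team, its own state key ----
terraform {
  backend "s3" {
    bucket = "terraform-states"
    key    = "network/terraform.tfstate"
    region = "eu-west-2"
  }
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"

  # A mistake in any application state cannot reach this resource at all,
  # and a mistake in this state still has to get past prevent_destroy.
  lifecycle {
    prevent_destroy = true
  }
}

# Only what other states are allowed to depend on is exported.
output "vpc_id" {
  value = aws_vpc.main.id
}

# ---- app/main.tf : service team, separate state key ----
terraform {
  backend "s3" {
    bucket = "terraform-states"
    key    = "app/terraform.tfstate"
    region = "eu-west-2"
  }
}

# Read-only view of the network state; nothing here can modify the VPC.
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "terraform-states"
    key    = "network/terraform.tfstate"
    region = "eu-west-2"
  }
}

module "app" {
  source        = "git::https://example.com/app.git?ref=0.4.20"
  instance_type = "m4.xlarge"
  vpc_id        = data.terraform_remote_state.network.outputs.vpc_id
}
```

One caveat for the ownership split: `terraform_remote_state` reads the whole state file, not just its outputs, so the app team's credentials need read access to everything the network state contains. Where that is too broad, publish the handful of values other teams need somewhere cheaper to scope (for example SSM parameters written from the network state) and read those instead.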
To dir Is Human
but DRY is divine
Terraform Code Repo
```text
terraform
└── env
    ├── dev
    │   ├── terraform.tfvars
    │   ├── backend.tf
    │   └── main.tf
    └── prod
        ├── terraform.tfvars
        ├── backend.tf
        └── main.tf
```
Terraform main.tf
```hcl
variable "instance_type" {}

module "vpc" {
  source = "git::https://example.com/vpc.git?ref=0.1.0"
}

module "app" {
  source        = "git::https://example.com/app.git?ref=0.4.20"
  instance_type = var.instance_type
}
```
Terraform terraform.tfvars
```hcl
instance_type  = "m4.large"
instance_count = "3"
```
Terraform backend.tf
```hcl
terraform {
  backend "s3" {
    bucket = "terraform-states"
    key    = "prod/terraform.tfstate"
  }
}
```
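The state file holds every attribute Terraform knows about, including values such as generated passwords and connection strings, so the backend shown on the Statefile slide and in the per-environment backend.tf above is effectively sensitive storage. The following is an added example, not code from the talk: the slide's minimal S3 backend beside a hardened version with server-side encryption and DynamoDB state locking, plus the bucket and lock table themselves as they would be declared in a separate bootstrap state. Bucket, table and key names, the region and the KMS key ARN are placeholders.

```hcl
# Added example (not from the talk). All names, the region and the KMS
# key ARN are placeholders.

# --- As on the slide: works, but state is written without an explicit
# --- encryption request and two concurrent applies can race on the same key.
# terraform {
#   backend "s3" {
#     bucket = "terraform-states"
#     key    = "prod/terraform.tfstate"
#   }
# }

# --- Hardened backend.tf for the prod environment ---
terraform {
  backend "s3" {
    bucket         = "terraform-states"
    key            = "prod/terraform.tfstate"
    region         = "eu-west-2"
    encrypt        = true                    # request SSE on every state write
    kms_key_id     = "arn:aws:kms:eu-west-2:111111111111:key/00000000-0000-0000-0000-000000000000" # placeholder CMK, so state reads are auditable in KMS
    dynamodb_table = "terraform-state-locks" # state locking across runners
  }
}

# --- Bootstrap state: the bucket and lock table must exist before any
# --- backend can point at them, so they are managed from their own state.
resource "aws_s3_bucket" "state" {
  bucket = "terraform-states"

  # Every write keeps the previous version, so a corrupted or accidentally
  # overwritten state can be rolled back instead of rebuilt by hand.
  versioning {
    enabled = true
  }

  # Default encryption catches any writer that forgets encrypt = true.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = "arn:aws:kms:eu-west-2:111111111111:key/00000000-0000-0000-0000-000000000000" # placeholder
      }
    }
  }
}

# State buckets never need to be public; block it at the bucket level.
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "locks" {
  name         = "terraform-state-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID" # the attribute name the s3 backend expects

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

With the per-environment layout above, the IAM policy for each environment's runner can be limited to its own key prefix (`prod/*` or `dev/*`) in the shared bucket, which keeps the dev pipeline from reading or overwriting production state even though both use the same bucket.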
Terragrunt
● Thin wrapper for Terraform
● Allows for easier management of backends
● Reduces amount of repeated code
● Developed by Gruntworks
Image courtesy of Gruntworks Inc.
Terragrunt Code Repo
```text
terraform
└── env
    ├── common.tfvars
    ├── dev
    │   └── terraform.tfvars
    └── prod
        └── terraform.tfvars
```
Terragrunt common.tfvars
```hcl
terragrunt = {
  remote_state {
    backend = "s3"
    config {
      bucket = "my-terraform-state"
      key    = "${path_relative_to_include()}/terraform.tfstate"
    }
  }
}

instance_type = "m4.medium"
```
Terragrunt terraform.tfvars
```hcl
terragrunt = {
  include {
    path = "../common.tfvars"
  }
  terraform {
    source = "git::https://example.com/deployment.git?ref=v0.0.1"
  }
}

instance_type = "m4.xlarge"
```
Lessons Learned (repo structures)
● Keep it DRY: Repeated code and copy-and-pasting will definitely lead to mistakes
● Clarity: A lack of clarity and readability will also lead to confusion and mistakes
● Tooling: Tooling can help maintain clean code in complex deployments
Additional tooling links
● Terragrunt - Filling the gaps in Terraform https://github.com/gruntwork-io/terragrunt
● Atlantis - Bringing GitOps to Terraform workflows https://www.runatlantis.io
● Kapitan - General purpose templating engine https://kapitan.dev
Concluding Remarks
Questions