2. Anton Babenko
Terraform AWS fanatic since 2015
Organiser of HashiCorp UG, AWS UG, DevOps Norway, DevOpsDays Oslo
I 💚 open-source:
terraform-community-modules + terraform-aws-modules
antonbabenko/pre-commit-terraform — clean code and documentation
antonbabenko/terraform-docs-as-pdf
antonbabenko/modules.tf-lambda — generate Terraform code from visual diagrams
www.terraform-best-practices.com
medium.com/@anton.babenko
@antonbabenko — Twitter, GitHub, LinkedIn
3. Collection of open-source Terraform AWS modules supported by the community.
More than 2 million downloads since September 2017.
(VPC, Autoscaling, RDS, Security Groups, ELB, ALB, Redshift, SNS, SQS, IAM, EKS, ECS…)
github.com/terraform-aws-modules
registry.terraform.io/modules/terraform-aws-modules
4. Write, plan and manage infrastructure as code
www.terraform.io
14. Why Terraform and not AWS CloudFormation, Azure ARM, Google Cloud Deployment Manager?
• Terraform manages 100+ providers, has easier syntax (HCL), has native support for modules and remote states, has teamwork-related features, and is an open-source project.
• Provides a high-level abstraction of infrastructure (IaC)
• Allows for composition and combination
• Supports parallel management of resources (graph, fast)
• Separates planning from execution (dry-run)
15. Terraform — universal tool for everything with an API
GSuite
Dropbox files and access
New Relic metrics
Datadog users and metrics
Jira issues
All Terraform providers
51. Call Terraform modules
The number of resources and the amount of code keeps growing
How to organize and call?
How to orchestrate calls?
52. All-in-one
Good:
Declare variables and outputs in fewer places
Bad:
Large blast radius
Everything is blocked at once
Impossible to specify dependencies between modules (depends_on)
84. Edge cases
Different AWS regions (version of S3 signature, EC2 ClassicLink,
IPv6)
Date of creation of AWS account
Limits on resources in AWS
Services and features availability
85. Avoid in Terraform
Non-secret arguments should not be passed as command-line arguments => put them in tfvars files
Reduce usage of "-target" and "-parallelism"
"Terraform workspaces" are evil => separate by directories
Dependency hell in modules
88. Terraform 0.12
HCL2 — simplified syntax
Loops ("for")
Dynamic blocks ("for_each")
Correct conditional operators (… ? … : …)
Extended types of variables
Templates in values
Links between resources are supported (depends_on everywhere)
Read more — https://www.hashicorp.com/blog/announcing-terraform-0-1-2-beta
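The 0.12 features listed on this slide, applied to a single security group. This is an added example, not code from the slides or from terraform-aws-modules; the variable names, CIDR ranges and the VPC id are placeholders.

```hcl
# Added example, not from the slides: Terraform 0.12 syntax features applied
# to one security group. Variable names, CIDRs and the VPC id are placeholders.

variable "vpc_id" {
  type = string # placeholder, e.g. "vpc-0123456789abcdef0"
}

variable "environment" {
  type    = string
  default = "dev"
}

# Extended variable types: a list of structured rules instead of several
# parallel lists of strings that must be kept in sync by index.
variable "ingress_rules" {
  type = list(object({
    port        = number
    protocol    = string
    cidr_blocks = list(string)
    description = string
  }))
  default = [
    { port = 443, protocol = "tcp", cidr_blocks = ["10.0.0.0/8"], description = "HTTPS from corporate range" },
  ]
}

variable "ssh_allowed_cidrs" {
  type        = list(string)
  description = "Admin CIDRs allowed to reach port 22; leave empty to create no SSH rule."
  default     = []
}

variable "egress_allowlist" {
  type    = list(string)
  default = ["10.0.0.0/8"]
}

locals {
  # "for" loop: one SSH rule per admin CIDR, with a template in the description.
  ssh_rules = [
    for cidr in var.ssh_allowed_cidrs : {
      port        = 22
      protocol    = "tcp"
      cidr_blocks = [cidr]
      description = "SSH from ${cidr}"
    }
  ]

  all_rules = concat(var.ingress_rules, local.ssh_rules)

  # Conditional operator: both branches are list(string), so the types agree.
  # Production egress is limited to the allow-list; other environments stay open.
  egress_cidrs = var.environment == "prod" ? var.egress_allowlist : ["0.0.0.0/0"]
}

resource "aws_security_group" "app" {
  name        = "app-${var.environment}"
  description = "Application security group (${var.environment})"
  vpc_id      = var.vpc_id

  # Dynamic block: one ingress block per rule instead of hand-copied blocks.
  dynamic "ingress" {
    for_each = local.all_rules
    content {
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.protocol
      cidr_blocks = ingress.value.cidr_blocks
      description = ingress.value.description
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = local.egress_cidrs
  }
}

# "for" expression again, this time to give a readable summary in plan output.
output "ingress_summary" {
  value = [for r in local.all_rules : "${r.protocol}/${r.port} from ${join(",", r.cidr_blocks)}"]
}
```

Reviewing `ingress_summary` in `terraform plan` output is a quick way to catch an accidentally wide CIDR before it is applied; in 0.11 the same configuration needed one hand-written `ingress` block per rule and string-typed variables.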
89. Summary
Write less and simpler (Terraform 0.12 won’t fix your code for you!)
Use existing modules and utilities
90. How to handle secrets in Terraform?
• Can you accept secrets to be saved in state file in plaintext? Probably not.
• AWS IAM password & access secret keys — encrypt with a PGP key (e.g. from keybase.io)
• AWS RDS — set dummy password and change after DB is created
• AWS RDS — use iam_database_authentication_enabled = true
• EC2 instance user-data + AWS KMS
• EC2 instance user-data + AWS Systems Manager's Parameter Store
• AWS Secrets Manager
• https://github.com/opencredo/terrahelp
• Other options: secure remote state location (S3 bucket policy, KMS key)
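Several of the options on this slide in one Terraform 0.12 configuration: encrypted and locked remote state, a PGP-encrypted IAM access key, an RDS instance created with a dummy password plus IAM authentication, and an EC2 instance that reads its secret from Parameter Store at boot. This is an added example, not code from the slides or from terraform-aws-modules; the account id, KMS key ARNs, bucket and table names, AMI id and Keybase username are placeholders.

```hcl
# Added example, not from the slides: secret handling in Terraform 0.12 HCL.
# Account id, key ARNs, bucket/table names, AMI and Keybase username are placeholders.

terraform {
  # Whatever lands in state lands in this bucket, so encrypt it with a
  # customer-managed KMS key, lock it, and restrict readers via bucket policy.
  backend "s3" {
    bucket         = "example-tfstate-bucket"                              # placeholder
    key            = "prod/app/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    kms_key_id     = "arn:aws:kms:eu-west-1:111111111111:key/EXAMPLE-KEY" # placeholder
    dynamodb_table = "example-tfstate-locks"                              # placeholder
  }
}

provider "aws" {
  region = "eu-west-1"
}

# IAM access key: the secret is encrypted with the user's PGP key (fetched
# from keybase.io) before Terraform stores it, so state never holds plaintext.
resource "aws_iam_user" "alice" {
  name = "alice" # placeholder
}

resource "aws_iam_access_key" "alice" {
  user    = aws_iam_user.alice.name
  pgp_key = "keybase:alice" # placeholder Keybase username
}

output "alice_encrypted_secret" {
  description = "Base64-encoded PGP message; only the key owner can decrypt it."
  value       = aws_iam_access_key.alice.encrypted_secret
}

# RDS: create with a throw-away password, rotate it outside Terraform and
# ignore the drift; IAM auth then provides short-lived tokens instead.
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app_admin"
  password            = "ChangeMeAfterCreate1" # dummy, rotated out-of-band
  skip_final_snapshot = true

  iam_database_authentication_enabled = true

  lifecycle {
    ignore_changes = [password]
  }
}

# EC2 user-data + Parameter Store: the instance role may read one SecureString
# parameter and decrypt it; user-data carries only the parameter name.
# (A data "aws_ssm_parameter" block would pull the value into state instead.)
resource "aws_iam_role" "app" {
  name = "app-instance"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "read_db_password" {
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "ssm:GetParameter"
        Resource = "arn:aws:ssm:eu-west-1:111111111111:parameter/app/db_password" # placeholder
      },
      {
        Effect   = "Allow"
        Action   = "kms:Decrypt"
        Resource = "arn:aws:kms:eu-west-1:111111111111:key/EXAMPLE-KEY" # placeholder
      },
    ]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance"
  role = aws_iam_role.app.name
}

resource "aws_instance" "app" {
  ami                  = "ami-EXAMPLE" # placeholder
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.app.name

  user_data = <<-EOT
    #!/bin/bash
    # Fetched at boot with the instance role; never written to Terraform state.
    DB_PASSWORD="$(aws ssm get-parameter --name /app/db_password \
      --with-decryption --query Parameter.Value --output text)"
    EOT
}
```

The common thread is that nothing secret is computed inside Terraform: the access key leaves Terraform already encrypted, the real database password never passes through a plan, and the instance resolves its own secret with a role scoped to a single parameter. The state file still deserves the encrypted, access-controlled bucket, because attributes such as `user_data` and resource ARNs are stored there in full.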
91. What are the tools/solutions out there?
• Terraform Registry — collection of public Terraform modules for common infrastructure configurations for any provider — https://registry.terraform.io/
• Terraform linter to detect errors that cannot be detected by `terraform plan` — https://github.com/wata727/tflint
• Terraform version manager — https://github.com/kamatama41/tfenv
• A web dashboard to inspect Terraform states — https://github.com/camptocamp/terraboard
• Jsonnet — the data templating language — http://jsonnet.org
• terraform-compliance — BDD-style Terraform validation/compliance check — https://github.com/eerkunt/terraform-compliance
92. Atlantis — Start working on Terraform as a team
A unified workflow for collaborating on Terraform through GitHub, GitLab and Bitbucket
https://www.runatlantis.io
https://github.com/terraform-aws-modules/terraform-aws-atlantis
98. ✓ cloudcraft.co — design, plan and visualize
✓ terraform-aws-modules — building blocks of AWS infrastructure
✓ Terraform — infrastructure as code
99. Infrastructure as code generator — from visual diagrams to Terraform
https://github.com/antonbabenko/modules.tf-lambda
Demo video: https://www.youtube.com/watch?v=F1Ax1zfZbiY
100. 1. Go to cloudcraft.co
2. Sign up, sign in (free account)
3. Draw your AWS infrastructure
4. Click "Export"
5. Click "Terraform code export"
Try it yourself!
101. modules.tf — generated code
✓ Potentially ready-to-use Terraform configurations
✓ Suits best for bootstrapping
✓ Enforces Terraform best-practices
✓ Batteries included (terraform-aws-modules, terragrunt, pre-commit)
✓ 100% free and open-source (https://github.com/antonbabenko/modules.tf-lambda)
✓ Released under MIT license