SlideShare una empresa de Scribd logo

Terraform - Taming Modern Clouds

Nic Jackson
Nic Jackson

Slides form Config Management Camp, looking at how you can take a collaborative GitFlow approach to Terraform using Remote State, Modules and Dynamically Generated Credentials using Vault

Software
1 de 57
Descargar para leer sin conexión
DEVOPS DELIVERED sheriffjackson TAMING MODERN CLOUD ENVIRONMENTS WITH TERRAFORM
 Nic Jackson Developer Advocate, HashiCorp sheriffjackson
 Adgenda • Why you have a problem • Quick Terraform intro • Collaborating with Terraform • Remote State • Modules • GitFlow • CI/CD • Managing provider secrets
 Why you have a problem! sheriffjackson
 Why you have a problem sheriffjackson
 Why you have a problem • Infrastructure as a service (e.g. AWS, Azure, GCP, DigitalOcean) • Platform as a service (e.g. Heroku) sheriffjackson
 Why you have a problem • Many organizations start with PaaS • Fast default to IaaS as organization grows • PaaS is amazing, but limitations do not scale with well with application complexity sheriffjackson
 What is Terraform? sheriffjackson
 What is Terraform? - Write • Define infrastructure as code to increase operator productiveity and transparency • Configuration can be stored in version control, shared, and collaborated on by teams • If it can be codified, it can be automated sheriffjackson
 What is Terraform? - Plan • Understand how a minor change could have cascading effects across infrastructure before executing the change • Plans show operators what would happen, applies execute changes • Single workflow across all infrastructure providers (AWS, GCP, Azure, OpenStack, VMware, and more) sheriffjackson
 What is Terraform? - Apply • Use the same configuration in multiple places to reduce mistakes and save time • Provision identical staging, QA, and production environments • Effortlessly combine high-level system providers • Dependency resolution means things happen in the right order sheriffjackson
provider "aws" {} data "aws_availability_zones" "available" {} resource "aws_vpc" "main" { cidr_block = "${var.cidr_block}" } terraform.tf Simple Terraform config
 Collaborating with Terraform sheriffjackson
 Collaborating with Terraform - 4 phases of collaboration • Manual • Semi-automated • Infrastructure as Code • Collaborative Infrastructure as Code sheriffjackson
Terraform  Remote State sheriffjackson
 Collaborating with Terraform - Remote state • Backends are responsible for storing state and providing an API for state locking. State locking is optional. • Backends determine where state is stored • 10 officially supported backends • Allows state to be stored remotely • Keeps sensitive information off disk sheriffjackson
 Remote state backends • artifactory - not locking • azurerm - locking • consul - locking • etcd - not locking • gcs - locking • http - optional locking • manta - locking • s3 - locking • swift - not locking • terraform enterprise - not locking
terraform { backend "s3" { bucket = "tfremotestatenic" key = "cfmngmnt" region = "eu-west-1" } } terraform.tf Terraform remote state
Terraform  Introduction to Modules sheriffjackson
 Introduction to Modules - What is a module? • A module is simply a blueprint for your application • A module is a high level abstraction • A module is your own PaaS • Modules can be shared in Github or the Terraform Module registry sheriffjackson
 Introduction to Modules - What is a module? • Modules abstract complexity • Module perform a single task and have a single purpose • Build once, use many sheriffjackson
 Introduction to Modules - Reference Architecture sheriffjackson
Terraform sheriffjackson
 Introduction to Modules - Versioning modules • Ability to use Git tags • Move immutable versions across environments sheriffjackson
provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git
provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir?ref=hotfix" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git with branch reference
 Introduction to Modules - Modules can contain modules • Modules can be composed of sub-modules • Sub-modules can be composed of sub-sub-modules • Sub-sub-modules can be composed of sub-sub-sub-modules • ... sheriffjackson
 Introduction to Modules - Multi-Cloud • It will never be possible to write a common abstraction at a resource level for an instance in different cloud providers • Modeling infrastructure on a high level such as K8s cluster with modules allows abstraction and hides implementation sheriffjackson
Terraform  Terraform GitFlow and CI sheriffjackson
 Collaborating with Terraform - Git Flow sheriffjackson master branch commit plan pull request validate merge plan apply version 1.0 version 1.1
 Collaborating with Terraform - GitHub sheriffjackson
 Collaborating with Terraform - Pull Requests sheriffjackson
 Collaborating with Terraform - Automated builds sheriffjackson
 Collaborating with Terraform - Build workflow sheriffjackson
 Collaborating with Terraform - Plan sheriffjackson
 Collaborating with Terraform - Apply sheriffjackson ONLY PRODUCTION BRANCH / ENFORCE TAGS
 Public Service Announcement! • DO NOT EXPOSE Vault / CI WITH PUBLIC GitHub • THIS IS A SIMPLIFIED EXAMPLE FOR DEMONSTRATION ONLY
 Collaborating with Terraform - Fork me sheriffjackson https://github.com/nicholasjackson/ terraform-cfgmgmtcamp 1) Fork the below repository 2) Create a new branch 3) Refactor into a module 4) Pull request
Terraform  Managing Credentials With Vault sheriffjackson
 Managing Credentials with Vault - Why? • Separating read / write credentials • TTL on credentials with automatic revoke • Fine grained control over access • Audit log • Reduce secret sprawl • Developers / operators DO NOT require explicit credentials sheriffjackson
 Managing Credentials with Vault - Process sheriffjackson login to vault create AWS credentials (with TTL) create IAM user (with policy) request AWS credentials terraform plan/apply/ destroy write to audit log revoke credentials (TTL expired) delete IAM user return credentials GitHub token validate login with GitHub vault token admin IAM policy IAM
 AWS Secrets Managing Credentials with Vault - hierarchy sheriffjackson role A (aws_read) role B (aws_write) policy A (aws_read) [read] policy C (aws_write) [read] policy B (aws_read) [read, create] GitHub Auth user B (ricksanchez) user A (nicholasjackson)
Terminal # enable the vault secrets engine for AWS $ vault secrets enable aws Success! Enabled the aws secrets engine at: aws/ # add IAM credentials which have the capability to manage IAM credentials $ vault write aws/config/root access_key=AKIAJWVN5Z4FOFT7NLNA secret_key=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 region=us-east-1 Configure AWS secret engine
Terminal # enable the vault secrets engine for AWS $ vault auth enable github # set the auth endpoint to a GitHub organization $ vault write auth/github/config organization=hashicorp Configure GitHub auth
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" }, ... terraform.tf Create a read-only AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_read.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" }, terraform.tf Create a write AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_write.json
Terminal # create the read only role $ vault write aws/roles/aws_readonly policy=@aws_read_policy.json Success! Data written to: aws/roles/aws_readonly # create the write role $ vault write aws/roles/aws_write policy=@aws_write_policy.json Success! Data written to: aws/roles/aws_write Configure roles
path "aws/creds/aws_readonly" { capabilities = ["read"] # "create", "read", "update", "delete", "list" } terraform.tf Create a read-only Vault policy
path "aws/creds/aws_write" { capabilities = ["read"] } terraform.tf Create a write Vault policy
Terminal # Add the read only policy to vault $ vault write sys/policy/aws_readonly policy=@aws_readonly.hcl Success! Data written to: sys/policy/aws_readonly # Add the write policy to vault $ vault write sys/policy/aws_write policy=@aws_write.hcl Success! Data written to: sys/policy/aws_write Add the policy to Vault
Terminal # Assign the policy to the GitHub user $ vault write auth/github/map/users/nicholasjackson value=aws_readonly,aws_write Success! Data written to: auth/github/map/users/nicholasjackson # Or assign the policy to a GitHub team $ vault write auth/github/map/teams/hasicorp value=aws_readonly,aws_write Success! Data written to: auth/github/map/teams/hashicorp Assign the policy to the GitHub user
Terminal # login to vault with GitHub token $ vault login -token-only -method=github token=${GITHUB_TOKEN} The token was not stored in token helper. Set the VAULT_TOKEN environment variable or pass the token below with each request to Vault. ebb39457-cdb8-41ae-c227-9e0245837873 # use vault token to obtain AWS credentials $ VAULT_TOKEN=ebb39457-cdb8-41ae-c227-9e0245837873 vault read aws/creds/ aws_readonly Key Value --- ----- lease_id aws/creds/aws_readonly/0bb798a3-c4fd-0609-6bcd- f34673156c8a lease_duration 15m lease_renewable true access_key AKIAJMWSOATIG3VQJCNA secret_key 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 security_token <nil> Login with GitHub obtain IAM credentials
provider "vault" { address = "http://pi01.local.demo.gs:8200" } module "vault" { source = "./vault" github_org = "hashicorp" aws_access_key_id = "xxxxxxxxxxxxxx" aws_access_key_secret = "xxxxxxxxxxxxxxxxxxxxxx" aws_region = "us-east-1" } We can also do this with a module https://github.com/nicholasjackson/terraform-cfgmgmtcamp/tree/master/vault
 Putting it all together sheriffjackson
THANKS FOR LISTENING • https://www.terraform.io • https://www.vaultproject.io • https://registry.terraform.io FURTHER INFO: @sheriffjackson, nic@hashicorp.com DEVOPS DELIVERED • https://github.com/nicholasjackson/terraform-cfgmgmtcamp EXAMPLE PROJECT:
AGENDA DEVOPS DELIVERED 14:55 - CoreOS baremetal provisioning with Terraform, Ignition and Matchbox ★ Rafael Porres Molina 15:35 - Break 15:55 - Introduction to provisioning basic infrastructure on Google Cloud Platform with Terraform ★ Stein Inge Morisbak 16:35 - Terraform for fun and profit ★ Bram Vogelaar & Julien Pivottto 17:15 - Terraboard ★ Raphael Pinson

Recomendados

A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices Nebulaworks
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultGrzegorz Adamowicz
 
Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017Jonathon Brouse
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesYevgeniy Brikman
 
Comprehensive Terraform Training
Comprehensive Terraform TrainingComprehensive Terraform Training
Comprehensive Terraform TrainingYevgeniy Brikman
 
Terraform in deployment pipeline
Terraform in deployment pipelineTerraform in deployment pipeline
Terraform in deployment pipelineAnton Babenko
 
Infrastructure as Code with Terraform
Infrastructure as Code with TerraformInfrastructure as Code with Terraform
Infrastructure as Code with TerraformTim Berry
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSYevgeniy Brikman
 

Recomendados

A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices Nebulaworks
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultGrzegorz Adamowicz
 
Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017Terraform at Scale - All Day DevOps 2017
Terraform at Scale - All Day DevOps 2017Jonathon Brouse
 
Reusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesReusable, composable, battle-tested Terraform modules
Reusable, composable, battle-tested Terraform modulesYevgeniy Brikman
 
Comprehensive Terraform Training
Comprehensive Terraform TrainingComprehensive Terraform Training
Comprehensive Terraform TrainingYevgeniy Brikman
 
Terraform in deployment pipeline
Terraform in deployment pipelineTerraform in deployment pipeline
Terraform in deployment pipelineAnton Babenko
 
Infrastructure as Code with Terraform
Infrastructure as Code with TerraformInfrastructure as Code with Terraform
Infrastructure as Code with TerraformTim Berry
 
An intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSAn intro to Docker, Terraform, and Amazon ECS
An intro to Docker, Terraform, and Amazon ECSYevgeniy Brikman
 
Declarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformDeclarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformRadek Simko
 
Terraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerTerraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerCalvin French-Owen
 
Refactoring terraform
Refactoring terraformRefactoring terraform
Refactoring terraformNell Shamrell-Harrington
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Stephane Jourdan
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructuredAmi Mahloof
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...Yevgeniy Brikman
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ..."Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ...Anton Babenko
 
Terraform at Scale
Terraform at ScaleTerraform at Scale
Terraform at ScaleCalvin French-Owen
 
Final terraform
Final terraformFinal terraform
Final terraformGourav Varma
 
Terraform Introduction
Terraform IntroductionTerraform Introduction
Terraform Introductionsoniasnowfrog
 
Introductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformIntroductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformMichael Heyns
 
Scaling terraform
Scaling terraformScaling terraform
Scaling terraformPaolo Tonin
 
Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Shih Oon Liong
 
Terraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentTerraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentZane Williamson
 
Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021TomStraub5
 
Infrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformInfrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformAlexander Popov
 
Intro to Terraform
Intro to TerraformIntro to Terraform
Intro to TerraformJosh Michielsen
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introductionJason Vance
 
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackScaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackBobby DeVeaux, DevOps Consultant
 
Terraform day02
Terraform day02Terraform day02
Terraform day02Gourav Varma
 
Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Anton Babenko
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using TerraformHarkamal Singh
 

Más contenido relacionado

La actualidad más candente

Declarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformDeclarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformRadek Simko
 
Terraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerTerraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerCalvin French-Owen
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Stephane Jourdan
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructuredAmi Mahloof
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...Yevgeniy Brikman
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ..."Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ...Anton Babenko
 
Terraform Introduction
Terraform IntroductionTerraform Introduction
Terraform Introductionsoniasnowfrog
 
Introductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformIntroductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformMichael Heyns
 
Scaling terraform
Scaling terraformScaling terraform
Scaling terraformPaolo Tonin
 
Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Shih Oon Liong
 
Terraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentTerraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentZane Williamson
 
Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021TomStraub5
 
Infrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformInfrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformAlexander Popov
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introductionJason Vance
 
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackScaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackBobby DeVeaux, DevOps Consultant
 

La actualidad más candente (20)

Declarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with TerraformDeclarative & workflow based infrastructure with Terraform
Declarative & workflow based infrastructure with Terraform
 
Terraform Abstractions for Safety and Power
Terraform Abstractions for Safety and PowerTerraform Abstractions for Safety and Power
Terraform Abstractions for Safety and Power
 
Refactoring terraform
Refactoring terraformRefactoring terraform
Refactoring terraform
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructured
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...How to test infrastructure code: automated testing for Terraform, Kubernetes,...
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ..."Continuously delivering infrastructure using Terraform and Packer" training ...
"Continuously delivering infrastructure using Terraform and Packer" training ...
 
Terraform at Scale
Terraform at ScaleTerraform at Scale
Terraform at Scale
 
Final terraform
Final terraformFinal terraform
Final terraform
 
Terraform Introduction
Terraform IntroductionTerraform Introduction
Terraform Introduction
 
Introductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with TerraformIntroductory Overview to Managing AWS with Terraform
Introductory Overview to Managing AWS with Terraform
 
Scaling terraform
Scaling terraformScaling terraform
Scaling terraform
 
Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...Transforming Infrastructure into Code - Importing existing cloud resources u...
Transforming Infrastructure into Code - Importing existing cloud resources u...
 
Terraform Modules and Continuous Deployment
Terraform Modules and Continuous DeploymentTerraform Modules and Continuous Deployment
Terraform Modules and Continuous Deployment
 
Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021Developing Terraform Modules at Scale - HashiTalks 2021
Developing Terraform Modules at Scale - HashiTalks 2021
 
Infrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to TerraformInfrastructure as Code: Introduction to Terraform
Infrastructure as Code: Introduction to Terraform
 
Intro to Terraform
Intro to TerraformIntro to Terraform
Intro to Terraform
 
Terraform introduction
Terraform introductionTerraform introduction
Terraform introduction
 
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on OpenstackScaling Your App With Docker Swarm using Terraform, Packer on Openstack
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
 
Terraform day02
Terraform day02Terraform day02
Terraform day02
 

Similar a Terraform - Taming Modern Clouds

Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Anton Babenko
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using TerraformHarkamal Singh
 
Kubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely togetherKubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely togetherEdward Wilde
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...Amazon Web Services
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...J V
 
How we scale DroneCi on demand
How we scale DroneCi on demandHow we scale DroneCi on demand
How we scale DroneCi on demandPatrick Jahns
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scalingsmattoon
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanAlex Ellis
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedwhoschek
 
Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly - Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly - Giulio Vian
 
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas MongoDB
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?smattoon
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Docker, Inc.
 
Debasihish da final.ppt
Debasihish da final.pptDebasihish da final.ppt
Debasihish da final.pptKalkey
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sunsmattoon
 

Similar a Terraform - Taming Modern Clouds (20)

Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using Terraform
 
Kubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely togetherKubernetes and AWS Lambda can 
play nicely together
Kubernetes and AWS Lambda can 
play nicely together
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
 
How we scale DroneCi on demand
How we scale DroneCi on demandHow we scale DroneCi on demand
How we scale DroneCi on demand
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scaling
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - Milan
 
56k.cloud training
56k.cloud training56k.cloud training
56k.cloud training
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmed
 
Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly - Terraform for azure: the good, the bad and the ugly -
Terraform for azure: the good, the bad and the ugly -
 
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
 
Effective terraform
Effective terraformEffective terraform
Effective terraform
 
Introduction to IAC and Terraform
Introduction to IAC and Terraform Introduction to IAC and Terraform
Introduction to IAC and Terraform
 
Debasihish da final.ppt
Debasihish da final.pptDebasihish da final.ppt
Debasihish da final.ppt
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sun
 
TIAD : Automating the modern datacenter
TIAD : Automating the modern datacenterTIAD : Automating the modern datacenter
TIAD : Automating the modern datacenter
 

Último

WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...masabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2
 

Último (20)

WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 

Terraform - Taming Modern Clouds

  • 1. DEVOPS DELIVERED sheriffjackson TAMING MODERN CLOUD ENVIRONMENTS WITH TERRAFORM
  • 2.  Nic Jackson Developer Advocate, HashiCorp sheriffjackson
  • 3.
  • 4.  Adgenda • Why you have a problem • Quick Terraform intro • Collaborating with Terraform • Remote State • Modules • GitFlow • CI/CD • Managing provider secrets
  • 5.  Why you have a problem! sheriffjackson
  • 6.  Why you have a problem sheriffjackson
  • 7.  Why you have a problem • Infrastructure as a service (e.g. AWS, Azure, GCP, DigitalOcean) • Platform as a service (e.g. Heroku) sheriffjackson
  • 8.  Why you have a problem • Many organizations start with PaaS • Fast default to IaaS as organization grows • PaaS is amazing, but limitations do not scale with well with application complexity sheriffjackson
  • 10.  What is Terraform? - Write • Define infrastructure as code to increase operator productiveity and transparency • Configuration can be stored in version control, shared, and collaborated on by teams • If it can be codified, it can be automated sheriffjackson
  • 11.  What is Terraform? - Plan • Understand how a minor change could have cascading effects across infrastructure before executing the change • Plans show operators what would happen, applies execute changes • Single workflow across all infrastructure providers (AWS, GCP, Azure, OpenStack, VMware, and more) sheriffjackson
  • 12.  What is Terraform? - Apply • Use the same configuration in multiple places to reduce mistakes and save time • Provision identical staging, QA, and production environments • Effortlessly combine high-level system providers • Dependency resolution means things happen in the right order sheriffjackson
  • 13. provider "aws" {} data "aws_availability_zones" "available" {} resource "aws_vpc" "main" { cidr_block = "${var.cidr_block}" } terraform.tf Simple Terraform config
  • 15.  Collaborating with Terraform - 4 phases of collaboration • Manual • Semi-automated • Infrastructure as Code • Collaborative Infrastructure as Code sheriffjackson
  • 17.  Collaborating with Terraform - Remote state • Backends are responsible for storing state and providing an API for state locking. State locking is optional. • Backends determine where state is stored • 10 officially supported backends • Allows state to be stored remotely • Keeps sensitive information off disk sheriffjackson
  • 18.  Remote state backends • artifactory - not locking • azurerm - locking • consul - locking • etcd - not locking • gcs - locking • http - optional locking • manta - locking • s3 - locking • swift - not locking • terraform enterprise - not locking
  • 19. terraform { backend "s3" { bucket = "tfremotestatenic" key = "cfmngmnt" region = "eu-west-1" } } terraform.tf Terraform remote state
  • 21.  Introduction to Modules - What is a module? • A module is simply a blueprint for your application • A module is a high level abstraction • A module is your own PaaS • Modules can be shared in Github or the Terraform Module registry sheriffjackson
  • 22.  Introduction to Modules - What is a module? • Modules abstract complexity • Module perform a single task and have a single purpose • Build once, use many sheriffjackson
  • 23.  Introduction to Modules - Reference Architecture sheriffjackson
  • 25.  Introduction to Modules - Versioning modules • Ability to use Git tags • Move immutable versions across environments sheriffjackson
  • 26. provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git
  • 27. provider "aws" {} module "vpc" "default" { source = "git@github.com:hashicorp/example.git//subdir?ref=hotfix" cidr_block = "${var.cidr_block}" } terraform.tf Module source from Git with branch reference
  • 28.  Introduction to Modules - Modules can contain modules • Modules can be composed of sub-modules • Sub-modules can be composed of sub-sub-modules • Sub-sub-modules can be composed of sub-sub-sub-modules • ... sheriffjackson
  • 29.  Introduction to Modules - Multi-Cloud • It will never be possible to write a common abstraction at a resource level for an instance in different cloud providers • Modeling infrastructure on a high level such as K8s cluster with modules allows abstraction and hides implementation sheriffjackson
  • 31.  Collaborating with Terraform - Git Flow sheriffjackson master branch commit plan pull request validate merge plan apply version 1.0 version 1.1
  • 32.  Collaborating with Terraform - GitHub sheriffjackson
  • 33.  Collaborating with Terraform - Pull Requests sheriffjackson
  • 34.  Collaborating with Terraform - Automated builds sheriffjackson
  • 35.  Collaborating with Terraform - Build workflow sheriffjackson
  • 36.  Collaborating with Terraform - Plan sheriffjackson
  • 37.  Collaborating with Terraform - Apply sheriffjackson ONLY PRODUCTION BRANCH / ENFORCE TAGS
  • 38.  Public Service Announcement! • DO NOT EXPOSE Vault / CI WITH PUBLIC GitHub • THIS IS A SIMPLIFIED EXAMPLE FOR DEMONSTRATION ONLY
  • 39.  Collaborating with Terraform - Fork me sheriffjackson https://github.com/nicholasjackson/ terraform-cfgmgmtcamp 1) Fork the below repository 2) Create a new branch 3) Refactor into a module 4) Pull request
  • 41.  Managing Credentials with Vault - Why? • Separating read / write credentials • TTL on credentials with automatic revoke • Fine grained control over access • Audit log • Reduce secret sprawl • Developers / operators DO NOT require explicit credentials sheriffjackson
  • 42.  Managing Credentials with Vault - Process sheriffjackson login to vault create AWS credentials (with TTL) create IAM user (with policy) request AWS credentials terraform plan/apply/ destroy write to audit log revoke credentials (TTL expired) delete IAM user return credentials GitHub token validate login with GitHub vault token admin IAM policy IAM
  • 43.  AWS Secrets Managing Credentials with Vault - hierarchy sheriffjackson role A (aws_read) role B (aws_write) policy A (aws_read) [read] policy C (aws_write) [read] policy B (aws_read) [read, create] GitHub Auth user B (ricksanchez) user A (nicholasjackson)
  • 44. Terminal # enable the vault secrets engine for AWS $ vault secrets enable aws Success! Enabled the aws secrets engine at: aws/ # add IAM credentials which have the capability to manage IAM credentials $ vault write aws/config/root access_key=AKIAJWVN5Z4FOFT7NLNA secret_key=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 region=us-east-1 Configure AWS secret engine
  • 45. Terminal # enable the vault secrets engine for AWS $ vault auth enable github # set the auth endpoint to a GitHub organization $ vault write auth/github/config organization=hashicorp Configure GitHub auth
  • 46. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" }, ... terraform.tf Create a read-only AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_read.json
  • 47. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::tfremotestatenic"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::tfremotestatenic/*"] }, { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" }, terraform.tf Create a write AWS IAM policy https://github.com/nicholasjackson/terraform-cfgmgmtcamp/blob/master/vault/templates/aws_write.json
  • 48. Terminal # create the read only role $ vault write aws/roles/aws_readonly policy=@aws_read_policy.json Success! Data written to: aws/roles/aws_readonly # create the write role $ vault write aws/roles/aws_write policy=@aws_write_policy.json Success! Data written to: aws/roles/aws_write Configure roles
  • 49. path "aws/creds/aws_readonly" { capabilities = ["read"] # "create", "read", "update", "delete", "list" } terraform.tf Create a read-only Vault policy
  • 50. path "aws/creds/aws_write" { capabilities = ["read"] } terraform.tf Create a write Vault policy
  • 51. Terminal # Add the read only policy to vault $ vault write sys/policy/aws_readonly policy=@aws_readonly.hcl Success! Data written to: sys/policy/aws_readonly # Add the write policy to vault $ vault write sys/policy/aws_write policy=@aws_write.hcl Success! Data written to: sys/policy/aws_write Add the policy to Vault
  • 52. Terminal # Assign the policy to the GitHub user $ vault write auth/github/map/users/nicholasjackson value=aws_readonly,aws_write Success! Data written to: auth/github/map/users/nicholasjackson # Or assign the policy to a GitHub team $ vault write auth/github/map/teams/hasicorp value=aws_readonly,aws_write Success! Data written to: auth/github/map/teams/hashicorp Assign the policy to the GitHub user
  • 53. Terminal # login to vault with GitHub token $ vault login -token-only -method=github token=${GITHUB_TOKEN} The token was not stored in token helper. Set the VAULT_TOKEN environment variable or pass the token below with each request to Vault. ebb39457-cdb8-41ae-c227-9e0245837873 # use vault token to obtain AWS credentials $ VAULT_TOKEN=ebb39457-cdb8-41ae-c227-9e0245837873 vault read aws/creds/ aws_readonly Key Value --- ----- lease_id aws/creds/aws_readonly/0bb798a3-c4fd-0609-6bcd- f34673156c8a lease_duration 15m lease_renewable true access_key AKIAJMWSOATIG3VQJCNA secret_key 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 security_token <nil> Login with GitHub obtain IAM credentials
  • 54. provider "vault" { address = "http://pi01.local.demo.gs:8200" } module "vault" { source = "./vault" github_org = "hashicorp" aws_access_key_id = "xxxxxxxxxxxxxx" aws_access_key_secret = "xxxxxxxxxxxxxxxxxxxxxx" aws_region = "us-east-1" } We can also do this with a module https://github.com/nicholasjackson/terraform-cfgmgmtcamp/tree/master/vault
  • 55.  Putting it all together sheriffjackson
  • 56. THANKS FOR LISTENING • https://www.terraform.io • https://www.vaultproject.io • https://registry.terraform.io FURTHER INFO: @sheriffjackson, nic@hashicorp.com DEVOPS DELIVERED • https://github.com/nicholasjackson/terraform-cfgmgmtcamp EXAMPLE PROJECT:
  • 57. AGENDA DEVOPS DELIVERED 14:55 - CoreOS baremetal provisioning with Terraform, Ignition and Matchbox ★ Rafael Porres Molina 15:35 - Break 15:55 - Introduction to provisioning basic infrastructure on Google Cloud Platform with Terraform ★ Stein Inge Morisbak 16:35 - Terraform for fun and profit ★ Bram Vogelaar & Julien Pivottto 17:15 - Terraboard ★ Raphael Pinson