Terraform best practices with examples and arguments - Anton Babenko

Captions
Cool, so welcome everyone, good morning for those who woke up. If you didn't wake up, I will try to wake you up with Terraform. I don't know how it works, but we'll try. So, thanks. My name is Anton Babenko, and quite recently I was recognized as an AWS Community Hero, because I do pretty many different activities related to Terraform and AWS, so AWS decided to award me. I also organize a bunch of different user groups here in Norway and in Oslo: HashiCorp user groups, AWS user groups, DevOps Norway, and also the conference DevOpsDays Oslo. But for the last four years I've been spending, pretty much daily and at some point an enormous amount of time, contributing to different terraform-aws projects. Some of them are listed here, and some of them I will be covering in more detail. In particular, you can always ask me on Twitter, LinkedIn or email if you have any questions about the talk or about Terraform or AWS; I really like to answer them.

So what I do: obviously Terraform is hot, everybody wants to use it, so I write a lot of open source projects, which turn out to be paying me nothing, okay? So that's why I provide consulting, workshops, mentorship and a more traditional set of services, because it's pretty hard to get rich from just writing open source code, which actually some of you in this room are using, so I'm glad for that. To begin with, in about 2015 I started writing different terraform-aws modules, figuring out what they are and how to use them, and then I published many of them, and then they became actually quite popular. Most of them are verified by HashiCorp and get stamped, and there have actually been more than four million downloads over the last two years. So a lot of people need to use them, and use them if they want to build infrastructure on AWS. Like, if you need to set up a VPC or an auto scaling group, it's very hard to be really unique, and you just have to use something existing, like in a general programming language we've been using libraries, right? So that's what terraform-aws modules are.

Another product which I'm affiliated with is Cloudcraft. It is the best way to draw AWS diagrams for your project, where you can visualize all of your infrastructure in the browser, and you can connect them, you can specify different properties, you can actually import live AWS infrastructure, you can see the budget, you can embed it into your Confluence wiki, you can export the image, and many, many different things. But you may think, why Cloudcraft? Okay, Cloudcraft is probably not developer friendly because it's all in the browser, and I'm here to emphasize the value of infrastructure as code using Terraform. Okay, so infrastructure as code makes DevOps possible, because only if we write something as code can we actually treat it similarly to application code: we always know what has changed, who has changed it, maybe even why they changed it, and we can also validate different infrastructure changes as we do with application code in the pipeline before deployment to production; we can deploy the same change in a test environment, see how it behaves, and so on.

So, Terraform. Who knows what Terraform is, or who uses Terraform? Okay, so less than half of the people raised a hand. Some people raised a hand under the desk, which still counts. So I guess many of you know what Terraform is. Okay, so Terraform in a nutshell started in 2014 as a tool to create, update and change infrastructure safely and in a predictable way, so that we always know what's going to change; we don't want to have different surprises. So this is how a typical configuration file in Terraform looks. I'm talking about 0.11, which has been around for quite some time; 0.12 was released three weeks ago. There is very little difference, but I will highlight them during the talk as well. So this is how a configuration file looks: it is a text file where we specify the variables which we want to use and we specify what kind of resource we want to make, and then we run several commands. To download dependencies, terraform init will download the dependencies required to talk to different cloud providers, like in this case AWS, and then I run terraform apply in order to see what's going to happen. So in this case I want to create a bucket with a random name, so that's what it tells me, I confirm this with "yes", that's exactly what I want, and then after six seconds my bucket is created. That's all we have: we create a text file, we declare what we want, and we run Terraform commands to get these resources created.

You may think that AWS has CloudFormation, Google has Google Cloud Deployment Manager, Azure of course said that there is nothing better than JSON, so here is Azure Resource Manager. And why did these providers create this? They wanted to let users manage the infrastructure on that provider, so there is almost no way, no easy way, to combine resources between these providers. And then Terraform appeared and said, okay, no problem, we have more than a hundred more providers in addition to these three. So that's pretty good, right? So you may think, okay, we have support for all of these providers, which we can easily combine and declare in the same syntax. So we are using the same language; we don't have to mix Python for Google Cloud and YAML or JSON for CloudFormation or Azure Resource Manager. We define everything in a language which is called HCL, which is short for HashiCorp Configuration Language. So that's really good that we don't need to know all of this and try to come up with all of these things. But in addition to this, Terraform was designed to be reused, so there are lots of different concepts built into Terraform which allow us to write a small amount of code and reuse it across different projects, different solutions. So that's really a differentiator.

And back in 2014, for those who don't remember what the time was like, with all of those tools like CloudFormation, Azure, Google Deployment Manager, you just executed your script, fingers crossed, and hoped that nothing was destroyed. Okay, this mode is called "fingers crossed". With Terraform this was taken very seriously, and there are concepts like the Terraform state file, where we know that there is a known collection, a known specification, a known description of the resources which we already manage with Terraform, so we can always compare what's going to happen, and we don't have to turn on fingers-crossed mode every time. We see what's going to happen, we confirm that this is exactly what we want, and we apply this change. Back in 2014 it was one of the best benefits which you could tell to anybody, and they would say, oh my god, I'm going to use Terraform immediately. I remember this time myself, when I showed it to some of my customers and they said, oh my god, I abandon CloudFormation right now, and since then they're happy users of Terraform.

So Terraform is actually a universal tool: as long as there is an API, it means that there is a way to instruct Terraform to manage resources on any other provider. For example, if you want to order a pizza, I mean yes, Domino's has an API, so you just specify the size of the pizza, what kind of stuff to put on it, you specify your credit card details, and then an API call will be made by Terraform to Domino's Pizza and eventually your pizza will be delivered. It's nice, I think, right? I mean, isn't that what Terraform is for? Actually, Minecraft, what is it for? I mean, Minecraft also has an API, so in Minecraft you can specify the position, what type of object you want to place on XYZ coordinates, and you can also specify dependencies, so you can say first build this plate and then put a sheep on top of it. So Terraform will handle the dependencies in order to figure out in which sequence to build these objects. Again, this is an example of an API. More traditional, of course, is public cloud like AWS, which takes I guess about 70% of all attention to Terraform, and many other providers, like community-developed ones, for example for Dropbox, or to manage your Google applications or Gmail accounts; you can create issues with Terraform, and so on. So many different providers exist right now; I think there are about 170 or about 190 different providers by the community.

So let's start with something more real, okay, because not everybody is playing Minecraft, not everybody is ordering pizza at Domino's, though I order it, okay. So let's manage an AWS network stack. This is getting to be a little bit more advanced, and maybe, oh, actually I forgot to mention, this is going to be an advanced talk, okay; it's not going to be about ordering pizza and Minecraft anymore. So let's deep dive into some more Terraform specifics. So this is how we want to create a VPC: we specify the CIDR block and we run Terraform commands, and then we'll get CIDR blocks allocated for this VPC. Then we extend this text file and we want to have internet access, so we specify that now we want to add an Internet Gateway, and we tell it for which VPC. That's easy. Then we add subnets, okay, because obviously we need to put some resources somewhere, so we specify a couple more resources, and then we're going to add some more resources like routing tables, route table associations, rules, NAT gateways, Elastic IP addresses, and so on. So for a very small and pretty simple network stack on almost any project, this network configuration file will contain two to three hundred lines easily. So it's not a lot, but it's not something which is a differentiator for your business, most likely. So there will be a lot of files and a lot of lines, sorry, and as we can see the amount of code is always increasing, and the complexity is going to be increasing as well. So VPC, Internet Gateway, subnets, all of them are dependent on each other, and it will be pretty tricky to manage this.

So the first thing which Terraform came up with out of the box, back a long, long time ago, was Terraform modules. So Terraform modules are just self-contained packages of Terraform files which we always call as a single unit. So that's the only thing which you need to know about Terraform modules when you think about them. So there are two types of modules. One is called resource modules, in particular those which I maintain under the terraform-aws-modules GitHub account, and there is another type of module which is called infrastructure modules. So let's look in more detail at the first group. Resource modules are designed to be extremely flexible, and they handle all of the complexity inside, and they do not contain any business logic; they don't have any opinions, they just let you do whatever is possible with this resource. So they're a great candidate to be open source, and the majority of modules which you find in open source, I mean in public, are exactly the resource modules. So resource modules in Terraform can be invoked like this: first we specify from which place we want to call it, in this case we specify that we want to use the http submodule from the security-group module, we specify which version we want to get, and we specify the different attributes or arguments which we want to pass to that module. So that's easy; in this case we are calling the module and we want to have a security group with just the HTTP ports open.

So, first question to people, especially for those who use Terraform: would you use a Terraform module to manage an AWS EC2 security group, or would you just write resources, like two resources, the security group, and attach a bunch of different rules to it? So the question is: would you use a Terraform module to manage an AWS EC2 security group? Nobody raising hands means that nobody would use it, right? Okay, that's good. Watch this. So this is the real logic which you will have to implement if you want to create a security group yourself on AWS. There are about 600 or 800 lines in order to create a security group in a really flexible configuration. When I say flexible, it means that you, as a user of AWS, seldom think about what is actually inside the Terraform AWS provider, the AWS SDK, AWS internals; you are abstracted away from all of this. And that's the purpose of resource modules: you don't have to know the internal implementation of how to create IPv6 rules, IPv4 prefix lists, self references, all protocols, named groups and something else; all of this is handled by these resource modules, which you don't have to know and you don't have to make yourself in order to use it. So the abstraction here is key: you don't have to know all the details in order to use it. So think about this as a benefit of resource modules in the first place.

And the second type of module is the infrastructure module, which obviously consists of some resource modules, because you don't want to deal with internals, and this is often the place for your company to implement all the standards which you have in the company, like naming, security, encryption and other things which are relevant for your industry or for your company specifically. And back in 2015 or 2017, or actually up until now, it is the only place where you can use different kinds of preprocessors like Jsonnet or cookiecutter to generate code for your module and let other people in the organization use it. The invocation of an infrastructure module is very similar: we specify where we want to get it and then we specify the different arguments which we want to pass inside the module. We can see that we are just invoking different versions of different modules, so we say that we want to make a VPC by invoking this module, and an Application Load Balancer, and so on. So it's no different; there is no big difference between a resource and an infrastructure module.

So let's talk about what to do and what not to do with Terraform modules. One of the frequent problems is that when you start writing a module, you are trying to solve just your use case, and if you are working alone in entire isolation, you will never care about anyone else. But it's unlikely, and most likely you have some other team, some other colleague, somebody else who wants, or who should not, reinvent the same solution which you came up with. So that's an important point: to write code which other people can use, even in the organization. So the first evil part in modules which I see quite often is that people put provider blocks in, and they assume that everybody will be using this module just in this configuration. This is a pretty bad idea, because it's not possible to inherit and override provider blocks so easily with Terraform. So never put this inside your module itself; always think about this as a layer and put the provider configuration as high as possible, where it makes sense.

So the second evil part is provisioners. A provisioner is something which allows you to execute different shell scripts or a CLI like the AWS CLI after a resource has been created. In this case, you know, we are tightly coupling the AWS VPC resource together with the provisioner, which is a pretty bad idea. It is bad because it's not possible to extend or override this resource at all. So just try to not put this section at all in your files, and always use something outside of Terraform, which is Ansible, Puppet or whatever else which you can trigger after the resource is created. And even if you think that, okay, there is an instance and I will launch this instance and then I want to run an Ansible playbook from my local machine and connect to this instance and do whatever I want, it is often better here, because it's not possible to extend. What is actually the problem part with provisioners here on instances, which many people don't think about, is that at some point you will think: now I want to make a launch configuration and I want to auto scale my instance, even if I want to have minimum, maximum and desired capacity of one. The thing is that it's not possible to use provisioners on launch configurations. So the solution here is that you use user data, and only when the instance is launched, then the common pattern is that you actually download playbooks from S3 and you execute them on the machine locally once the instance is up and running. So this is a common problem which many people don't realize unless they are told to implement an auto scaling group.

So at some point you may think that, okay, I actually need to extend the functionality of certain resources which are available in the AWS SDK or AWS CLI, so I really want to use my local machine. So null_resource is a special type of resource, which is not actually like a resource because it's a null resource, but it is possible to say that once the VPC is created, then actually run these commands which I want. So this way it is possible to have VPC creation and execution of the AWS CLI independently.

And there are many different points which I highlighted, and I think they are pretty relevant if you want to write code in Terraform which is actually useful. And I ordered these points in this order because I believe that documentation and examples are the most important part, not tests, because I mean tests are useless, simply because first you have to know what this module is doing, how to use it, what to expect from it. Okay, does it have enough features which I need right now? What kind of defaults does it have? Is it opinionated and is everything hard-coded? Hopefully not. Does it create just the resources which I want, or does it also create something which I really don't need? So this means clean code. And then at the end, yes, you may have some automation regarding this module where you can run an example, you can verify that the output of this was as expected. And this is a pretty hot area where everybody thinks that they need tests. I don't believe that people need tests unless they implement at least the four steps before that. So if you disagree, I would really like to talk to you about Terragrunt, awspec, InSpec, ServerSpec and any other tool which you know about this, because I kind of put it in this order and I'd like to know what you think about it.

So are Terraform modules enough? Unfortunately not, because it is a good start, but it's not enough. Okay, so let's look into how to structure Terraform configurations, and we will see more about how to call them. So if we look into how our project evolved: first we started with a small main.tf file, we put it in two different files, then we figured out that, okay, we are doing something which is not actually differentiating, so we go to the place where other people publish their modules and we find something there and we start using it. Okay, so now we found the VPC module, auto scaling group, RDS, so we have our own mess, okay, we will soon have a mess. Now it's time to think about, okay, how to actually orchestrate this, how to maybe separate this. So let's look into different patterns here. The first way, which is probably on the very left side, is called all-in-one, where we just invoke all of these modules one by one, so we specify all of these modules, module after module, and it eventually gets bigger and bigger, and next time when we run terraform apply it will take 10 minutes, 15 minutes, and then we'll think, yeah, it doesn't look so good, so maybe Terraform is bad, maybe I have to move to something else. This is what people think. No, in fact you start with something which you probably have to evolve. And the second way, on the very far right, is one-in-one, where we have a very small blast radius, where we are just invoking a single module or a small collection of modules, and we specify that if I'm working on the VPC then I will not be able to affect anything else than just the VPC. So I go to the VPC folder, I work in that isolation, and that's it. There is a very small blast radius; that's an important point. And let's think, especially those who use Terraform already: which way do you group your code at work, like all-in-one or one-in-one? So all-in-one is on one side and one-in-one is on this side. Who thinks that all-in-one is what you have and what you probably like? Anyone? Right, but actually there are people, but you're just shy, okay. But one-in-one, who thinks that this is good and this is what we should be using? Right, okay, so yeah, it's quite obvious that people think that, yeah, one-in-one is good and I definitely have to use it. And the correct answer is actually somewhere in between, okay, because most frequently, or at least what I'm speaking about myself, is when I wake up and I think, oh, that's going to be an awesome project, I will make everything perfect from day one, no shortcuts, everything will be ready in time. Believe me, it's not happening like this, okay. I always start with one file, I put a bunch of different things in it, I experiment there, I connect different components, especially in situations which I never worked with before; it will be much faster for me to work in a big snowball of mess and try to connect different resources before I figure out different patterns and can extrapolate it. One-in-one, on the other side, is when I clearly know that this is a well-established project; it's not the only project, I already know that, okay, we have some application, we have some load balancers, we have some VPC, and what is really important is that if I'm not working on this alone, which means that there will be different types of people involved, it's really beneficial to think about one-in-one or somewhere in that area. If I have created some code before, for example to set up similar infrastructure, one-in-one is a very natural choice for me. So normally one-in-one is something which people are aiming for, but they're always starting with all-in-one. I mean, occasionally people start thinking about, like, pre-optimization and trying to make everything perfect, but then, you know what's happening with optimization in advance, right? It will kill the project.

So what about Terraform workspaces? Who thinks that Terraform workspaces are awesome? Okay, for those who don't know what Terraform workspaces are, let me tell you that this is not awesome, okay. Terraform workspaces are not awesome. Terraform workspaces were designed by HashiCorp; they became part of Terraform because, because why not, I mean people have one folder and they want to execute the same code for a similar situation with slightly different variables. So for example I have project A and I want to have a very similar project, but for project B, which is very similar but just a little bit different. I honestly believe, and I'm glad that many, many people share my vision, that Terraform workspaces are evil. There are two evil parts in Terraform which I really like to highlight, because I understand what I'm talking about: Terraform workspaces and provisioners. These two things should never be used in any real project, so never, ever use them. The problem with workspaces is that we are not paying for disk storage; we are paying for code readability. So always copy-paste code, use some abstractions, use something which is very easy for a human to understand. We are not writing code for computers anymore, right? We are not paying for two kilobytes saved on my disk. So always try to write something which a human will understand. And the documentation says what Terraform workspaces are in much more detail, so if you read this documentation you may get some idea that, oh yeah, that's actually what I need, but please read it carefully and don't try to use it unless you have a lot of money, okay; it's a paid feature. So the solution, again: we already know what a module is, so why not use the same module but just provide different arguments to it? So that's easy. Again, we are not paying for storage; we are paying for support of this code.

So Terraform 0.12 was released three weeks ago. If you've been following this process for quite some time, Terraform 0.12 was announced approximately a year ago, and a lot of people were expecting that it was going to solve all of my needs, all of my code, because of all the cool features it has: simplified syntax, where we don't have to write double quotes, dollar, curly brackets anymore, isn't it nice; we can have loops; we can have dynamic blocks; we can have correct conditional operations, where the left and right parts are not executed simultaneously; we can have extended types like list of maps of strings of maps of lists of strings, isn't it beautiful that instead of just integer, string and boolean we can have such nice complicated stuff; we can have templates in values, which I don't even have an example of why you would need it; but a lot of cool stuff was announced. And I have the feeling, and I believe myself, that it's going to be a pretty solid change to many, many projects, many companies, where they were using Terraform 0.11. And what I want to talk about is that not everything will be all right, okay, because there is a very important point in the Terraform users community: we have to think about different types of users. And when I say different types of users, I'm not saying that this is good and this is bad, I'm just saying that we cannot, like, to put it another way: who knows what full-stack developers are, right? I mean probably everyone. So you know that previously we had front-end, back-end, let's combine them, then what else, what kind of skills should we inflate into full-stack developers in order for them to still be full-stack developers? Should they also know Terraform? Hopefully not. So there are Terraform developers who are familiar with how to write Terraform modules, how to use different features of Terraform, how to use your public cloud of choice, how to implement company standards; they know these standards and they can implement them; they can maintain the reference architecture for your company, so that they really know, okay, we are dealing with microservices, this is how we deploy our microservice, this is how we manage different resources related to a microservice, and they can make a reference architecture for everybody to look into and to discuss. While on the other side there are 90% of people who just want to get things done. And that's really important to understand: we cannot always expect people, let's say front-end developers, that if we say hey, please write awesome Terraform code, they will be able to do this. And I'm not saying that front-end developers are bad by definition to work with Terraform, but I just don't want to make the HR process even harder, now that they have to look for full-stack developers with Terraform skills. I simply don't know anyone here in Oslo, I live in Oslo, so it's just bad to require everybody to know Terraform and be a domain expert, know JavaScript, know this and that, on a very high level. So what I'm saying is that Terraform users are those who can figure out which component they want to change, or they go to the reference architecture and they figure out, okay, this is how we deal with microservices, so they call this service without deep understanding of how and why it was implemented this way, and they just specify the correct values there. So they say, okay, this is my key value, or whatever type of input this module accepts, and that's it. That's where they are the domain experts: they know what type of stuff this module accepts and they provide it. The complexity is treated by the Terraform developers who actually wrote these modules.

So for Terraform developers, Terraform 0.12 has actually an enormous amount of features. So all of these features which were listed here, that's exactly what Terraform developers who develop modules were looking for. So yes, we need loops, we need dynamic blocks, we need all of these features in order to implement and handle the resource creation the way we want. So I honestly was not able to write modules for some very easy resources, which you may think, like, why not, for example an S3 bucket. In Terraform 0.11 I couldn't make it with less than 6,000 lines; in Terraform 0.12 it's 100 lines. So it's a big difference, but the code, if you look into that, you will think that this is crazy, and that's something which I don't want users to deal with. So Terraform 0.12 for users brings only one thing: it is that they actually see a much easier syntax, so if they have to change something it will be much easier for them to handle it. They don't have to know a crazy amount of interpolation functions and escaping and so on; it's much more simplified. So that's the only benefit for them.

As a summary, I want to say that yes, in fact Terraform modules are definitely a must-have, and as I said, we cannot start with everything perfect, but we still have to reach that; we have to go in the direction where one-in-one plus Terragrunt is something which we should be aiming for. Terragrunt is a third-party tool which allows you to orchestrate the invocation of infrastructure modules, so think about this as something which you can call and it will handle dependencies for you. So for example a dependency can be that an instance can be launched only after the network is created, so you go to the folder and you run terragrunt apply, and then it goes through the dependencies and figures out which one has to be created first, and then it creates it, while having a one-in-one structure. It's very convenient and very easy to explain to people who are not professional Terraform developers. And if you don't have lots of money but you think that Terraform workspaces are for you, please copy-paste files; it's much, much easier. And Terraform 0.12 is awesome, but unfortunately, or not unfortunately, realistically, it's awesome for developers, not for users. So for me this means that I will be able to write even more modules and maintain them in a much easier way; for example, I will be able to create CloudFront modules, S3 modules, Kinesis modules and Elasticsearch. This means that if you need to set up your infrastructure, you again don't have to be an expert in Terraform, in AWS, in the Terraform AWS provider, in Terraform limitations; you just specify that you need Elasticsearch of this size in this availability zone, that's it. The rest of the heavy lifting, which is the creation of like five to ten different resources, is happening without you understanding it. It's always open source and you can always contribute, and you can always use this code the way you want; you can fork it, you can make your changes, but at least it's a very easy way to get started.

And yeah, I think that's all for me. I was told that there is a box somewhere where you have to put something, but as a hint, I don't know why, but the green piece of paper is much bigger, I don't know why. So thanks for that, and if you have any questions I will be here today and tomorrow, and you can ask me anything on Twitter and GitHub. I have some stickers actually as well, if you are into that. Like, modules.tf is one of my projects where you get visual diagrams created in Cloudcraft, you click export, and you get Terraform configuration generated from these visual diagrams. It is open source and I have stickers, and if you want to add some new features to Cloudcraft or to modules.tf or to any projects, just let me know. Cool, yeah, thank you. You have a question? Yeah.

So the question was what the difference is between the community in Terraform and CloudFormation and Google and so on. The community in Terraform is built, I mean, where community is like, what's the purpose of community? That's all: to share knowledge and to get your problem fixed. As far as I know, Google as well as CloudFormation does not have anything like a registry, so there is no single place where you can go and say, oh, what is the best way to set up, let's say, a network in Google. Literally, I have no clue where to go. I can go to the documentation, I can ask in different Slack channels, I can ask different people and so on, and I will get 20 different results, 20 different solutions. What is the difference with HashiCorp communities is that, yes, of course there are different Slack channels, mailing lists, the HashiCorp community forum, but all of these discussions are around something which people share in a central place, which is registry.terraform.io. There are about a thousand modules contributed by people, and you can just see the contributions and you can easily find something to talk about. There are many different good communities, like Slack: I can recommend HangOps as one, I think there are more than a thousand Terraform developers there right now, and another one is SweetOps. SweetOps, yeah, we started it pretty long ago, but we have about 30 people joining every week, yeah, every week, so we are almost reaching 1,000 people, and the work which we have there is primarily support. So if you have any question about the stuff which we develop, you go there to the specific room and you ask the question, and most likely there will be people answering you. What I personally don't like with many of these communities is that you ask questions and nobody answers, right? I mean, we've been in this position many times. I'm asked constantly different questions, which I try to answer, but if it takes me more than a couple of hours a day then I try to kind of get paid for that. But yeah, any other questions? Please let me know, we have one minute. Yeah.

That's a really good question, so I will repeat the question. There are actually a lot of tools similar to Terraform which allow you to do similar things. I mean, I use the word similar because it's really similar; it's not exactly the same, it's similar, okay. And yes, you're absolutely right, there will be a talk by Paul Stack somewhere, I think later today, but I don't know actually what he is going to talk about. But he is a guy who developed Terraform in about 2016 and then he moved to another company which is developing a competitor of Terraform, so I really encourage you to check his talk, although I'm not sure if he will be talking about that one. In any case, where Terraform shines is the creation of infrastructure. It's not going to replace your Puppet or Ansible, because it's not configuration management; it's not going to go deep into each of the resources which you create and configure them. So it's not going to replace things like Packer or Vagrant, which we use to create immutable images, as well as it's not going to replace Docker or Kubernetes. It's just something which creates infrastructure; infrastructure is needed for other things to work on, like your services cannot run without a network, so someone has to set up the network, and this is where historically all of these tools were able to jump in and say, hey, we can fix the network. Like with Ansible you can do everything, right? You can set up literally the same amount of resources. The benefit of Terraform, though, is that it's very declarative; you are not specifying do this after this after this. Though I know some companies who have invented, or "invented" in quotes of course, made Terraform using Ansible. So think about this: they solve problems like dependencies, that instances have to be created after the network is created, using Ansible, what is it, notifications or however it's called in Ansible, hooks, notifications. So it looked like a big monster, of course. It is possible, as well as similar projects people do with Puppet. I mean, Puppet can create different resources, so is that the way to go? No, it's in fact not, because the code is not designed for that. Terraform has a very clear separation: there is Terraform core, there is the Terraform provider, and there is your Terraform module which manages Terraform resources, so you have this very clear separation between these, while Puppet is more like a big monster with some modules which manage some resources, so it doesn't have a very clear separation. So yeah, that's the biggest difference. When it comes to Google, I simply don't know any place where I can just go and get a list of, like, preferred ways to set up networking. I mean, of course I can read the documentation, I can do the heavy lifting and I can understand how networks are supposed to be built in Google, read a bunch of different best practices, come up with my solution, but the idea, at least my understanding of the idea of DevOps and business, is that you actually focus on what you are supposed to be doing; you don't have to know everything in order to sell your
stuff on your website and that's not what gonna to to help you with so don't don't try to come up with solution unless it's really important for your business and network is unlikely the main business for most of you guys yeah any other questions no but I have stickers right okay thanks a lot
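The Terragrunt dependency handling the speaker describes (an instance that can only be created after the network exists, with `terragrunt apply` walking the dependency graph), as an added example that is not part of the talk and not code from the terraform-aws-modules or Terragrunt projects. It assumes a `live/` folder with a root `terragrunt.hcl` plus `vpc/` and `instance/` subfolders, the registry modules `terraform-aws-modules/vpc/aws` and `terraform-aws-modules/ec2-instance/aws` with a `private_subnets` output on the VPC module, and the bucket, lock-table, region, CIDR and version values shown; all of those are assumptions for illustration.

```hcl
# Added example, not from the talk. Assumed layout:
#   live/terragrunt.hcl           (root: shared, encrypted remote state)
#   live/vpc/terragrunt.hcl       (network, no dependencies)
#   live/instance/terragrunt.hcl  (depends on vpc)

# --- live/terragrunt.hcl (root) ---
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite"
  }
  config = {
    bucket         = "example-tfstate-bucket"   # assumed bucket name
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "eu-north-1"               # assumed region
    encrypt        = true                       # state can contain secrets; encrypt at rest
    dynamodb_table = "example-tfstate-locks"    # assumed lock table; prevents concurrent applies
  }
}

# --- live/vpc/terragrunt.hcl ---
include "root" {
  path = find_in_parent_folders()
}

terraform {
  # Pin an exact module version (assumed number). An unpinned registry
  # source silently pulls whatever is published next: a supply-chain risk.
  source = "tfr:///terraform-aws-modules/vpc/aws?version=5.8.1"
}

inputs = {
  name            = "demo"
  cidr            = "10.0.0.0/16"
  azs             = ["eu-north-1a", "eu-north-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
}

# --- live/instance/terragrunt.hcl ---
include "root" {
  path = find_in_parent_folders()
}

# The dependency block is what orders the graph: Terragrunt reads the vpc
# folder's outputs before planning here, so a run from live/ applies vpc/ first.
dependency "vpc" {
  config_path = "../vpc"

  # Mocks let `validate`/`plan` work before vpc/ exists; restricting the
  # allowed commands guarantees a placeholder subnet id never reaches `apply`.
  mock_outputs = {
    private_subnets = ["subnet-00000000"]
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

terraform {
  source = "tfr:///terraform-aws-modules/ec2-instance/aws?version=5.6.1"  # assumed version
}

inputs = {
  name          = "demo-app"
  instance_type = "t3.micro"
  # Private subnet from the vpc outputs: the instance gets no public address.
  subnet_id     = dependency.vpc.outputs.private_subnets[0]
}
```

From `live/`, `terragrunt run-all apply` (`apply-all` in the Terragrunt versions contemporary with this 2019 talk) resolves the `dependency` blocks and applies `vpc/` before `instance/`; `terragrunt run-all destroy` walks the same graph in reverse. The two settings a reviewer should insist on are the pinned `?version=` on every module source and the `mock_outputs_allowed_terraform_commands` list, since without the latter a mocked output can be applied for real.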
Info
Channel: NDC Conferences
Views: 28,142
Keywords: Anton Babenko, Tools, DevOps, Cloud, Terraform, Code, AWS/GCP, NDC, Oslo, 2019
Id: mOsiLZGdXS4
Length: 45min 59sec (2759 seconds)
Published: Fri Jun 28 2019