Intro to Terraform

Ricardo Hernandez

What is Terraform?

  • Infrastructure as Code (IaC) tool.
  • Acts as a broker to many cloud resource providers (AWS, GCE, Azure).
  • Created by HashiCorp.

What does it try to solve?

  • Multi-cloud provisioning orchestration.
  • Keeps a single, declared state across all cloud resources.
  • Enables collaboration when managing infrastructure.
  • Abstracts the resource providers' APIs behind a single language used to configure all of them.

Features

  • Supports many providers and implements most of the API calls for many of them.
  • As of now it is the de facto standard for cloud-independent IaC.
  • Flexible language with a notion of modules for reusable code.
  • Written in Go; a single static binary that is easy to install and update.

Core concepts

State file

Records every resource and the relationships between them, as known by Terraform. It is updated after creating, modifying or destroying resources.

  • It is Terraform's "source of truth": a plan is computed by comparing the configuration against the (refreshed) state.
  • Saved locally (terraform.tfstate) or on remote storage.
  • JSON format.
  • Not good for sensitive data: every resource attribute, including passwords and keys, is stored in plain text.
  • terraform state: subcommand to list, show, move or remove entries.

Remote state

  • The state file can be stored on remote storage to allow collaboration and, with some backends, locking.
  • Supports many backends. The feature-complete ones are S3, Consul and Terraform Enterprise.
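A remote state backend plus a consumer of its outputs, written for this page as an added example (not the talk's own code) in the pre-0.12 syntax the slides use. The bucket, key, region, KMS alias and DynamoDB table names are assumptions; the S3 backend's locking needs a DynamoDB table whose hash key is LockID.

```hcl
# backend.tf: the backend block cannot use interpolation, so values are literal.
terraform {
  backend "s3" {
    bucket         = "example-terraform-state"       # assumption: bucket with versioning enabled
    key            = "network/prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                            # server-side encryption of the state object
    kms_key_id     = "alias/terraform-state"         # assumption: CMK alias; omit to use SSE-S3
    dynamodb_table = "terraform-state-lock"          # assumption: table with hash key "LockID"
  }
}

# Another root module reads the outputs of that state instead of duplicating the values.
# (Terraform 0.12+ writes this as `config = { ... }` and reads `.outputs.vpc_id`.)
data "terraform_remote_state" "network" {
  backend = "s3"

  config {
    bucket = "example-terraform-state"
    key    = "network/prod/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = "${data.terraform_remote_state.network.vpc_id}"   # output "vpc_id" defined in the network state
}
```

Because the state holds every attribute in plain text, treat the bucket as a secret store: enable versioning so a bad apply can be rolled back, and give only the CI role and a few humans s3:GetObject on the key, since anyone who can read the state can read every password and key Terraform ever wrote.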

HCL (HashiCorp Configuration Language)

Providers

  • Plugins that expose the resources of a given platform.
  • AWS, GCE, Azure, DNSimple, etc.
  • Multiple instances of the same provider (e.g. two AWS regions) are possible through aliasing.
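Two instances of the AWS provider selected per resource, as an added example for this page (not the talk's code). The regions, the version constraint and the bucket names are assumptions.

```hcl
# Default AWS provider. Credentials come from the environment or a ~/.aws profile,
# never from access_key/secret_key literals that would end up in version control.
provider "aws" {
  region  = "us-east-1"
  version = "~> 1.10"   # assumption: pin the provider so `terraform init` cannot pull a surprise upgrade
}

# Second instance of the same provider, distinguished by its alias.
provider "aws" {
  alias   = "west"
  region  = "us-west-2"
  version = "~> 1.10"
}

# Resources use the default provider unless told otherwise.
resource "aws_s3_bucket" "logs_primary" {
  bucket = "example-logs-us-east-1"   # assumption: bucket name
}

# The "provider" meta-parameter picks the aliased instance.
resource "aws_s3_bucket" "logs_replica" {
  provider = "aws.west"
  bucket   = "example-logs-us-west-2"   # assumption: bucket name
}
```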

Resources

  • Objects managed through a provider (an instance, a subnet, a DNS record).
  • Dependencies between resources are inferred automatically from interpolations (and can be forced with depends_on).
  • Meta-parameters available on every resource, like count.

Variables

  • Explicitly defined (input variables) or automatically computed (resource attributes).
  • Types: string, list, map; booleans are represented as strings.
  • Can be defined in external files (.tfvars) or passed with -var.
  • Referenced as ${var.name}.

Outputs

  • Explicitly defined outputs that allow:
    • Reading/parsing data from third-party apps.
    • Consuming data from one state file in "external" Terraform code (terraform_remote_state).
    • Reading them with terraform output (terraform output -json for machines).

Data sources

  • Data that can be read from a provider without being created by Terraform.
  • Examples:
    • Obtain the list of availability zones in a region.
    • Obtain the ID of the latest Ubuntu 16.04 AMI.

Provisioners

  • Run after a resource is created to configure it, for example running Chef after creating an instance. They do not run again on later updates of the resource.
  • Can also run only on destruction (when = "destroy").
  • Chef, remote-exec (SSH or WinRM), local-exec, file upload.
  • null_resource: a resource with no real object behind it, used to attach provisioners and re-run them when its triggers change.
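A null_resource carrying the three provisioner kinds the slides list, as an added example for this page (not the talk's code). It assumes an aws_instance named "demo" exists elsewhere in the configuration, a local scripts/harden.sh, and a private key at ~/.ssh/demo.pem.

```hcl
resource "null_resource" "bootstrap" {
  # Changing a trigger value (here: the instance being replaced) re-runs every provisioner below.
  triggers = {
    instance_id = "${aws_instance.demo.id}"
  }

  # Connection shared by the file and remote-exec provisioners.
  connection {
    type        = "ssh"
    host        = "${aws_instance.demo.public_ip}"
    user        = "ubuntu"
    private_key = "${file("~/.ssh/demo.pem")}"   # assumption: path; read from the operator's machine
  }

  # 1. file: upload a script.
  provisioner "file" {
    source      = "scripts/harden.sh"   # assumption: local hardening script
    destination = "/tmp/harden.sh"
  }

  # 2. remote-exec: run it on the instance over SSH.
  provisioner "remote-exec" {
    inline = [
      "chmod +x /tmp/harden.sh",
      "sudo /tmp/harden.sh",
    ]
  }

  # 3. local-exec: runs on the machine running terraform, at creation time by default.
  # Only interpolate values you control into the command: it is handed to a shell,
  # so an attacker-chosen attribute (a tag, a name) would be shell injection.
  provisioner "local-exec" {
    command = "echo created ${aws_instance.demo.id} >> provisioned.log"
  }

  # Same kind of provisioner, but only when the null_resource is destroyed.
  provisioner "local-exec" {
    when    = "destroy"
    command = "echo destroyed ${aws_instance.demo.id} >> provisioned.log"
  }
}
```

If a provisioner fails the resource is marked tainted and recreated on the next apply, so keep the scripts idempotent; for anything more than a one-off, cloud-init via user_data or a pre-baked image is easier to reason about than SSH from the operator's laptop.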

Modules

  • Used to create reusable components.
  • Can live outside the main Terraform code (Git, registry, S3) and can (should) be pinned to a version.
  • Have a well-defined API with inputs (variables) and outputs.
  • Can include other modules.
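A small module with its input/output API and a root module that consumes it from a pinned Git tag, written for this page as an added example (not the talk's code). The repository URL, the tag and the VPC ID are assumptions.

```hcl
# modules/admin_port/variables.tf: the module's inputs
variable "vpc_id" {
  type = "string"
}

variable "port" {
  type = "string"   # booleans and numbers travel as strings in this syntax
}

variable "allowed_cidrs" {
  type        = "list"
  description = "CIDRs allowed to reach var.port; keep this to known admin addresses"
}

# modules/admin_port/main.tf: the implementation
resource "aws_security_group" "this" {
  name   = "admin-port-${var.port}"
  vpc_id = "${var.vpc_id}"

  ingress {
    from_port   = "${var.port}"
    to_port     = "${var.port}"
    protocol    = "tcp"
    cidr_blocks = ["${var.allowed_cidrs}"]
  }
}

# modules/admin_port/outputs.tf: the module's outputs (everything else stays private)
output "sg_id" {
  value = "${aws_security_group.this.id}"
}

# Root main.tf: consume the module. The ref pins an exact tag, so a new commit on the
# module repository cannot silently change what `terraform init` downloads.
module "admin_9999" {
  source        = "git::https://github.com/example/terraform-modules.git//admin_port?ref=v1.2.0"   # assumption
  vpc_id        = "vpc-0123456789abcdef0"   # assumption: existing VPC
  port          = "9999"
  allowed_cidrs = ["203.0.113.5/32"]        # constructed: TEST-NET address standing in for x.x.x.x
}

resource "aws_instance" "admin" {
  ami                    = "ami-dbbd9dbe"
  instance_type          = "t2.nano"
  vpc_security_group_ids = ["${module.admin_9999.sg_id}"]
}
```

Run terraform get (or terraform init) after adding or changing the source; a registry source would use a version = "~> 1.2" argument for the same pinning effect.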

Caveats

  • Doesn't handle secrets properly: anything passed in ends up in plain text in the state file and in plan output.
  • No stable (1.0) version yet; very fast development pace.
  • No ACL or RBAC built in; Terraform Enterprise has something.
  • No way of unit/integration testing without actually running against a real account.
  • A little difficult to integrate with already existing infrastructure: terraform import works one resource at a time and does not generate configuration.

DEMOS

Common settings

  • VPC: 192.168.1.0/24
  • Subnets:
    • az1: 192.168.1.0/26
    • az2: 192.168.1.64/26
    • az3: 192.168.1.128/26
  • Ubuntu AMI id: ami-dbbd9dbe
  • Security group: allow IP x.x.x.x to access TCP port 9999.

Basic

  • Local state.
  • Hardcoded values.
  • 1 VPC, 2 subnets in different AZs, 1 security group.
  • 1 EC2 SSH key, 1 t2.nano instance using the predefined Ubuntu 16.04 AMI.
  • Plan, apply, destroy.

Advanced

  • Local state.
  • Variables and var-file.
  • 3 subnets, one per AZ.
  • 1 EC2 SSH key, 2 instances.
  • Use a data source to get the latest Ubuntu 16.04 AMI.
  • Output the VPC CIDR block, the AMI ID, the subnet_2b CIDR and the instances' private DNS names.
  • Plan, apply, destroy.
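The Advanced demo as one complete configuration, written for this page as an added example (it is not the talk's own demo code) in the pre-0.12 interpolation syntax the slides use. The region, the tfvars values, the TEST-NET address 203.0.113.5/32 standing in for x.x.x.x, and Canonical's AMI owner account ID in the data source filter are assumptions.

```hcl
# demo.tfvars (constructed): `terraform plan -var-file=demo.tfvars`
#   allowed_ip = "203.0.113.5/32"
#   public_key = "ssh-ed25519 AAAA... demo"

variable "region" {
  default = "us-west-2"   # assumption
}

variable "vpc_cidr" {
  default = "192.168.1.0/24"
}

variable "subnet_cidrs" {
  type    = "list"
  default = ["192.168.1.0/26", "192.168.1.64/26", "192.168.1.128/26"]
}

variable "allowed_ip" {
  description = "x.x.x.x/32 allowed to reach tcp/9999; no default, must come from the var-file"
}

variable "public_key" {
  description = "SSH public key material for the EC2 key pair"
}

provider "aws" {
  region = "${var.region}"
}

# Data sources: read, not created.
data "aws_availability_zones" "all" {}

data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"]   # Canonical's account; filtering by owner stops a look-alike AMI from matching

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
}

resource "aws_vpc" "demo" {
  cidr_block = "${var.vpc_cidr}"
}

# count + element(): one subnet per CIDR, each in a different AZ.
resource "aws_subnet" "demo" {
  count             = "${length(var.subnet_cidrs)}"
  vpc_id            = "${aws_vpc.demo.id}"
  cidr_block        = "${element(var.subnet_cidrs, count.index)}"
  availability_zone = "${element(data.aws_availability_zones.all.names, count.index)}"
}

# Only the allowed IP reaches 9999. Terraform manages egress too: with no egress block
# it removes AWS's default allow-all rule, so add one explicitly if the instances need outbound access.
resource "aws_security_group" "demo" {
  name   = "demo-9999"
  vpc_id = "${aws_vpc.demo.id}"

  ingress {
    from_port   = 9999
    to_port     = 9999
    protocol    = "tcp"
    cidr_blocks = ["${var.allowed_ip}"]
  }
}

resource "aws_key_pair" "demo" {
  key_name   = "demo"
  public_key = "${var.public_key}"
}

resource "aws_instance" "demo" {
  count                  = 2
  ami                    = "${data.aws_ami.ubuntu.id}"
  instance_type          = "t2.nano"
  subnet_id              = "${element(aws_subnet.demo.*.id, count.index)}"
  vpc_security_group_ids = ["${aws_security_group.demo.id}"]
  key_name               = "${aws_key_pair.demo.key_name}"
}

output "vpc_cidr" {
  value = "${aws_vpc.demo.cidr_block}"
}

output "ami_id" {
  value = "${data.aws_ami.ubuntu.id}"
}

output "subnet_2b_cidr" {
  value = "${element(aws_subnet.demo.*.cidr_block, 1)}"   # second subnet, 192.168.1.64/26
}

output "private_dns" {
  value = ["${aws_instance.demo.*.private_dns}"]
}
```

The dependency graph is built from the interpolations alone: the instances wait for the subnets, key pair and security group, which wait for the VPC, and terraform destroy walks it in reverse. Because most_recent picks a new AMI whenever Canonical publishes one, a plan run weeks later will want to replace both instances; pin the AMI ID in a variable once the image is validated if that is not what you want.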

Topics for future talks

  • More interpolation functions
  • Provisioners
  • Modules
  • Importing resources
  • Remote state
  • Workspaces
  • Development workflow