Terraform
Best Practices and Deep Dive
June 2018
Wojciech Krysmann
Agenda: What? How? Why?
/wkrysmann
+43 Countries ● +35 Offices ● +5,000 Employees ● +350M MAU ● +4B Events/Day

Horizontals / Verticals: Real Estate, New Ventures, Cars
What?
Evolution?
Manual
Semi-automated
Infrastructure as code
Collaborative infrastructure as code
Evolution? Revolution!
Manual ⇒ Collaborative infrastructure as code
How?
Rules
● Greenfield
● No manual changes
● Automation
General best-practices

DO's
● Review plan prior to apply
● Save plan to file, and apply from it (what was reviewed is exactly what gets applied)
● $ terraform fmt
● Enable bucket versioning for tfstate (every apply leaves a recoverable previous state)

DON'Ts
● Do not use '-target' (partial applies leave state and reality out of sync)
● Do not keep too many resources in one directory
● Do not create bucket per tfstate
● Don't keep secrets in repo unencrypted (tfstate stores them in plaintext too, so protect the state bucket the same way)
● Don't try to build abstract / general purpose modules
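The state-bucket rules above (one versioned bucket shared by many state files, no secrets unprotected) as an added example; this is not code from the talk. It assumes Terraform 0.12+ syntax, AWS provider 4.x resource names, and placeholder bucket/table/key names.

```hcl
# Added example (not from the slides): one shared, versioned, encrypted S3 bucket
# holding many state files keyed by path, plus a DynamoDB table for state locking.
# Names are placeholders.

# --- bootstrap: applied once from its own small root module ---
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate"   # assumed name
}

resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"             # every apply keeps a recoverable prior state
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"     # state holds plaintext secrets, so encrypt it at rest
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "example-org-tfstate-lock"  # assumed name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- every other root module: same bucket, one key per provider/env/region/project ---
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"
    key            = "aws/prod/eu-west-1/shop/vpc/terraform.tfstate"  # mirrors the repo layout
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "example-org-tfstate-lock"                        # two people cannot apply at once
  }
}
```

Day-to-day use of the first four rules is then `terraform fmt -check`, `terraform plan -out=tfplan`, a review of that plan, and `terraform apply tfplan`; never `-target`. Treat the plan file like the state file: it embeds variable values and resource attributes, so do not leave it lying around in CI artifacts.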
Implementation
Application      ● Application code
Service(s)       { Platform as a Service }        ● Runtime environment ● Instance ● Queue ● Database
Infrastructure   { Infrastructure as a Service }  ● VPC, Network, Gateways, ... ● DNS ● CDN
(each layer feeds data to the layer above it)
Infrastructure repo
  ⇐ Provider
    ⇐ Environment
      ⇐ Region
        ⇐ Project
          ⇐ Service
            ⇐ Code
          ⇐ Service
            ⇐ Code
App repo
  ⇐ infrastructure catalog
    ⇐ Provider
      ⇐ Environment
        ⇐ Region
          ⇐ Code

main.tf (infra repo) ⇒ data feed from infra repo ⇒ main.tf (app repo)
Outputs
Data sources
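The outputs-to-data-sources feed between the infra repo and the app repo, as an added example that is not part of the talk. It assumes Terraform 0.12+ syntax (the `outputs` attribute on `terraform_remote_state`), the S3 backend, and placeholder names, keys and CIDR ranges.

```hcl
# Added example (not from the slides): the infra repo publishes network facts as
# outputs; the app repo reads them through a terraform_remote_state data source
# instead of asking someone "what's your IP?". Names are placeholders.

# ---------- infra repo: aws/prod/eu-west-1/shop/vpc/main.tf ----------
resource "aws_vpc" "main" {
  cidr_block = "10.40.0.0/16"   # assumed; non-overlapping per environment so peering stays possible
  tags       = { Name = "shop-prod" }
}

resource "aws_subnet" "private" {
  count             = 3
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 4, count.index)  # 10.40.0.0/20, 10.40.16.0/20, 10.40.32.0/20
  availability_zone = ["eu-west-1a", "eu-west-1b", "eu-west-1c"][count.index]
}

output "vpc_id"             { value = aws_vpc.main.id }
output "vpc_cidr"           { value = aws_vpc.main.cidr_block }
output "private_subnet_ids" { value = aws_subnet.private[*].id }

# ---------- app repo: infrastructure/aws/prod/eu-west-1/main.tf ----------
data "terraform_remote_state" "vpc" {
  backend = "s3"
  config = {
    bucket = "example-org-tfstate"
    key    = "aws/prod/eu-west-1/shop/vpc/terraform.tfstate"  # the key the infra repo's backend writes
    region = "eu-west-1"
  }
}

# "Could you whitelist my service?" answered in code: the security group admits
# only the VPC range the infra repo published, nothing typed in by hand.
resource "aws_security_group" "app" {
  name   = "shop-api"
  vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc_cidr]
  }
}

resource "aws_db_subnet_group" "app" {
  name       = "shop-db"
  subnet_ids = data.terraform_remote_state.vpc.outputs.private_subnet_ids
}
```

One caveat: `terraform_remote_state` downloads the whole infra state file, not just its outputs, and that file contains every attribute of every resource in it. Give the app repo's CI identity `s3:GetObject` on that one key only, and keep anything secret out of the infra state that feeds other teams.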
Workflow
IaaS workflow
Commit ⇒ Hook ⇒ Build ⇒ Deploy ⇒ ...
PaaS workflow
Commit ⇒ Hook ⇒ Build (produces AMI-ID) ⇒ Deploy ⇒ Apply
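The Deploy/Apply half of the PaaS workflow, as an added example and not the talk's own code: the Build step (Packer) is assumed to tag each AMI with `Service` and `Version`, and Terraform resolves the AMI-ID from those tags rather than having someone paste it in. Terraform 0.12+ syntax, AWS provider 3.x+ resources, placeholder names.

```hcl
# Added example (not from the slides): Build produced an AMI with Packer and tagged it
# (assumed tags: Service, Version). Deploy resolves that AMI and rolls it out through a
# launch template and an autoscaling group. Names and sizes are placeholders.

variable "ami_version" {
  description = "Build number stamped on the AMI by the build job; pin it in prod, leave empty for newest"
  type        = string
  default     = ""
}

variable "private_subnet_ids" {
  description = "Subnets to launch into (normally fed from the infra repo's outputs)"
  type        = list(string)
}

data "aws_caller_identity" "current" {}

data "aws_ami" "app" {
  most_recent = true
  owners      = [data.aws_caller_identity.current.account_id]  # never resolve by name alone across all owners

  filter {
    name   = "tag:Service"
    values = ["shop-api"]
  }
  filter {
    name   = "tag:Version"
    values = [var.ami_version == "" ? "*" : var.ami_version]   # wildcard = newest build of this service
  }
}

resource "aws_launch_template" "app" {
  name_prefix   = "shop-api-"
  image_id      = data.aws_ami.app.id
  instance_type = "t3.small"

  metadata_options {
    http_tokens = "required"   # IMDSv2 only; blocks the classic SSRF-to-credentials path
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_autoscaling_group" "app" {
  name_prefix         = "shop-api-"
  min_size            = 2
  max_size            = 6
  vpc_zone_identifier = var.private_subnet_ids

  launch_template {
    id      = aws_launch_template.app.id
    version = "$Latest"
  }

  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 50   # a bad AMI never takes the whole fleet down at once
    }
  }
}

output "ami_id" { value = data.aws_ami.app.id }   # what the hook passes from Build to Deploy
```

Pinning `ami_version` in production is what makes the saved plan meaningful: with the wildcard, a build finishing between `plan` and `apply` would change which AMI the plan refers to.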
Build
Deploy
Why?
"Could you whitelist my service?"
"What's your IP?"
"What's the subnet of Apollo 11?"
"Automating Packer workflow?"
[figure: a tangle of overlapping private IP ranges (10.x/8, 172.x/16, 192.x/24)]
"Let's have a peering" ... "No."
Granularity = faster, safer deploy
Centralisation = control, predictability
"I will apply now!"  "No! I will apply now!"

Infra as Code ● CDN as Code ● DNS as Code ● Monitoring as Code

Platform as Code = Infra as Code ● CDN as Code ● DNS as Code ● Garlic as Code
Thank you!
Q & A?
#weAreHiring