Effective TerraformCalvin French-Owen@calvinfo

SF Devops for Startups2/28/2017

But it wasn’t always that way…

Where we started

Let’s provision some infrastructure!

Let’s provision some infrastructure!

uhh… now what?

It was… janky.

github.com/ivolo/animals

So we defaulted to the easiest alternative

😱

✅ Initial Speed ❌ No audits. No changelog. ❌ No reproduceability.❌ ❌ No fun :(

💖

✅ Initial Speed ✅ Audits. ✅ Changelog.

Reproduceability.✅ ✅ Fun :) (if you do it right)

This Talk• What is Terraform?

• The Segment AWS Stack

• Writing and managing “good” Terraform

• Moving beyond infrastructure

What is Terraform?

Terraform enables you to safely and predictably create, change, and improve production infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.- terraform.io

Infrastructure == Code

Terraform at work

Terraform Nouns

resource: configuration for a given cloud entity (instance, load balancer, image, network)

resources take inputs as configuration, and can produce outputs once they are created in your infrastructure

type identifierresource

inputs

module: a re-usable collection of resources that can be passed its own inputs and outputs

How does it know?

.tfstate

Terraform Workflow• $ terraform plan

• $ terraform apply

Terraform workflow1. load the desired configuration2. load the stored .tfstate file3. calculate the diff between the current and

desired states4. use CRUD APIs to update the current state to

match the desired state5. update the state file

Terraform internals1. First READ the state2. If a resource is not in the state, CREATE3. If a resource is in the state and the config

UPDATE4. If a resource is in the state and not the

config DELETE

Terraform Workflow• $ terraform plan

• $ terraform apply

Terraform applies diffs in your configuration to manage your infrastructure

Segment Terraform by the numbers- 25 developers working with

Terraform- hundreds of microservices- thousands of AWS resources

The Segment AWS Stack

AWSScalableFlexibleCheapEasy-to-use

Production-ready infrastructure in under 5 minutes

A set of terraform modules for easily booting infrastructure on AWS

The Segment AWS Stack• an auto-scaling group of instances to run

your services• a multi-az VPC with different subnets for

availability• self-managed services run via docker and

ECS• an ELB and ECS definition for each service• docker logs that populate in CloudWatch• a bastion node for manual SSH access• automatic ELB logging to S3

Writing “good” Terraform

Writing good Terraform

• Managing state

• Organizing your modules

Managing State

dev stage prod old prodvpc peering

managed by Terraform

The advantage of states per environment?

The advantage of states per environment?

Safety

Developers avoid selecting tools if the probability of the effect of the tools is unknown, and the tools have some risks.

To promote development support tools, we have to suppress the risk of the tools.

- Analyzing the Decision Criteria of Software Based on Prospect Theory

States per service

core(vpc, networking, security groups,

asgs)

auth api site db cdn

services

core(vpc, networking, security groups,

asgs)

auth api site db cdn

services→

read

onl

y →

read only!

reference

State Management• separate core from services• states per service and env• use atlas or s3

Writing modules

Writing modules• Variables

• Composability

• Visibility

• In practice

Modules - Variables• Use variables liberally, everywhere you might

need config

• Use defaults even more liberally

Clever defaults ==Simple end-user interface

“${coalesce( var.cpu, lookup( map("low", "64", "medium", "256", "high", “1024”), var.resource_allocation), “64”)}”

Modules - Composability

• Don’t start with a large set of modules

• Start by combining a few resources, then combine them

A simple example:An IAM user

Another example:Workers and Services

module “consumer” {source = “modules/worker”…

}

module “webapp” {source = “modules/service”…

}

module “consumer” {source = “modules/worker”…

}

module “webapp” {source = “modules/service”…

}

Modules - Visibility• Outputs and template_file

Normally opaque (a hash)

Modules - in practice

Repo Structure

Beyond Infrastructure

If all of our infrastructure is now applied programmatically...

…how else can we use it?

Alerting

Cost analysis

Cloud package manager?

Kube and Docker provide an awesome API…

Kube and Docker provide an awesome API…

…but cloud hosted services are here to stay

$ terraform plan <org/repo>

Terraform

• Powerful

• Flexible

• Audible

• The cross-cloud API

Fin@calvinfo