
Terraform (PDFDrive)

The document discusses best practices for using Terraform to manage infrastructure as code, including separating infrastructure code into separate repositories from application code and feeding data between them, as well as automating build, deploy, and release workflows for both infrastructure-as-a-service and platform-as-a-service models. It also covers Terraform configuration, organization, automation techniques, and general best practices to improve collaboration and avoid errors when using Terraform at scale.

Uploaded by

Chakri R
Copyright
© All Rights Reserved

Terraform

Best Practices and Deep Dive


June 2018

Wojciech Krysmann
Agenda: What? How? Why?
/wkrysmann
● +43 Countries
● +35 Offices
● +5,000 Employees
● +350M MAU
● +4B Events/Day
● 4 Horizontals
● Verticals: Real Estate, New Ventures, Cars
What?

Evolution? Revolution!

● Manual
● Semi-automated
● Infrastructure as code
● Collaborative infrastructure as code

Manual
Collaborative infrastructure as code
How?

Rules
● Greenfield
● No manual changes
● Automation
General best-practices

DO's
● Review plan prior to apply
● Save plan to file, and apply from it
● $ terraform fmt
● Enable bucket versioning for tfstate

DON'Ts
● Do not use '-target'
● Do not keep too many resources in one directory
● Do not create bucket per tfstate
● Don't keep secrets in repo unencrypted
● Don't try to build abstract / general purpose modules
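The review-then-apply rules from the list above, as an added shell example that is not taken from the slides: the plan is written to a file, shown for review, and only that file is applied, so what runs is exactly what was reviewed. The function names and the `PLAN_FILE` default are assumptions of this sketch; the `terraform` subcommands and flags are the CLI's own.

```shell
#!/bin/sh
# Added example: review-then-apply wrapper around the Terraform CLI.
# PLAN_FILE and the function names are assumptions made for this sketch.
PLAN_FILE="${PLAN_FILE:-tfplan.bin}"

# Refuse -target, as the DON'Ts list says.
reject_target() {
  for arg in "$@"; do
    case "$arg" in
      -target|-target=*|--target|--target=*)
        echo "refusing -target: plan the whole directory" >&2
        return 1 ;;
    esac
  done
}

# Step 1: format check, then write the plan to a file for review.
# Returns 0 = no changes, 2 = changes saved to $PLAN_FILE, 1 = error.
tf_plan() {
  reject_target "$@" || return 1
  terraform fmt -check -diff || { echo "run 'terraform fmt' first" >&2; return 1; }
  rc=0
  terraform plan -input=false -detailed-exitcode -out="$PLAN_FILE" "$@" || rc=$?
  case "$rc" in
    0) rm -f "$PLAN_FILE"; echo "no changes" ;;
    2) terraform show "$PLAN_FILE" ;;   # human-readable plan for the reviewer
    *) rm -f "$PLAN_FILE"; return 1 ;;  # a failed plan must never be applied
  esac
  return "$rc"
}

# Step 2: apply exactly the reviewed file; never re-plan at apply time.
tf_apply() {
  [ -s "$PLAN_FILE" ] || { echo "no saved plan at $PLAN_FILE; run tf_plan" >&2; return 1; }
  terraform apply -input=false "$PLAN_FILE" && rm -f "$PLAN_FILE"
}
```

Source the file in the directory that holds the configuration, run `tf_plan`, review the output, then run `tf_apply`.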
Implementation

[Diagram: layers]
● Application: application code, runtime environment
● Service(s): instance, queue, database
● Application and Service(s): Platform as a Service
● Infrastructure: VPC, Network, Gateways, ..., DNS, CDN
● Infrastructure: Infrastructure as a Service; feeds data
Infrastructure repo

[Directory tree; levels labelled: Provider, Environment, Region, Project, Service, Code]
App repo

[Directory tree; levels labelled: infrastructure catalog, Provider, Environment, Region, Code]

main.tf (infra repo)
main.tf (app repo)

Data feed from infra repo ⇒
Outputs
Data sources
Workflow
IaaS workflow

[Diagram labels: Hook, Deploy, Build, Commit, ...]
PaaS workflow

[Diagram labels: Hook, Commit, Build, Deploy, Apply, AMI-ID]

Build

Deploy
Why?

Automating / Packer workflow

● Could you whitelist my service?
● What's your IP?
● What's the subnet of Apollo 11?
[Figure: address ranges in CIDR notation]

● Let's have a peering
● No.
Granularity = faster, safer deploy
Centralisation = control, predictability
● I will apply now
● No! I will apply now

[Slide labels: Infra as Code, Platform as Code, CDN as Code, DNS as Code, Monitoring as Code, Garlic as Code]
Thank you!
Q & A?

#weAreHiring
