Copyright © 2019 HashiCorp
Demystifying Terraform 0.12
Background
• Senior Solutions Engineer
• At HashiCorp for over a year
• Developer/Consultant/Sales background
• Originally from Brazil
• Play once a month in a metal band
@stenio123
stenio@hashicorp.com
Agenda
• Company Overview
• Digital Transformation
• Products Overview
• Terraform 0.12
• Questions/ Discussion
Company Overview
Founded in 2012 by Mitchell Hashimoto and Armon Dadgar
Enabling the Cloud Operating Model
Provision, Secure, Connect, and Run any infrastructure for any application
The Transition to Multi-Cloud
[Diagram: Traditional Datacenter (“Static”, dedicated infrastructure, “ticket-based”, systems of record) → Modern Datacenter (“Dynamic”, Private Cloud + AWS + Azure + GCP, “self-service”, systems of engagement)]
Why?
• Capex to Opex
• Scale, repeatability, maintainability
• Access to new technologies
A Common Operating Model with the HashiCorp Suite
[Diagram: Provision (Operations), Secure (Security), Connect (Networking), Run (Development), across Private Cloud, AWS, Azure, GCP]
Product Overview
Cloud Provisioning With Terraform
[Diagram: A Common Cloud Operating Model]
Multi-cloud Infrastructure Workflow
• Self-Service provisioning: Templates can be made available to any development team for self-provisioning.
• Multi-cloud provisioning & compliance: Consistent workflow, API support, security & policy enforced at provisioning time.
• Infrastructure as Code: Allows repeatability, scalability, version control and automation.
Cloud Security With Vault
[Diagram: A Common Cloud Operating Model]
Secret Management With Vault
• Dynamic Secrets: Leverage time-bound credentials or rotate passwords for databases, cloud platforms and more.
• Encryption as a Service: One workflow to create and manage keys used to encrypt your data in-flight and at rest.
• Centralized Secrets Management: Securely store, access, and deploy sensitive information through a centralized workflow.
Cloud Networking With Consul
[Diagram: A Common Cloud Operating Model]
Multi-Cloud Networking With Consul
Service Mesh Solution
• Service Segmentation: Secure service-to-service communication with automatic TLS encryption and identity-based authorization.
• Service Discovery: Dynamically register and discover services across distributed infrastructure.
• Runtime Configuration: Feature rich Key/Value store to easily configure services at scale and at runtime.
Cloud Scheduling with Nomad
[Diagram: A Common Cloud Operating Model]
Nomad Use Cases
Simplified Orchestration
• Multi-Cloud Workload Management: Safely manage workloads across platforms, regions and cloud providers.
• Flexible Orchestration: Deploy and manage any containerized, legacy or batch application.
• Efficient Resource Utilization: Increase resource utilization, reduce fleet size and cut costs.
Demystifying Terraform 0.12
Improving HCL
• First class expressions
• For Expressions
• Generalized “splat” operator
• Conditional improvements
• Dynamic blocks
• Rich Value types
• Improved Template syntax
• Reliable JSON syntax
First Class Expressions
Prior to 0.12, expressions had to be wrapped in interpolation sequences with double quotes, such as "${var.foo}". With 0.12, expressions are a native part of the language and can be used directly.
Example: ami = var.ami[1]
resource "aws_subnet" "my_subnet" {
  vpc_id     = aws_vpc.my_vpc.id
  cidr_block = "172.16.10.0/24"
  tags = {
    Name = "tf-0.12-fce-example"
  }
}
Example: https://github.com/hashicorp/terraform-guides/blob/master/infrastructure-as-code/terraform-0.12-examples/first-class-expressions/main.tf
For Expressions
A for expression iterates over the items of a list and produces a new value from each one. The example below does this for several outputs, illustrating the usefulness and power of the for expression in several ways.
// For expression
output "private_addresses_new" {
  value = [
    for instance in aws_instance.ubuntu :
    instance.private_dns
  ]
}
Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/for-expressions
// Splat syntax from before Terraform 0.12
output "private_addresses_old" {
  value = aws_instance.ubuntu.*.private_dns
}
// Equivalent, new splat operator (no enclosing brackets: in 0.12 they would nest the result inside a second list)
output "private_addresses_full_splat" {
  value = aws_instance.ubuntu[*].private_dns
}
Generalized “splat” Operator
The splat expression was previously a special-case operation only for attributes on resources with count and didn't work for any other list values. For Terraform 0.12, we've generalized the operation to work for any list value and are calling the syntax the "splat operator."
Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/for-expressions
// This is a list without a count associated
output "instance_ip_addrs" {
  value = google_compute_instance.example.network_interface.*.address
}
Improvements to Conditional
The conditional operator ... ? ... : ... now supports any value type and lazily evaluates results, as those familiar with this operator in other languages would expect. Also, the special value null can now be assigned to any field to represent the absence of a value. This causes Terraform to omit the field from upstream API calls, which is important in some cases for triggering certain default behaviors.
Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/for-expressions
// Conditional inside a for expression: the public IP is listed only when the instance has one
output "ips_with_list_in_brackets" {
  value = [
    for instance in aws_instance.ubuntu :
    (instance.public_ip != "" ? [instance.private_ip, instance.public_ip] : [instance.private_ip])
  ]
}
Dynamic Blocks
Child blocks such as rule in aws_security_group can now be dynamically generated based on lists/maps and support iteration.
Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/dynamic-blocks-and-splat-expressions
# Configuration for Terraform 0.11 and earlier
resource "aws_autoscaling_group" "example" {
  # ...
  tag {
    key   = "Name"
    value = "example-asg-name"
  }
  tag {
    key   = "Environment"
    value = "production"
  }
}
# Configuration for Terraform 0.12
locals {
  standard_tags = {
    Component   = "user-service"
    Environment = "production"
  }
}
resource "aws_autoscaling_group" "example" {
  # ...
  tag {
    key   = "Name"
    value = "example-asg-name"
  }
  dynamic "tag" {
    for_each = local.standard_tags
    content {
      key   = tag.key
      value = tag.value
    }
  }
}
Rich Value Types
Terraform has supported basic lists and maps as inputs/outputs since Terraform 0.7, but elements were limited to only simple values. Terraform 0.12 allows arbitrarily complex lists and maps for any inputs and outputs, including with modules.
Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/rich-value-types
// project/module/output.tf
output "vpc" {
  value = aws_vpc.my_vpc
}
output "subnet" {
  value = aws_subnet.my_subnet
}
// project/main.tf
output "vpc" {
  value = module.network.vpc
}
output "subnet" {
  value = module.network.subnet
}
vpc = {
  "arn" = "arn:aws:ec2:us-west-2:753646501470:vpc/vpc-0a1d5a09545df5d29"
  "assign_generated_ipv6_cidr_block" = false
  "cidr_block" = "172.16.0.0/16"
  ...
  "main_route_table_id" = "rtb-07cbd1dc962def19f"
  "owner_id" = "753646501470"
  "tags" = {
    "Name" = "tf-0.12-rvt-example-vpc"
  }
}
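Added example, not part of the original deck: the Dynamic Blocks and Rich Value Types slides combined on the aws_security_group case the Dynamic Blocks slide mentions, where the generated child blocks are `ingress` rules. The names var.vpc_id and var.ingress_rules, the resource name and the CIDR ranges are assumptions made up for illustration.

```hcl
# Added example: Terraform 0.12 syntax. All names and CIDR ranges are illustrative.

variable "vpc_id" {
  type = string
}

# Rich value type: each rule is an object with a fixed schema, so a rule
# that is missing a field or has the wrong type is rejected before any
# API call is made.
variable "ingress_rules" {
  description = "Allowed inbound flows; every field must be stated explicitly."
  type = list(object({
    description = string
    port        = number
    protocol    = string
    cidr_blocks = list(string)
  }))

  default = [
    {
      description = "HTTPS from the application subnet"
      port        = 443
      protocol    = "tcp"
      cidr_blocks = ["172.16.10.0/24"]
    },
    {
      description = "SSH from the bastion subnet only"
      port        = 22
      protocol    = "tcp"
      cidr_blocks = ["172.16.20.0/28"]
    },
  ]
}

resource "aws_security_group" "service" {
  name   = "tf-0.12-dynamic-sg-example"
  vpc_id = var.vpc_id

  # Dynamic block: one ingress block is generated per element of the list.
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      description = ingress.value.description
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.protocol
      cidr_blocks = ingress.value.cidr_blocks
    }
  }
}

# For expression with a filter: ports that any rule opens to the whole
# internet. An empty list is the expected result for an internal service.
output "world_open_ports" {
  value = [
    for rule in var.ingress_rules :
    rule.port
    if contains(rule.cidr_blocks, "0.0.0.0/0")
  ]
}
```

Because the rules are data rather than hand-written blocks, the same list can be reviewed in a plan or checked by the world_open_ports output before anything is applied.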
Improved Template Syntax
The string interpolation syntax ${ ... } has been part of Terraform since its initial release in 2015. This continues to work in Terraform 0.12, but is now extended to include support for conditionals and for expressions.
Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/new-template-syntax
output "just_mary" {
  value = <<EOT
%{ for name in var.names ~}
%{ if name == "Mary" }${name}%{ endif ~}
%{ endfor ~}
EOT
}
Reliable JSON Syntax
Terraform 0.12 HCL configuration has an exact 1:1 mapping to and from JSON, providing better error messages and allowing comments in JSON.
Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/reliable-json-syntax
// Using Terraform < 0.12
Error: Error loading /home/ubuntu/test_json/variable1.tf.json: -: "variable" must be followed by a name
// Using Terraform 0.12
Error: Incorrect JSON value type
on variable1.tf.json line 3, in variable:
3: "example": "foo"
Either a JSON object or a JSON array is required, representing the contents of
one or more "variable" blocks.
Upgrading to Terraform 0.12
Upgrade Guide:
https://www.terraform.io/upgrade-guides/0-12.html
Upgrade tool:
https://www.terraform.io/docs/commands/0.12upgrade.html
Should you Upgrade?
Old stable code - perhaps not necessary.
New code - recommended.
If not upgrading, make sure to peg the versions of Terraform, providers and modules:
terraform {
  required_providers {
    aws = ">= 2.7.0"
  }
}
module "consul" {
  source  = "hashicorp/consul/aws"
  version = "0.0.5"
  servers = 3
}
terraform {
  required_version = "< 0.12.0"
}
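Added example, not part of the original deck: the same three pins written with bounded constraints, with the open-ended provider constraint kept beside the tighter one for comparison. The region value is an assumption; the module source, module version and `servers` argument are the ones from the slide.

```hcl
# Added example. Syntax is valid in both Terraform 0.11 and 0.12.

terraform {
  # Stay on the 0.11 line: accepts 0.11.x patch releases and rejects
  # 0.12.0 and later. A bare "< 0.12.0" would also accept any older release.
  required_version = "~> 0.11.0"
}

provider "aws" {
  region = "us-west-2" # assumed region, for illustration only

  # Weak: ">= 2.7.0" is only a lower bound, so a fresh `terraform init`
  # can select a newer major release that nobody has reviewed or tested.
  # version = ">= 2.7.0"

  # Tighter: 2.7.x releases only (>= 2.7.0 and < 2.8.0).
  version = "~> 2.7.0"
}

module "consul" {
  source = "hashicorp/consul/aws"

  # An exact registry version makes every run fetch the same module code.
  version = "0.0.5"

  servers = 3
}
```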
www.hashicorp.com
stenio@hashicorp.com
Thank you

More Related Content

What's hot (20)

PPTX
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Stenio Ferreira
 
PPTX
Dynamic Database Credentials with HashiCorp Vault
Katie Reese
 
PPTX
[HashiConf 2019] "Securing Cloud Native Communication with Ambassador and Con...
Daniel Bryant
 
PPT
Multi-Cloud Roadmap: Architecting Hybrid Environments for Maximum Results
RightScale
 
PDF
Adopting HashiCorp Vault
Nicolas Corrarello
 
PPTX
Easy and Flexible Application Deployment with HashiCorp Nomad
Amanda MacLeod
 
PDF
Smart networking with service meshes
Mitchell Pronschinske
 
PDF
Terraform 0.12 Deep Dive: HCL 2.0 for Infrastructure as Code, Remote Plan & A...
Mitchell Pronschinske
 
PDF
Military Edge Computing with Vault and Consul
Mitchell Pronschinske
 
PDF
From Terraform OSS to Enterprise
Mitchell Pronschinske
 
PPTX
Rapid Infrastructure in Hybrid Environments
Mitchell Pronschinske
 
PDF
Vault 1.5 Overview
Mitchell Pronschinske
 
PPTX
Moving to a Microservice World: Leveraging Consul on Azure
Mitchell Pronschinske
 
PPTX
Superior Streaming and CDN Solutions: Cloud Storage Revolutionizes Digital Media
Scality
 
PDF
Modernizing Your Data Platform for Analytics and AI in the Hybrid Cloud Era
Alluxio, Inc.
 
PPTX
Kubernetes with Docker Enterprise for multi and hybrid cloud strategy
Ashnikbiz
 
PPTX
Modern Scheduling for Modern Applications with Nomad
Mitchell Pronschinske
 
PDF
Vault 1.4 integrated storage overview
Mitchell Pronschinske
 
PPTX
NetApp Se training storage grid webscale technical overview
solarisyougood
 
PDF
04 - VMUGIT - Lecce 2018 - Giampiero Petrosi, Rubrik
VMUG IT
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Stenio Ferreira
 
Dynamic Database Credentials with HashiCorp Vault
Katie Reese
 
[HashiConf 2019] "Securing Cloud Native Communication with Ambassador and Con...
Daniel Bryant
 
Multi-Cloud Roadmap: Architecting Hybrid Environments for Maximum Results
RightScale
 
Adopting HashiCorp Vault
Nicolas Corrarello
 
Easy and Flexible Application Deployment with HashiCorp Nomad
Amanda MacLeod
 
Smart networking with service meshes
Mitchell Pronschinske
 
Terraform 0.12 Deep Dive: HCL 2.0 for Infrastructure as Code, Remote Plan & A...
Mitchell Pronschinske
 
Military Edge Computing with Vault and Consul
Mitchell Pronschinske
 
From Terraform OSS to Enterprise
Mitchell Pronschinske
 
Rapid Infrastructure in Hybrid Environments
Mitchell Pronschinske
 
Vault 1.5 Overview
Mitchell Pronschinske
 
Moving to a Microservice World: Leveraging Consul on Azure
Mitchell Pronschinske
 
Superior Streaming and CDN Solutions: Cloud Storage Revolutionizes Digital Media
Scality
 
Modernizing Your Data Platform for Analytics and AI in the Hybrid Cloud Era
Alluxio, Inc.
 
Kubernetes with Docker Enterprise for multi and hybrid cloud strategy
Ashnikbiz
 
Modern Scheduling for Modern Applications with Nomad
Mitchell Pronschinske
 
Vault 1.4 integrated storage overview
Mitchell Pronschinske
 
NetApp Se training storage grid webscale technical overview
solarisyougood
 
04 - VMUGIT - Lecce 2018 - Giampiero Petrosi, Rubrik
VMUG IT
 

Similar to Demystifying Terraform 012 (20)

PDF
Working with Terraform on Azure
tombuildsstuff
 
PPTX
Kloia AWS IBM Hashicorp Day Presentation
kloia
 
PDF
Machine Learning in the Enterprise 2019
Timothy Spann
 
PDF
26Oct2023_Adding Generative AI to Real-Time Streaming Pipelines_ NYC Meetup
Timothy Spann
 
PDF
Big Data Web applications for Interactive Hadoop by ENRICO BERTI at Big Data...
Big Data Spain
 
PDF
What is A Cloud Stack in 2017
Gaurav Roy
 
PPTX
New and cool in OSGi R7 - David Bosschaert & Carsten Ziegeler
mfrancis
 
PDF
Sql on everything with drill
Julien Le Dem
 
PDF
Introduction to Apache NiFi 1.11.4
Timothy Spann
 
PDF
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
PPTX
Infrastructure as code, using Terraform
Harkamal Singh
 
PPTX
PUT is the new rename()
Steve Loughran
 
PDF
Open Source Data Orchestration for AI, Big Data, and Cloud
Alluxio, Inc.
 
PDF
Building a Cloud Native Stack with EMR Spark, Alluxio, and S3
Alluxio, Inc.
 
PDF
Case Study: Using Terraform and Packer to deploy go applications to AWS
Patrick Bolduan
 
PDF
Meetup at AI NextCon 2019: In-Stream data process, Data Orchestration & More
Alluxio, Inc.
 
PDF
Simplified Data Preparation for Machine Learning in Hybrid and Multi Clouds
Alluxio, Inc.
 
PDF
Secure Infrastructure Provisioning with Terraform Cloud, Vault + GitLab CI
Mitchell Pronschinske
 
PDF
Conf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Timothy Spann
 
PDF
April 2024 - NLIT Cloudera Real-Time LLM Streaming 2024
Timothy Spann
 
Working with Terraform on Azure
tombuildsstuff
 
Kloia AWS IBM Hashicorp Day Presentation
kloia
 
Machine Learning in the Enterprise 2019
Timothy Spann
 
26Oct2023_Adding Generative AI to Real-Time Streaming Pipelines_ NYC Meetup
Timothy Spann
 
Big Data Web applications for Interactive Hadoop by ENRICO BERTI at Big Data...
Big Data Spain
 
What is A Cloud Stack in 2017
Gaurav Roy
 
New and cool in OSGi R7 - David Bosschaert & Carsten Ziegeler
mfrancis
 
Sql on everything with drill
Julien Le Dem
 
Introduction to Apache NiFi 1.11.4
Timothy Spann
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
Infrastructure as code, using Terraform
Harkamal Singh
 
PUT is the new rename()
Steve Loughran
 
Open Source Data Orchestration for AI, Big Data, and Cloud
Alluxio, Inc.
 
Building a Cloud Native Stack with EMR Spark, Alluxio, and S3
Alluxio, Inc.
 
Case Study: Using Terraform and Packer to deploy go applications to AWS
Patrick Bolduan
 
Meetup at AI NextCon 2019: In-Stream data process, Data Orchestration & More
Alluxio, Inc.
 
Simplified Data Preparation for Machine Learning in Hybrid and Multi Clouds
Alluxio, Inc.
 
Secure Infrastructure Provisioning with Terraform Cloud, Vault + GitLab CI
Mitchell Pronschinske
 
Conf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Timothy Spann
 
April 2024 - NLIT Cloudera Real-Time LLM Streaming 2024
Timothy Spann
 
Ad

More from Stenio Ferreira (10)

PPTX
Lgpd webinar hashitalks brasil 2020
Stenio Ferreira
 
PPTX
HashiTalks 2020 Latin America Nomad
Stenio Ferreira
 
PPTX
Hashicorp Webinar - Vault Cloud Security - Spanish
Stenio Ferreira
 
PPTX
Hashicorp Webinar - Vault Cloud Security - Portuguese
Stenio Ferreira
 
PPTX
Hashicorp corporate pitch deck Spanish
Stenio Ferreira
 
PPTX
Slalom: Introduction to Containers and AWS ECS
Stenio Ferreira
 
PPTX
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etc
Stenio Ferreira
 
PPTX
Secret Management Architectures
Stenio Ferreira
 
PPTX
Like Ruby on Rails for Node - the Sails js framework
Stenio Ferreira
 
PPT
Sales and Marketing in Small Company Environment
Stenio Ferreira
 
Lgpd webinar hashitalks brasil 2020
Stenio Ferreira
 
HashiTalks 2020 Latin America Nomad
Stenio Ferreira
 
Hashicorp Webinar - Vault Cloud Security - Spanish
Stenio Ferreira
 
Hashicorp Webinar - Vault Cloud Security - Portuguese
Stenio Ferreira
 
Hashicorp corporate pitch deck Spanish
Stenio Ferreira
 
Slalom: Introduction to Containers and AWS ECS
Stenio Ferreira
 
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etc
Stenio Ferreira
 
Secret Management Architectures
Stenio Ferreira
 
Like Ruby on Rails for Node - the Sails js framework
Stenio Ferreira
 
Sales and Marketing in Small Company Environment
Stenio Ferreira
 
Ad

Recently uploaded (20)

PDF
Understanding the EU Cyber Resilience Act
ICS
 
PDF
Code and No-Code Journeys: The Maintenance Shortcut
Applitools
 
PPTX
Function & Procedure: Function Vs Procedure in PL/SQL
Shani Tiwari
 
PDF
chapter 5.pdf cyber security and Internet of things
PalakSharma980227
 
PDF
Optimizing Tiered Storage for Low-Latency Real-Time Analytics at AI Scale
Alluxio, Inc.
 
PPTX
API DOCUMENTATION | API INTEGRATION PLATFORM
philipnathen82
 
PDF
10 Salesforce Consulting Companies in Sydney.pdf
DianApps Technologies
 
PDF
Message Level Status (MLS): The Instant Feedback Mechanism for UAE e-Invoicin...
Prachi Desai
 
PDF
Virtual Threads in Java: A New Dimension of Scalability and Performance
Tier1 app
 
PDF
Instantiations Company Update (ESUG 2025)
ESUG
 
PDF
Salesforce Experience Cloud Consultant.pdf
VALiNTRY360
 
PPTX
ChessBase 18.02 Crack + Serial Key Free Download
cracked shares
 
PDF
ERP Consulting Services and Solutions by Contetra Pvt Ltd
jayjani123
 
PDF
Windows 10 Professional Preactivated.pdf
asghxhsagxjah
 
PPTX
UI5con_2025_Accessibility_Ever_Evolving_
gerganakremenska1
 
PDF
AI Software Engineering based on Multi-view Modeling and Engineering Patterns
Hironori Washizaki
 
PPTX
How Can Reporting Tools Improve Marketing Performance.pptx
Varsha Nayak
 
PDF
How Attendance Management Software is Revolutionizing Education.pdf
Pikmykid
 
PDF
Ready Layer One: Intro to the Model Context Protocol
mmckenna1
 
PDF
SAP GUI Installation Guide for Windows | Step-by-Step Setup for SAP Access
SAP Vista, an A L T Z E N Company
 
Understanding the EU Cyber Resilience Act
ICS
 
Code and No-Code Journeys: The Maintenance Shortcut
Applitools
 
Function & Procedure: Function Vs Procedure in PL/SQL
Shani Tiwari
 
chapter 5.pdf cyber security and Internet of things
PalakSharma980227
 
Optimizing Tiered Storage for Low-Latency Real-Time Analytics at AI Scale
Alluxio, Inc.
 
API DOCUMENTATION | API INTEGRATION PLATFORM
philipnathen82
 
10 Salesforce Consulting Companies in Sydney.pdf
DianApps Technologies
 
Message Level Status (MLS): The Instant Feedback Mechanism for UAE e-Invoicin...
Prachi Desai
 
Virtual Threads in Java: A New Dimension of Scalability and Performance
Tier1 app
 
Instantiations Company Update (ESUG 2025)
ESUG
 
Salesforce Experience Cloud Consultant.pdf
VALiNTRY360
 
ChessBase 18.02 Crack + Serial Key Free Download
cracked shares
 
ERP Consulting Services and Solutions by Contetra Pvt Ltd
jayjani123
 
Windows 10 Professional Preactivated.pdf
asghxhsagxjah
 
UI5con_2025_Accessibility_Ever_Evolving_
gerganakremenska1
 
AI Software Engineering based on Multi-view Modeling and Engineering Patterns
Hironori Washizaki
 
How Can Reporting Tools Improve Marketing Performance.pptx
Varsha Nayak
 
How Attendance Management Software is Revolutionizing Education.pdf
Pikmykid
 
Ready Layer One: Intro to the Model Context Protocol
mmckenna1
 
SAP GUI Installation Guide for Windows | Step-by-Step Setup for SAP Access
SAP Vista, an A L T Z E N Company
 

Demystifying Terraform 012

  • 1. Copyright © 2019 HashiCorp Demystifying Terraform 0.12
  • 2. © 2019 HashiCorp 2 Background • Senior Solutions Engineer • At Hashicorp for over a year • Developer/ Consultant/ Sales background • Originally from Brazil • Play once a month in a metal band @stenio123 [email protected] Copyright © 2019 HashiCorp ∕ 2
  • 3. © 2019 HashiCorp 3 Agenda • Company Overview • Digital Transformation • Products Overview • Terraform 0.12 • Questions/ Discussion Copyright © 2019 HashiCorp ∕ 2
  • 4. Copyright © 2019 HashiCorp ∕ Company Overview Copyright © 2019 HashiCorp ∕ 4 Founded in 2012 by Mitchell Hashimoto and Armon Dadgar Enabling the Cloud Operating Model Provision, Secure, Connect, and Run any infrastructure for any application
  • 5. Copyright © 2018 HashiCorp ∕ The Transition to Multi-Cloud 5
  • 6. Copyright © 2019 HashiCorp ∕ The Transition to Multi-Cloud Copyright © 2019 HashiCorp ∕ 6 Traditional Datacenter “Static” Dedicated Infrastructure Modern Datacenter “Dynamic” AWS Azure GCP+ + +Private Cloud + “Ticket-based” “Self-service”
  • 7. Copyright © 2019 HashiCorp ∕ The Transition to Multi-Cloud Copyright © 2019 HashiCorp ∕ 7 Traditional Datacenter “Static” Dedicated Infrastructure Modern Datacenter “Dynamic” AWS Azure GCP+ + +Private Cloud + Why? • Capex to Opex • Scale, repeatability, maintainability • Access to new technologies
  • 8. Copyright © 2019 HashiCorp ∕ The Transition to Multi-Cloud Copyright © 2019 HashiCorp ∕ 8 Traditional Datacenter “Static” SYSTEMS OF RECORD SYSTEMS OF ENGAGEMENT Dedicated Infrastructure Modern Datacenter “Dynamic” AWS Azure GCP+ + +Private Cloud +
  • 9. Copyright © 2018 HashiCorp ∕Copyright © 2018 HashiCorp ∕ 9 A Common Operating Model with the HashiCorp Suite C++ Provision Operations Secure Security Run Development Connect Networking Private Cloud AWS Azure GCP
  • 10. Copyright © 2018 HashiCorp ∕ Product Overview 10
  • 11. Copyright © 2018 HashiCorp ∕Copyright © 2018 HashiCorp ∕ 11 Cloud Provisioning With Terraform Provision Operations Secure Security Run Development Connect Networking Private Cloud AWS Azure GCP A Common Cloud Operating Model
  • 12. Copyright © 2018 HashiCorp ∕Copyright © 2018 HashiCorp ∕ 12 Cloud Provisioning With Terraform Self-Service provisioning Templates can be made available to any development team for self-provisioning. Multi-cloud provisioning & compliance Consistent workflow, API support, security & policy enforced at provisioning time. Infrastructure as Code Allows repeatability, scalability, version control and automation. Multi-cloud Infrastructure Workflow
  • 13. Copyright © 2018 HashiCorp ∕Copyright © 2018 HashiCorp ∕ 13 Cloud Security With Vault Provision Operations Secure Security Private Cloud AWS Azure GCP Run Development Connect Networking A Common Cloud Operating Model
  • 14. Copyright © 2019 HashiCorp ∕ Secret Management With Vault Copyright © 2019 HashiCorp ∕ 14 A Common Cloud Operating Model Dynamic Secrets Leverage time-bound credentials or rotate passwords for databases, cloud platforms and more. Encryption as a Service One workflow to create and manage keys used to encrypt your data in-flight and at rest. Centralized Secrets Management Securely store, access, and deploy sensitive information through a centralized workflow.
  • 15. Copyright © 2018 HashiCorp ∕Copyright © 2018 HashiCorp ∕ 15 Cloud Networking With Consul Provision Operations Secure Security Connect Networking Private Cloud AWS Azure GCP Run Development A Common Cloud Operating Model
  • 16. Copyright © 2019 HashiCorp ∕ Multi-Cloud Networking With Consul Copyright © 2019 HashiCorp ∕ 16 Service Segmentation Secure service-to-service communication with automatic TLS encryption and identity-based authorization. Service Discovery Dynamically register and discover services across distributed infrastructure. Runtime Configuration Feature rich Key/Value store to easily configure services at scale and at runtime. Service Mesh Solution
  • 17. Copyright © 2018 HashiCorp ∕Copyright © 2018 HashiCorp ∕ 17 Cloud Scheduling with Nomad C++ Provision Operations Secure Security Run Development Connect Networking Private Cloud AWS Azure GCP A Common Cloud Operating Model
  • 18. ∕Copyright © 2019 HashiCorp 18 Nomad Use Cases Multi-Cloud Workload Management Safely manage workloads across platforms, regions and cloud providers. Flexible Orchestration Deploy and manage any containerized, legacy or batch application. Efficient Resource Utilization Increase resource utilization, reduce fleet size and cut costs. Simplified Orchestration
  • 19. Copyright © 2019 HashiCorp Demystifying Terraform 0.12
  • 20. ∕Copyright © 2019 HashiCorp 20 Improving HCL • First class expressions • For Expressions • Generalized “splat” operator • Conditional improvements • Dynamic blocks • Rich Value types • Improved Template syntax • Reliable JSON syntax
  • 21. ∕Copyright © 2019 HashiCorp 21 First Class Expressions Prior to 0.12, expressions had to be wrapped in interpolation sequences with double quotes, such as "${var.foo}". With 0.12, expressions are a native part of the language and can be used directly. Example: ami = var.ami[1] resource "aws_subnet" "my_subnet" { vpc_id = aws_vpc.my_vpc.id cidr_block = "172.16.10.0/24" tags = { Name = "tf-0.12-fce-example" } } Example: https://github.com/hashicorp/terraform-guides/blob/master/infrastructure-as-code/terraform-0.12-examples/first-class-expressions/main.tf
  • 22. ∕Copyright © 2019 HashiCorp 22 For Expressions For Expression can be used to iterate across multiple items in lists. It does this for several outputs, illustrating the usefulness and power of the for expression in several ways. // For expression output "private_addresses_new" { value = [ for instance in aws_instance.ubuntu: instance.private_dns ] } Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/for-expressions // prior to tf 0.12 output "private_addresses_old" { value = aws_instance.ubuntu.*.private_dns } // Equivalent, new splat operator output "private_addresses_full_splat" { value = [ aws_instance.ubuntu[*].private_dns ] }
  • 23. ∕Copyright © 2019 HashiCorp 23 Generalized “splat” Operator The splat expression was previously a special-case operation only for attributes on resources with count and didn't work for any other list values. For Terraform 0.12, we've generalized the operation to work for any list value and are calling the syntax the "splat operator." Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/for-expressions // This is a list without a count associated output "instance_ip_addrs" { value = google_compute_instance.example.network_interface.*.address }
  • 24. ∕Copyright © 2019 HashiCorp 24 Improvements to Conditional The conditional operator ... ? ... : ... now supports any value type and lazily evaluates results, as those familiar with this operator in other languages would expect. Also, the special value null can now be assigned to any field to represent the absence of a value. This causes Terraform to omit the field from upstream API calls, which is important in some cases for triggering certain default behaviors. Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/for-expressions // This is a list without a count associated output "ips_with_list_in_brackets" { value = [ for instance in aws_instance.ubuntu: (instance.public_ip != "" ? [instance.private_ip, instance.public_ip] : [instance.private_ip]) ] }
  • 25. ∕Copyright © 2019 HashiCorp 25 Dynamic Blocks Child blocks such as rule in aws_security_group can now be dynamically generated based on lists/maps and support iteration. Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/dynamic-blocks-and-splat-expressions # Configuration for Terraform 0.11 and earlier resource "aws_autoscaling_group" "example" { # ... tag { key = "Name" value = "example-asg-name" } tag { key = "Environment" value = "production" } } # Configuration for Terraform 0.12 locals { standard_tags = { Component = "user-service" Environment = "production" } } resource "aws_autoscaling_group" "example" { # ... tag { key = "Name" value = "example-asg-name" } dynamic "tag" { for_each = local.standard_tags content { key = tag.key value = tag.value} } }
  • 26. ∕Copyright © 2019 HashiCorp 26 Rich Value Types Terraform has supported basic lists and maps as inputs/outputs since Terraform 0.7, but elements were limited to only simple values. Terraform 0.12 allows arbitrarily complex lists and maps for any inputs and outputs, including with modules. Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/rich-value-types // project/module/output.tf output "vpc" { value = aws_vpc.my_vpc } output "subnet" { value = aws_subnet.my_subnet } // project/main.tf output "vpc" { value = module.network.vpc } output "subnet" { value = module.network.subnet } // project/module/output.tf output "vpc" { value = aws_vpc.my_vpc } output "subnet" { value = aws_subnet.my_subnet } // project/main.tf output "vpc" { value = module.network.vpc } output "subnet" { value = module.network.subnet } vpc = { "arn" = "arn:aws:ec2:us-west-2:753646501470:vpc/vpc- 0a1d5a09545df5d29" "assign_generated_ipv6_cidr_block" = false "cidr_block" = "172.16.0.0/16" ... "main_route_table_id" = "rtb-07cbd1dc962def19f" "owner_id" = "753646501470" "tags" = { "Name" = "tf-0.12-rvt-example-vpc" } }
  • 27. ∕Copyright © 2019 HashiCorp 27 Improved Template Syntax The string interpolation syntax ${ ... } has been part of Terraform since its initial release in 2015. This continues to work in Terraform 0.12, but is now extended to include support for conditionals and forexpressions. Example https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/new-template-syntax output "just_mary" { value = <<EOT %{ for name in var.names ~} %{ if name == "Mary" }${name}%{ endif ~} %{ endfor ~} EOT }
  • 28. Reliable JSON Syntax
    Terraform 0.12 HCL configuration has an exact 1:1 mapping to and from JSON, providing better error messages and allowing comments in JSON.
    Example: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples/reliable-json-syntax

      // Using Terraform < 0.12
      Error: Error loading /home/ubuntu/test_json/variable1.tf.json: -: "variable" must be followed by a name

      // Using Terraform 0.12
      Error: Incorrect JSON value type

        on variable1.tf.json line 3, in variable:
         3: "example": "foo"

      Either a JSON object or a JSON array is required, representing the contents of one or more "variable" blocks.
  • 29. Upgrading to Terraform 0.12
    Upgrade Guide: https://www.terraform.io/upgrade-guides/0-12.html
    Upgrade tool: https://www.terraform.io/docs/commands/0.12upgrade.html
  • 30. Should you Upgrade?
    Old stable code: perhaps not necessary.
    New code: recommended.
    If not upgrading, make sure to pin the versions of Terraform, providers and modules:

      terraform {
        required_providers {
          aws = ">= 2.7.0"
        }
      }

      module "consul" {
        source  = "hashicorp/consul/aws"
        version = "0.0.5"
        servers = 3
      }

      terraform {
        required_version = "< 0.12.0"
      }
  • 31. www.hashicorp.com Thank you
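
An added example (not from the slides or from HashiCorp's guides) that combines the dynamic blocks and rich value types described above, applied to the `ingress` child block of aws_security_group. The variable names, the resource name and the CIDR ranges are assumptions constructed for illustration.

```hcl
# Added example, not from the slides. Names and CIDR ranges are constructed.
variable "vpc_id" {
  type = string
}

# Rich value type: a rule missing its description or source ranges fails type checking.
variable "ingress_rules" {
  type = list(object({
    description = string
    port        = number
    protocol    = string
    cidr_blocks = list(string)
  }))
  default = [
    {
      description = "HTTPS from the load balancer subnet"
      port        = 443
      protocol    = "tcp"
      cidr_blocks = ["10.0.1.0/24"]
    },
    {
      description = "SSH from the bastion host only"
      port        = 22
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.10/32"]
    },
  ]
}

resource "aws_security_group" "service" {
  name   = "example-service"
  vpc_id = var.vpc_id
  # One ingress block is generated per element of var.ingress_rules.
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      description = ingress.value.description
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.protocol
      cidr_blocks = ingress.value.cidr_blocks
    }
  }
}

# Review aid: lists every port whose rule admits traffic from any address.
output "world_open_ports" {
  value = [for r in var.ingress_rules : r.port if contains(r.cidr_blocks, "0.0.0.0/0")]
}
```

Because the rules live in one typed list, a reviewer can audit network exposure by reading the variable value instead of scanning repeated blocks.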

Editor's Notes

  • #6: <note to presenter> frame the discussion to indicate that there are really three pictures that matter #1 is the transition in infrastructure #2 is how we think about them in layers #3 is what success looks like in terms of core Terraform, Vault and Consul as a shared service
  • #7: Talk about what’s happening in the world of infrastructure where we are going through a transition that happens in our industry every 20 years: this time from one which is largely dedicated servers in a private datacenter to a pool of compute capacity available on demand. In simple terms, this is a shift from “static” infrastructure to “dynamic” infrastructure, which is the reality of cloud. And while the first cloud provider was AWS, it is clear that it will be a multi-cloud world. Each of these platforms has its own key advantages and so it is inevitable that most G2K organizations will use more than one. This is not about moving applications around (since data gravity is a constraint) but rather creates a need for a common operating model across these distinct platforms that allows different teams to leverage the platform of their choice.
  • #8: Talk about what’s happening in the world of infrastructure where we are going through a transition that happens in our industry every 20 years: this time from one which is largely dedicated servers in a private datacenter to a pool of compute capacity available on demand. In simple terms, this is a shift from “static” infrastructure to “dynamic” infrastructure, which is the reality of cloud. And while the first cloud provider was AWS, it is clear that it will be a multi-cloud world. Each of these platforms has its own key advantages and so it is inevitable that most G2K organizations will use more than one. This is not about moving applications around (since data gravity is a constraint) but rather creates a need for a common operating model across these distinct platforms that allows different teams to leverage the platform of their choice.
  • #9: As has been the case in every prior infrastructure transition, the catalyst for this shift is a change in the TYPE of application being built today. These new “systems of engagement” (credit Geoffrey Moore), those applications built to engage customers and users, tend to (a) be very “spikey” in their usage characteristics (100K users at noon and 100 users at midnight) and (b) be under enormous pressure to be built quickly. Both of those characteristics make it inevitable that they will be on cloud. However, invariably these new “systems of engagement” must connect to “systems of record” (e.g. the core database, the core mainframe system etc.) on-premises, and so organizations end up in this hybrid world whether they like it or not. http://wiki.p2pfoundation.net/Systems_of_Engagement
  • #11: <note to presenter> frame the discussion to indicate that there are really three pictures that matter #1 is the transition in infrastructure #2 is how we think about them in layers #3 is what success looks like in terms of core Terraform, Vault and Consul as a shared service
  • #12: The way we decompose the problem practically is to say there are four kinds of people in IT (ops, security, networking and developers). And all four of these participants have to figure out how to run infrastructure in this new model. And that's how we think about our product portfolio. So we've taken a very cloud native approach to solving each of those problems independently. At the infrastructure layer, we have Terraform which is the world's most widely used cloud provisioning product. Terraform is used to provision infrastructure across any application.
  • #13: What ops can now do is create a single Terraform template that expresses not just the configuration of the services from the core cloud platform but also the services from the ISV providers. That template can be provisioned once or a million times that includes not just the services of the cloud provider but all of the monitoring agents, the APM systems, the security configurations and the various ISVs that are described in that template. It is this provider ecosystem even more than the multi-cloud aspect that has caused Terraform to become the lingua-franca for provisioning across public and private cloud.
  • #14: At the security layer it's about using identity as the basis for systems access, and our product here is called Vault. Vault is very widely used, including at stock exchanges, large financial organizations, hotel chains and everything in between.
  • #15: In the cloud model, Vault inserts itself into the middle of this flow and creates an intermediary step.
  • #16: Similar to how Vault has introduced a totally different way of thinking about security, Consul does the same for networking. Consul is one of our most widely deployed products. We have customers running well north of 100K Consul nodes in their environments today.
  • #17: In the cloud model, Vault inserts itself into the middle of this flow and creates an intermediary step.