
Terraform Tips

Terraform Tips

Tips on improving the usefulness of Terraform by taking advantage of the ecosystem of providers and by defining modules. Note that values produced by resources such as random_password and tls_private_key are written to Terraform state, so the state backend needs the same protection as the secrets themselves.

Anuraag Agrawal

August 10, 2023



Transcript

  1. resource "google_sql_database_instance" "instance" { database_version = "POSTGRES_13" name = "cats"

    } resource "google_sql_database" "catsdb" { name = "cats" instance = } resource "random_password" "admin_password" { length = 16 } resource "postgresql_role" "admin_user" { name = "admin" login = true password = random_password.admin_password.result } resource "postgresql_default_privileges" "admin_privileges" { role = postgresql_role.admin_user.name database = google_sql_database.catsdb.name schema = "public" object_type = "table" privileges = ["INSERT", "SELECT", "UPDATE", "DELETE"] }
  2. resource "random_password" "app_password" { length = 16 } resource "postgresql_role"

    "app_user" { name = "app" login = true password = random_password.app_password.result } resource "postgresql_default_privileges" "app_privileges" { role = postgresql_role.app_user.name database = google_sql_database.catsdb.name schema = "public" object_type = "table" privileges = ["INSERT", "SELECT", "UPDATE"] } resource "kubernetes_secret" "catsdb" { metadata { namespace = "cats" name = "cats" } data = { DB_NAME = google_sql_database.catsdb.name DB_USER = postgresql_role.app_user.name DB_PASS = random_password.app_password.result }
  3. resource "github_actions_secret" "catsdb_admin_password" { repository = "catsrepo" secret_name = "CATSDB_ADMIN_PASSWORD"

    plaintext_value = random_password.admin_password.result } Used providers: random, google, postgresql, kubernetes, github
  4. resource "tls_private_key" "services-ca" {..} resource "tls_self_signed_cert" "services-ca-cert" {..} resource "tls_private_key"

    "web-service" {..} resource "tls_cert_request" "web-service" {..} resource "tls_locally_signed_cert" "web-service" {..} resource "kubernetes_secret" "web" { metadata { namespace = "web" name = "web" } data = { TLS_CA_CERT = tls_self_signed_cert.services-ca-cert.cert_pem TLS_KEY = tls_private_key.web-service.private_key_pem TLS_CERT = tls_locally_signed_cert.web-service.cert_pem } }
  5. k8s-deployment resource "tls_private_key" "service" {..} resource "tls_cert_request" "service" {..} resource

    "tls_locally_signed_cert" "service" {..} resource "google_service_account" "service" {..} resource "kubernetes_service_account" "service" {..} resource "google_service_account_iam_binding" "workload_identity" {..} resource "google_project_iam_member" "cloudsql" {..} resource "google_project_iam_member" "log_writer" {..} resource "google_project_iam_member" "metric_writer" {..} resource "google_project_iam_member" "trace_agent" {..}
  6. k8s-deployment resource "kubernetes_secret" "service" { metadata { namespace = var.name

    name = var.name } data = { TLS_CA_CERT = var.ca_cert_pem TLS_KEY = tls_private_key.service.private_key_pem TLS_CERT = tls_locally_signed_cert.service.cert_pem } } resource "kubernetes_deployment" "service" {..} resource "kubernetes_service" "service" {..}
  7. cats-infra module "web" {source="./modules/k8s-deployment", ..} module "mobile" {source="./modules/k8s-deployment", ..} module

    "api" {source="./modules/k8s-deployment", ..} module "auth" {source="./modules/k8s-deployment", ..} Database, DNS, etc.
  8. Other tools kustomize: never use - Not an IaC tool -

    cannot remove resources it created - Engineers should define inputs, outputs and logic, not merge patches aws-cdk: reconsider - Only for AWS resources - Developed for use at AWS - If you follow an AWS-specific design (ECS Fargate, Lambda + DynamoDB), no problem - But say goodbye to ever releasing an on-prem version