Building Multi-Account Apps with Terraform Stacks

© 2024, Amazon Web Services, Inc. or its affiliates. All
rights reserved. © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. Building multi-account, multi- region applications with Terraform Stacks Kerim Satirli D O P 2 0 6 he / him Senior Developer Advocate HashiCorp Welly Siauw he / him Principal Partner Solutions Architect AWS

rights reserved. Do you have: custom tooling to manage dependencies across different environments?

rights reserved. Do you deploy: identical infrastructure multiple times in a row with differing input variables?

rights reserved. Principal Partner SA AWS he / him Welly Siauw Senior Developer Advocate HashiCorp he / him Kerim Satirli

rights reserved. Multi-environment use cases 2 3 1 4 5 6 Agenda Declarative Terraform deployments Introducing Terraform Stacks Modeling deployments with Terraform Stacks Demo Recap

rights reserved. Example 1: Platform infrastructure Amazon VPC AWS IAM AWS IAM Identity Center

rights reserved. What this looks like with Terraform Module VPC Module IAM main.tf outputs.tf variables.tf terraform.tf main.tf outputs.tf variables.tf terraform.tf Account_A/ main.tf outputs.tf variables.tf Account_B/ main.tf outputs.tf variables.tf ... My deployment AWS account AWS account AWS account AWS account

rights reserved. Example 2: Workload resources Amazon VPC Amazon EKS K8s Namespace

rights reserved. What this looks like with Terraform App VPC EKS Cluster, services and add-ons EKS Cluster Services & add-ons App Pods Dev (us-east-1) App VPC EKS Cluster, services and add-ons EKS Cluster Services & add-ons App Pods Prod (us-east-1)

rights reserved. project-hashibank-dev - hashibank-networking - hashibank-k8s-cluster - hashibank-k8s-services - hashibank-web-app p p p p p p p p p p p p a a a a a a Time project-hashibank-prod-dr - hashibank-networking - hashibank-k8s-cluster - hashibank-k8s-services - hashibank-web-app project-hashibank-prod - hashibank-networking - hashibank-k8s-cluster - hashibank-k8s-services - hashibank-web-app 12 workspaces to manage a single application Common challenges at scale

rights reserved. Deployment use cases Platform resources ❖ Many accounts ❖ Many regions ❖ Common resources ❖ Prefers consistency ❖ Large targets ❖ High-level abstraction Workload resources ❖ Select accounts ❖ Select regions ❖ Specific resources ❖ Prefers ordering ❖ Selected targets ❖ High degree of control

rights reserved. Declarative deployments deployment "my_multi_region_app" { inputs = { regions = ["us-east-1", "us-west-2", "us-east-2"] count = 2 ... } } What if I could declare the deployments using HCL itself ? us-east-1 us-west-2 us-east-2

rights reserved. New approach to provision and manage New layer of HCL configuration Standard Terraform Modules Optimize the coordination, provisioning, and management of dependent Terraform configurations Built on top of existing modules Written as code

rights reserved. New approach to provision and manage Standard Terraform Modules Optimize the coordination, provisioning, and management of dependent Terraform configurations Built on top of existing modules Written as code New syntax allows easily creating identical and grouped infrastructure

rights reserved. Key concepts Deployments Components Regular Terraform modules for resources that share the same lifecycle Deployments Used to repeat the components in the Stack

rights reserved. Auto-approved Auto-approved Auto-approved Key concepts Components Regular Terraform modules for resources that share the same lifecycle Deployments Used to repeat the components in the Stack Orchestration Rules to automate repetitive actions such as approving an execution plan

rights reserved. Users Terraform Make a config change Return “plan part 1” Apply “plan part 1” Return “plan part 2” Apply “plan part 2” Success! Key concepts Deferred changes Produce partial plan when it encounters too many unknown values. Streamline deployment with complex resources dependencies.

rights reserved. Permission Sets IAM Role Example 1: Platform infrastructure VPC Deployment Components

rights reserved. Example 1: Platform infrastructure Permission Sets IAM Role VPC Deployment 012345678912 Permission Sets IAM Role VPC Deployment 432187652109 Permission Sets IAM Role VPC Deployment 987654321021 Auto-approved

rights reserved. K8s RBAC EKS Cluster Example 2: Application workload VPC K8s Addons K8s Namespace App Pods Deployment Components

rights reserved. K8s RBAC EKS Cluster Example 2: Application workload VPC Components K8s Addons K8s Namespace App Pods Deployment Deferred changes

rights reserved. Example 2: Application workload K8s RBAC EKS Cluster VPC K8s Addons K8s Namespace App Pods Deployment Prod K8s RBAC EKS Cluster VPC K8s Addons K8s Namespace App Pods Deployment Dev K8s RBAC EKS Cluster VPC K8s Addons K8s Namespace App Pods Deployment DR Manual review

rights reserved. Demo recap P L A T F O R M I N F R A S T R U C T U R E Permission Sets IAM Role VPC Deployment Account 1 Permission Sets IAM Role VPC Deployment Account 2 Permission Sets IAM Role VPC Deployment Account 3 Permission Sets IAM Role VPC Deployment Account n . . . . Terraform Stacks are a great way to represent a well-defined, repeating infrastructure at scale Scale

rights reserved. Demo recap A P P L I C A T I O N W O R K L O A D K8s RBAC EKS Cluster VPC K8s Addons K8s Namespace App Pods Deployment Prod K8s RBAC EKS Cluster VPC K8s Addons K8s Namespace App Pods Deployment Dev K8s RBAC EKS Cluster VPC K8s Addons K8s Namespace App Pods Deployment DR Time With a single Terraform Stack we orchestrate three instances of Kubernetes workloads

rights reserved. Scalability Allow for the ability to codify business rules around environment based approval flows using plan context Improved Visibility Provides a consolidated view across environments with components and deployment status Consolidation Gracefully manages dependencies so that you don’t have to Operational efficiency with Terraform Stacks

rights reserved. Infrastructure Infrastructure as code to build, deploy and manage the lifecycle of infrastructure and applications. Nomad Scheduling and orchestration Automated developer services Waypoint Packer Build and manage images as code Terraform Infrastructure as code provisioning WORKFLOW AUTOMATION SYSTEM OF RECORD LIFECYCLE MANAGEMENT Maximize your infrastructure investments

rights reserved. Follow the blueprint for cloud success Infrastructure Compose Collaborate Infrastructure as code Provision cloud resources Version control integration Role-based access Stage 1: Adopting Publish & discover Enforce policy Private registry Dynamic image usage Policy as code Integrate security tooling Stage 2: Standardizing Enable self- service Observe & respond No-code provisioning Standardize application delivery Continuous validation Automated remediation Stage 3: Scaling

rights reserved. Try it yourself Documentation developer.hashicorp.com/terraform/cloud-docs/stacks Tutorial developer.hashicorp.com/terraform/tutorials/cloud/stacks-deploy Demo github.com/orgs/wellsiau-reInvent2024

rights reserved. Thank you! © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. Please complete the session survey in the mobile app Kerim Satirli [email protected] Welly Siauw [email protected] /in/ksatirli /in/wellsiau

Building Multi-Account Apps with Terraform Stacks

Building Multi-Account Apps with Terraform Stacks

Video

More Decks by Kerim Satirli

Other Decks in Technology

Featured

Transcript