Touring the Terraform Journey and Atlantis

Transcript

1. Touring the Terraform Journey and Atlantis lkysow Luke Kysow

2. Agenda • Phase 1: Starting Out • Phase 2: All

   In On Terraform • Phase 3: Collaboration and Automation

3. Phase 1: Starting Out • How do I structure my

   repo(s) and files? • I don't know what Terraform to write

4. Phase 1: Starting Out • How do I structure my

   repo(s) and files?
5. None
6. None

7. . └── main.tf Single State variable "staging_vpc_id" { default =

   "vpc-1345" } variable "production_vpc_id" { default = "vpc-1345" } resource "aws_ecs_cluster" "staging" { name = "staging" } resource "aws_ecs_cluster" "production" { name = "production" } resource "aws_ecs_service" "atlantis_staging" { ... resource "aws_ecs_service" "atlantis_production" { ...

8. . ├── production │ └── main.tf └── staging └── main.tf

   State Per Env variable "vpc_id" { default = "vpc-1345" } resource "aws_ecs_cluster" "cluster" { name = "production" } resource "aws_ecs_service" "atlantis" { ... variable "vpc_id" { default = "vpc-1345" } resource "aws_ecs_cluster" "cluster" { name = "staging" } resource "aws_ecs_service" "atlantis" { ...

9. . ├── production │ ├── atlantis │ │ └── main.tf

   │ └── ecs │ └── main.tf └── staging ├── atlantis │ └── main.tf └── ecs └── main.tf Separate Core and Services resource "aws_ecs_cluster" "cluster" { name = "production" } resource "aws_ecs_service" "atlantis" { ...

10. . ├── production │ ├── atlantis │ │ └── main.tf

    │ └── ecs │ └── main.tf └── staging ├── atlantis │ └── main.tf └── ecs └── main.tf Separate Core and Services resource "aws_ecs_cluster" "cluster" { name = "production" } resource "aws_ecs_service" "atlantis" { cluster = "????"

11. . ├── production │ ├── atlantis │ │ └── main.tf

    │ └── ecs │ └── main.tf └── staging ├── atlantis │ └── main.tf └── ecs └── main.tf Separate Core and Services terraform { backend "s3" { bucket = "bucket" region = "us-east-1" key = "production/ecs" } } resource "aws_ecs_cluster" "cluster" { name = "production" } output "cluster_arn" { value = "${aws_ecs_cluster.cluster.arn}" }

12. . ├── production │ ├── atlantis │ │ └── main.tf

    │ └── ecs │ └── main.tf └── staging ├── atlantis │ └── main.tf └── ecs └── main.tf Separate Core and Services data terraform_remote_state "ecs" { backend = "s3" config { bucket = "bucket" key = "production/ecs" region = "us-east-1" } } resource "aws_ecs_service" "atlantis" { cluster = "${data.terraform_remote_state.ecs.cluster_arn}"

13. DRY (don't repeat yourself) 1. Terraform workspaces 2. Modules 3.

    .tfvars files 4. Terragrunt

14. Terraform workspaces . ├── atlantis │ └── main.tf └── ecs

    └── main.tf $ terraform workspace new staging Created and switched to workspace "staging"! // ecs/main.tf resource "aws_ecs_cluster" "cluster" { name = "${terraform.env}" } variable "num_servers" { count = "${terraform.workspace == "production" ? 5 : 1}" }

15. When Terraform is used to manage larger systems, teams should

    use multiple separate Terraform configurations that correspond with suitable architectural boundaries within the system so that different components can be managed separately and, if appropriate, by distinct teams. Workspaces alone are not a suitable tool for system decomposition. - https://www.terraform.io/docs/state/workspaces.html

16. Modules . ├── modules │ ├── atlantis │ └── ecs

    ├── production │ ├── atlantis │ └── ecs └── staging ├── atlantis └── ecs module "ecs" { source = "../modules/ecs" name = "production" } variable "name" {} resource "aws_ecs_cluster" "cluster" { name = "${var.name}" } ... module "ecs" { source = "../modules/ecs" name = "staging" }

17. .tfvars . ├── atlantis │ ├── main.tf │ ├── production.tfvars

    │ └── staging.tfvars └── ecs ├── main.tf ├── production.tfvars └── staging.tfvars $ terraform plan -var-file production.tfvars name = "production" variable "name" {} resource "aws_ecs_cluster" "cluster" { name = "${var.name}" }

18. Terragrunt github.com/gruntwork-io/terragrunt

19. Phase 1: Starting Out • How do I structure my

    repo(s) and files? • I don't know what Terraform to write ◦ Use the console ◦ Use registry.terraform.io

20. Phase 1: Starting Out • Separate states for safety •

    Consistent directory structure • DRY templates

21. Phase 2: All In On Terraform • How can I

    extract common patterns?
22. None
23. None

24. resource "aws_security_group" "internet_to_alb" {...} resource "aws_security_group" "alb_to_ecs" {...} resource "aws_lb"

    "alb" {...} resource "aws_ecs_task_definition" "atlantis" {...} resource "aws_ecs_service" "atlantis" {...} resource "aws_cloudwatch_log_group" "atlantis" {...} . ├── modules │ ├── atlantis │ ├── app2 │ └── ecs ├── production │ ├── atlantis │ ├── app2 │ └── ecs └── staging ├── atlantis ├── app2 └── ecs resource "aws_security_group" "internet_to_alb" {...} resource "aws_security_group" "alb_to_ecs" {...} resource "aws_lb" "alb" {...} resource "aws_ecs_task_definition" "app2" {...} ...

25. module "ecs-app" { source = "../ecs-app" name = "atlantis" }

    . ├── modules │ ├── atlantis │ ├── app2 │ ├── ecs-app │ └── ecs ├── production │ ├── atlantis │ ├── app2 │ └── ecs └── staging ├── atlantis ├── app2 └── ecs resource "aws_security_group" "internet_to_alb" {...} resource "aws_security_group" "alb_to_ecs" {...} resource "aws_lb" "alb" {...} resource "aws_ecs_task_definition" "def" {...} ... module "ecs-app" { source = "../ecs-app" name = "app2" }
26. None

27. // modules/ecs-app/main.tf resource "aws_security_group" "internet_to_alb" {...} resource "aws_security_group" "alb_to_ecs" {...}

    resource "aws_lb" "alb" {...} resource "aws_ecs_task_definition" "atlantis" {...} resource "aws_ecs_service" "atlantis" {...} resource "aws_cloudwatch_log_group" "atlantis" {...} // modules/atlantis/main.tf module "ecs-app" { source = "../../modules/ecs-app" name = "atlantis" }

28. // modules/ecs-app/main.tf resource "aws_security_group" "internet_to_alb" {...} resource "aws_security_group" "alb_to_ecs" {...}

    resource "aws_nlb" "nlb" {...} resource "aws_ecs_task_definition" "atlantis" {...} resource "aws_ecs_service" "atlantis" {...} resource "aws_cloudwatch_log_group" "atlantis" {...} // modules/atlantis/main.tf module "ecs-app" { source = "../../modules/ecs-app" name = "atlantis" }

29. // => github.com/myorg/tf-modules-ecs-app/main.tf resource "aws_security_group" "internet_to_alb" {...} resource "aws_security_group" "alb_to_ecs"

    {...} resource "aws_nlb" "nlb" {...} resource "aws_ecs_task_definition" "atlantis" {...} resource "aws_ecs_service" "atlantis" {...} resource "aws_cloudwatch_log_group" "atlantis" {...} // modules/atlantis/main.tf module "ecs-app" { source = "github.com/myorg/tf-modules-ecs-app?ref=v1.0" name = "atlantis" }

30. Phase 3: Collaboration and Automation • Coordinating is hard •

    People need credentials to run terraform

31. Phase 3: Collaboration and Automation • Coordinating is hard •

    People need credentials to run terraform

32. Summary • Phase 1: Starting Out ◦ How do I

    structure my repo(s) and files? ◦ I don't know what Terraform to write • Phase 2: All In On Terraform ◦ How do I manage resources I've already created? ◦ How can I extract common patterns? • Phase 3: Collaboration and Automation

33. github.com/runatlantis/atlantis Gràcies / Gracias / Thank You! Preguntes / Preguntas

    / Questions? lkysow