Copyright © 2019 HashiCorp Test Infrastructure in Production with Terraform WWCode Cloud | Dec. 18, 2019 Rosemary Wang | @joatmon08 

Network engineers live dangerously. 

My users = developers ▪ Push and deliver code at any time ▪ Availability of application depends on system 

How do we change infrastructure without impacting applications? 

Infrastructure-as-Code* * Not really. 

Let’s talk software development. 

How do we work? ▪ Feature release vs. Continuous Delivery ▪ Feature branching vs. Trunk-based ▪ Mono- vs. Multi-Repository 

Approaches ▪ Shift-left testing (e.g., staging) ▪ Feature Toggles ▪ Canary Testing ▪ A/B Testing 

Shift-Left Testing ▪ Test before production ▪ Assess change impact ▪ Can apply Test-Driven Development 

Integration Tests Contract Tests Unit Tests “Ideal” Testing Pyramid Manual Testing Cost (Time, $$$) End-to-End Tests 

Unit / Contract Testing CODE EDITOR contains_variables(variables) { variables[_].vpc_cidr[0].value = "10.128.0.0/25" variables[_].region[0].value = "eu-central-1" variables[_].owner[0] } deny[msg] { not contains_variables(input.variables) msg = "Variables are not populated with expected values" } 

12 

Challenges ▪ Cost of lower environments ▪ Imperfect indicator – Net new each time? – Dependencies? 

Feature Toggles ▪ Preserve state, if possible ▪ Inject with roll forward mindset ▪ Don’t write toggles at the start 

Feature Toggles CODE EDITOR resource "aws_instance" "example_bionic" { count = var.enable_new_ami ? 1 : 0 instance_type = "t2.micro" ami = data.aws_ami.ubuntu_bionic.id tags = { Terraform = "true" Owner = var.owner Has_Toggle = var.enable_new_ami } } 

Canary Testing ▪ Smoke test before release ▪ Easier with container architectures – e.g., VM images for Kubernetes worker nodes 

Canary Testing CODE EDITOR resource "aws_instance" "canary" { count = var.enable_new_network ? 1 : 0 instance_type = "t2.micro" ami = data.aws_ami.ubuntu.id vpc_security_group_ids = [aws_security_group.instances _green.id] subnet_id = aws_subnet.public_green.id tags = { Name = "${var.prefix}-canary" Owner = var.owner } } 

VPC (blue) 10.128.0.0/24 VPC (green) 10.128.0.0/28 APP APP APP APP KITCHEN INSTANCE APP APP CANARY CAN I CONNECT? 

Kubernetes Control Plane Kubernetes Node Group (Insecure OS) Kubernetes Node Group (Secure OS) INTERNAL EXTERNAL EXTERNAL EXTERNAL EXTERNAL INTERNAL INTERNAL kubectl taint nodes external=true:NoExecute 

A/B Testing ▪ Infrastructure that affect upstream Service Level Objectives ▪ Hypotheses: –Does X batch process more quickly than Y? –Does X cost more than Y? 

Kafka FaaS “Data Lake” versus Kafka Spark “Data Lake” APPLICATION APPLICATION APPLICATION APPLICATION Does Spark + Kafka architecture process faster with lower cost? 

Regular VM versus Network Optimized VM Does a new instance reduce latency? APPLICATION APPLICATION APPLICATION APPLICATION 

Conclusions ▪ Test in production organizes infrastructure blast radius ▪ Risk mitigation over risk aversion ▪ “Infrastructure-as-Code” is heuristic 

Resources ▪ learn.hashicorp.com/terraform ▪ hashicorp.com/blog/terraform-feature-toggles-blue-green- deployments-canary-test ▪ hashicorp.com/resources/test-driven-development-tdd-for- infrastructure ▪ discuss.hashicorp.com ▪ app.terraform.io 

joatmon08.github.io Rosemary Wang (she/her) Developer Advocate at HashiCorp @joatmon08 joatmon08 linkedin.com/in/rosemarywang/ 25