Configuration Management and Provisioning Are Different Carlos Nunez [email protected] | @easiestnameever 

What’s Provisioning? Provisioning tools enable you to create, modify and/or delete infrastructure using code and/or APIs. 

Provisioning In A Nutshell OLD NEW Get hardware* terraform plan terraform apply * Or AWS/Google Cloud/Heroku/etc account. Get hardware* Run install scripts Consult runbook Configure CM, if necessary Wait for CM to apply 

Why Provisioning Tools? Infrastructure deployment procedures as code --- no more docx runbooks Save you time ($$$) from writing your own provisioning code Enables infrastructure deployment testing just like code --- no fragile infrastructure 

Provisioning: An Example # ~/code/terraform/main.yml resource "aws_instance" "ec2_instance" { ami = "${var.ami_id}" count = "${var.number_of_instances}" subnet_id = "${var.subnet_id}" instance_type = "${var.instance_type}" user_data = "${var.user_data}" key_name = "${var.key_name}" vpc_security_group_ids = ["${var.security_group_ids}"] tags { Name = "${var.instance_name}-${count.index}" } associate_public_ip_address = "${var.create_public_ip_address}“ provisioner “remote-exec” { inline = [ “git clone $ANSIBLE_REPO /tmp/ansible”, “ansible-playbook –i ${var.ansible_inventory} –vvv ${var.playbook} ] } } $> cd ~/code/terraform $> terraform plan –var-file ./environments/dev –var number_of_instances=1000 $> terraform apply –var-file ./environments/dev –var number_of_instances=1000 This is how you define an AWS EC2 instance with Terraform. You can make your own providers for nearly any server, networking device, or other piece of infrastructure you want to provision. Boom. You’ve just deployed 1,000 development EC2 instances, all configured by Ansible. Nice. * Until it’s not. But it usually is. 

Why Config Management? Configuration management expresses the state of your infrastructure with code and/or APIs. 

What’s Config Management? Consistent and repeatable infrastructure Simple domain-specific language --- anyone can read and contribute APIs allow easier tooling and scalability 

Config Management: An Example --- # an example of an ansible playbook main.yml - name: install tree sudo: yes apt: name={{ item }} state=present with_items: - tree --- # an example of which hosts would receive the above - hosts: useless_server.va1.example.com roles: - has_tree Roles in Ansible group specific actions to be applied onto hosts. This is an example of a role called has_tree. It installs tree. Yay, tree. This is how you tell Ansible to install tree onto servers. It really is that easy. Not kidding.* * Until it’s not. But it usually is. 

You might be thinking… Let’s provision stuff with Ansible! 

You might be thinking… Let’s not. 

Provisioning and CM are different There’s a cost to idempotency. 

Complexity in simplicity --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ Here is a simple playbook that deploys an EC2 instance. We’re assuming that our options such as its access and secret keys and AMI ID will be provided through a variable file. --- # ~/code/ansible/configure_nginx_web_server.yml - hosts: webservers tasks: - name: Install nginx ... - name: Configure it ... This (incomplete) playbook will configure hosts in the webservers group with NGINX. We’ll assume that this will run on ec2 servers tagged with “application: web_server” by way of dynamic inventory. 

Complexity in simplicity --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ --- # ~/code/ansible/configure_nginx_web_server.yml - hosts: webservers tasks: - name: Install nginx ... - name: Configure it ... How can we guarantee this? 

Complexity in simplicity --- # ~/code/ansible/configure_nginx_web_server.yml - hosts: webservers tasks: - name: Install nginx ... - name: Configure it ... when: instance_count < 3 --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Obtain number of web instances currently present shell: “aws ec2 describe_instances --filter {{ ec2_filter }} --query ‘Reservations[].Instances[].Id’ –output text | wc –l” register: command_result - set_fact: instance_count: “{{ command_result.stdout | int }}” - fail: msg: “Invalid instance count!” when: instance_count < 0 ... # continued to the right -> --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ Get state externally is how! 

Complexity in simplicity --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Obtain number of web instances currently present shell: “aws ec2 describe_instances --filter {{ ec2_filter }} --query ‘Reservations[].Instances[].Id’ –output text | wc –l” register: command_result - set_fact: instance_count: “{{ command_result.stdout | int }}” - fail: msg: “Invalid instance count!” when: instance_count < ... 1. What happens if your external dependency isn’t available? 2. What happens with unexpected output? 3. What if this external dependency is slow? 

Complexity in simplicity --- # ~/code/ansible/tasks/ec2/retrieve_instance_count.yml - include: tasks/check_for_awscli.yml - name: Obtain number of web instances currently present shell: “{{ awscli_path }} ec2 describe_instances --filter {{ ec2_filter }} --query ‘Reservations[].Instances[].Id’ –output text | wc –l” register: command_result - set_fact: instance_count: “{{ command_result.stdout | int }}” - fail: msg: “Invalid instance count!” when: instance_count < 0 “Modularize” it! --- # ~/code/ansible/tasks/ec2/check_for_awscli.yml - name: Find awscli binary shell: “which awscli” register: command_result - fail: msg: “AWSCLI was not found.” when: command_result.exit_code != - set_fact: awscli_path: “{{ command_result.stdout }}” --- # ~/code/ansible/deploy_ec2_web_server.yml - include: tasks/ec2/retrieve_instance_count.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} ... 

Complexity in simplicity --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ Want to create things like security groups dynamically? Prepare for more of that. 

Complexity in simplicity simplicity 

Complexity in simplicity --- # ~/code/terraform/web_servers.tf resource “aws_instance” “ec2_instance” { ami = “${var.ami_id}” count = “${var.number_of_instances}” subnet_id = “${var.instance_type}” user_data = “${var.user_data}” key_name = “${var.key_name}” tags { cost_center = “${var.cost_center}” application = “web servers” project_name = “${var.project_name}” } associate_public_ip_address = yes } simplicity. 

Stateless provisioning is tricky Keeping environment state is up to you. 

Stateless provisioning is tricky --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ --- # ~/code/ansible/configure_nginx_web_server.yml - hosts: webservers tasks: - name: Install nginx ... - name: Configure it ... What happens to existing instances when this changes? 

Stateless provisioning is tricky --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ --- # ~/code/ansible/configure_nginx_web_server.yml - hosts: webservers tasks: - name: Install nginx ... - name: Configure it ... Nothing. You have to write a new task to update them. 

Complexity in simplicity --- # ~/code/terraform/web_servers.tf resource “aws_instance” “ec2_instance” { ami = “${var.ami_id}” count = “${var.number_of_instances}” subnet_id = “${var.instance_type}” user_data = “${var.user_data}” key_name = “${var.key_name}” tags { cost_center = “${var.cost_center}” application = “web servers” project_name = “${var.project_name}” } associate_public_ip_address = yes } stateful. 

Stateless provisioning is tricky --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ --- # ~/code/ansible/configure_nginx_web_server.yml - hosts: webservers tasks: - name: Install nginx ... - name: Configure it ... What happens if this fails? 

Stateless provisioning is tricky --- # ~/code/ansible/deploy_ec2_web_server.yml - name: Provision an EC2 web server instance. ec2: aws_access_key: {{ aws_access_key }} aws_secret_key: {{ aws_secret_key }} exact_count: {{ number_of_instances }} group: [ ‘web’, ‘ansible_managed’ ] instance_type: t2.medium monitoring: yes key_name: {{ aws_ec2_access_key }} vpc_subnet_id: {{ vpc_subnet_id }} assign_public_ip: yes ami_id: {{ aws_ami_id }} instance_tags: cost_center: {{ cost_center }} project_code: {{ project_code }} application: ‘web_server’ --- # ~/code/ansible/configure_nginx_web_server.yml - hosts: webservers tasks: - name: Install nginx ... - name: Configure it ... Nothing. Rollback is on you. 

Complexity in simplicity --- # ~/code/terraform/web_servers.tf resource “aws_instance” “ec2_instance” { ami = “${var.ami_id}” count = “${var.number_of_instances}” subnet_id = “${var.instance_type}” user_data = “${var.user_data}” key_name = “${var.key_name}” tags { cost_center = “${var.cost_center}” application = “web servers” project_name = “${var.project_name}” } associate_public_ip_address = yes } safe. 

Provisioning Tools Cumulus SparkleFormation 

Provisioning Tools Cumulus SparkleFormation + Chef/Ansible/Puppet? 

Provisioning Tools Cumulus SparkleFormation + Chef/Ansible/Puppet? SURE! 

Thanks!