![Terraform (our first attempt)
resource "aws_ecs_task_definition" "app" {
family = "app"
container_definitions = <<EOF
[
{
"cpu": 1024,
"memory": 768,
"environment": [
{
"name": "NODE_ENV",
"value": "stage"
}
],
"image": "segment/app:1.54.14",
"name": "app",
"portMappings": [
{
"containerPort": 8000,
"hostPort": 8000
}
]
}
]
EOF
}](https://image.slidesharecdn.com/hashiconf-abbreviated-161208081940/85/Terraform-at-Scale-35-320.jpg)
![resource "aws_ecs_task_definition" "app" {
family = "app"
container_definitions = <<EOF
[
{
"cpu": 1024,
"memory": 768,
"environment": [
{
"name": "NODE_ENV",
"value": "stage"
}
],
"image": "segment/app:1.54.14",
"name": "app",
"portMappings": [
{
"containerPort": 8000,
"hostPort": 8000
}
]
}
]
EOF
}
<= stage](https://image.slidesharecdn.com/hashiconf-abbreviated-161208081940/85/Terraform-at-Scale-41-320.jpg)
![resource "aws_ecs_task_definition" "app" {
family = "app"
container_definitions = <<EOF
[
{
"cpu": 1024,
"memory": 768,
"environment": [
{
"name": "NODE_ENV",
"value": "stage"
}
],
"image": "segment/app:1.54.14",
"name": "app",
"portMappings": [
{
"containerPort": 8000,
"hostPort": 8000
}
]
}
]
EOF
}
<= stage
resource "aws_ecs_task_definition" "app" {
family = "app"
container_definitions = <<EOF
[
{
"cpu": 1024,
"memory": 3072,
"environment": [
{
"name": "NODE_ENV",
"value": "production”,
}
],
"image": "segment/app:1.54.17",
"name": "app",
"portMappings": [
{
"containerPort": 8000,
"hostPort": 3000
}
]
}
]
EOF
}
prod =>](https://image.slidesharecdn.com/hashiconf-abbreviated-161208081940/85/Terraform-at-Scale-42-320.jpg)
![1. Variables
resource "aws_instance" "bastion" {
ami = "${module.ami.ami_id}"
source_dest_check = false
instance_type = "${var.instance_type}"
subnet_id = "${var.subnet_id}"
key_name = "${var.key_name}"
vpc_security_group_ids = ["${split(",",var.security_groups)}"]
monitoring = true
tags {
Name = "bastion"
Environment = "${var.environment}"
}
}
configurable
configurable
configurable
configurable
configurable](https://image.slidesharecdn.com/hashiconf-abbreviated-161208081940/85/Terraform-at-Scale-71-320.jpg)
![1. Variables
resource "aws_instance" "bastion" {
ami = "${module.ami.ami_id}"
source_dest_check = false
instance_type = "${var.instance_type}"
subnet_id = "${var.subnet_id}"
key_name = "${var.key_name}"
vpc_security_group_ids = ["${split(",",var.security_groups)}"]
monitoring = true
tags {
Name = "bastion"
Environment = "${var.environment}"
}
}
configurable
configurable
configurable
configurable
configurable
non-configurable
non-configurable
non-configurable](https://image.slidesharecdn.com/hashiconf-abbreviated-161208081940/85/Terraform-at-Scale-72-320.jpg)
![1. Variables
resource "aws_instance" "bastion" {
ami = "${module.ami.ami_id}"
source_dest_check = ${var.source_dest_check}
instance_type = "${var.instance_type}"
subnet_id = "${var.subnet_id}"
key_name = "${var.key_name}"
vpc_security_group_ids = ["${split(",",var.security_groups)}"]
monitoring = ${var.monitoring}
tags {
Name = "bastion"
Environment = "${var.environment}"
}
}](https://image.slidesharecdn.com/hashiconf-abbreviated-161208081940/85/Terraform-at-Scale-73-320.jpg)
More Related Content
Similar to Terraform at Scale (20)
![BBC NW_Tech Facilities_30 Odd Yrs Ago [J].pdf](https://cdn.slidesharecdn.com/ss_thumbnails/bbcnwtechfacilities30oddyrsagoj-250830230619-0d747bd6-thumbnail.jpg?width=560&fit=bounds)
Terraform at Scale
- 1. Terraform at Scale Hashiconf Calvin French-Owen Co-Founder of Segment @calvinfo September 7, 2016
- 4. 💖
- 7. Complexity
- 11. How do we move nimbly–while adding people?
- 12. This talk - Terraform at Segment - What makes “good” Terraform - What’s next
- 14. By the numbers - 16 developers working with Terraform - 94 microservices - thousands of AWS resources
- 15. A year with Terraform December 2012 – Launch day April 2015 – Terraform first attempt (v1) November 2015 – Terraform “redux” (v2)
- 16. Before Terraform
- 18. 😱
- 21. Migrating to Terraform April 2015
- 25. Migrating to Terraform 1. AWS accounts per environment
- 26. dev stage prod old prod vpc peering
- 27. dev stage prod old prod vpc peering managed by Terraform
- 28. Separate accounts - confidence to apply ‘at will’ - test the waters without screwing up the old account - any sort of ‘global’ configs are okay
- 29. Migrating to Terraform 1. AWS accounts per environment 2. Docker and ECS
- 32. Terraform (our first attempt) ├── Makefile ├── README.md └── environments ├── dev ├── production └── stage
- 33. Terraform (our first attempt) ├── Makefile ├── README.md └── environments ├── dev ├── production └── stage
- 34. Terraform (our first attempt) environments/stage ├── api.tf ├── bastion.tf ├── dns.tf ├── elasticache.tf ├── elbs.tf ├── iam.tf ├── outputs.tf ├── redis.tf ├── s3.tf ├── terraform.tfstate ├── terraform.tfvars └── vpc.tf
- 35. Terraform (our first attempt) resource "aws_ecs_task_definition" "app" { family = "app" container_definitions = <<EOF [ { "cpu": 1024, "memory": 768, "environment": [ { "name": "NODE_ENV", "value": "stage" } ], "image": "segment/app:1.54.14", "name": "app", "portMappings": [ { "containerPort": 8000, "hostPort": 8000 } ] } ] EOF }
- 36. Life was better
- 37. Life was better!Life was better…
- 38. Life was better!Life was better… but not good.
- 40. Terraform first attempt ├── Makefile ├── README.md └── environments ├── ops ├── production └── stage
- 41. resource "aws_ecs_task_definition" "app" { family = "app" container_definitions = <<EOF [ { "cpu": 1024, "memory": 768, "environment": [ { "name": "NODE_ENV", "value": "stage" } ], "image": "segment/app:1.54.14", "name": "app", "portMappings": [ { "containerPort": 8000, "hostPort": 8000 } ] } ] EOF } <= stage
- 42. resource "aws_ecs_task_definition" "app" { family = "app" container_definitions = <<EOF [ { "cpu": 1024, "memory": 768, "environment": [ { "name": "NODE_ENV", "value": "stage" } ], "image": "segment/app:1.54.14", "name": "app", "portMappings": [ { "containerPort": 8000, "hostPort": 8000 } ] } ] EOF } <= stage resource "aws_ecs_task_definition" "app" { family = "app" container_definitions = <<EOF [ { "cpu": 1024, "memory": 3072, "environment": [ { "name": "NODE_ENV", "value": "production”, } ], "image": "segment/app:1.54.17", "name": "app", "portMappings": [ { "containerPort": 8000, "hostPort": 3000 } ] } ] EOF } prod =>
- 43. 2. one massive local state
- 47. $ terraform plan –target=aws_elb.feels_so_easy
- 48. $ terraform plan –target=aws_elb.oh_no_what_have_w
- 50. Terraform v1 Problems 1. massive shared state 2. locally stored state 3. drift between environments
- 51. Terraform v1 Problems 1. massive shared state: split states 2. locally stored state: remote state 3. drift between environments: modules
- 53. core (vpc, networking, security groups, asgs) auth api site db cdn services
- 54. core (vpc, networking, security groups, asgs) auth api site db cdn services →readonly→
- 55. /** * Remote state. */ resource "terraform_remote_state" "state" { backend = "s3" config { bucket = "segment-ops" key = "terraform/${var.environment}/terraform.tfstate" } } data "template_file" ”test" { template = "${file("${path.module}/init.tpl")}" vars { zone_id = "${terraform_remote_state.state.zone_id}" } }
- 56. /** * Remote state. */ resource "terraform_remote_state" "state" { backend = "s3" config { bucket = "segment-ops" key = "terraform/${var.environment}/terraform.tfstate" } } data "template_file" ”test" { template = "${file("${path.module}/init.tpl")}" vars { zone_id = "${terraform_remote_state.state.zone_id}" } } read only!
- 57. /** * Remote state. */ resource "terraform_remote_state" "state" { backend = "s3" config { bucket = "segment-ops" key = "terraform/${var.environment}/terraform.tfstate" } } data "template_file" ”test" { template = "${file("${path.module}/init.tpl")}" vars { zone_id = "${terraform_remote_state.state.zone_id}" } } read only! reference
- 59. v2: modules
- 65. What makes good* Terraform? *for some definitions of good
- 67. Docker AMIs by Packer
- 68. Service Config by Terraform
- 69. 1. Variables 2. Composition 3. State 4. Versioning
- 70. 1. Variables - anything a user might want to override should be a variable - use defaults liberally
- 71. 1. Variables resource "aws_instance" "bastion" { ami = "${module.ami.ami_id}" source_dest_check = false instance_type = "${var.instance_type}" subnet_id = "${var.subnet_id}" key_name = "${var.key_name}" vpc_security_group_ids = ["${split(",",var.security_groups)}"] monitoring = true tags { Name = "bastion" Environment = "${var.environment}" } } configurable configurable configurable configurable configurable
- 72. 1. Variables resource "aws_instance" "bastion" { ami = "${module.ami.ami_id}" source_dest_check = false instance_type = "${var.instance_type}" subnet_id = "${var.subnet_id}" key_name = "${var.key_name}" vpc_security_group_ids = ["${split(",",var.security_groups)}"] monitoring = true tags { Name = "bastion" Environment = "${var.environment}" } } configurable configurable configurable configurable configurable non-configurable non-configurable non-configurable
- 73. 1. Variables resource "aws_instance" "bastion" { ami = "${module.ami.ami_id}" source_dest_check = ${var.source_dest_check} instance_type = "${var.instance_type}" subnet_id = "${var.subnet_id}" key_name = "${var.key_name}" vpc_security_group_ids = ["${split(",",var.security_groups)}"] monitoring = ${var.monitoring} tags { Name = "bastion" Environment = "${var.environment}" } }
- 74. 2. Composition - build modules as you need them - it’s okay if not everything fits the abstraction
- 75. 2. Composition – “full stack” module “stack” { source = “github.com/segmentio/stack” name = “my-stack” environment = “production” }
- 76. 2. Composition – inside stack module "vpc" { source = "./vpc” … } module "security_groups" { source = "./security-groups” … } module "bastion" { source = "./bastion” … } module "dhcp" { source = "./dhcp” … }
- 77. 2. Composition – byo edition module “cluster” { source = “github.com/segmentio/stack//ecs-cluster” environment = “prod” name = “cdn” vpc_id = “vpc-eff2eada” image_id = “ami-204faaf3” }
- 78. 3. State management - separate core from services - states per service - use atlas or s3 - use binary plans
- 79. core (vpc, networking, security groups, asgs) auth api site db cdn services →readonly→
- 80. 4. Versioning module “stack” { source = “github.com/segmentio/stack?ref=v1.x” }
- 81. What’s next
- 82. What’s next - Applying in CI - Atlas - Data sources - Terraform generation
- 84. Fin
- 85. Prior Art Stack: github.com/segmentio/stack Atlas Examples: github.com/hashicorp/atlas-examples