Many companies continue to manaully create and manage their cloud infrastructure via web consoles. Documenting these procedures is challenging, especially since the interfaces are always evolving. Reviewing the changes is also difficult, and it often involves having a coworker watching over your shoulder. Rolling back a bad change requires deleting your current work and attemtping to manually re-create the old infrastructure from memory. Scaling or deploying the infrastructure to new environments also often involves manually re-creating it. Hashicorp's Terraform allows for the management of infrastructure as code. While a growing number of groups have started to utilize this tool, most are only just beginning to scratch the surface of its potential. Yes, Terraform can be used to create and manage resources in AWS and other cloud providers. However, thanks to an ever growing number of providers, it can manage resources in many other popular cloud services. At Yelp, we use Terraform to manage our AWS resources, DNS records in NS1, CDN configuration in Fastly and Cloudflare, and our charts and dashboards in SignalFx. This setup provides us with the ability to maintain our infrastructure as code in a version control system that can be put through standard code review flows. If we discover an issue, we can revert to an older, working commit and restore our infrastructure to that point in time. Documentation can include code snippets that can be easily copied/pasted in an error free manner. Finally, resources managed by one Terraform provider can benefit from and utilize information from resources managed by another provider. This means that launching a new AWS EC2 instance can automatically update the necessary DNS records in NS1, and then create a dashboard filled with customized charts designed to monitor the instance.

1. Nathan Handler
nhandler@yelp.com / @nathanhandler
Terraform all the Things

2. ● Nathan Handler
● Yelp Site Reliability Engineer
● nhandler@yelp.com / @nathanhandler
Who am I?

3. Yelp’s Mission
Connecting people with great
local businesses.

4. The Old Way

7. aws ec2 run-instances
--image-id ami-abcd1234
--count 1
--instance-type t2.micro
--key-name demokey
--security-group-ids sg-1a2b3c4d
--subnet-id subnet-d4c3b2a1
--iam-instance-profile Name=MyInstanceProfile
--tag-specifications
'ResourceType=instance,Tags=[
{Key=Environment,Value=Production}]'
--region us-west-1

8. github.com/wallix/awless

9. Tools should not dictate your Processes

10. ● Version Control
● Reviewable
● Utilizes existing APIs/SDKs
● No single vendor lock-in
What are we looking for?

12. provider "aws" {
access_key = "ACCESS_KEY_HERE"
secret_key = "SECRET_KEY_HERE"
region = "us-east-1"
}
resource "aws_instance" "example" {
ami = "ami-2757f631"
instance_type = "t2.micro"
}

13. Why not CloudFormation?

14. Why not CloudFormation?

15. What about {Chef, Puppet, Ansible, …}?
Terrafor
m
Configuration
Management

16. Traps, Tips, and Gotchas

17. Scare Factor

18. AWS

19. NS1

20. resource "ns1_zone" "tld" {
zone = "terraform.example"
}
resource "ns1_record" "www" {
zone = "${ns1_zone.tld.zone}"
domain = "www.${ns1_zone.tld.zone}"
type = "CNAME"
ttl = 60
answers = {
answer = "sub1.${ns1_zone.tld.zone}"
}
answers = {
answer = "sub2.${ns1_zone.tld.zone}"
}
filters = {
filter = "select_first_n"
config = {
N = 1
}
}
}

21. SignalFx

22. variable "regions" {
default = ["regionA", "regionB", "regionC", "regionD"]
}
resource "signalform_detector" "application_delay" {
count = "${length(var.regions)}"
name = "max delay - ${var.regions[count.index]}"
description = "delay in region - ${var.regions[count.index]}"
program_text = <<-EOF
filters = filter("region","${var.regions[count.index]}")
signal = data("app.delay", filter=filters).max()
detect("Processing old messages 5m", when(signal > 60, "5m"))
EOF
rule {
description = "Max delay > 60s for 5m"
severity = "Critical"
detect_label = "Processing old messages since 5m"
notifications = ["Email,foo-alerts@bar.com"]
}
}
resource "signalform_dashboard" "queue_length_dashboard" {
name = "Queue Length Dashboard"
time_range = "-1h"
variable {
property = "region"
alias = "region"
values = ["regionA"]
values_suggested = "${var.regions}"
value_required = true
restricted_suggestions = true
}
chart {
chart_id = "${signalform_list_chart.queue_length.id}"
width = 6
row = 1
}
}
resource "signalform_list_chart" "queue_length" {
name = "queue length"
program_text = <<-EOF
filters = filter("device", "dm-0")
data("iostat.queue_length", filter=filters).mean().publish()
EOF
color_by = "Dimension"
refresh_interval = 60
sort_by = "-value"
}

23. Discovering Dynamic Resources

24. Fastly / Cloudflare

25. resource "fastly_service_v1" "demo" {
name = "demofastly"
domain {
name = "demo.notexample.com"
comment = "demo"
}
backend {
address = "127.0.0.1"
name = "localhost"
port = 80
}
force_destroy = true
vcl {
name = "my_custom_main_vcl"
content = "${file("${path.module}/my_custom_main.vcl")}"
main = true
}
vcl {
name = "my_custom_library_vcl"
content = "${file("${path.module}/my_custom_library.vcl")}"
}
}

26. resource "cloudflare_record" "foobar" {
domain = "${var.cloudflare_domain}"
name = "terraform"
value = "192.168.0.11"
type = "A"
ttl = 3600
}

27. State Management

28. Remote State

29. Locking

30. Makefile Wrapper

31. Access Keys

32. Permissions

33. Modules

34. Outputs

35. What do Outputs look like?

36. Rolling Back

37. Automatic Applications

38. Generated Terraform Code

39. Perfect World

40. Questions?

41. www.yelp.com/careers/
We're Hiring!

42. @YelpEngineering
fb.com/YelpEngineers
engineeringblog.yelp.com
github.com/yelp