1. The document discusses immutable infrastructure using Terraform, including defining immutable principles as not installing new software, updating servers, changing configurations, or updating code, but instead replacing infrastructure by building new images.
2. It promotes Terraform for implementing immutable infrastructure due to features like being declarative, having a state file and simple configuration language, and enabling reusable modules.
3. The document emphasizes testing infrastructure as code using tools like Terratest to test from top to bottom and prevent releasing without testing.
2. Sergii Marchenko
Head of IT at Dev-Pro
10 years in IT
Loves Terraform and PowerShell :))
Knows a bit about DevOps
Thinks he can write some code in Go
Email: sergihire@gmail.com
Skype: sergihire
https://github.com/s-marchenko/GoWeb-PostgreSQL
8. Mutable
1. Servers drift (provisioned at different times, manual actions, random failures)
2. You no longer know how to configure it from scratch (Snowflake Server)
3. Hard to keep multiple servers identical (Dev/Stage/Prod, Blue-Green)
10. Immutable principles
1. Don't install new software
2. Don't update servers
3. Don't change configs
4. Don't update code
5. The only thing you can do with your infra is DELETE IT
11. Software update?
Build a new image, replace the old one.
Config update?
Build a new image, replace the old one.
Deploy a new version of the code?
Build a new image, replace the old one.
Docker brought us the immutable approach
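As an added example (not from the original deck), this is what "build a new image, replace the old one" looks like in Terraform on GCP, the platform used by the test slide later on. The image family `web-app`, the variables `region` and `project_name`, the instance size and the group size are assumptions; the image itself is expected to come from a separate image-building pipeline such as Packer.

```hcl
# Added example, not from the original deck. Assumes an image family
# "web-app" that a separate pipeline (e.g. Packer) publishes new images to,
# and variables region/project_name as in the Terratest snippet later on.

variable "region"       { type = string }
variable "project_name" { type = string }

# Always resolve the newest image in the family. A new image => a new
# template => the running instances get replaced, never patched in place.
data "google_compute_image" "web" {
  family  = "web-app"
  project = var.project_name
}

resource "google_compute_instance_template" "web" {
  # name_prefix instead of name: Terraform can create the successor
  # template before destroying the current one (templates are immutable).
  name_prefix  = "web-"
  machine_type = "e2-small"
  region       = var.region

  disk {
    source_image = data.google_compute_image.web.self_link
    boot         = true
    auto_delete  = true
  }

  network_interface {
    network = "default"
  }

  # No project-wide SSH keys and no startup script that installs packages:
  # everything the server needs is baked into the image.
  metadata = {
    block-project-ssh-keys = "true"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_instance_group_manager" "web" {
  name               = "web-mig"
  base_instance_name = "web"
  zone               = "${var.region}-a"
  target_size        = 2

  version {
    instance_template = google_compute_instance_template.web.self_link
  }

  # Roll the new template out by REPLACING instances (fresh boot from the
  # new image), surging one extra instance so capacity never drops.
  update_policy {
    type                  = "PROACTIVE"
    minimal_action        = "REPLACE"
    max_surge_fixed       = 1
    max_unavailable_fixed = 0
  }
}
```

When the pipeline publishes a new image into the family, `terraform plan` shows the template being replaced and the instance group updated; the instances are rebuilt from the new image rather than modified in place, which is the whole point of the rule above.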
14. TF is good
● A master is not required
● An agent is not required
● Declarative
● Tracks what it manages in a state file
● Simple Configuration Language (HCL)
● TF plan shows changes before they are applied
● Count
● Loops and conditionals (for expressions, conditional expressions)
15. TF is good
● TF is a kind of documentation
● Clear change management (version control)
● Reusable (dev, stg, prod)
● Not only for small teams; works for 10+ DevOps/SRE engineers
● The best way to implement the immutable infrastructure approach
● Fast (hey, Ansible)
21. No manual actions!
1. No manual actions
2. No, you can't create a tiny resource manually
3. Yes, it matters
4. No, there are no exceptions to the rule
5. Yes, local-exec is better than manual actions
22. Use a vault for secrets
1. Hashi Vault
2. AWS KMS
3. Azure Key Vault
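Added example (not from the deck) of the first option: a database password is read from HashiCorp Vault at plan time instead of being typed into a `.tfvars` file. The KV v2 mount `secret`, the secret path `prod/db` with a `password` key, and the Cloud SQL instance name `app-db` are assumptions.

```hcl
# Added example, not from the original deck. Assumes Vault's KV v2 engine
# is mounted at "secret", holds a secret at prod/db with a "password" key,
# and that VAULT_ADDR / VAULT_TOKEN are set in the environment of whoever
# runs terraform (ideally CI, not a laptop).

provider "vault" {}

# Weak setting: the password travels through an input variable, so it has
# to live in a tfvars file, a CI variable or someone's shell history.
#
#   variable "db_password" { type = string }
#
# Corrected: fetch it from Vault when terraform runs. Nothing secret is
# committed to git and Vault's audit log records who read it.
data "vault_kv_secret_v2" "db" {
  mount = "secret"
  name  = "prod/db"
}

resource "google_sql_user" "app" {
  name     = "app"
  instance = "app-db"   # assumed Cloud SQL instance name
  password = data.vault_kv_secret_v2.db.data["password"]
}

# Only non-secret facts leave the module as outputs.
output "db_user" {
  value = google_sql_user.app.name
}
```

The Vault provider marks the `data` map sensitive, so the password is redacted in plan output. It is still written to `terraform.tfstate` in plain text together with the `google_sql_user` attributes, which is why the state backend itself needs access control (see the "Why NOT use Terraform" slide).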
27. Test everything
1. From top to bottom (automated QA tests, integration tests, "unit" tests)
2. Use Terratest - https://github.com/gruntwork-io/terratest
3. Write tests in Go
28. Terraform tests
package test

import (
	"testing"

	"github.com/gruntwork-io/terratest/modules/terraform"
)

// TestVmExample applies the vm_test module against a real GCP project and
// destroys everything again when the test finishes.
func TestVmExample(t *testing.T) {
	t.Parallel()

	terraformOptions := &terraform.Options{
		// Relative path to the Terraform module under test.
		TerraformDir: "../modules/vm_test",
		// Values passed as -var to terraform apply.
		Vars: map[string]interface{}{
			"environment":  "test",
			"region":       "europe-north1",
			"project_name": "learned-acolyte-221721",
			// Path to the GCP service account key used by the provider
			// (better read from an env var than hard-coded to one developer's home directory).
			"path_to_context": "/Users/sergii.marchenko/work/keys/gcp/Iegor-072a850167f3.json",
		},
	}

	// Always tear down what the test created, even if apply fails.
	defer terraform.Destroy(t, terraformOptions)

	// terraform init + terraform apply; fails the test on any error.
	terraform.InitAndApply(t, terraformOptions)
}
36. Why NOT use Terraform
1. Immutable doesn't work in some cases
2. IaC is not cheap
3. Security is a pain in the ass
4. Terraform has weaknesses
a. Backend configuration doesn't support interpolation (no variables in the backend block)
b. TF state contains secrets in plain text
c. Many other open issues
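Added example (not from the deck) showing the usual workaround for weakness (a) and the minimum protection for weakness (b): a partial backend block completed from the command line, and a state bucket with versioning, uniform access control and a customer-managed key. The bucket name, project, KMS key and CI service account are assumptions.

```hcl
# Added example, not from the original deck. Bucket, project, key and
# service account names are assumptions.

# (a) The backend block cannot reference variables or locals, so keep it
# empty in code and pass the per-environment values at init time:
#
#   terraform init \
#     -backend-config="bucket=acme-tfstate-prod" \
#     -backend-config="prefix=web"
#
# Each environment gets its own bucket/prefix without copying the config.
terraform {
  backend "gcs" {}
}

# (b) State contains every attribute Terraform knows, passwords included,
# in plain text, so the bucket is a secret store and is treated as one.
# This resource lives in a small bootstrap configuration that is applied
# once, with local state, before the backend above is enabled.
resource "google_storage_bucket" "tfstate" {
  name     = "acme-tfstate-prod"
  location = "EU"

  # Weak default: fine-grained ACLs that let single objects be shared.
  # Corrected: one IAM policy on the whole bucket, no per-object ACLs.
  uniform_bucket_level_access = true

  # Keep old versions so a corrupted or maliciously overwritten state can
  # be rolled back.
  versioning {
    enabled = true
  }

  # Customer-managed key: reading state also requires access to the key.
  encryption {
    default_kms_key_name = "projects/acme-prod/locations/eu/keyRings/tf/cryptoKeys/state"
  }

  # A careless apply must not be able to delete the state bucket.
  lifecycle {
    prevent_destroy = true
  }
}

# Only the CI service account that runs terraform may read or write state;
# humans get no standing access to the bucket.
resource "google_storage_bucket_iam_binding" "tfstate_rw" {
  bucket  = google_storage_bucket.tfstate.name
  role    = "roles/storage.objectAdmin"
  members = ["serviceAccount:terraform-ci@acme-prod.iam.gserviceaccount.com"]
}
```

The Cloud Storage service agent of the project needs the encrypter/decrypter role on the KMS key before the bucket can use it; without that, object writes (including the first `terraform apply` that uses the backend) fail. Locking and versioning protect against concurrent and accidental overwrites, but nothing here removes the secrets from state: that is only addressed by not putting them into Terraform-managed attributes in the first place.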
38. Resources:
Book: Terraform: Up & Running, 2nd edition
Course: https://learn.hashicorp.com/terraform
Video: https://www.youtube.com/watch?v=LVgP63BkhKQ
Some code to play with: https://github.com/s-marchenko/GoWeb-PostgreSQL