1. The document discusses immutable infrastructure using Terraform, including defining immutable principles as not installing new software, updating servers, changing configurations, or updating code, but instead replacing infrastructure by building new images. 2. It promotes Terraform for implementing immutable infrastructure due to features like being declarative, having a state file and simple configuration language, and enabling reusable modules. 3. The document emphasizes testing infrastructure as code using tools like Terratest to test from top to bottom and prevent releasing without testing.

1. Immutable infrastructure
with Terraform
by Sergii Marchenko

2. Sergii Marchenko
Head of IT at Dev-Pro
10 years in IT
Loves Terraform, and PowerShell :))
Knows a bit about DevOps
Thinks he can write some code in Go
Email: sergihire@gmail.com
Skype: sergihire
https://github.com/s-marchenko/GoWeb-PostgreSQL

3. How configuration docs look like

4. Spinning up a new server

5. IaC approaches
IaC is a must

6. 1. Chief
2. Puppet
3. Ansible
4. Cloudformation
5. Terraform
6. Pulumi
7. Code (Java, Go, JS)
IaC tools

7. IaC approaches
Mutable or Immutable

8. Mutable
1. Server Drifts (Provisioning at diff time, manual actions, random failures)
2. You don't know how to configure it once again (Snowflake Server)
3. Hard to support multiple identical servers (Dev/Stage/Prod, Blue-Green)

9. IaC approaches
Immutable

10. 1. Don’t install new software
2. Don’t update servers
3. Don’t change configs
4. Don’t update code
5. Just one thing you can do with you infra - DELETE IT
Immutable principles

11. Software update?
Build a new image, replace the old one.
Config update?
Build a new image, replace the old one.
Deploy a new version of the code?
Build a new image, replace the old one.
Docker brings us immutable approach

13. Why Terraform?

14. TF is good
● A master is not required
● An agent is not required
● Declarative
● There is a state in the state file
● SImple Configuration Language (HCL)
● TF plan
● Count
● Loops (For, if)

15. TF is good
● TF is a kind of documentation
● Clear change management (version control)
● Reusable (dev, stg, prod)
● Not only for a small team, works for 10+ DevOps/SRE
● The best way to implement Immutable infrastructure approach
● Fast (hey, Ansible)

16. Why Terraform

17. Modules
● Modules
● Yes, modules
● One more time, modules
● Many modules

18. Simple TF code
resource "google_compute_disk" "default" {
name = "test-disk"
type = "pd-ssd"
zone = "us-west1-b"
image = "debian-8-jessie-v20170523"
labels = {
environment = "dev"
}

19. Module
module "database" {
source = "../database"
environment = var.environment
region = var.region
whitelist = var.whitelist
project_name = var.project_name
}

20. How to start?

21. No manual actions!
1. No manual actions
2. No, you can't create a tiny resource manually
3. Yes, it matters
4. No, there are no exceptions to the rule
5. Yes, local-exec is better than manual actions

22. Use a Vault for secrets
1. Hashi Vault
2. AWS KMS
3. Azure Key Vault

23. Use modules
1. Reusable
2. Simple
3. Testable

24. Create before destroy
resource "google_compute_instance" "vm" {
name = "${var.environment}-${var.role}-${count.index}-${replace(var.code_version,".","-")}"
zone = element(var.zone, count.index)
deletion_protection = false
machine_type = var.machine_type
count = var.vm_count
project = var.project_name
lifecycle {
create_before_destroy = true
}
...
}

25. Dependency, triggers
resource "null_resource" "startupscript" {
count = "${var.vm_count}"
depends_on = [google_compute_instance.vm]
triggers = {
cluster_instance_ids = google_compute_instance.vm[count.index].instance_id
}
lifecycle {
create_before_destroy = true
}
}

26. Files structure
1. Separate persistent data
2. Separate networking
3. Global, mgmt and envs

27. Tests everything
1. From top to bottom (Automation QA tests, Integration, “Units”)
2. Use Terratest - https://github.com/gruntwork-io/terratest
3. Write tests in Golang

28. Terraform tests
package test
import (
"github.com/gruntwork-io/terratest/modules/terraform"
"testing"
)
func TestVmExample(t *testing.T) {
t.Parallel()
terraformOptions := &terraform.Options{
// You should update this relative path to point at your mysql
// example directory!
TerraformDir: "../modules/vm_test",
Vars: map[string]interface{}{
"environment": "test",
"region": "europe-north1",
"project_name": "learned-acolyte-221721",
"path_to_context": "/Users/sergii.marchenko/work/keys/gcp/Iegor-072a850167f3.json",
},
}
defer terraform.Destroy(t, terraformOptions)
terraform.InitAndApply(t, terraformOptions)
}

29. Releases without testing

30. Releases with IaC and tests

31. Tests, demo

32. Don’t stop
1. Use it for Resource Groups/Accounts
2. Use it for Data Structures (Keys)

33. While a yak is shaving, your business is losing
money
Don’t re-configure resources, create new!

34. Is it a silver bullet?

35. Immutability trade-off
1. Persistent data
2. Works in clouds, it’s hard to implement on hardware (NOT 100%)

36. Why NOT use Terraform
1. Immutable doesn't work in some cases
2. IaC is not cheap
3. Security is a pain in the ass
4. Terraform has weaknesses
a. Backend doesn't support interpolation
b. TF state contains secrets
c. Multiple issues

37. But, it still works for many cases

38. Resources:
Book: Terraform: Up & Running, 2nd edition
Course: https://learn.hashicorp.com/terraform
Video: https://www.youtube.com/watch?v=LVgP63BkhKQ
Some code to play with: https://github.com/s-
marchenko/GoWeb-PostgreSQL

39. My contacts:
Email: sergihire@gmail.com
Skype: sergihire
https://github.com/s-marchenko/GoWeb-PostgreSQL