[Cloud Architect] 8. Infrastructure as Code

Intro to IaC

Key Points

The old way of managing hardware in the server room often led to miscommunication due to a lack of centralized logs and the gap between business owners and infrastructure engineers. Servers could run for years with unused or decommissioned software, having had nobody utilize them for a long time
Moving applications to virtual servers meant more tech for engineers to master, but because virtual servers are managed with dashboards and their health and use can be easily monitored, virtual server management is easier for engineers than in the server room
Defining your infrastructure in code reduces error and effort by providing a visual representation of your cloud services in code that can be run to create, modify, and destroy infrastructure.
Infrastructure as code is auditable and repeatable, which is perfect for large cloud implementations under the management of Cloud Governance where starting over for every new project or lifecycle is a tedious manual job with the potential for errors and compliance deviations

Infrastructure as code is also sometimes referred to as software defined infrastructure.
AWS CloudFormation makes it easy to use programming languages or even a text file to securely model and provision the resources you need to run your application.
One potential drawback of opting for AWS CloudFormation is that it effectively locks you into AWS as a cloud provider, unless you want to start over.

Additional Reading

Learn more about CloudFormation:

Create an RDS by Using AWS CLI

You will need to consult the AWS CLI Command Reference for RDS to determine the CLI commands you will need to use to create and delete a database with these parameters:

db.t2.micro instance class
Postgres database engine
20g storage
master username
password for the master user
not publicly available

aws rds create-db-instance 
    --allocated-storage 20 --db-instance-class db.t2.micro 
    --db-instance-identifier myinstancename 
    --engine postgres 
    --master-username myname 
    --master-user-password secret99 --no-publicly-accessible

on't forget to return to the CLI to delete your database!

aws rds  delete-db-instance 
     --db-instance-identifier myinstancename 
     --skip-final-snapshot

What is Terraform?

Key Points

Terraform is an Open source Infrastructure as code software tool
Terraform code is written in Hashicorp configuration language or HCL, a structured configuration language that is human and machine readable for use at the command line
Terraform is cloud neutral, meaning the APIs it provides do not lock the user to any one particular cloud provider.
Learning about Infrastructure as Code and Terraform is a great step toward advancing your career in cloud architecture

Additional Reading

Learn more about Terraform here:

Terraform Files and Hashicorp Configuration Language

Key Points

Terraform has its own configuration language,Hashicorp Configuration Language (HCL), that it uses primarily to declare resources.
HCL is declarative, meaning you use it to describe your desired infrastructure and Terraform will figure out how to create what you requested in the code
The set of files used to describe infrastructure in Terraform is referred to as a Terraform configuration
Terraform configuration files are named with the .tf file extension. A JSON-based varian of Terraform language uses the .tf.json file extension
A Terraform configuration can be as simple as a single root module (folder) containing one .tf file.

To get help or view information about a specific command, pass the -h flag after the command. For example, to learn more about the ‘show’ command, type:

terraform show -h

Demo Code

Try it out with a simple terraform file like the example shown below. Name the file terraform.tf and run it from a working directory in your terraform root folder.

provider "aws" {
  access_key = "<Your Access Key>"
  secret_key = "<Your Secret Key>"
  region = "us-east-1"
}

resource "aws_instance" "example" {
  ami = "ami-0742b4e673072066f"
  instance_type = "t2.micro"
}

Run terraform init, terraform plan, terraform apply, and terraform destroy and observe the results in the AWS EC2 Management console.

Additional Reading

Variables in Terraform

Key Points

Terraform variables are commonly stored in either a variables.tf or .tfvars file in a Terraform configuration
Input variables are used to make your code more configurable by allowing you to SEND values into Terraform
Output variables output or print an expression from Terraform.

Terraform Modules

Terraform modules ensure that the configurations in your lifecycle environments are the same.
Terraform modules abstract your infrastructure descriptions by describing it as architecture and not actual objects.
Terraform modules are a set of Terraform configuration files in a folder.
Terraform modules can be reused in different environments, so that the code in the environments is the exact same.
A Terraform module best practice is to have separate git repositories for reusable modules and live infrastructure and specify a versioned module git URL in the source parameter instead of your local filesystem.
Terraform modules can be created and shared among Terraform users on Terraform Registry or in private registries. Using premade modules is a good way to get started.

Using Terraform to Create AWS Infrastructure

Key Points

Terraform is a declarative language that describes infrastructure in terms of the end goal as opposed to a series of steps it would take to get there.
An example of how declarative code differs from procedural code would be changing the number of servers in a .tf file to increase the number of running servers from 2 to 4. Terraform would recognize that two servers have already been created based on the .tfstate, and add two more because the end goal is 4 servers. In procedural language such as an AWS CLI command, increasing the server count to 4 would result in 4 additional servers.

https://www.cnblogs.com/Answer1215/p/15350900.html

Additional Reading

Learn more about Terraform Modules

TFState FIle Management with Terraform

The Terraform state file, terraform.tfstate, is how Terraform is able to keep track of the elements of your infrastructure it is responsible for. The state file allows Terraform to find the resources it has previously created or updated and proceed to carry out the current instruction
terraform.tfstate is a JSON file that maps the instructions in your configuration files to the actual resource in the real world and maintains all of the metadata about the resource so it can keep track of its status.
Instead of using version control for your terraform.tfstate file, the terraform best practice is to use a remote backend to store the file.
- 　　Such as S3

Using AWS S3

If you are already using Terraform with AWS, your best bet would be to use AWS S3 as your remote backend.

AWS S3 is extremely durable, so losing your state file is nearly impossible
AWS S3 supports encryption in transit and at rest, and it supports versioning, so if you ever need to roll back your changes, all of your older versions are available
Storing a terraform.tfstate file in S3 would cost almost nothing.

https://www.cnblogs.com/Answer1215/p/15350921.html

Additional Reading

TF Best Practices

What do you think is the worst thing that can happen if Terraform isn’t implemented correctly?

In my opinion, the #1 worst thing that can happen is having your secrets accidentally exposed in your tfstate file or even worse your AWS config file in a public repo. Even though you are learners, you should start implementing the best practice of strong single-use passwords and multi-factor authentication. Once someone with bad intentions has your password, they will be off to the races trying to use it to get into other parts of your infrastructure.

AWS does scan public repos for secrets and notifies users when they have made such a mistake, but by that time, anything could have happened, and by anything, I mean a person may have provisioned quantum computers to mine bitcoin on your AWS account. Which brings me to another reminder to always set a billing alarm when you create an AWS account!

Key Points

Best practices are subjective and what works best for one company won’t work for another, These practices will generally keep you aware of the power of Terraform and the risks and rewards of running infrastructure as code
Ultimately, the implementation of a best practices culture at your company will lay the foundation for effective team communication, rapid issue resolution, and predictable deployments.
Terraform implementation should be done incrementally with all members of the team on board.
Terraform is not the answer for every company, especially a company that doesn’t want to use it. The risk of using it improperly is too great
Terraform has the best chance of succeeding at your company when it is used to address a specific pain point, and it performs that function well

More Best Practies

Separate administrative account, create one IAM user for Terraform
Use latest version of TF
Manage terrform.tfstate with a remote backend
Adhere to a style
Test in Sandbox
Leverage community modules
Use modules to standardize your code
Code review
Never make out-of-band changes
Plan for rollback and disaster recovery

Tips & Tricks

Implement incrementally
Train the team
Mindset and culture shift takes time
Use only when appropriate
Address a specific pain point

Additional Reading

Please follow the links below to learn more about Terraform. Terraform is the industry-leading IaC tool, and learning more about how to manage infrastructure using Terraform will be great for your cloud architecture career.