6.
● Self-service and Chatops
● Elasticity: Training, dev, test
● International deployment
● Ability to invest to add value
● Time to Market
● Impact on all our teams
● Number of environments
● Mission critical “Ops”
7. Why do Ops also live for the code?
● We need monitoring, CI/CD, AB testing, DRP
● We need to move faster and faster
● People should not need us!
● Let’s stop building from the ground up
● Focus on products and businesses, not infrastructure
● Ops are deadly alive!
#OracleCode AND @gregoryguillou
8. Agenda
Mastering Terraform with OCI
● Introduction
● Terraform fundamentals
● Terraform OCI provider
● Coding and good practices
● Summary
10. Terraform Key concepts - https://terraform.io
● Infrastructure as Code
● A Go application
● HCL/JSON with an inference syntax
● Immutable Infrastructure
● State management
● Dozens of providers, including OCI
● Git and Registry
● Open-source and enterprise versions
11. Agenda
Mastering Terraform with OCI
● Introduction
● Terraform fundamentals
● Terraform OCI provider
● Coding and good practices
● Summary
14. Installing Terraform for OCI (master)
● Download the software from terraform.io
● Install the Terraform OCI provider
● Install the OCI Command Line Interface
● Create an RSA key and register it in your API Keys
● Define your OCI CLI configuration
● Create a provider.tf file and set the associated variables
● Initialize the project with the `init` command
● Define resources and `apply` them
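A provider.tf in the shape the steps above describe, added here as an example (it is not the workshop's own file): every credential comes from a variable, so the .env file carries the TF_VAR_ exports and the file itself contains nothing secret and can be committed. The variable names and the default region are assumptions; the provider arguments are those of the OCI provider, written in the 0.11 interpolation style the slides use.

```hcl
# provider.tf (added example; variable names and the default region are assumptions)
# Values are supplied from the environment, e.g. in the workshop's .env file:
#   export TF_VAR_tenancy=ocid1.tenancy.oc1..<placeholder>
# Nothing secret is written here, so this file can live in the repository.

variable "tenancy" {}          # TF_VAR_tenancy: tenancy OCID
variable "user" {}             # TF_VAR_user: OCID of the user the API key is registered on
variable "fingerprint" {}      # TF_VAR_fingerprint: fingerprint shown under API Keys
variable "private_key_path" {} # TF_VAR_private_key_path: path to the RSA private key (never the key itself)
variable "region" {
  default = "eu-frankfurt-1"   # assumption: pick the region of your tenancy
}
variable "compartment" {}      # TF_VAR_compartment: the compartment created for the team

provider "oci" {
  tenancy_ocid     = "${var.tenancy}"
  user_ocid        = "${var.user}"
  fingerprint      = "${var.fingerprint}"
  private_key_path = "${var.private_key_path}"
  region           = "${var.region}"
}
```

Passing `private_key_path` rather than the key material keeps the PEM out of variable files and out of shell history; the .env file that holds the TF_VAR_ exports should be ignored by Git for the same reason.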
16. Agenda
Mastering Terraform with OCI
● Introduction
● Terraform fundamentals
● Terraform OCI provider
● Coding and good practices
● Summary
17. A few coding good practices
● Create a specific compartment (master)
● Manage your state on a bucket (02-demo)
● Variables, inferences and dependencies (03-demo)
● Modules (04-demo)
● Packer (05-demo)
● dynamicgroups and OCI_CLI_AUTH (06-demo)
● Use other providers (07-demo)
● An easy (and bad) way to manage secrets (08-demo)
18. Create a specific compartment (master)
● Use OCI CLI to create a compartment
● Add it to the .env file and expose it through variables
Checkout 01-install.md
oci iam compartment create \
  --compartment-id="${TF_VAR_tenancy}" \
  --name="DevTeam" \
  --description="A compartment to be used by developers" \
  --wait-for-state=ACTIVE \
  --max-wait-seconds=300 \
  --wait-interval-seconds 5
19. Manage your state on a bucket (02-demo)
● Create a bucket
● Upload the current state as an object in that bucket
● Create a pre-authenticated request for that object
● Test that you can access the file from the request
● Add a backend.tf file that references the pre-authenticated request
● Re-initialize terraform with the backend
● Verify you can access the remote state
Checkout 02-remote-state.md
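The backend.tf these steps refer to, added here as an example rather than taken from 02-demo; every component of the URL is a placeholder. The point a practitioner should keep in mind: a pre-authenticated request URL is a bearer credential, and the state it points at holds every attribute Terraform knows, including any secret a provider returned.

```hcl
# backend.tf (added example; <region>, <par-token>, <namespace> and <bucket> are placeholders)
# The PAR URL is a bearer credential: whoever holds it can read the state and,
# with a write-capable PAR, overwrite it. Keep it out of the repository and hand
# it to Terraform at init time instead:
#   terraform init -backend-config="address=$TF_STATE_URL"
terraform {
  backend "http" {
    # address     = "https://objectstorage.<region>.oraclecloud.com/p/<par-token>/n/<namespace>/b/<bucket>/o/terraform.tfstate"
    update_method = "PUT"   # Object Storage expects PUT; the backend's default is POST
  }
}
```

Backend blocks cannot use variables, which is why the address is supplied with `-backend-config` rather than interpolated. When creating the PAR, pick the narrowest access type that still lets Terraform read and write the object and give it an expiry. Note also that this backend has no locking unless a lock address is configured, so two concurrent applies against the same state can corrupt it.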
20. Variables, inferences and dependencies (03-demo)
● Add access to the `compartment` variable
● Create a variable with a default value
● Infer variable value from another variable with `lookup`
● Create a VCN, DHCP Options and an Internet Gateway
● Create multiple resources and inferences with `count`
Checkout 03-inferences.md
21. Modules (04-demo)
● Create a directory and move the resources for your module into it
● Remove the resource from your original stack
● Create variables and outputs to encapsulate your logic
● Run `terraform init` to reference the new module
Checkout 04-modules.md
module "livecode" {
  tenancy     = "${var.tenancy}"
  compartment = "${var.compartment}"
  source      = "github.com/gregoryguillou/oci-workshop?ref=04-demo//modules/public-network"
}
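An added example serving both 03-demo (variables, `lookup`, dependencies and `count`) and 04-demo (modules); it is not the workshop's own modules/public-network code. It builds a VCN, DHCP options, an Internet Gateway, a route table and N public subnets inside one module, then calls that module from the root stack. The resource types are the OCI provider's; the variable names, CIDRs, display names and the route table are assumptions, written in the 0.11 interpolation style the slides use.

```hcl
# --- modules/public-network/variables.tf --- (added example; names and CIDRs are assumptions)
variable "compartment" {}
variable "environment" {
  default = "dev"                       # a variable with a default value
}
variable "vcn_cidrs" {                  # the VCN CIDR is inferred from the environment name
  type = "map"
  default = {
    dev  = "10.10.0.0/16"
    prod = "10.20.0.0/16"
  }
}
variable "subnet_count" {
  default = 2
}

# --- modules/public-network/main.tf ---
resource "oci_core_vcn" "this" {
  compartment_id = "${var.compartment}"
  cidr_block     = "${lookup(var.vcn_cidrs, var.environment)}"
  display_name   = "livecode-${var.environment}"
  dns_label      = "livecode"
}

resource "oci_core_dhcp_options" "this" {
  compartment_id = "${var.compartment}"
  vcn_id         = "${oci_core_vcn.this.id}"   # the reference is the dependency: no depends_on needed
  display_name   = "livecode-dhcp"
  options {
    type        = "DomainNameServer"
    server_type = "VcnLocalPlusInternet"
  }
}

resource "oci_core_internet_gateway" "this" {
  compartment_id = "${var.compartment}"
  vcn_id         = "${oci_core_vcn.this.id}"
  display_name   = "livecode-igw"
}

# Only subnets attached to this route table reach the Internet; keep private subnets off it.
resource "oci_core_route_table" "public" {
  compartment_id = "${var.compartment}"
  vcn_id         = "${oci_core_vcn.this.id}"
  display_name   = "livecode-public"
  route_rules {
    destination       = "0.0.0.0/0"
    network_entity_id = "${oci_core_internet_gateway.this.id}"
  }
}

# count: one /24 per subnet, carved out of the VCN CIDR with cidrsubnet().
resource "oci_core_subnet" "public" {
  count           = "${var.subnet_count}"
  compartment_id  = "${var.compartment}"
  vcn_id          = "${oci_core_vcn.this.id}"
  cidr_block      = "${cidrsubnet(oci_core_vcn.this.cidr_block, 8, count.index)}"
  display_name    = "livecode-public-${count.index}"
  dns_label       = "pub${count.index}"
  route_table_id  = "${oci_core_route_table.public.id}"
  dhcp_options_id = "${oci_core_dhcp_options.this.id}"
}

# --- modules/public-network/outputs.tf --- (the module's interface)
output "vcn_id" {
  value = "${oci_core_vcn.this.id}"
}
output "subnet_ids" {
  value = ["${oci_core_subnet.public.*.id}"]
}

# --- root main.tf ---
module "livecode" {
  # Pin the module to a tag or commit with ?ref=, never to a moving branch:
  # what terraform init downloads is then reviewable and reproducible.
  source       = "github.com/gregoryguillou/oci-workshop?ref=04-demo//modules/public-network"
  compartment  = "${var.compartment}"
  environment  = "dev"
  subnet_count = 3
}
```

Changing `subnet_count` from 2 to 3 adds one subnet without touching the others, because `count.index` feeds both the CIDR and the name; the outputs expose only what callers need, so the module's internals can change without breaking the root stack.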
22. Packer (05-demo)
● Installing Packer
● Finding the latest Oracle Linux Image
● Subnet and Compartment
● Building an OCI image with Packer
Checkout 05-packer.md
packer build \
  -var "subnet=$SUBNET" \
  -var "compartment=$TF_VAR_compartment" \
  template.json
23. dynamicgroups and OCI_CLI_AUTH (06-demo)
● Deploy a dynamic group and its policy
● Access the remote instance from SSH
● Use the metadata API to figure out the compartment
● Use the OCI CLI without any credentials
Checkout 06-dynamicgroups.md
export OCI_CLI_AUTH=instance_principal
oci os bucket list --compartment-id=$COMPARTMENT \
  --query='data[].{bucket: name}' --output=table
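The dynamic group and policy this demo deploys, added here as an example (it is not the workshop's 06-demo code): the group matches every instance of the team compartment, and the policy lets those instances read buckets in that compartment and nothing more, which is exactly what the credential-less `oci os bucket list` above needs. The group and policy names are assumptions; the resource types are the OCI provider's and the statement uses the OCI policy language.

```hcl
# Added example; group and policy names are assumptions.
variable "tenancy" {}
variable "compartment" {}

# Dynamic groups are tenancy-level objects, so they are created in the root compartment.
resource "oci_identity_dynamic_group" "devteam_instances" {
  compartment_id = "${var.tenancy}"
  name           = "DevTeamInstances"
  description    = "Instances running in the DevTeam compartment"
  # Match on the compartment rather than on individual instance OCIDs: every
  # instance launched in the compartment gets the identity, nothing outside it does.
  matching_rule  = "instance.compartment.id = '${var.compartment}'"
}

# The policy is attached to the team compartment, so it cannot grant anything beyond it.
resource "oci_identity_policy" "devteam_instances_read" {
  compartment_id = "${var.compartment}"
  name           = "DevTeamInstancesRead"
  description    = "Let DevTeam instances list and read buckets in their own compartment"
  statements = [
    "Allow dynamic-group ${oci_identity_dynamic_group.devteam_instances.name} to read buckets in compartment id ${var.compartment}",
  ]
}
```

A quick check that the scope is as narrow as intended: from an instance in the compartment, with `OCI_CLI_AUTH=instance_principal`, `oci os bucket list` succeeds while fetching an object does not, because `buckets` and `objects` are distinct resource types in OCI policies and only the former was granted. Widen the statement only when a workload actually needs the extra verb or resource type.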
24. Use other providers (07-demo)
● There are many useful providers, such as random, null, http, external, template or terraform_remote; for instance:
● You can use many more: kubernetes, consul, vault...
Checkout 07-other-providers.md
# The external data source runs a local program on the machine that runs
# terraform: it receives the query as a JSON object on stdin and must print a
# flat JSON object of strings, which becomes `result`. Review what the script
# does before wiring it in, as it executes with the operator's privileges.
data "external" "version" {
  program = ["${path.module}/version.sh"]
  query = {
    workspace = "${terraform.workspace}"
  }
}

output "oci-workshop" {
  value = "${lookup(data.external.version.result, "oci-workshop")}"
}
25. An easy and bad way to manage secrets (08-demo)
● Rely on HashiCorp Vault for a better setup:
○ Automatic password rotation
○ Access token expiration
○ Emergency process
● An easy way to manage secrets is to store them in a bucket:
○ Easy to push/pull new values
○ Dynamic Groups make it easy to retrieve them from an instance
Checkout 08-secrets.md
26. Destroy your stack (08-demo)
● Destroy the stack as part of the last part:
oci os object delete \
  --bucket-name=ftclnpb3wrytejru.resetlogs.com \
  --name=/configuration/secret/secret.json \
  --force
terraform destroy
…
Checkout 08-secrets.md
27. Random thoughts
● KISS and DRY
○ Use as few external tools as possible
○ Avoid provisioners and null_resource
● Add +1 to tag support for Terraform OCI provider #400
● Add +1 to support the container registry and OKE
● Don’t use terraform for Windows
● Rely on Let's Encrypt/DNS to generate SSL certificates
● Use Kubernetes (OKE) and a CI/CD for your application
● Implement Chatops and self-service
28. Agenda
Mastering Terraform with OCI
● Introduction
● Terraform fundamentals
● Terraform OCI provider
● Coding and good practices
● Summary
29. Summary
● Terraform is easy to use, quick to learn and popular
● OCI is a powerful and fast infrastructure
● The terraform-provider-oci leverages both OCI and TF
● The workshop explores many aspects: configuration,
compartment, state, inference, modules, templates,
dynamic groups, providers…
● Try the oci-workshop, provide feedback and open issues
● OCI is getting more advanced tools, such as DCS and OKE