
How to get rid of terraform plan diffs


Slides for a lightning talk (LT) at Terraform meetup tokyo #1.

Published in: Technology

  1. Why I stopped being afraid of terraform plan diffs
 Oisix ra daichi Inc. @morihaya55
 Photo by Alexandr Podvalny on Unsplash: https://unsplash.com/photos/WOxddhzhC1w
 LT at Terraform meetup tokyo #1, 2019-08-01
  2. Agenda ● Who am I? ● The conclusion first: "read the output" ● Concrete diff examples ● Pulling the diff into the code ● Summary
  3. A quick self-introduction: Yukiya Hayashi (林 如弥) @morihaya55 ● I have worked as an infrastructure engineer at an SIer, a game company and elsewhere ● About four months of Terraform experience, on my most recent system ● Now an SRE operating and improving the systems of Oisix ra daichi, which delivers safe, trustworthy vegetables
  4. Let me start with the conclusion.
  5. Conclusion: terraform plan diffs are "nothing to be afraid of if you read the output properly".
  6. ...but if I left it at that, people would complain,
  7. so here are some concrete examples.
  8. Diff example: Security Group

```
  ~ resource "aws_security_group" "digdag" {
        id = "sg-07ee4c2hogehoge"
      ~ ingress = [
          - {
              - cidr_blocks      = [
                  - "10.150.0.0/16",
                ]
              - description      = "SSH Allow from private"
              - from_port        = 22
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 22
            },
          - {
              - cidr_blocks      = [
                  - "10.150.0.0/16",
                ]
              - description      = ""
              - from_port        = 65432
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 65432
            },
          + {
              + cidr_blocks      = [
                  + "10.150.0.0/16",
                ]
              + description      = null
              + from_port        = 65432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 65432
            },
        ]
```

 Note: the ID and subnet have been replaced with made-up values.
  9. A common(?) case: the AWS security group was updated by hand. "Ah, yeah, I was in a hurry that time (^^;)"
  10. Diff example: Security Group (the same plan output as slide 8)
  11. Diff example: Security Group (the same output, with the "-" lines highlighted as the content to be deleted)
  12. Diff example: Security Group (the same output, with the "+" lines highlighted as the content to be applied)
  13. Diff example: Security Group (the same output, with both the content to be deleted and the content to be applied highlighted)
  14. As you have seen so far, and...
  15. to 17. Diff example: Security Group (the same plan output as slide 8, with the content to be deleted and the content to be applied highlighted as on slide 13)
  18. The second rule matches exactly.
  19. In other words,
  20. Diff example: Security Group

```
  ~ resource "aws_security_group" "digdag" {
        id = "sg-07ee4c2hogehoge"
      ~ ingress = [
          - {
              - cidr_blocks      = [
                  - "10.150.0.0/16",
                ]
              - description      = "SSH Allow from private"
              - from_port        = 22
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 22
            },
```

 Content to be deleted: only this one rule disappears.
  21. Here is a quick refresher on how Terraform works.
  22. to 26. Terraform in a very rough diagram (reference: https://www.terraform.io/docs/state/). The diagram has three boxes: the cloud service (the actual state), the tfstate file (the state Terraform manages) and the tf files (the state declared as code), plus the admin/developer. Each slide adds one arrow:
 ● 22. the admin/developer writes the tf files
 ● 23. the admin/developer instructs plan/apply
 ● 24. the code is read
 ● 25. the states are compared against each other
 ● 26. the actual state is changed to the state declared as code
  27. A diff means: either the code is correct, or the actual state is correct.
  28. You have to look at the diff and decide which of the two is correct.
  29. If the code is correct (the normal case): terraform apply.
  30. If the actual state is correct, it has to be pulled into the code.
  31. So let's look at the plan diff once more.
  32. Diff example: Security Group (the plan output from slide 8 shown again, with the content to be deleted and the content to be applied highlighted)
  33. Hang on. If you look closely, isn't this output almost HCL?
  34. From diff to code - 1 (shown again: the "-" side of the plan output)

```
  ~ resource "aws_security_group" "digdag" {
        id = "sg-07ee4c2hogehoge"
      ~ ingress = [
          - {
              - cidr_blocks      = [
                  - "10.150.0.0/16",
                ]
              - description      = "SSH Allow from private"
              - from_port        = 22
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 22
            },
          - {
              - cidr_blocks      = [
                  - "10.150.0.0/16",
                ]
              - description      = ""
              - from_port        = 65432
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 65432
            },
```

  35. From diff to code - 2 (the same lines with the markers removed)

```
resource "aws_security_group" "digdag" {
  id = "sg-07ee4c2hogehoge"
  ingress = [
    {
      cidr_blocks = [
        "10.150.0.0/16",
      ]
      description      = "SSH Allow from private"
      from_port        = 22
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      protocol         = "tcp"
      security_groups  = []
      self             = false
      to_port          = 22
    },
    {
      cidr_blocks = [
        "10.150.0.0/16",
      ]
      description      = ""
      from_port        = 65432
      ipv6_cidr_blocks = []
      prefix_list_ids  = []
      protocol         = "tcp"
      security_groups  = []
      self             = false
      to_port          = 65432
    },
```

  36. Just delete the '~' and '-' with a search-and-replace, put the result into the code, and tidy it up with terraform fmt!
  37. Once it is in the code, plan!!!
  38. No changes! Mission complete!
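As an added example that is not part of the talk, here is a small Python script that performs the search-and-replace step mechanically on plan output: it keeps the "-" side, strips the "~" and "-" markers, drops the "+" blocks the code already declares, and also drops the computed `id` attribute, which the slide keeps but which cannot be set in a resource block. The plan snippet is constructed and shortened from the example on the earlier slides.

```python
import re

# Constructed sample in the terraform 0.12 plan format shown on the slides (dummy
# ID and CIDR): the "-" rule exists only on the real security group, the "+" rule
# is what the .tf code already declares.
PLAN_SNIPPET = """\
  ~ resource "aws_security_group" "digdag" {
        id = "sg-07ee4c2hogehoge"
      ~ ingress = [
          - {
              - cidr_blocks = [
                  - "10.150.0.0/16",
                ]
              - description = "SSH Allow from private"
              - from_port   = 22
              - to_port     = 22
            },
          + {
              + cidr_blocks = [
                  + "10.150.0.0/16",
                ]
              + from_port   = 65432
              + to_port     = 65432
            },
        ]
    }
"""

MARKER = re.compile(r"^(\s*)[~+-] ")  # the "~ ", "- " or "+ " prefix of a plan line

def removed_to_hcl(plan_text: str) -> str:
    """Return what the plan would delete (the real state) as HCL, dropping the
    "+" blocks the code already declares and the computed "id" attribute (not
    settable in a resource block). Indentation is left to "terraform fmt"."""
    out, stack = [], []  # one flag per open {...} / [...]: is that block dropped?
    for line in plan_text.splitlines():
        marker = line.lstrip()[:1] if MARKER.match(line) else ""
        body = MARKER.sub(r"\1", line)  # strip the marker, keep the indentation
        text = body.strip()
        if not text or text.startswith("#") or re.match(r"id\s*=", text):
            continue
        closes = text.startswith(("}", "]"))  # a closer belongs to the block it closes
        enclosing = (stack.pop() if closes else stack[-1]) if stack else False
        drop = marker == "+" or enclosing
        if text.endswith(("{", "[")):
            stack.append(drop)
        if not drop:
            out.append(body)
    return "\n".join(out) + "\n"
```

Run the result through terraform fmt before committing it, and read it first: every rule it contains, such as the SSH rule from 10.150.0.0/16 here, is a rule that apply would otherwise remove, so confirm it was meant to exist before pulling it into the code.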
  39. That is the easy pattern (if they were all like this, life would be easy).
  40. There are cases that are not easy: ● the module does not support it ● the provider version is too old ● bugs, etc...
  41. To tackle those... ● terraform state list/show/pull/push... ● terraform show ● terraform console ● terraform import ...
  42. Honestly, some cases are hard, but why not ask on Slack?!
  43. Conclusion (again): terraform plan diffs are "nothing to be afraid of if you read the output properly" (basically).
