Infrastructure as code

00:00

MARTIN OMANDER: Steve, I was tuning the permissions

00:02

in my Google Cloud project, and that broke my Cloud Run service.

00:06

There's no undo button, so I can't get back

00:09

to a working state.

00:10

STEVE MCGHEE: Well, infrastructure as code

00:12

might have prevented that.

00:13

Let's see how.

00:14

[MUSIC PLAYING]

00:23

MARTIN OMANDER: Welcome back to the show, Steve.

00:25

I'm so happy you're here to tell us about reliability.

00:28

You have some solid experience.

00:30

STEVE MCGHEE: Thanks, Martin.

00:31

Yeah.

00:32

I was a site reliability engineer, or SRE, inside

00:35

Google for over a decade.

00:37

I worked on Search, Android, YouTube, and Cloud.

00:40

Now my job is helping developers understand

00:42

how to build reliable systems in the Cloud.

00:45

MARTIN OMANDER: And you said infrastructure as code

00:47

could help me project settings?

00:49

STEVE MCGHEE: Yeah.

00:50

Infrastructure as code or IAC is like using version control

00:54

for your infrastructure.

00:55

We all know it's safer to keep the application

00:57

code in source control.

00:59

It's a good idea to do the same for your infrastructure.

01:02

For example, I have a web app here

01:04

that uses Cloud Run, a Firestore database,

01:07

and a few other components.

01:09

Let's say I'm playing around with the service account

01:11

settings and I accidentally remove a role from one of them.

01:16

Now my users will get an error message, the web app is broken.

01:20

MARTIN OMANDER: Yeah, that's exactly what

01:22

happened to my application.

01:23

STEVE MCGHEE: Right.

01:24

The application is broken now, and we're losing money.

01:26

Everyone is stressed, and the application

01:28

needs to come back online ASAP.

01:31

It's hard to do troubleshooting in this kind of environment.

01:34

MARTIN OMANDER: Yep.

01:35

Been there, done that.

01:36

STEVE MCGHEE: So instead of troubleshooting,

01:38

let's run the Terraform file that

01:40

describes our last known good configuration.

01:43

I run Terraform apply in this terminal, then I confirm,

01:47

and off it goes.

01:48

This may take a few minutes.

01:50

MARTIN OMANDER: And now it's restoring the service accounts

01:52

in your project?

01:53

STEVE MCGHEE: Yeah.

01:54

It's restoring the service accounts, the Cloud Run

01:56

services, my database settings, any virtual machines

01:59

I might have, and so on.

02:01

And now it's done.

02:02

Let's try accessing the web app again.

02:05

The app is working again.

02:06

We didn't have to do any troubleshooting

02:08

in a stressful situation.

02:09

MARTIN OMANDER: Ah, excellent.

02:11

And you use Terraform for this?

02:12

STEVE MCGHEE: Yeah.

02:13

I use Terraform, but there are alternatives

02:15

like Poulomi and others.

02:17

Some Cloud providers also offer their own tools.

02:19

The one thing they have in common

02:21

is that they update the infrastructure in a project,

02:23

like you might do in the Cloud Console or on the command line

02:26

with the gcloud command.

02:28

MARTIN OMANDER: I don't have infrastructure

02:29

as code in my project now, and I'm a little overwhelmed.

02:33

How can I get started?

02:34

STEVE MCGHEE: Sure.

02:35

First, describe your infrastructure as runnable files

02:38

that you can check into source control.

02:40

It's fine to do this for part of your system

02:42

and expand as you grow more comfortable.

02:45

Then your goal is to set things up so that if someone changes

02:49

the infrastructure in your project,

02:50

you'd be able to recover in minutes.

02:53

Finally, this may be weeks or months down the road.

02:56

Set up a reconciliation loop to prevent infrastructure drift.

03:01

MARTIN OMANDER: All right.

03:02

Tell me more about that first item on your list.

03:04

STEVE MCGHEE: OK.

03:05

By having your infrastructure described in runnable files,

03:08

you can see the desired state of your infrastructure.

03:10

For example, if your project includes Cloud Run services,

03:13

this desired state would describe things

03:15

like in which region the service is deployed, if each service is

03:19

open to anonymous users or if it's authenticated,

03:22

and what service accounts are used.

03:24

Now that these settings are in runnable files,

03:27

you can update them with precision

03:29

and collaborate around them, just like you

03:31

would with source code.

03:32

MARTIN OMANDER: Could you give us an example of that?

03:35

STEVE MCGHEE: Sure.

03:35

Let's say you have a Cloud Run service that is public

03:38

and you described it using Terraform.

03:40

Here's what it would look like.

03:41

Now, let's say in the next release,

03:43

this Cloud Run service should be an authenticated service that

03:47

can only be called by other services, not by end users.

03:50

A developer would update the Terraform file accordingly

03:53

and submit it to source control.

03:55

MARTIN OMANDER: And then that change

03:56

would use the same approval process

03:58

as any other code change?

04:00

STEVE MCGHEE: Yes.

04:01

The developer would create a pull request,

04:03

and it would be reviewed by another developer who might ask

04:05

questions or propose changes.

04:07

When the change has been approved

04:09

and it's time to release the next version of the system,

04:11

the Terraform file would be run and change

04:14

the authentication setting for the Cloud Run service.

04:17

MARTIN OMANDER: Back when I worked in startups,

04:19

we used to document the production environment

04:21

very carefully.

04:23

Is that the same thing?

04:24

STEVE MCGHEE: Not really.

04:25

A document still has to be interpreted

04:27

by a person who might make mistakes or misunderstand.

04:31

This is less ambiguous and less prone to errors

04:34

if you specify the infrastructure

04:35

in these runnable files.

04:37

MARTIN OMANDER: I have a bunch of gcloud commands

04:39

in a runnable shell script.

04:40

Is that infrastructure as code?

04:42

STEVE MCGHEE: Kind of.

04:43

But that shell script does the same set of steps

04:46

every time, regardless of the current state of the running

04:49

system.

04:50

We call that an imperative language.

04:52

Terraform, Poulomi, and some other tools like them

04:56

use declarative languages.

04:57

That means that you specify what your environment should

05:00

look like.

05:01

The tool then figures out what needs to change, if anything.

05:05

MARTIN OMANDER: That sounds like idempotency.

05:07

STEVE MCGHEE: That's right.

05:08

These changes are idempotent.

05:10

That is, they can be run again and again

05:12

without any unintended side effects.

05:14

That makes them safer than a simple imperative script which

05:17

might go off and make the same VM over

05:20

and over every time you ran it if you weren't careful.

05:23

MARTIN OMANDER: Ah.

05:23

Very good.

05:25

Item number two on your list has to do with recreating

05:28

a deleted project.

05:29

STEVE MCGHEE: Well, hopefully you

05:30

have some safeguards in place so that your projects can't

05:33

be easily deleted by mistake, but it's a good litmus test.

05:36

Ask yourself, how long would it take

05:38

to recreate your production application

05:40

if its project was deleted?

05:42

You can reduce that time significantly with IAC.

05:45

MARTIN OMANDER: Got it.

05:46

STEVE MCGHEE: So once you have those runnable infrastructure

05:48

files, you can use them to create new environments.

05:51

For example, when a new developer joins your team,

05:54

you may want to set up a new development project for them.

05:57

If you have runnable infrastructure files,

05:59

you can do that in minutes.

06:01

MARTIN OMANDER: I guess the same goes for new test environments?

06:03

STEVE MCGHEE: You're right, it does.

06:05

For example, you might want to set up a short lived test

06:07

environment for a major new feature of your application.

06:10

IAC makes that easy.

06:12

MARTIN OMANDER: What about data in a database?

06:14

That would be needed too to set up a new project, right?

06:17

STEVE MCGHEE: That's right.

06:18

Data is more complex, so it's best

06:19

to use dedicated tools for that.

06:21

For example, you may use database tools

06:23

to back up your production data at regular intervals,

06:26

and you probably have a different set

06:27

of data for development that doesn't include

06:30

sensitive production data.

06:31

You'd use IAC to create your infrastructure,

06:34

then you'd use a database tool to restore data into it.

06:37

MARTIN OMANDER: Makes sense.

06:38

Let's say I have created an infrastructure file so I can

06:41

restore my system in minutes.

06:43

Then the last item on your list mentions a reconciliation loop.

06:47

What's that?

06:48

STEVE MCGHEE: So this is an extension of IAC,

06:50

but many teams find it useful.

06:52

Here's how it works.

06:53

People might make changes to your production or test

06:56

environments outside of IAC.

06:58

For example, someone in your organization

07:00

might notice that a service account has too many privileges.

07:03

They might change that manually in the Cloud Console.

07:06

MARTIN OMANDER: And that could break the application?

07:08

STEVE MCGHEE: Yes, it could break the application.

07:10

But even if it doesn't, we can no longer

07:12

be sure what our infrastructure looks like or when it changed.

07:16

We need a way to notice changes made outside of our IAC tool.

07:20

MARTIN OMANDER: And what should we do if we notice a change?

07:23

STEVE MCGHEE: Well, you could report the change

07:25

or you could overwrite it.

07:26

It's up to you which you prefer.

07:28

You may want to start with just reporting.

07:30

By sending a diff between the desired

07:33

environment and the actual environment, it's like an alert.

07:35

MARTIN OMANDER: And how would I get started

07:37

with this reconciliation loop?

07:39

STEVE MCGHEE: Well, you'd set up a nightly check like in a Cron.

07:42

Then you would run the check more often

07:44

to see if you see some benefits.

07:46

One option is to run it against a subset of your infrastructure

07:49

if that subset is extra important.

07:52

MARTIN OMANDER: All right.

07:53

I have some questions for you, Steve.

07:54

STEVE MCGHEE: Go ahead, Martin.

07:56

MARTIN OMANDER: So I already have a CI/CD pipeline

07:58

based on your recommendations from my previous video.

08:01

How does infrastructure as code relate to that CI/CD pipeline?

08:04

STEVE MCGHEE: OK.

08:05

There are two approaches.

08:07

Either run IAC as part of the CI/CD pipeline.

08:10

There would be two passes, one to update

08:13

the infrastructure, another to deploy applications to it.

08:16

But you can imagine there could be unintended consequences

08:19

this way.

08:20

So you may want to run the dry run command every time

08:23

and provide the developer an opportunity

08:25

to evaluate if they want the proposed infrastructure

08:28

changes to be applied or not.

08:29

MARTIN OMANDER: Got it.

08:30

And what's the other approach?

08:32

STEVE MCGHEE: The other approach is

08:33

to update infrastructure separately, like just

08:35

on initial creation and then periodically after that.

08:39

These might be suggested by security or compliance teams,

08:42

and they could even be managed separately.

08:45

Again, the best practice here would

08:46

be to do the dry run first like Terraform plan,

08:49

and inform the app owners of the intended changes

08:52

before they are applied.

08:54

You have to find the right approach that's

08:55

right for you, your application, and your team.

08:58

MARTIN OMANDER: And in some organizations,

09:00

there is a separate infrastructure team.

09:03

Does that change things?

09:04

STEVE MCGHEE: Then IAC may run outside of that CI/CD pipeline.

09:08

The infrastructure team could choose to release updates

09:10

on a different cycle, but they'd still use IAC when they do that.

09:14

The infrastructure experts can deliver templates

09:17

to the developers so the developers

09:18

don't have to become infrastructure

09:20

experts themselves.

09:21

For example, they may create a Terraform template

09:24

for an internal-only Cloud Run service.

09:26

That saves time for the developers

09:28

and it means that the infrastructure is standardized

09:30

across applications.

09:32

The infrastructure team will do less firefighting and more

09:35

designing of fire trucks.

09:37

MARTIN OMANDER: I love that analogy, Steve.

09:39

So my Google Cloud project has evolved over time

09:42

as I've made dozens and dozens of tweaks over the years.

09:46

How do I even get started with infrastructure as code?

09:49

STEVE MCGHEE: Well, there are tools

09:50

that can inspect your GCP project

09:52

and create IAC descriptions of your current state.

09:55

You can get started by running this gcloud command.

09:58

There are also third party tools which are more specialized

10:01

and may be a better fit for you.

10:02

Use one of these tools to get your current state.

10:05

Focus on one service that you know well, like Cloud Run,

10:08

and make sure the IAC files work really

10:10

well for that service in a test environment,

10:13

then expand to other parts of your system

10:15

as you gain confidence.

10:16

MARTIN OMANDER: All right, Steve.

10:18

That was a lot of information.

10:19

What are the takeaways?

10:21

STEVE MCGHEE: First, describe your infrastructure

10:23

as runnable files that you can check into source control.

10:26

It's fine to do this for part of your system

10:28

and then expand as you grow more comfortable.

10:30

Then keep working on this until you've set things

10:33

up so that if someone changes the infrastructure

10:35

in your project, you'd be able to recover in minutes.

10:39

Finally, and this may be weeks or months down the road,

10:42

set up a reconciliation loop to prevent infrastructure drift.

10:46

MARTIN OMANDER: Sounds good, Steve.

10:48

Thanks for sharing this with us.

10:49

STEVE MCGHEE: Thanks for having me, Martin.

10:51

MARTIN OMANDER: And thank you, everyone, for watching.

10:53

If you have questions for Steve or me,

10:56

please enter them in the comments below.

10:58

Also, let me know if there are other serverless topics you'd

11:02

like to see in future episodes.

11:04

I read every single comment.

11:07

Until next time.

11:09

[MUSIC PLAYING]