Introduction to HashiCorp Terraform with Armon Dadgar

00:09

- Hi, my name is Armon Dadgar,

00:10

and I wanna talk a little bit about Terraform today.

00:13

So Terraform, if you've never heard of it,

00:15

is our tool for doing provisioning.

00:17

So when we talk about provisioning,

00:19

there's really two different problems

00:21

we're talking about, right?

00:22

So as we provision, there is our day one challenge

00:25

where we haven't actually started running anything yet.

00:28

And so how do we go

00:29

from running nothing to running something?

00:31

And then there's actually our more challenging day two plus,

00:34

which is: great, day one, we had nothing and we provisioned

00:37

our initial set of infrastructure.

00:39

And then day two, we have an existing set of infrastructure,

00:42

but we're trying to evolve it.

00:43

We're changing it over time.

00:44

We're adding new services, removing services,

00:47

and generally evolving the way our infrastructure looks.

00:51

So how does Terraform really solve this problem?

00:54

We fundamentally believe in taking

00:55

an infrastructure as code approach.

00:57

And so what I mean by that is we allow you

01:00

to declaratively define in a set

01:02

of Terraform config files

01:04

what you want your infrastructure to look like.

01:07

So in something that's very simple and human readable,

01:10

you describe your overall topology.

01:13

And so what I mean by that is when we talk about

01:15

infrastructure as many moving pieces,

01:17

I might have a VPC or my core network.

01:20

On top of that, I might provision my security group rules,

01:23

the way my network security is set up.

01:25

And then within that environment,

01:27

I define my set of virtual machines.

01:28

I might have some VMs that I wanna provision.

01:31

And then overlaid on top of that, I have a load balancer.

01:34

And so you can imagine how this graph extends over time.

01:37

I add different pieces,

01:39

different amounts of a complexity to it,

01:41

and I incrementally evolve my infrastructure

01:43

day over day, week over week.

01:46

And so while this is sort of graphical in nature,

01:49

the way we capture it in a Terraform configuration

01:52

is very lightweight in describing

01:54

sort of high-level resources.

01:55

We describe, you know, the VPC resource

01:58

and the fields that are required

01:59

to create this element of our infrastructure.

02:02

And then as we define these other things,

02:04

we can reference the other components of our infrastructure.

02:08

And so what Terraform does is gives us a workflow

02:12

for creating and managing this.

02:14

And ultimately, this is sort of three different

02:16

main commands that we run.

02:18

The first command is Terraform refresh.

02:21

And what Terraform refresh does is basically reconcile

02:24

what Terraform thinks the world looks like,

02:27

Terraform's view of our infrastructure,

02:30

with the real world.

02:32

And so how this works is Terraform goes out

02:34

and talks to the real world.

02:35

It'll query our different infrastructure providers,

02:38

whether that's VMware, or Amazon, or Azure,

02:40

and ask them, what's actually running?

02:42

And so in this way, Terraform gets an up-to-date view

02:45

of what our infrastructure actually is.

02:47

Then we run a plan.

02:49

A plan is where Terraform

02:50

figures out what it needs to do.

02:52

And so you can think about a plan as reconciling

02:55

sort of the real world,

02:56

what things are actually running,

02:59

with what we want to be running,

03:00

our sort of desired configuration.

03:04

So when we talk about Terraform's configuration,

03:07

what we're putting into this graph,

03:08

this is our desired state of the world.

03:10

This might not actually be the world as it is.

03:13

So as an example, on day one, when we execute this,

03:16

nothing is yet running.

03:17

So when Terraform runs the plan,

03:19

it realizes that there is nothing

03:20

yet running in the real world.

03:22

So to get to this desired configuration,

03:25

Terraform needs to boot all four of these resources.

03:27

And so this becomes the plan.

03:29

Terraform will give us an output that says:

03:31

to bring the world to look like what you want it to be,

03:34

I'm gonna go boot these four things.

03:36

So then the last part is actually doing this.

03:38

This is the apply phase of Terraform's execution.

03:41

So when we apply Terraform's execution plan,

03:43

it starts with our plan of what we need to do,

03:45

and it goes out and executes it against the real world.

03:49

And so in doing this, Terraform will go out and figure out,

03:52

what is the right order in which these need to be done?

03:55

So there's a natural dependency here.

03:57

The network must be defined first

03:59

before we can define the security groups around it.

04:01

Once those are defined, we can boot all of our VMs,

04:03

whether we're booting one or booting,

04:05

you know, hundreds of these in parallel.

04:07

And Terraform will figure out where it has

04:09

that opportunity to create things in parallel

04:11

and where it needs to be sequential.

04:13

And once these VMs are available,

04:15

then Terraform can lastly create

04:16

our load balancer and say, all done.

04:20

So this gives us a way to do our day one infrastructure.

04:23

So day one, we described

04:24

what we want our universe to look like.

04:26

We ran Terraform refresh,

04:28

it said there was nothing existing yet.

04:29

Plan said all of these things are gonna be created,

04:31

and then apply goes out and builds it.

04:33

What now happens over day two

04:35

is we start evolving our infrastructure.

04:37

So where this was our infrastructure day one.

04:40

Day two we might come in and say,

04:41

I really want a DNS record that points to my load balancer.

04:45

I want to have, you know,

04:47

a content distribution network

04:48

like Fastly sitting in front of that.

04:51

And I want my VMs to be connected to a monitoring system,

04:52

so I might monitor these different VMs.

04:57

And so now we change our Terraform configuration,

05:01

we enhance it by adding, you know,

05:02

the definition of these other elements to our TF config,

05:07

and we rerun the exact same workflow.

05:09

So when we run refresh,

05:10

Terraform will realize these first four resources exist,

05:13

but these new ones do not.

05:14

And so when we run our plan, it'll tell us

05:16

that nothing needs to be done with these four.

05:18

They already exist and they're in the desired state,

05:21

but that we must add three new elements

05:23

to get to where we need to be.

05:24

And so now when we run Terraform apply,

05:26

it goes ahead and talks to the real world

05:28

and adds these three new things

05:30

and brings the world into looking like our desired state.

05:34

The advantage of this workflow is a few fold.

05:36

One, our day one experience is identical to our day two.

05:39

And this really is important

05:40

because day two is sort of forever:

05:42

this is something we're gonna keep doing.

05:44

And then the other advantage of this

05:47

is something we actually skipped,

05:49

which is day N when we decide we might need

05:51

to decommission this.

05:52

We don't need this service anymore.

05:54

We don't want this infrastructure.

05:55

Maybe this was just a staging environment

05:57

or a test environment.

05:58

We then have the option to come in and destroy.

06:01

And when we do a destroy, it's basically an unwinding

06:04

of everything that's been done, right?

06:06

In some sense, it's a specialized version of apply,

06:09

which really looks at, creates a special destroy plan,

06:13

and then goes out and talks to the real world

06:15

to destroy all the elements that exist.

06:18

And so now we can efficiently, at the end of our lifecycle,

06:21

go from nothing to something, evolving it day over day.

06:24

And the final day, when we need to decommission it,

06:26

Terraform knows how to clean up all the resources

06:29

associated with that application.

06:32

So, so far, everything we've talked about

06:34

is really about the workflow.

06:35

This is not specific to any technology.

06:38

So how does Terraform actually make any of this stuff work?

06:41

This is where Terraform's architecture becomes important.

06:45

So when we talk about the way Terraform actually works,

06:48

there's sort of two major components.

06:51

One is Terraform's core.

06:53

So the monolithic core is responsible for a few things.

06:57

It takes the Terraform configuration,

07:01

which is being provided by the user,

07:04

and then it takes Terraform's view of the world

07:06

or Terraform's state.

07:08

This is managed by Terraform itself.

07:10

And so these get fed into the core,

07:12

and the core is responsible for figuring out,

07:14

what is that graph of our different resources?

07:16

How do these different pieces relate to each other?

07:19

What needs to be created, what needs to be updated,

07:21

what needs to be destroyed?

07:23

And so it does all of the essential lifecycle management.

07:26

On the backside, Terraform supports

07:28

many different providers.

07:31

And providers are how Terraform

07:32

connects out to the rest of the world.

07:35

So these can be things like cloud providers,

07:37

things like AWS, or Azure, or GCP.

07:42

They could be on-premise infrastructure.

07:44

So things like OpenStack or VMware,

07:49

but it's not restricted to just infrastructure as a service.

07:53

Terraform can also manage higher-level things,

07:55

platforms as a service such as Heroku, or Kubernetes,

08:01

or things like Lambda functions.

08:04

So these are higher level

08:06

than what we would traditionally consider

08:08

infrastructure as a service,

08:09

more in the realm of a platform as a service.

08:13

The other types of things Terraform can manage

08:14

are pure software as a service.

08:16

Very high-level things, maybe monitoring like Datadog,

08:19

or CDNs like Fastly,

08:22

or even things like managing GitHub teams.

08:27

So these are what we'd consider pure software as a service.

08:29

These are externally managed services,

08:32

but the view that we take as Terraform authors

08:35

is that all of these pieces are connected.

08:37

When I talk about a modern infrastructure,

08:40

I might be composing all of these different resources.

08:42

So I might have some set of my infrastructure

08:45

that is infrastructure as a service,

08:47

and then I might compose that and say, you know what?

08:49

I'm gonna provision a Kubernetes cluster,

08:52

and on top of my Kubernetes cluster,

08:54

I'm going to define a namespace,

08:56

and I'm going to define services.

08:58

And so these now exist

09:00

on top of infrastructure as a service,

09:02

and I might compose even these

09:03

with higher-level things like DNS and CDNs.

09:08

And so all of these

09:09

are important pieces of our infrastructure.

09:12

We can't deliver our application without the IaaS,

09:15

without the platform as a service,

09:16

and without the higher-level software as a service.

09:18

They're all part of our logical end-to-end delivery.

09:21

And what we wanna get to with Terraform

09:23

is a single, unified workflow.

09:25

We don't want it to be: you use one tool to manage this,

09:28

and now you have to figure out, you know,

09:30

how you get past this disjointed experience

09:32

to manage the next section,

09:33

and then another disjointed experience.

09:35

And you have to piece together all these things.

09:37

Instead, anything that really has an API

09:40

and has a lifecycle associated with it,

09:42

how can we enable that to be a provider

09:44

such that Terraform can help us

09:45

solve this problem end to end?

09:48

And this is really where providers come in.

09:50

Today, we have over 100 providers,

09:53

and those individually can manage

09:54

over 1,000 different resources,

09:56

where a resource can be, you know, an AWS EC2 VM,

10:01

or an Azure Block store, right?

10:03

These different types of resources or anything that a cloud

10:06

or even these higher-level things expose.

10:10

And that list is constantly growing.

10:11

Terraform is an absolutely massive open source project

10:14

with thousands of contributors.

10:16

And so every day, there's new providers and new resources.

10:19

So how does this really start getting used

10:22

at different levels within teams?

10:25

So this becomes an interesting workflow question

10:27

around how you actually manage Terraform.

10:31

So initially, this goes back

10:32

to that core workflow we talked about.

10:35

So we start with a single individual practitioner

10:38

who's using Terraform locally,

10:40

and their workflow is to start

10:43

by writing some Terraform configuration.

10:45

Then they run Terraform plan.

10:48

Plan tells them, what is this configuration gonna do?

10:50

What does Terraform think needs to be done

10:53

to apply these changes?

10:54

And if this looks good,

10:56

the practitioner will apply the changes.

10:58

And then this cycle continues.

11:00

They continue to evolve the infrastructure.

11:02

This might look very similar to software development,

11:05

where we're writing some code, we're applying unit tests,

11:07

we're committing those changes,

11:09

and then we're continuing our cycle.

11:11

So what happens is we go from a single individual,

11:14

to now we add multiple team members.

11:16

We have other people we wanna collaborate

11:18

on managing the same infrastructure.

11:20

Well, there's a few challenges,

11:22

much like with software writing, which is,

11:24

how do we make sure we have a consistent view

11:26

of what the configuration actually is?

11:28

And how do we make sure we don't step on each other's toes

11:31

and run multiple changes in parallel?

11:33

So if we both try and add five new VMs,

11:36

how do we avoid booting ten new VMs instead?

11:39

So this problem, in some sense, ends up being very similar

11:43

to the problem of using Git locally

11:45

versus using Git as a team.

11:46

So as we go to a team, we use a system like GitHub

11:50

to provide that central collaboration.

11:52

And so our equivalent of that

11:54

is what we call Terraform Enterprise.

11:56

So the Terraform Enterprise workflow

11:58

augments this a little bit.

12:00

So what we would do instead of now running it locally

12:03

and running these coordination risks, as an individual,

12:06

we're still writing our Terraform and planning locally,

12:09

but now we're pushing that into a version control system.

12:13

So this could be GitHub, could be Bitbucket,

12:16

could really be anything.

12:17

But the idea is, how do we move

12:18

to having a central repository where we're managing this

12:21

and coordinating, much like we do for source control?

12:24

And then we drive off of this

12:27

our Terraform Enterprise application.

12:29

And the goal here is a few fold.

12:31

One is how do we make sure

12:32

the state management is done locally?

12:35

So like I said, Terraform keeps track of all the resources

12:38

it's provisioned so that it knows at destroy time

12:41

what it needs to tear down,

12:42

or as we incrementally make changes, what already exists.

12:45

So this state file is an important thing

12:47

to have centrally managed so it doesn't diverge

12:49

or end up with sort of different lineages where, you know,

12:52

we fork off and then independently run Terraform,

12:54

and now the state files conflict with one another.

12:57

So by managing that centrally,

12:58

we avoid those sort of conflicts.

13:01

The other important advantage here

13:02

is that we make sure we're only doing

13:04

one run at a time, right?

13:05

So we ensure there's the sequential application.

13:08

So if Alice and Bob are both working

13:10

on the same infrastructure

13:12

and they both try and make a change,

13:13

they don't step on each other's toes.

13:15

Lastly, one of the challenges is,

13:17

oftentimes, in this environment,

13:19

developers are using local variables

13:21

to populate things like AWS IAM keys

13:24

or other sensitive credentials.

13:26

And so we don't want these sensitive credentials

13:28

to be strung about on all of our developers' machines.

13:31

Instead, we want those variables

13:33

to be kept centrally and encrypted

13:36

so that we don't have to worry about these things

13:38

getting exposed or leaking out in plain text.

13:41

We can put them in a central place

13:42

and version control and access controls

13:44

who can actually modify and view these things.

13:47

So this sort of changes our workflow

13:48

and now enables a handful of people

13:51

to collaborate safely together.

13:54

Well, what starts happening as we start wanting

13:56

to add even more people, right?

13:58

So for example, we might be going from

14:00

sort of our early operators

14:03

who are very familiar with the cloud environment

14:05

to exposing it more to our development groups.

14:09

This is where Terraform's notion of a module comes in handy.

14:12

So a Terraform module

14:14

is sort of like a black box of infrastructure

14:17

where what we can define is a set of input variables

14:21

that let us toggle the behavior of this module.

14:23

And the module might emit a set of output variables.

14:28

So an example of this might be,

14:30

I might define a module for doing Java,

14:33

for deploying my Java application in AWS.

14:36

And my inputs might be, what's the path to my JAR?

14:38

And how many instances of my Java application do I want?

14:41

And now, inside this module, we can operate as a black box

14:45

and deploy either VMs using EC2,

14:48

we can deploy Lambda functions,

14:49

we could deploy containers with ECS.

14:51

All of these become a detail hidden within this module

14:54

that a consumer doesn't need to know about.

14:56

And their output can just be, what's the address

14:58

of the load balancer that hits my application?

15:01

So in this way, we encapsulate that complexity

15:03

and make it more accessible to a broader audience.

15:07

So how do we actually manage and share these modules?

15:09

In general, we publish these things to a central registry.

15:15

So there's a central registry

15:16

that exists today for Terraform.

15:18

If you go to registry.terraform.io,

15:21

that's our global public registry.

15:23

And there you'll find hundreds of modules

15:25

that cover common forms of infrastructure,

15:28

common architectural patterns.

15:30

And many of these are actually published

15:31

by the cloud providers themselves.

15:32

So you can log in and see Google's official recommendation

15:36

for how to provision their network,

15:38

or Azure's official recommendation

15:39

for how to help manage a virtual network inside of Azure.

15:42

And so these modules make it much more consumable for us

15:46

to operate in these environments,

15:47

because we don't have to know every detail of it.

15:49

We can just go and say,

15:50

I wanna network in Amazon, or Google, or Azure,

15:53

and fill in a few of the inputs that matter to us,

15:55

and let the module take care of the rest

15:57

of the complexity, right?

15:58

And so the same idea can be extended

16:00

to different applications,

16:01

different types of infrastructure.

16:04

One way we can apply this same pattern internally

16:07

to our organization is by running a private registry.

16:10

So instead of using the public registry

16:11

that's available sort of globally,

16:13

we can run a private registry within our organization.

16:16

And this is a capability

16:17

integrated into Terraform Enterprise.

16:19

And so what this really lets us start to do

16:22

is make this split between the set of people

16:24

internally who are publishers

16:28

and are familiar with our internal infrastructure

16:30

and how it should be managed and cloud environments.

16:33

And they can push in to basically

16:35

a catalog or a module registry,

16:38

all of the different key patterns that are needed.

16:42

So we might publish, here's how we do a Java app,

16:44

here's how we do a C# app, here's how we do a database,

16:48

and expose this out to our internal developer community.

16:51

And then our much larger base of consumers

16:56

can simply go into the catalog

16:58

and pull out the things they need.

17:01

And so these consumers can know much less

17:03

about how cloud works, but still get these approved modules

17:06

that are sort of the best practice internally, right?

17:08

And there's sort of a few ways of consuming this.

17:11

For people that are more familiar with Terraform,

17:13

they can consume it just like a normal Terraform module

17:16

and do an infrastructure as code approach.

17:18

For folks that are less familiar,

17:20

they might wanna take more of a WYSIWYG approach,

17:22

and they can do that with Terraform Enterprise

17:24

by selecting their modules,

17:25

filling in the different variables,

17:27

and basically letting the system automatically generate

17:30

the equivalent Terraform for them.

17:32

So they can either use that equivalent Terraform

17:34

as a starting point and customize it further from there.

17:36

Or if they have really no interest in learning

17:38

and using Terraform directly,

17:39

they can just use the auto-generated Terraform

17:41

and self-service their infrastructure.

17:43

And so our goal really becomes,

17:45

how do we enable this large audience of consumers

17:48

to get to self-service on infrastructure in a way

17:51

that is still going to be compliant

17:53

with how the business wants to do it

17:55

and not create this immense workload on publishers

17:58

to constantly generate custom infrastructure

18:00

and custom definitions for the vast body

18:02

of consumers within an organization.

18:04

So at a snapshot, this is Terraform,

18:06

this is how it applies an infrastructure

18:08

as code approach to provisioning,

18:10

really looking at both the day one challenge,

18:13

and more importantly and more challengingly,

18:15

the day two-plus challenge.

18:16

And then the natural journey

18:18

as we go from a single individual using Terraform

18:21

to a small team, to kind of an entire organization

18:24

who's trying to leverage Terraform

18:25

for infrastructure management.

18:27

If you're interested in learning more about Terraform

18:29

or Terraform Enterprise,

18:30

I recommend checking out our online resources.

18:32

Thank you.